微信小程序审核安全检测漏洞导致线上环境一直高频访问报警事故!
微信小程序审核安全检测漏洞导致线上环境一直高频访问报警事故!
业务背景
昨天有个线上项目迁移,涉及到小程序域名接口变更,结果提交审核的时候忘记修改接口地址为线上正式地址,搞了个紧急发布版本,紧急发布版本提交审核后,系统就收到上了上面的邮件报警通知。
昨日,我们进行了一项项目迁移工作,其中涉及到了小程序域名接口的变更。然而,在提交审核的环节中,不慎遗漏了将接口地址更新为线上正式地址的重要步骤,这一疏忽直接导致了紧急发布版本的必要性。随后,紧急发布版本被迅速提交至审核流程,但很奇怪的是,提交紧急审核的同时。收到了好多线上邮件报警通知,提示我们相关问题。
异常报警
昨晚异常群有一条异常报警
- 响应错误:
Server Unknown Error - 详细错误:
Uncaught InvalidArgumentException: Malformed UTF-8 characters, possibly incorrectly encoded in - 请求时间:
2024-11-07 21:55:38 - 请求IP:
106.55.202.118 - 请求路由:
/open/v3/live/record?action=eval&live_id=undefined%bf%27%bf'%27%22'"\%5C%0d%0a%23%23
排查原因
查看系统访问日志
106.55.202.118 - - [07/Nov/2024:21:55:33 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%29%29%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%284%29%29%29coce%29%20limit%201%23 HTTP/1.1" 401 468 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval%27%29%29%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%284%29%29%29edel%29%20limit%201%23&live_id=undefined HTTP/1.1" 401 468 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=%22%20OR%20%28SELECT%2AFROM%28SELECT%28SLEEP%284%29%29%29comp%29%20limit%201%23&live_id=undefined HTTP/1.1" 401 451 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%22%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%283%29%29%29boqn%29%20limit%201%23 HTTP/1.1" 401 461 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval%22%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%283%29%29%29ednt%29%20limit%201%23&live_id=undefined HTTP/1.1" 401 461 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%20union%20select%201--%20 HTTP/1.1" 401 378 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%20union%20select%201%2C2--%20 HTTP/1.1" 401 384 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%20union%20select%20md5%283141592657%29%2C2--%20 HTTP/1.1" 401 416 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:34 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%27%20union%20select%201%2Cmd5%283141592657%29--%20 HTTP/1.1" 401 416 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:36 +0800] "GET /open/v3/live/record?action=eval&live_id=undefined%22%29%29%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%283%29%29%29kmen%29%20limit%201%23 HTTP/1.1" 401 469 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
106.55.202.118 - - [07/Nov/2024:21:55:36 +0800] "GET /open/v3/live/record?action=%22%29%20AND%20%28SELECT%2AFROM%28SELECT%28SLEEP%284%29%29%29zmys%29%20limit%201%23&live_id=undefined HTTP/1.1" 401 457 "https://live.tinywan.com/" "Tencent Security Team, more information: https://developers.weixin.qq.com/community/minihome/doc/0008ea401c89c02cff2d1345051001 (672cc64a5f089b56c41bb4251c64) 7262"
一开始怀疑是被攻击了,查询了一下请求IP106.55.202.118发现怎么是中国 广东省 广州市 运营商:腾讯 而且每个请求都携带参数 Tencent Security Team。
最终排查原因是:小程序提交审核时,微信会对你的后台进行扫描。
小程序安全检测原文
为进一步提升小程序的安全性和用户体验,目前平台将对提审的小程序进行安全检测,以便能及时帮助开发者发现小程序可能存在的安全漏洞。
一、背景介绍
小程序在开发过程中若存在安全漏洞的情况,如敏感数据篡改、拖库信息泄露、WEB攻击等,容易造成小程序的安全隐患,可能带来代码易被反编译、核心业务逻辑被破译、算法易被二次打包等风险。因此,平台将对提审的小程序进行安全检测,以协助开发者提升小程序服务的安全性,同时开发者也应加强自身小程序安全漏洞监测能力,保证可及时消除潜在的安全风险。
二、审核过程
安全检测过程中,平台会模拟真实业务场景,向提审小程序的后台发送服务请求,服务器会收到来自平台(显示为:Tencent Security Team,请求IP为106.55.202.118;113.96.223.69;125.39.132.125;43.139.209.119)的请求。该请求均以较低速率进行,正常情况下不会影响小程序的正常服务。若确实出现了影响小程序正常业务的特殊情况,如用户无法进行小程序的正常访问,开发者可基于自身业务情况,对相应请求加以限频,如有其他疑问,欢迎随时通过官方社区进行反馈。
三、审核结果
安全检测的结果是小程序审核的重要参考。若小程序在安全检测中被检测到存在安全漏洞,该小程序的审核将不予通过。开发者可根据扫描报告中的修改指引,对安全漏洞进行相应修复后,再重新进行提审。
其他常见问题
Q1:可以选择不进行安全检测吗,是否会影响小程序代码提审结果?
A1:安全检测是小程序审核的环节之一,所有提审的小程序均需进行,若检测中发现安全漏洞或小程序故意采取措施规避检测,该小程序的审核将不予通过。
Q2:若在小程序代码审核已结束或审核已撤销的情况下,可以停止安全检测吗?
A2:若在小程序代码审核已结束的情况下,平台将持续进行未完成的安全检测直至完成,如有需要,开发者可通过平台提供的相应链接(在【小程序管理后台 → 通知中心】查看站内信即可)自行中止安全检测;若在小程序审核已撤销的情况下,平台将自动中止未完成的安全检测。
“附表:安全检测内容详情
![谈谈基于OAuth 2.0的第三方认证 [中篇]](https://ask.qcloudimg.com/http-save/yehe-1161266/j4n6bvdh7j.png)
腾讯云开发者
