Unauthorized WL.Client.invokeProcedure call


Problem description

WL.Client.InvokeProcedure is an internal API used by the Worklight Framework; however, you can call this API after connecting a device in Debug mode with Google Chrome. How can we restrict access to WL.Client.invokeProcedure so that a user is not able to exploit this call?

Steps to replicate (for Exploitation Only):
1. unpack an APK built by Worklight
2. Set the android:debuggable=true (also check how WL Adapters are being called in JS files)
3. Rebuild the APK
4. Install the APK in mobile
5. Start the Application and connect through Chrome://inspect
6. Authenticate as a "normal" user
7. Go to Developer Console
8. Invoke WL.Client.invokeProcedure for any adapter you are authenticated to, but with unauthorized user data

Solution

I think the test is a bit misleading since "you" as an attacker will have several prerequisites: having the technical skill of manipulating code, invoking code and knowing what a "normal" user is.

That said:

  1. In the upcoming MobileFirst Platform v7.0 you will be able to obfuscate the code of a mobile app (iOS, Android and so on). You can also do this manually now.

  2. Already now you can enable the Application Authenticity Protection feature as well as the webResourcesChecksumTest and webResourcesEncryption features. See the security element section in the Application Descriptor user documentation topic.

    The above will add several layers of protection to your application, either preventing tampering with the application code, not allowing use of the app if its checksum has changed, and verifying the application identity.
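Obfuscation and checksum tests raise the cost of tampering with the client, but once someone can call an adapter procedure from a debugger console, the only control that still holds is the authorization check performed on the server. The following added example (not code from the original question or answer, and not the Worklight adapter API) models that point in plain JavaScript: a procedure that trusts a client-supplied `userId` beside one that resolves the owner from the server-side authenticated session. The `Session` object, the `invokeProcedure` dispatcher and the account records are constructed stand-ins for this illustration.

```javascript
// Added example, not from the original post or from IBM Worklight/MobileFirst.
// Framework-independent model of an adapter procedure called by a client,
// showing why the authorization decision must come from the server's view of
// the authenticated user rather than from parameters the client sends.
'use strict';

// Constructed sample data: account records keyed by owner.
const ACCOUNTS = {
  alice: { owner: 'alice', balance: 120 },
  bob:   { owner: 'bob',   balance: 450 },
};

// Insecure procedure: trusts the userId the client puts in the request.
// Client-side controls (obfuscation, checksum tests) do not stop a caller
// who invokes this from a debugger console with another user's id.
function getAccountInsecure(params, session) {
  const record = ACCOUNTS[params.userId];
  return record
    ? { isSuccessful: true, balance: record.balance }
    : { isSuccessful: false };
}

// Hardened procedure: ignores any client-supplied identity and resolves the
// owner from the server-side authenticated session. A caller can only ever
// retrieve the record of the user they authenticated as.
function getAccountSecure(params, session) {
  if (!session || !session.userId) {
    return { isSuccessful: false, error: 'not authenticated' };
  }
  // Deliberately does not read params.userId.
  const record = ACCOUNTS[session.userId];
  return record
    ? { isSuccessful: true, balance: record.balance }
    : { isSuccessful: false };
}

// Stand-in for the server-side dispatcher (hypothetical, not the Worklight
// API): the session comes from the server's record of the authenticated
// connection, never from the request body the client controls.
const PROCEDURES = { getAccountInsecure, getAccountSecure };

function invokeProcedure(name, params, session) {
  const proc = PROCEDURES[name];
  if (!proc) return { isSuccessful: false, error: 'unknown procedure' };
  return proc(params, session);
}

// Scenario from the question: bob authenticates normally, then calls the
// procedure from the console with alice's id in the parameters.
function demo() {
  const bobSession = { userId: 'bob' };   // server-side identity
  const tampered = { userId: 'alice' };   // client-supplied "user data"
  return {
    insecure: invokeProcedure('getAccountInsecure', tampered, bobSession),
    secure: invokeProcedure('getAccountSecure', tampered, bobSession),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the insecure procedure the tampered call returns alice's balance to bob; with the hardened one it returns bob's own balance regardless of what the client sends, and an unauthenticated call is refused outright. In a real adapter the same rule applies: derive the identity from the server's session or security context and treat every procedure parameter as untrusted input.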
