Rookie

The World of Hitchhiker's Guide-1

A slash youth wandering in Dali

Emergency Summary of Malicious SMS Interface Abuse

Incident

Source of the interface

  1. WEB registration interface
  2. APP registration interface

Observed behaviour on both interfaces:

  • A large number of verification codes are being sent.
  • The source IP keeps changing and a large number of phone numbers are targeted (the SMS is sent regardless of whether the number is valid).

Current Solutions

• A security verification code has been added.
• The verification code must be entered before the SMS is sent.

Security Solutions

0. SMS Sending Time Interval Limitation

Limit the interval between resends to the same phone number, usually 60-120 seconds. The front end shows a countdown and keeps the SMS button disabled until it expires; the back end enforces the same interval independently and refuses to send until it has elapsed, so removing the front-end countdown gains nothing.

1. IP Limitation

Set a maximum daily sending volume per IP address and per phone number according to your business characteristics. Additionally, check whether the phone number and the IP address belong to the same region.
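The interval limit from step 0 and the per-IP and per-number daily caps from step 1 are easiest to reason about as one back-end check, evaluated before any request reaches the SMS gateway. The following is an added example, not code from the original post: the limit values are assumptions (the post only suggests 60-120 seconds for the resend interval), the counters live in process memory to keep it self-contained, and `FakeClock` exists only so the behaviour can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Policy values are assumptions for this example; the post suggests a
# 60-120 second resend interval and daily caps chosen per business.
RESEND_INTERVAL_SECONDS = 60
MAX_PER_PHONE_PER_DAY = 10
MAX_PER_IP_PER_DAY = 50
DAY_SECONDS = 24 * 3600


class FakeClock:
    """Injectable clock so the limiter can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class SmsSendLimiter:
    """Back-end rate limiter keyed on phone number and client IP.

    Counters are kept in process memory to keep the example self-contained;
    a real deployment would keep them in a shared store such as Redis so
    that every application node enforces the same limits.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._last_sent = {}                    # phone -> timestamp of last send
        self._phone_sends = defaultdict(deque)  # phone -> send timestamps in last 24h
        self._ip_sends = defaultdict(deque)     # ip -> send timestamps in last 24h

    @staticmethod
    def _prune(stamps, now):
        # Drop timestamps that have left the 24-hour window (oldest first).
        while stamps and stamps[0] <= now - DAY_SECONDS:
            stamps.popleft()

    def request_send(self, phone, ip):
        """Decide whether an SMS may be sent now; records the send if allowed.

        Returns (allowed, reason). The interval check runs first because it
        is the cheapest and the most common rejection.
        """
        now = self._clock()
        last = self._last_sent.get(phone)
        if last is not None and now - last < RESEND_INTERVAL_SECONDS:
            return False, "resend interval not elapsed"

        phone_hist = self._phone_sends[phone]
        self._prune(phone_hist, now)
        if len(phone_hist) >= MAX_PER_PHONE_PER_DAY:
            return False, "phone daily limit reached"

        ip_hist = self._ip_sends[ip]
        self._prune(ip_hist, now)
        if len(ip_hist) >= MAX_PER_IP_PER_DAY:
            return False, "ip daily limit reached"

        # All checks passed: record the send before handing off to the gateway.
        self._last_sent[phone] = now
        phone_hist.append(now)
        ip_hist.append(now)
        return True, "ok"


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    limiter = SmsSendLimiter(clock=clock)
    print(limiter.request_send("13800138000", "203.0.113.5"))  # (True, 'ok')
    print(limiter.request_send("13800138000", "203.0.113.5"))  # rejected: interval
    clock.t += RESEND_INTERVAL_SECONDS
    print(limiter.request_send("13800138000", "203.0.113.5"))  # (True, 'ok')
```

The phone-number key must be the canonical number, not the raw request parameter; otherwise trivially different spellings of the same number get separate counters.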

2. Modify Registration Steps

For registration, split sending the SMS verification code and setting the username and password into two steps. The first step is a page where the user submits a username and password to the back end. Only after the back end acknowledges the first step does the user proceed, on a separate page, to the second step of requesting the SMS verification code. (Submission-rate and per-IP submission limits still apply.)
Note: the point of separating mobile SMS verification from username/password setup is that a user can reach SMS verification only after the username and password have been set successfully and the back end has acknowledged the first step.

3. Add Token

Uniquely identify the sender, to prevent parameter tampering that forges many IP addresses and phone numbers for malicious attacks. Use a token as the unique identifier: the back end injects the token into the front-end page, the front end reads it and includes it when requesting the SMS verification code interface, and the back end verifies it; if verification fails, no SMS is sent. (This solution is recommended.)
Additionally, bind the image verification code to the phone number.

4. Increase Image Verification Code

When sending the SMS verification code, require an image verification code. Each image verification code can be used only once: after an attempt it is invalidated whether or not the input was correct.
If the input is incorrect, issue a new image verification code. Invalidating the code after each attempt stops recognition software from retrying the same image many times.
Consider more complex image verification codes, or touch, sliding or image-orientation (front/back) verification.
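Steps 3 and 4 fit together naturally: the back-end token can carry the binding between the session, the phone number and the image verification code, and be spent on the first attempt. The following is an added example, not code from the original post. It assumes an HMAC signing key held by the server (`SERVER_KEY`, a constructed placeholder), a five-minute token lifetime and an in-memory table of pending challenges; the captcha image itself is out of scope, only its expected answer is stored.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this example: a per-deployment secret and a 5-minute token lifetime.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL_SECONDS = 300


class SmsChallengeService:
    """Issues a signed, single-use token that ties one session, one phone
    number and one image-captcha answer to one SMS send attempt.

    The token is consumed on the first redeem attempt whether or not the
    captcha answer was right, so a wrong guess cannot be retried against the
    same image, and a token issued for one phone number cannot be replayed
    for another.
    """

    def __init__(self, key=SERVER_KEY, clock=time.time):
        self._key = key
        self._clock = clock
        self._pending = {}  # token_id -> {"session", "phone", "answer", "expires"}

    def _sign(self, token_id, session_id, phone, expires):
        # Field separator is a control character so values cannot collide.
        material = "\x1f".join((token_id, session_id, phone, str(expires))).encode()
        return hmac.new(self._key, material, hashlib.sha256).hexdigest()

    def issue(self, session_id, phone, captcha_answer):
        """Back end injects the returned token into the page alongside the captcha image."""
        token_id = secrets.token_urlsafe(16)
        expires = int(self._clock()) + TOKEN_TTL_SECONDS
        self._pending[token_id] = {
            "session": session_id,
            "phone": phone,
            "answer": captcha_answer.strip().lower(),
            "expires": expires,
        }
        return f"{token_id}.{self._sign(token_id, session_id, phone, expires)}"

    def redeem(self, token, session_id, phone, captcha_input):
        """Verify a send request. Returns (ok, reason); the token is spent either way."""
        parts = token.split(".")
        if len(parts) != 2:
            return False, "malformed token"
        token_id, presented_sig = parts
        # pop() consumes the token before any further check: strictly single use.
        record = self._pending.pop(token_id, None)
        if record is None:
            return False, "token unknown or already used"
        # Recompute the MAC over the values the client now claims; a forged
        # session id or phone number yields a different MAC than the one issued.
        expected_sig = self._sign(token_id, session_id, phone, record["expires"])
        if not hmac.compare_digest(presented_sig, expected_sig):
            return False, "token does not match session or phone"
        if self._clock() > record["expires"]:
            return False, "token expired"
        if captcha_input.strip().lower() != record["answer"]:
            return False, "captcha mismatch"
        return True, "ok"


if __name__ == "__main__":
    svc = SmsChallengeService()
    tok = svc.issue("session-abc", "+8613800138000", "ab12")
    print(svc.redeem(tok, "session-abc", "+8613800138000", "AB12"))  # (True, 'ok')
    print(svc.redeem(tok, "session-abc", "+8613800138000", "AB12"))  # already used
```

Because the phone number is part of the signed material, changing the number in the send request after the captcha was solved invalidates the token rather than sending a code to a different recipient.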

5. Data Collection

Collect web device fingerprints and client information reported via JS: generate a hash fingerprint in JS to distinguish devices, and also upload the browser UA, resolution, platform, operating system and so on, which gives broad identification capability. This helps build your own intelligence database.
Apply human-machine checks, such as monitoring whether the front-end JS loaded and how long the user spent on the page, to help determine whether a proxy IP is in use.
Enterprises with the capacity can build their own risk control system.
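On the server side, the reported attributes are hashed into a device id and that id is correlated across requests; the incident pattern described above (rotating IPs, many numbers, one automation setup) shows up as one fingerprint spanning many IPs and many phone numbers. The following is an added example, not code from the original post: the field set, the thresholds and the sample events are all constructed for illustration, and the constructed reports assume the page's JS reports a `js_loaded` flag and a `dwell_ms` value.

```python
import hashlib
from collections import defaultdict

# Thresholds are assumptions for this example, not values from the post.
MIN_DWELL_MS = 2000          # a human needs at least this long before clicking "send"
MAX_PHONES_PER_DEVICE = 3    # distinct numbers one device may request codes for
MAX_IPS_PER_DEVICE = 3       # distinct source IPs one device may appear from

# Constructed field set; real collectors report more attributes.
FINGERPRINT_FIELDS = ("ua", "resolution", "platform", "os", "timezone", "language")


def device_fingerprint(report):
    """Hash the attributes the page's JS reports into a short device id.

    Recomputing the hash on the server from the raw attributes means a
    client cannot simply send a random hash of its own choosing.
    """
    material = "|".join(str(report.get(f, "")) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class RiskEvaluator:
    """Accumulates per-device history and returns risk reasons per send request."""

    def __init__(self):
        self._phones = defaultdict(set)  # fingerprint -> phone numbers seen
        self._ips = defaultdict(set)     # fingerprint -> source IPs seen

    def evaluate(self, event):
        report = event["report"]
        fp = device_fingerprint(report)
        self._phones[fp].add(event["phone"])
        self._ips[fp].add(event["ip"])
        reasons = []
        if not report.get("js_loaded", False):
            reasons.append("front-end JS did not run")
        if report.get("dwell_ms", 0) < MIN_DWELL_MS:
            reasons.append("page dwell time too short")
        if len(self._phones[fp]) > MAX_PHONES_PER_DEVICE:
            reasons.append("too many phone numbers from one device")
        if len(self._ips[fp]) > MAX_IPS_PER_DEVICE:
            reasons.append("device seen from too many IPs")
        return fp, reasons


# Constructed sample events: one script rotating IPs and numbers from a
# single browser profile, followed by one ordinary user.
BOT_REPORT = {"ua": "Mozilla/5.0 (X11; Linux x86_64)", "resolution": "1920x1080",
              "platform": "Linux x86_64", "os": "Linux", "timezone": "Asia/Shanghai",
              "language": "zh-CN", "js_loaded": True, "dwell_ms": 300}
HUMAN_REPORT = {"ua": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X)",
                "resolution": "390x844", "platform": "iPhone", "os": "iOS",
                "timezone": "Asia/Shanghai", "language": "zh-CN",
                "js_loaded": True, "dwell_ms": 8500}

SAMPLE_EVENTS = [
    {"phone": f"1380000{i:04d}", "ip": f"203.0.113.{i}", "report": BOT_REPORT}
    for i in range(1, 6)
] + [{"phone": "13900139000", "ip": "198.51.100.7", "report": HUMAN_REPORT}]


def evaluate_all(events, evaluator=None):
    """Run every event through one evaluator; returns [(phone, reasons), ...]."""
    evaluator = evaluator or RiskEvaluator()
    return [(e["phone"], evaluator.evaluate(e)[1]) for e in events]


if __name__ == "__main__":
    for phone, reasons in evaluate_all(SAMPLE_EVENTS):
        print(phone, reasons or "ok")
```

Reasons rather than a single score are returned on purpose: the per-device counts are the signal that feeds an intelligence database, while the dwell-time and JS checks are per-request and say nothing on their own about a device's history.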

Security Testing

When testing, capture the submitted request and send it to the request repeater. First send it once unchanged and analyse the request and response in detail, then add a comma after the phone number and resend. If that succeeds, keep appending commas to see whether unlimited sending is possible.

  • This method may also bypass the system's daily maximum SMS sending limit.

  • Testing has shown that commas, periods, hyphens, spaces and similar characters can also achieve the bypass.

  • Changing or adding the phone area code is another variant worth testing.

When testing for SMS bombing, other extra characters can be tried as well. For example, it was previously reported that during WeChat registration, adding semicolons allowed multiple numbers to be registered at once.
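Every variant in this section works the same way: the phone parameter is accepted with extra characters, so the gateway sends to the real number while the rate limiter sees a "different" key. The defence is strict validation and canonicalisation before the value is used anywhere. The following is an added example, not code from the original post; it assumes a service that accepts mainland-China mobile numbers only, with an optional `+86`/`86` prefix (that policy is an assumption, and the regular expression reflects it), and that the web framework exposes request parameters as a dict of lists.

```python
import re

# Assumed policy: the service registers mainland-China mobile numbers only;
# an optional +86 / 86 prefix is accepted, nothing else is. [0-9] rather
# than \d so that non-ASCII digit characters are not accepted either.
_CN_MOBILE = re.compile(r"(?:\+?86)?(1[3-9][0-9]{9})")


class InvalidPhoneNumber(ValueError):
    pass


def canonical_phone(raw):
    """Return the number as +86 followed by 11 digits, or raise InvalidPhoneNumber.

    Nothing is stripped or split: whitespace, commas, periods, hyphens,
    semicolons or a second number anywhere in the value make the whole value
    invalid, so a request can never carry "one number plus padding" past the
    validator and reach the gateway or the rate limiter under a different key.
    """
    if not isinstance(raw, str):
        raise InvalidPhoneNumber("phone must be a string")
    match = _CN_MOBILE.fullmatch(raw)
    if match is None:
        raise InvalidPhoneNumber(f"rejected phone parameter: {raw!r}")
    return "+86" + match.group(1)


def is_valid_phone(raw):
    """Boolean form of canonical_phone for callers that only need accept/reject."""
    try:
        canonical_phone(raw)
        return True
    except InvalidPhoneNumber:
        return False


def gate_send_request(params):
    """Server-side gate for the SMS interface.

    `params` is the parsed query/body as a dict of lists (the shape most web
    frameworks expose); a repeated phone parameter is rejected outright so
    "phone=A&phone=B" cannot fan out into two sends. Returns (accepted, detail),
    where detail is the canonical number on success and a reason on rejection.
    """
    values = params.get("phone", [])
    if len(values) != 1:
        return False, "exactly one phone parameter required"
    try:
        return True, canonical_phone(values[0])
    except InvalidPhoneNumber as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed inputs mirroring the variants listed in the testing section.
    for sample in ["13800138000", "+8613800138000", "13800138000,", "138-0013-8000",
                   "138 0013 8000", "13800138000;13900139000", "+86 13800138000"]:
        print(repr(sample), "->", gate_send_request({"phone": [sample]}))
```

The canonical value returned here is what should be used both as the recipient passed to the gateway and as the key for the interval and daily-limit counters, so that every spelling of one number shares one budget.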

  • The approach determines the outcome.