In business systems there is almost always a "look up details by id" scenario, for example GET /item/100 to fetch the item with id 100. This is the most common approach, but it is not suitable for externally facing services, because a numeric id leaks internal information: by changing the id a caller can reach other records, with a script they can crawl the entire data set, and since ids are usually assigned incrementally, a smaller id usually means an earlier creation time.

Therefore, in externally facing services we need to obfuscate the id. An acceptable obfuscation algorithm should produce ids that satisfy the following:

- A random-looking number or string
- No discernible pattern: after obfuscation, adjacent ids are neither increasing nor numerically or lexically close
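One way to meet both requirements while keeping the mapping invertible on the server, as an added example that is not part of the original post: a keyed Feistel permutation over the 32-bit id space, using HMAC-SHA256 as the round function, turns each internal id into an opaque 8-character hex token and back. The key, the function names and the 4-round / 16-bit-half parameters are assumptions of this example; the page does not prescribe a particular algorithm.

```python
import hmac
import hashlib

# Constructed example key. In production, load at least 32 random bytes from a
# secret store; the mapping is only as unguessable as this key stays secret.
EXAMPLE_KEY = b"example-secret-key-do-not-use-in-production"

HALF_BITS = 16                      # two 16-bit halves -> 32-bit id space
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4                          # rounds of the Feistel network


def _round_function(key: bytes, half: int, round_no: int) -> int:
    """Keyed pseudo-random function for one Feistel round: HMAC-SHA256 over
    (round number, 16-bit half), truncated to 16 bits."""
    msg = round_no.to_bytes(1, "big") + half.to_bytes(2, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")


def obfuscate_id(n: int, key: bytes = EXAMPLE_KEY) -> str:
    """Map an internal 32-bit integer id to an opaque 8-character hex token.
    Because the Feistel network is a permutation, distinct ids never collide."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("id must fit in 32 bits")
    left, right = n >> HALF_BITS, n & HALF_MASK
    for i in range(ROUNDS):
        # swap halves, XOR the old left half with F(right half)
        left, right = right, left ^ _round_function(key, right, i)
    return f"{(left << HALF_BITS) | right:08x}"


def deobfuscate_id(token: str, key: bytes = EXAMPLE_KEY) -> int:
    """Invert obfuscate_id by running the same rounds in reverse order."""
    if len(token) != 8:
        raise ValueError("malformed token")
    n = int(token, 16)          # raises ValueError on non-hex input
    left, right = n >> HALF_BITS, n & HALF_MASK
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round_function(key, left, i), left
    return (left << HALF_BITS) | right


if __name__ == "__main__":
    # Adjacent internal ids produce unrelated tokens, and each round-trips.
    for internal_id in (100, 101, 102):
        token = obfuscate_id(internal_id)
        assert deobfuscate_id(token) == internal_id
        print(f"/item/{internal_id} -> /item/{token}")
```

Two caveats a reviewer would raise on this design: a 32-bit token space is still small enough for an attacker to enumerate, so the token hides ordering and volume but does not replace a per-request authorization check on the resolved id; and widening the halves (or using a full block cipher) is needed if the table can exceed 2^32 rows or if enumeration itself must be impractical.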
```js
/*
 * Recommend run with node v8.9.x or higher version
 * npm install lodash crypto-js request-promise request
 * node hack.js
 */
const version = 5 // the version of t1t
const score = 370 // the score you wanna get
const playTimeSeconds = score * 0.01 // simulate the playing time (seconds)
var CryptoJS = require('crypto-js')
var request = require('request-promise')
/*
 * npm install crypto-js request-promise request
 * node wx_t1t_hack.js
 */
// export function testEncription(msg, fullKey) {
//   var fullKey = fullKey.slice(0, 16)
```
People

| :bowtie: | 😄 :smile: | 😆 :laughing: |
|---|---|---|
| 😊 :blush: | 😃 :smiley: | :relaxed: |
| 😏 :smirk: | 😍 :heart_eyes: | 😘 :kissing_heart: |
| 😚 :kissing_closed_eyes: | 😳 :flushed: | 😌 :relieved: |
| 😆 :satisfied: | 😁 :grin: | 😉 :wink: |
| 😜 :stuck_out_tongue_winking_eye: | 😝 :stuck_out_tongue_closed_eyes: | 😀 :grinning: |
| 😗 :kissing: | 😙 :kissing_smiling_eyes: | 😛 :stuck_out_tongue: |