MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs

Zidong Zhang (School of Cyber Science and Technology, Shandong University, Qingdao, China)
Qinsheng Hou (Shandong University; QI-ANXIN Technology Research Institute, Qingdao, China)
Lingyun Ying* (QI-ANXIN Technology Research Institute, Beijing, China)
Wenrui Diao* (School of Cyber Science and Technology, Shandong University, Qingdao, China)
Yacong Gu (Tsinghua University; Tsinghua University-QI-ANXIN Group JCNS, Beijing, China)
Rui Li (School of Cyber Science and Technology, Shandong University, Qingdao, China)
Shanqing Guo (School of Cyber Science and Technology, Shandong University, Qingdao, China)
Haixin Duan (Tsinghua University; Quancheng Laboratory, Beijing, China)

* Corresponding authors.
ABSTRACT

Mini-programs are lightweight apps running in super apps (such as WeChat, Baidu, Alipay, and TikTok), an emerging paradigm in the era of mobile computing. With the growing popularity of mini-programs, there is an increasing concern for their security and privacy. In essence, mini-programs are WebView-based apps. This means that they may be vulnerable to the same security risks associated with web apps. In this work, we discovered a new mini-program vulnerability called MiniCPRF (Cross-Page Request Forgery in Mini-Programs). Exploiting this vulnerability is easy, and the attack consequences are severe, leading to unauthorized operations, such as free shopping, and the exposure of confidential information, such as credit card numbers. The root causes of MiniCPRF can be attributed to multiple design flaws in both mini-programs and their super apps, including the insecure routing mechanism, the lack of message integrity checks, and plain-text storage. To evaluate the impact of MiniCPRF, we designed an automated analysis framework called MiniCAT. It can automatically crawl mini-programs, perform static analysis on them, and generate detection reports. In large-scale real-world evaluations with MiniCAT, we identified that 32.0% (13,349/41,726) of analyzable mini-programs are potentially vulnerable to MiniCPRF, including some famous ones with millions of users, such as Sohu and Wenjuanxing. Following the responsible disclosure principle, we have reported verified vulnerable mini-programs to the corresponding vendors and developers, and three real-world cases have been confirmed by CNVD. Additionally, we suggest mitigation strategies to resolve the security issue related to MiniCPRF.

CCS CONCEPTS

• Security and privacy → Software and application security.

KEYWORDS

Mini-program Security; Program Analysis; Vulnerability Detection

ACM Reference Format:
Zidong Zhang, Qinsheng Hou, Lingyun Ying, Wenrui Diao, Yacong Gu, Rui Li, Shanqing Guo, and Haixin Duan. 2024. MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs. In Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (CCS '24), October 14–18, 2024, Salt Lake City, UT, USA. ACM, New York, NY, USA, 15 pages. https://doi.org/10.1145/3658644.3670294

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
CCS '24, October 14–18, 2024, Salt Lake City, UT, USA
© 2024 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ACM ISBN 979-8-4007-0636-3/24/10
https://doi.org/10.1145/3658644.3670294

1 INTRODUCTION

Mini-programs, lightweight apps within a super or host app, have played an important role in mobile computing due to their convenience and functionality. The global popularity of mini-programs (hosted by WeChat [22], Baidu [6], Alipay [2], TikTok [26], and others) underscores the growing concerns about security and privacy. Mini-programs have features of both mobile and web apps and operate within a super app. For example, page navigation and communications are managed via routing, similar to many web apps, and they can manage user states. This allows user-specific data to be stored and retrieved in future interactions. However, the routing mechanism in mini-programs can become susceptible to attacks,
resulting in issues like broken authentication, request forging, and sensitive data leaks.

Existing research has predominantly assessed the security of mini-programs from the perspective of mobile apps, such as exploring permissions, common development bugs, and cross-mini-program communications [68, 70, 72]. Nevertheless, a noticeable gap persists in studying mini-program security from a web app standpoint.

Our Work. We have discovered a new vulnerability that results from the flawed design of page routing and user state management in mini-programs, including dependence on the URL schema for navigation and transmission of parameters, unencrypted parameter communication, and inconsistent preservation of user state. In particular, utilizing the sharing and forwarding features of mini-programs and the insecure local storage, an attacker can manipulate the URLs designated for page routing within mini-programs. This manipulation allows controlling the targeted routing page and the transmitted parameters. This specific vulnerability, termed MiniCPRF (Cross-Page Request Forgery in Mini-Programs), can result in the following consequences:

• Consequence I: Inducing victims to access modified mini-program page routes, thus executing sensitive operations (e.g., free shopping and unauthorized device control).
• Consequence II: Stealing sensitive information from the mini-program routes (e.g., a credit card number).

After further investigation into the root causes of MiniCPRF, we found they were linked to several design flaws in both mini-programs and their super apps, including plain-text routing parameter transmission, a lack of integrity checks for chat messages, and modifiable local storage of the super app. Thus, due to the simplicity of implementing MiniCPRF and the potential for attackers to expand the attack surface by exploiting the sharing mechanism of mini-programs, it is imperative to measure the impact of MiniCPRF on the current mini-program ecosystem and the corresponding platforms comprehensively.

To conduct such a large-scale measurement, we designed an automated detection framework called MiniCAT (MiniCPRF Analysis Tool). It consists of a mini-program crawler and an automatic MiniCPRF detector based on reverse taint analysis. With MiniCAT, we crawled mini-programs on a large scale and detected the corresponding potential MiniCPRF issues. In the experiments, we collected 44,273 WeChat mini-programs, and 41,726 (94.2%) could be successfully unpacked for further analysis. The final results show that 32.0% (13,349/41,726) of them are at risk of MiniCPRF, including some famous ones with millions of users, such as Sohu [21], a leading Chinese Internet and media mini-program, and Wenjuanxing, a leading online survey service mini-program. Moreover, we also propose measures to mitigate MiniCPRF, such as deploying encryption methods and performing message integrity checks.

Our research primarily concentrates on WeChat mini-programs due to their prevalence, as WeChat has over 900M daily active users worldwide [40]. Nevertheless, our findings on MiniCPRF in WeChat mini-programs led us to extend our analysis to other mini-program platforms, such as Baidu and Alipay, where we discovered similar vulnerabilities. This indicates that MiniCPRF is not an isolated issue but a widespread security concern across the mini-program ecosystem.

Responsible Disclosure. Every attack experiment described in this paper that involves real-world mini-programs was performed in a controlled environment. Moreover, we have reported all our discovered vulnerabilities to the corresponding vendors and developers. Currently, three of them have been confirmed and assigned vulnerability IDs: CNVD-2024-05527 (high severity), CNVD-2023-75836 (moderate severity), and CNVD-2023-75837 (moderate severity).

Contributions. The main contributions of this paper are:

• New Vulnerability. We identified a new type of mini-program vulnerability named MiniCPRF. This vulnerability enables attackers to forge mini-program routing and parameters, leading to various security consequences, such as controlling sensitive operations and information leakage.
• New Tool. We developed an automated analysis framework called MiniCAT, specifically designed for MiniCPRF. This framework can automatically crawl WeChat mini-programs and perform MiniCPRF detection based on static analysis.
• Large-scale Evaluations. We measured 41,726 out of the 44,273 crawled WeChat mini-programs and found that 13,349 (32.0%) could be identified as potentially vulnerable to MiniCPRF.

Open Source. Our analysis framework, MiniCAT [49], has been released on GitHub.

Demo Site. The anonymized PoC attack demos of the above vulnerabilities can be found at https://sites.google.com/view/minicprf.

Roadmap. The rest of this paper is organized as follows. Section 2 provides the necessary background of the WeChat mini-program framework and introduces the threat model used in this paper. Section 3 discusses the motivation case and summarizes MiniCPRF. The detailed design of MiniCAT is illustrated in Section 4, and Section 5 gives its prototype implementation. Section 6 analyzes the evaluation results. Section 7 discusses the limitations of our work and the lessons learned. Section 8 reviews the existing related work, and Section 9 concludes this paper.

2 BACKGROUND AND THREAT MODEL

2.1 Mini-Program

WeChat Mini-Program Framework. WeChat is a killer app developed by Tencent for messaging, social media, and mobile payment. Besides, WeChat is also a super app that provides a runtime environment for WeChat mini-programs [35]. These mini-programs are lightweight, require no installation, and provide users with various services, such as e-commerce, games, and tools. The architecture of a WeChat mini-program has two parts, as illustrated in Figure 1: 1) a front-end running on the super app to interact with the user and access system services; 2) a back-end providing the running environment (super apps) and performing server-side operations. According to the official documentation [9], the mini-program front-end can be further divided into a render layer and a logic layer [30]. WXML (WeChat Markup Language) templates and WXSS
(WeChat Style Sheets) are used in the render layer, while JavaScript is used in the logic layer.

[Figure 1: WeChat mini-program architecture. Front-end: the render layer (WXSS+WXML, components, data) and the logic layer (page routing, event handlers, API); back-end: the super app (host app: WeChat) and the developer's server / WeChat server.]

[Figure 2: Example of event communication and routing. ② the tap triggers the event handler; ③ wx.navigateTo routes from page/index/index to /page/user/index/index?username=Alice.]

Figure 1 shows how WeChat mini-programs enable communication between the render and logic layers using Events [13]. User actions are transferred from the render layer to the logic layer via events for further processing by the super app, similar to JavaScript DOM Events [15]. When an event is triggered by render-layer activity (e.g., a user tap), the logic layer executes the corresponding function, named the Event-Handling Function. Events drive the functionality and interactivity of the WeChat mini-program framework.

Routing Implementation. Routing [20] is a common concept in web apps: a requested URL path is mapped to the page or handler that serves it. Similarly, WeChat mini-programs require interactions and communications between different pages. In this paper, we define these processes as mini-program page routing. In detail, mini-program page routing is the rule for navigating from one page to another based on routing rules (i.e., the path) [37]. The URL schema controls it and can pass parameters in the page URL. For example, a complete mini-program routing path may look like /page/index?param=1 (similar to the GET method in HTTP). WeChat officially provides three APIs for navigation between mini-program pages: wx.navigateTo [45], wx.redirectTo [46], and wx.reLaunch [47].

Figure 2 shows an example of event communication and page routing implementation. The loginBtn button component in index.wxml is bound to the event-handling function formSubmit. When the user enters the username and password and presses the login button (①), this action triggers bindtap and then formSubmit (②) in index.js, resulting in sending the user's username and password to the developer's server for verification. If the verification is successful, the username becomes a routing parameter of /page/user/index/index, and the mini-program jumps to that index page via wx.navigateTo (③).

User State. The user state refers to the user's authenticated status in a system or app, meaning that a user has successfully authenticated and can durably access the protected resources or functionalities. It serves as the foundation for maintaining user sessions and enforcing security measures throughout the user's interaction with the system. In HTTP-based web apps, cookies and session mechanisms typically manage the user state. However, WeChat mini-programs do not support such HTTP-like mechanisms. To implement user states in WeChat mini-programs, developers need to utilize WeChat's specific authentication mechanism based on the OAuth 2.0 model [31]. Figure 3 shows an example of the mini-program authentication and user state process in the logic layer and the back-end. Specifically:

• Step ➊: The mini-program initiates wx.login, prompting the WeChat client to produce a temporary credential named code, generally valid for 5 minutes.
• Step ➋: Developers need to set up a handler page, handler.php, on their own servers. The front-end of the mini-program sends the code to the handler page, and the page communicates with the WeChat server through the back-end API code2Session, retrieving the user's unique OpenID and session_key. At this point, the session_key-OpenID pair forms the credentials for the user state.

There are two options to check the user state on specific pages:

• Step ➌.A: Design a custom user state using the OpenID, stored locally [38] via wx.setStorage. When validation is needed, developers can use wx.getStorage to fetch the OpenID, as demonstrated in Page I of Figure 3.
• Step ➌.B: Use wx.checkSession to validate the user state generated by wx.login, as seen in Page II of Figure 3.

It is crucial to mention that the custom user state method mandates verification on every authenticated page. Otherwise, the page will lack user state by default.

Sharing and Forwarding. As WeChat is a social-focused app, users can share mini-programs with their friends through Moments or chats [34]. The shared mini-programs appear as WeChat mini-program cards, like normal chat messages. Moreover, developers can customize the shared mini-program card and use the onShareAppMessage function of a specific page in the logic layer to determine whether this page can be shared or forwarded to other users.

[Figure 3: Case of authentication and user state management. ➊ the mini-program calls wx.login; ➋ handler.php calls the WeChat back-end API code2Session (code + AppSecret + AppID) and receives session_key + OpenID; ➌.A Page I checks the OpenID kept in mini-program storage; ➌.B Page II uses wx.checkSession.]

2.2 Threat Model

Here, we discuss the threat model used in our work, including the attack scenario and the attacker's capabilities.

Scenario. Both the attacker and the victim are WeChat users. They can access WeChat mini-programs using the official WeChat client on any platform (Windows/macOS/iOS/Android). Additionally, their devices run normally without malicious mini-programs. In this scenario, the attacker does not intercept communications directly between WeChat clients, nor is there a need for physical or remote manipulation of the victim's device. Moreover, the attack can also occur indirectly (e.g., through sharing mini-program cards).

Attacker's Capabilities. An attacker can exploit MiniCPRF vulnerabilities to generate malicious mini-program cards and either personally click on them or induce the victim to do so, enabling both individual and mass targeting. Furthermore, the attacker can create or modify malicious mini-program cards, with or without an existing card as a base. To construct or modify these cards, attackers only need to acquire the page routing URL and the corresponding parameters, which can be obtained directly or indirectly from the victim. These capabilities are relatively easy for the attacker to achieve because WeChat mini-program cards are stored in local storage, and a public method [12] is still functional in the latest version of WeChat (Jan 2024). Consequently, the attacker can access the detailed content of mini-program cards for the purpose of modification or forgery.

3 MOTIVATION CASE AND MINICPRF

3.1 Motivation Case

Here, we give a real-world case to illustrate MiniCPRF. In this case, an attacker can bypass the authorization of OKLOK (a mini-program for smart lock management) through MiniCPRF and take over the smart locks of victim users.

Normal Workflow. The unlocking process of OKLOK is illustrated in Figure 4. OKLOK offers two options for binding a user's Bluetooth smart lock: QR code scanning (①.A) and the mini-program's device search page (①.B). In both methods, the mini-program communicates with the back-end server, submitting the QR code or the received Bluetooth broadcast packets and retrieving a unique, user-invisible _id identifier (used to identify each lock). This _id guides the user to the Bind Page (pages/index/deviceAdd?_id=...), which verifies whether the lock has been bound (②). If the lock is already bound, other users receive a message indicating that they need permission to access it. If unbound, the current user's account is linked to the lock, and the process advances to the Unlock Page (/pages/index/deviceDetail?_id=...), carrying the _id (③). The login status (user state) is checked on this page, and then the mini-program starts the unlocking process to unlock the target lock (④).

Vulnerability and Attack. However, the above process can present opportunities for attackers. Through manual analysis, we discovered that the Bind Page allows users to share it, presenting it as a WeChat mini-program card. As illustrated in Figure 4, a WeChat mini-program card is an XML text stored in the local storage of the WeChat client. It contains the page routing URL (i.e., <pagepath>) that the mini-program navigates to after a user clicks on this card. Also, OKLOK allows users to forward the Bind Page to any chat. Besides, we found that the Unlock Page does not implement complete user state verification: this page only checks whether the user is logged in, not whether the user is the owner of the lock identified by _id. In other words, any user who provides the correct _id can unlock the target lock.

The attack process is described as follows: First, the attacker shares the Bind Page to any chat (❶). Then, the attacker extracts this card from the local storage to obtain the lock's _id (❷). Next, they modify the URL in the <pagepath> XML element of the card to the URL of the Unlock Page with the device's _id (pages/index/deviceDetail?_id=...), and write the modified card back to the local storage (❸). Since the Unlock Page implements incomplete user state checks, the attacker can click on the modified mini-program card (❹), navigate to that page, and perform an unauthorized unlock (❺). It should be noted that attackers can acquire the victim's _id directly (e.g., by accessing the victim's device) or indirectly. For example, in an Airbnb rental scenario, if the landlord (victim) remotely shares a temporary mini-program card with the tenant (attacker) for unlocking, it may accidentally expose the device's _id, enabling the attacker's permanent control of the device by exploiting MiniCPRF.

Even worse, the mini-program sharing feature enables attackers to widely distribute malicious mini-program cards, potentially affecting all OKLOK products. To carry out the attack mentioned above, the attacker only needs the device's _id. Besides, WeChat's functionality of navigating through mini-program QR codes (i.e., WeChat mini-program codes [29]) allows attackers to enable unauthorized unlocking for any user who scans such a QR code. In other words, attackers can widely distribute forged mini-program cards, affecting many users simultaneously in a "spray and pray" approach.
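The attack flow above (share, extract, rewrite <pagepath>, click) next to the ownership check that stops it, as an added example that is neither OKLOK's code nor the paper's. The card XML snippet, the lock `_id`, the OpenIDs, the `LockServer` model and its `unlockWeak`/`unlockChecked` handlers are constructed assumptions; real WeChat cards carry more fields than the one shown.

```javascript
// Added example (not OKLOK's or the paper's code): model the Section 3.1
// attack on a constructed smart-lock back-end, then the fix.

// A mini-program card as the paper describes it: XML in the WeChat client's
// local database, with <pagepath> naming the page opened on click.
// Constructed snippet for this example.
const sharedCard = `<msg><appmsg><title>Bind my lock</title>
<pagepath>pages/index/deviceAdd?_id=5f1e9c0d2a7b</pagepath>
</appmsg></msg>`;

// Attack step 2: read the routing URL from the card and recover the leaked _id.
function extractRoute(cardXml) {
  const m = /<pagepath>([^<]*)<\/pagepath>/.exec(cardXml);
  if (!m) throw new Error("card has no <pagepath>");
  const [path, query = ""] = m[1].split("?");
  return { path, params: Object.fromEntries(new URLSearchParams(query)) };
}

// Attack step 3: point <pagepath> at another page while keeping the parameters.
// Nothing in the card ties the path to the sharer or to whoever opens it.
function forgeCard(cardXml, newPath) {
  const { params } = extractRoute(cardXml);
  const url = `${newPath}?${new URLSearchParams(params)}`;
  return cardXml.replace(/<pagepath>[^<]*<\/pagepath>/, `<pagepath>${url}</pagepath>`);
}

// Constructed lock back-end. bind() links a lock _id to the caller's OpenID.
class LockServer {
  constructor() { this.owners = new Map(); this.opened = []; }
  bind(openid, id) {
    if (this.owners.has(id) && this.owners.get(id) !== openid) return "already bound";
    this.owners.set(id, openid);
    return "ok";
  }
  // As in the OKLOK case: the unlock page only asks "is someone logged in?".
  unlockWeak(openid, id) {
    if (!openid) return "login required";
    this.opened.push(id);
    return "opened";
  }
  // Hardened: the _id carried in the routing URL must belong to the caller.
  unlockChecked(openid, id) {
    if (!openid) return "login required";
    if (this.owners.get(id) !== openid) return "forbidden";
    this.opened.push(id);
    return "opened";
  }
}

// Attack steps 4-5: clicking a card routes to <pagepath>; the target page's
// onLoad receives the query string as its options and acts on it.
function clickCard(cardXml, session, server, mode) {
  const { path, params } = extractRoute(cardXml);
  if (path !== "pages/index/deviceDetail") return "not the unlock page";
  const unlock = mode === "weak" ? server.unlockWeak : server.unlockChecked;
  return unlock.call(server, session.openid, params._id);
}

// The victim binds the lock, Mallory turns the shared Bind Page card into an
// Unlock Page card, then each of them opens it. mode: "weak" | "checked".
function runScenario(mode) {
  const server = new LockServer();
  const victim = { openid: "o_victim" }, mallory = { openid: "o_mallory" };
  server.bind(victim.openid, "5f1e9c0d2a7b");
  const evilCard = forgeCard(sharedCard, "pages/index/deviceDetail");
  return {
    forgedPath: extractRoute(evilCard).path,
    rebind: server.bind(mallory.openid, "5f1e9c0d2a7b"),  // the Bind Page is safe...
    mallory: clickCard(evilCard, mallory, server, mode),   // ...the Unlock Page is not
    victim: clickCard(evilCard, victim, server, mode),
  };
}
```

The Bind Page's "already bound" answer is what makes the flow look safe; the weak unlock handler never consults that binding, so the forged card is enough. The hardened handler decides on the (OpenID, _id) pair held server-side, not on anything carried in the routing URL.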

[Figure 4: The workflow and attack path of the OKLOK case. Normal flow: ①.A scan the QR code or ①.B manual search; the OKLOK server returns the _id; ② Bind Page (pages/index/deviceAdd?_id=); ③ Unlock Page (pages/index/deviceDetail?_id=); ④ lock opened. Attack path: ❶ Mallory shares the Bind Page card to a chat; ❷ extracts the card from the local WeChat DB (_id leakage); ❸ modifies and saves an evil mini-program card; ❹ navigates by clicking it; ❺ unauthorized unlock due to the incomplete user state check.]

3.2 Summary of MiniCPRF

To summarize, a complete attack flow exploiting MiniCPRF can be generalized in three steps.

Step 1: Attackers identify potentially vulnerable pages and obtain parameters from the page's routing URL by forwarding it (❶).
Step 2: The attacker modifies a mini-program card or generates a new one by modifying the page routing URL (❷ and ❸).
Step 3: When the victim (or the attacker, in some exploitation cases) clicks on the crafted mini-program card, the attacker can perform sensitive operations (❹ and ❺).

Root Causes. We have identified three main factors that cause the appearance of MiniCPRF.

• The routing of WeChat mini-programs only allows developers to convey parameters in the URL schema. If the developer lacks security awareness, for example by transmitting sensitive parameters in plaintext within page routing URLs, this can lead to information leakage and associated security risks.
• WeChat mini-programs lack a unified and overall user state implementation, with existing user state security depending on the developer's awareness. In the above case, the lack of user state verification on sensitive pages is a key factor in the attack's success.
• WeChat's lack of integrity checks enables the forwarding of modified and forged malicious mini-program cards, and these cards are stored as plain-text XML in the local storage, allowing attackers easy access to view and modify page routing parameters from those cards.

Consequences. In summary, MiniCPRF can result in two potential consequences.

• Unauthorized operations. If developers include parameters related to sensitive operations in the mini-program page routing URLs, attackers can manipulate or forge those URLs to carry out unauthorized operations. Additionally, through sharing or generating a mini-program code, these malicious mini-program cards can be used by others, creating a significant security threat.
• Sensitive data leakage. Sensitive data may be leaked during the attack. In the above case, the lock's _id should be invisible to the mini-program users. However, attackers can obtain the _id through the MiniCPRF vulnerability. If the _id is used on other pages of the mini-program or involved in other sensitive operations, it can increase the attack surface, leaving it vulnerable to further exploitation.

Table 1: Comparison of CMRF, CSRF, and MiniCPRF. MP: Mini-program; WA: Web app.

  Vulnerability   Target   Mechanism    Scope
  CMRF            MP       Cross-MP     Two/Multi MPs
  CSRF            WA       WA routing   Single WA
  MiniCPRF        MP       MP routing   Single MP

Remarks. It is important to distinguish MiniCPRF from CMRF (Cross Miniapp Request Forgery) proposed by Yang et al. [70]. MiniCPRF targets security issues in routing within a single mini-program. On the contrary, CMRF concentrates on the risks in communication between two mini-programs. CMRF assesses whether a target mini-program verifies the source when it is called by another mini-program, similar to cross-app security concerns in mobile apps. Besides, it should be noted that MiniCPRF is a new type of vulnerability. Although its attack method (using URL modifications and forgeries) might look similar to CSRF, they have different attack targets and underlying mechanisms. The differences among CMRF, CSRF, and MiniCPRF are summarized in Table 1.

3.3 Automated Detection of MiniCPRF

Although WeChat mini-program pages and web apps have similar routing mechanisms, applying existing studies on security issues like CSRF in web apps to mini-programs is difficult. Specifically, previous studies [55, 63] usually use hybrid static-dynamic analysis approaches to detect CSRF. However, WeChat has strict security measures to prevent instrumentation analysis of real-world mini-programs. As a result, we cannot obtain the current page's routing URL or the user state at run time. Besides, since all back-end communication of the mini-program is invisible, we cannot access the communication context. Thus, existing methods are inapplicable for detecting MiniCPRF in mini-programs. There is a need for a new solution to address these challenges.

Fortunately, unlike web apps, mini-programs can be easily crawled and unpacked. With direct access to the source code, it becomes feasible to detect potential MiniCPRF vulnerabilities using static analysis. In detail, we need to design a system that can automatically acquire the source code of mini-programs and perform code analysis on both the logic layer (i.e., JavaScript files) and the render layer (i.e., WXML files). The system should accurately collect
529
CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA Zidong Zhang, et al.

1 /* deviceAdd . wxml */
ta Metadata Render 2 /* < button bindtap =" __e " class =" ubgc - blue umar - t100 "
da Event S2# WXML
ta fo API Layer data - event - opts ="{{[ [ 'tap ' ,[ ['toBindDevice'] ] ]
Me In Trigger Elements
(WXML) ]}}" >{{ ' '+( lan . btn_bind || ' bind ') + ' '}} </ button >
Auto */
Event S3# 3
User Actions WeChat User State
Simulator Client Logic Function Result 4 /* deviceAdd . js */
Layer 5 ④ Page({
(Js) Routing
Shareablity 6 ...
API Calls S4# 7 onLoad : function ( e ) {
wxunpacker
S1# 8 var data = this ;...
9 wx . setStorageSync (" user " , data . user )
Crawler MiniCPRF Detector 10 ...
11 }
Figure 5: The Workflow of MiniCAT. 12 onShareAppMessage () {
13 return {..}
14 } ,...
15 ③ toBindDevice: function () {
16 ....
risky page routing URLs, associated parameters, and attack paths 17 var a = {
18 _id : t . form . code ,
for MiniCPRF. This collected information can be used to create 19 user : t . user . _id ,
malicious mini-program cards to launch MiniCPRF attacks. 20 remark : t . form . remark };
21 /* binding the device from the server - side */
4 DESIGN OF MINICAT

We designed an automated analysis framework, MiniCAT, to detect potential MiniCPRF vulnerabilities in WeChat mini-programs. As shown in Figure 5, MiniCAT contains two modules: Mini-Program Crawler, which collects mini-programs at scale, and MiniCPRF Detector, which detects MiniCPRF vulnerabilities in the collected mini-programs.

4.1 Mini-Program Crawler

Crawling WeChat mini-programs is challenging since there are no official or third-party markets similar to Google Play [14] or Apkpure [4] for Android apps. Typically, users access mini-programs by scanning mini-program QR codes or by searching within the WeChat client. Zhang et al. [73] developed MiniCrawler to download mini-programs through specific WeChat APIs and designated AppIDs, the unique identifiers of mini-programs. However, batch querying of AppIDs is no longer possible because Tencent has restricted access to the related APIs.

During our investigation, we discovered that when a user accesses a mini-program on the WeChat Windows client, the client creates a directory under the user profile folder to store the mini-program, located at user_file/Applet/AppID. Furthermore, a WeChat metadata API [23] returns metadata for a mini-program, such as its description, type, and developer information, given its AppID. This discovery inspired us to develop an automated crawler that simulates user actions on the WeChat Windows client.

Our crawler, called Mini-Program Crawler, uses Natural Language Processing (NLP) techniques to construct a keyword dictionary for searching mini-programs within the WeChat Windows client, similar to the approach of MiniCrawler [73]. In addition, Mini-Program Crawler uses the mini-program metadata to extend the keyword dictionary; the metadata is obtained through the metadata API using the AppID read from the user profile directory.

Finally, the crawler retrieves the mini-program packages from the user profile directory and unpacks them into source code using wxappUnpacker [42]. The unpacked source code is the input of MiniCPRF Detector.

    22        n.default.httpPost({
    23          name: "device/bind",
    24          data: a,
    25          /* If the binding process is successful, the device's _id
                   will be appended to the URL as a parameter */
    26     ②    success: function (a) {
    27            var n = {
    28              _id: t.form.code
    29            };
    30     ①      wx.redirectTo({ url: "/pages/index/deviceDetail/deviceDetail?param="
                    + JSON.stringify(n) });
    31          },
    32          fail: function (e, t) {
    33            n.default.showToast(t);
    34          }
    35        });}...})
    36
    37  /* deviceDetail.js */
    38  Page({
    39    ...
    40    onLoad: function (t) {
    41      var o = this;
    42      o.app = wx.getStorageSync('user'),
    43      if (o.app) { o.getDetail(); }
    44    },...
    45    getDetail: function () {
    46      var t = this,
    47      o = { _id: t.param._id };
    48      ...
    49      success: function (o) { ...
    50        t.blue.device = o,
    51        /* Unlock the corresponding lock */
    52        t.toStart();
    53      ...});
    54    },...})

Listing 1: Code snippet of OKLOK.

4.2 MiniCPRF Detector

Following the MiniCPRF attack flow described in Section 3, we designed MiniCPRF Detector in the following steps.

Step I: Identifying the Nodes Calling Page Routing APIs. According to the WeChat developer documentation [37], the page routing APIs of WeChat mini-programs are called in the logic layer of the mini-program (i.e., in JavaScript files). We focus on three routing APIs: wx.navigateTo, wx.reLaunch, and wx.redirectTo. In detail, MiniCPRF Detector constructs an Abstract Syntax Tree
MiniCAT: Understanding and Detecting Cross-Page Request Forgery Vulnerabilities in Mini-Programs CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA
(AST) of the source code in the mini-program logic layer (i.e., the JavaScript code). Then, it filters the callee nodes whose names match those APIs and extracts the url property of each call to obtain the URL passed to the page routing API. The URL is split by regular matching into the potentially vulnerable mini-program page (used in Steps III and IV) and its parameters (used in Step II). In the OKLOK case (see Listing 1), MiniCPRF Detector locates the call to wx.redirectTo (Lines 30∼31) and extracts its url property as the page routing URL, which consists of the vulnerable page /pages/index/deviceDetail/deviceDetail and its parameters, JSON.stringify(n).

Step II: Building the Attack Path. After obtaining the route and parameters of a potentially vulnerable mini-program page, the next step towards a MiniCPRF attack is to build an attack path. Our goal is not to obtain exact parameter values, which may be server-generated and hard to extract statically. Rather, we focus on outlining the attack path, that is, the steps an attacker must take at the render layer to trigger the page routing API, reach the vulnerable page, and eventually extract its routing URL. For Listing 1, after retrieving the URL, MiniCPRF Detector needs to identify how the page routing API can be triggered so that its url attribute can be manipulated within the attack context. Through manual analysis, we charted the reverse attack path to the routing API in the mini-program logic layer as follows: ①wx.redirectTo() → ②success: function(a) → ③toBindDevice: function() → ④Page({..}).

However, the existing static analysis tools for mini-programs [57, 60, 65] are insufficient for automatically analyzing mini-programs like OKLOK, as they do not detect MiniCPRF issues. These tools use forward static analysis focused on client-side data flow; TaintMini [65], for example, constructs data flows from user inputs to sensitive APIs. Our approach differs: we aim to reconstruct the entire attack path rather than a data flow through page routing APIs. Thus, we need a new method for detecting MiniCPRF.

Since the attack path always ends at a page-routing API callee node, reverse taint analysis can potentially automate the analysis of this path. To verify this assumption, we manually analyzed the attack path in the mini-program. In the related view page of the render layer (deviceAdd.wxml), we found that the event toBindDevice interacts with the logic layer through a WXML attribute of a button component. As shown in Listing 1, when the user clicks the button (bindtap), the logic layer (deviceAdd.js) executes the toBindDevice event-handling function. The _id is then passed to toBindDevice through the event channel and finally concatenated after ?param= to form the complete page routing URL.

We therefore propose an analysis method based on reverse taint analysis. Specifically, we set the page routing API node as the sink node and locate its event-handling function toBindDevice (the target source node) through a reverse taint query. After that, MiniCPRF Detector identifies the WXML elements and attributes that trigger the event on the corresponding render layer page. Reverse taint analysis helps by accurately identifying the components on the attack path, such as event-handling functions and the WXML components that trigger events. To automate the manual process above, we must solve the following two challenges:

Challenge I: Locating the correct event-handling function in the logic layer. In Listing 1, the attack path passes through two functions: success and toBindDevice. If MiniCPRF Detector mistakenly identifies success as the event-handling function, it cannot find the corresponding WXML element on the render layer page, and the attack path is interrupted. It is therefore crucial to identify the correct function.

To address Challenge I, we analyzed the AST of the source code and observed that the part executing the page routing API (Lines 15∼35 in Listing 1) is enclosed in a function container. This container is either an event-handling function (EV function) or another kind of function (OT function, e.g., the success callback). The two can be distinguished by examining the scope of the function's preceding node (PR node). Based on the standardized architecture of mini-program logic layers [24], the PR node of an EV function is its module node at the top level of the AST (the Page() object in Listing 1), whereas the PR node of an OT function lies within a function container.

In particular, MiniCPRF Detector identifies each function's PR node using reverse taint analysis, as shown in Algorithm 1. It determines the PR node scope per node, which locates the EV function without confusing it with OT functions. If the EV function is one of the mini-program page lifecycle functions [36], such as onLoad or onHide, the trigger is a user interaction such as a page load or refresh. In summary, Challenge I is solved by analyzing the scope of PR nodes in the AST, which locates event-handling functions without interference from other functions.

Algorithm 1 Finding the event-driven function in the logic layer.
 1: function findEventHandling(rawAST, routingAPI_calleeNode)
 2:   sourceNodeList ← ∅
 3:   sink = routingAPI_calleeNode
 4:   sourceNodeList += reverseTaint(rawAST, sink)
 5:   for source in sourceNodeList do
 6:     sourceScope = source.getContainer().getScope()
 7:     sinkScope = sink.getContainer().getScope()
 8:     if sourceScope == sinkScope then
 9:       PR_node = sourceScope.getpredNode()
10:       if PR_node.getContainer() instanceof Function then
11:         continue
12:       else if PR_node.getContainer() instanceof TopLevel then
13:         EV_FunctionNode = source
14:         break
15:       end if
16:     end if
17:   end for
18:   return EV_FunctionNode
19: end function

Challenge II: Identifying WXML components in the render layer. After solving Challenge I, we can locate the event-handling function in the logic layer. Next, we must perform a data flow analysis to find the element that triggers the event in the render layer. Although tools like [57, 60, 65] analyze WXML data flows, they fall short of our needs because their analysis starts at the render layer.
This necessitates a technique for MiniCPRF Detector to analyze WXML files effectively so that the attack path is not interrupted. As the syntax of WXML is similar to HTML [43], we use a public tool [44] to convert WXML files to HTML files while keeping the raw WXML tags and attributes. Then, using well-established HTML-capable analysis tools (such as CodeQL [11]), we rebuild the AST from the transformed mini-program source code for cross-layer analysis. As shown in Algorithm 2, MiniCPRF Detector uses the previously queried EV function as the sink node of a new reverse taint analysis on the new AST, which yields the attribute corresponding to the EV function (the EV attribute). Since the converted WXML files preserve all original attributes, the EV attribute and its element identify the target event-triggering WXML component.

Algorithm 2 Finding the event trigger attribute in the render layer.
 1: function findEventWXML(wxmlFile, jsFile, EV_FunctionNode)
 2:   newSourceCode ← ∅
 3:   newSourceCode += (convertToHTML(wxmlFile), jsFile)
 4:   newAST ← ∅
 5:   newAST += buildAST(newSourceCode)
 6:   wxmlSinkNode = EV_FunctionNode
 7:   wxmlSourceNode = reverseTaint(newAST, wxmlSinkNode)
 8:   EV_attribute = wxmlSourceNode
 9:   return EV_attribute
10: end function

In the OKLOK case (Listing 1), after Step II we can construct the complete attack path to the MiniCPRF vulnerable page. To obtain the value of t, an attacker only needs to click the target <button> on the deviceAdd page (deviceAdd.wxml). After the click, t is passed into toBindDevice and used as part of the url parameter of wx.redirectTo in deviceAdd.js, and the OKLOK mini-program jumps to the vulnerable page deviceDetail. If the deviceDetail page can be shared or forwarded, the attacker can obtain the value of t simply by extracting its routing URL.

Step III: Checking User State. In the OKLOK case, a crucial factor in the success of the attack was the lack of a correct user state implementation on the deviceDetail page, which allowed attackers unauthorized access and sensitive operations. As mentioned in Section 2, user state is implemented more uniformly in WeChat mini-programs than in web apps, which lets us perform general static analysis on it.

Our static analysis checks for two types of API calls in the onLoad page-load functions of potentially vulnerable pages. The absence of both suggests that the page does not check the user state when it loads, which raises the risk, especially if MiniCPRF vulnerabilities exist.
(1) APIs that check whether the user state obtained by wx.login has expired, such as wx.checkSession.
(2) APIs that read the local mini-program storage cache, such as wx.getStorage and wx.getStorageSync.

In the OKLOK case, after the user logs into the mini-program, wx.setStorageSync("user") in the logic layer stores the user field in local storage. However, when the user navigates to the deviceDetail page and its onLoad function runs, the page does not completely verify the user state: the page logic executes regardless of whether the user is logged in. This inconsistency in user state is key to the success of MiniCPRF attacks.

Step IV: Shareability Check. As mentioned in Section 2, the onShareAppMessage() function controls the shareability of a mini-program page. MiniCPRF Detector analyzes the page with the page routing API calls identified in Step I and checks whether it implements this function to determine its shareability. As shown in Listing 1, MiniCPRF Detector identifies that the page deviceAdd.js implements onShareAppMessage() in the OKLOK case. The attacker can share the page in any chat and extract the full page routing URL from the WeChat local storage, which simplifies the attack.

5 IMPLEMENTATION OF MINICAT

Here, we introduce the implementation of MiniCAT, including the Mini-Program Crawler and MiniCPRF Detector modules. In total, MiniCAT consists of 2,374 lines of Python code and 900 lines of QL code.

Mini-Program Crawler Implementation. First, we used pywinauto [19] (a set of Python modules for automating the Windows GUI) to simulate the user's search and access process on the WeChat Windows client. Moreover, using the NLP word segmentation library jieba [16], we processed the mini-program descriptions from the metadata API mentioned in Section 4 to create the search keyword list. Finally, we used wxappUnpacker (a public WeChat mini-program unpacking tool) to unpack the crawled mini-program packages.

MiniCPRF Detector Implementation. After obtaining the source code of the mini-programs, we implemented MiniCPRF Detector following the steps designed in Section 4 on top of CodeQL, a static analysis tool that builds ASTs and performs static data flow analysis. We used wxml-transformer to convert WXML to HTML files.

6 EVALUATIONS

In this section, we discuss the detection results of MiniCAT. We also design a passive DNS-based approach to evaluate the popularity of mini-programs. Moreover, two real-world cases are analyzed in depth, and measurements on multiple platforms are discussed.

Experiment Setup. Our Mini-Program Crawler was deployed on a Windows 10 laptop (i7-6600U, 16 GB RAM) with Python 3.8.0. For MiniCPRF Detector, we performed the analysis on a server running Ubuntu 20.04 with 32 CPU cores and 256 GB of memory, using 10 threads to analyze all mini-programs.

Dataset. We collected and successfully unpacked 44,273 WeChat mini-programs using Mini-Program Crawler, occupying 126.38 GB of storage. These mini-programs consist of 2,264,377 pages, an average of approximately 51 pages per mini-program. The mini-programs that could not be unpacked were incompatible with the wxappUnpacker tool because they use a newer version of the WeChat mini-program base library; other unpacking failures were caused by missing main packages [17].

Result Overview. Among the mini-programs collected, MiniCAT successfully analyzed 41,726/44,273 (94.2%), identifying 13,349/41,726
(32.0%) as potentially vulnerable, with a cumulative 119,471 risky pages. On average, each such mini-program contained nine potential MiniCPRF vulnerabilities. The remaining 2,547/44,273 (5.8%) mini-programs were not analyzed because their code is absent (WeChat Cloud Development [28]) or heavily obfuscated.

Efficiency. Mini-Program Crawler took about 15 seconds to crawl a single mini-program, which allows an average of 2,687 mini-programs to be collected per day. In total, our crawler collected a dataset of 44,273 mini-programs, demonstrating its ability to gather WeChat mini-programs at scale.

For MiniCPRF Detector, the total analysis time was eight days, averaging 106.75 seconds per mini-program. Building each mini-program's AST and performing a global data flow analysis in a CodeQL query is time-consuming. To bound the cost, MiniCPRF Detector applies a 5-minute timeout to CodeQL queries, consistent with the default timeout of the CodeQL CLI [10] and with previous JavaScript static analysis work using CodeQL [61]. As a result, 14,920 out of 41,726 (35.8%) mini-programs were skipped due to timeouts. Our further analysis revealed that these mini-programs have heavily obfuscated source code, which keeps the CodeQL queries iterating without terminating within the limit.

Figure 6: The MiniCPRF statistic based on categories. [Bar chart, y-axis "Percentage": the percentage of potentially vulnerable mini-programs in each category. The bar values that survived extraction are 25.69, 18.35, 10.14, 10.09, 7.24 (four categories), 6.88 and 5.05; the category labels on the x-axis did not survive.]

6.1 False Positive and False Negative

As described in Section 4, MiniCAT generates potential MiniCPRF attack paths by scanning the source code of mini-programs. Incorrectly identifying secure page routes (such as pages that cannot be shared) as potential attack paths results in false positives (FP), since attackers cannot use these routes to construct MiniCPRF attacks. Conversely, if essential elements of an attack path (such as page routes and their parameters, trigger pages, WXML elements, and page shareability) are not properly identified, MiniCAT may overlook potential MiniCPRF vulnerabilities, leading to false negatives (FN).

Due to the absence of ground truth, we followed the methodology of previous studies [65, 70] and selected 100 samples from the mini-programs flagged as potentially vulnerable. These samples were manually inspected to determine whether MiniCPRF attack paths could be constructed, thus measuring FP. Additionally, we manually selected 100 samples from the mini-programs excluded by the MiniCAT query results and examined whether insecure page routing implementations (i.e., potential MiniCPRF attack paths) existed, thus measuring FN.

False Positives. Among the 100 selected potentially vulnerable mini-programs, we found no FPs. MiniCAT strictly analyzes source code models derived from the MiniCPRF attack process, following the guidelines of the official WeChat developer documentation, so every path it reports is one an attacker could use to forge mini-program cards for MiniCPRF attacks; this is why MiniCAT does not produce false positives.

False Negatives. Among the 100 selected mini-programs that MiniCAT did not identify as potentially vulnerable, we found 3 FN cases, each corresponding to a different scenario: 1) MiniCAT identified the function that invokes the page routing API as being embedded within another function registered in Page(), rather than as an independent event-handler function. 2) MiniCAT failed to capture the full page URL because it is constructed by concatenating paths and strings. 3) The page calls getApp() [48] to fetch the mini-program instance before defining Page(), which alters its position in the AST and led MiniCAT to exclude it by Algorithm 1.

Scenario 1 represents a complex challenge for static analysis tools such as MiniCAT because of the dynamic nature of function calls and event handling in JavaScript, which leads to unpredictable outcomes that hinder systematic detection. Scenarios 2 and 3 are deviations from the practices recommended in the mini-program development documentation, and we regard them as cases where developers departed from those guidelines.

Note that our definition of FP and FN is based on the static query results of MiniCAT rather than on the actual harm caused by the detected vulnerabilities; we discuss the latter in Section 6.3.

6.2 Insight Evaluation

To evaluate the impact of MiniCPRF on mini-programs, we analyzed the evaluation results from multiple dimensions.

Category Analysis. We measured the potential impact of MiniCPRF on mini-programs by category, as shown in Figure 6. Among all the mini-program categories affected by MiniCPRF, LifeStyle has the highest percentage (25.7%). Surprisingly, the Government category (18.4%) and the Finance category (7.2%) also have relatively high proportions. Developers should pay particular attention to the security of these mini-programs, since they frequently handle sensitive personal information such as ID card and credit card numbers.

Template Development. After analyzing the results of MiniCAT, we identified 36 potentially vulnerable mini-program templates with similar risky page routes, event-function names, and WXML components. These templates, often used for similar functionality in categories such as shopping and dining, come from third-party providers or from WeChat itself. 503/13,349 (3.8%) matched
these templates. For instance, we discovered two completely unrelated mini-programs with similar structures: MiniCAT identified a camping reservation app and a coffee shop ordering app that both concatenate the price as a parameter into the page route of their order submission pages (pages/order/order?action=selectOrder&showall=1&is_chooese_tick=..&price=..), allowing attackers to modify the price and still invoke WeChat payment successfully. Whether the vulnerabilities stem directly from the templates or from how developers implement them remains unclear. Our finding suggests caution when using templates in development, as they may carry security risks.

Inconsistent User States. To discern whether developers introduced MiniCPRF vulnerabilities inadvertently, we analyzed all 119,471 risky pages. Of these, 13,109 (11.0%) involved user-state checks on their target pages, while 106,362 (89.0%) did not. Among those 106,362 pages, apart from only 3 (0.2%) potentially vulnerable mini-programs that omitted user state on all of their pages, 6,792 (53.9%) of the potentially vulnerable mini-programs lacked user-state handling only on their target pages. As mentioned in Section 4, inconsistent user state implementations are security hazards. Our analysis therefore suggests that the current user state implementation of the WeChat mini-program framework may lead developers to overlook user state verification on certain pages.

Impact Measurement by pDNS. To assess the impact of MiniCPRF, we aimed to measure the popularity of potentially vulnerable mini-programs. Although WeChat has no official mini-program ranking, previous studies [70, 73] used ratings to assess popularity and impact. However, since rating is optional for users, it may not accurately represent the user base. After investigation, we found that each WeChat mini-program has a domain allowlist [32], which restricts its communication to specific domains, and MiniCAT can crawl this list via the mini-program metadata API [23]. We therefore used passive DNS (pDNS) [18] data for these domains as an indicator of mini-program popularity.

Specifically, pDNS collects and examines historical DNS data, providing insight into domain resolutions. By tracking the pDNS records of the domains on the allowlist over time, we can infer the popularity of the mini-program. Using a commercial tool with extensive pDNS records, we filtered out common service domains (e.g., Content Delivery Network (CDN) and Object Storage Service (OSS) domains) and duplicated generic domains (e.g., official WeChat/Tencent and third-party APIs), keeping the unique domains of each mini-program. Our study targets 3,208 mini-programs with 9,007 related domains and measures their pDNS records over seven days (4th to 11th June 2023). The top 10 mini-programs by pDNS record count are listed in Table 2. The result shows that many potentially vulnerable mini-programs are very popular. Although pDNS does not give an exact user count for each mini-program, it serves as a relative measure of popularity and offers insight into the impact of potentially vulnerable mini-programs.

Table 2: Mini-programs with top 10 pDNS record counts. #Vul: number of potential MiniCPRF vulnerabilities; #pDNS: number of pDNS records.

    Mini-Program Name       Category        #Vul   #pDNS
    LingLingFa              Job                9   226,572,893
    Changan E-parking       Traffic            6    11,271,812
    Sohu                    Lifestyle         28    11,191,188
    OPPO Shop               Shopping           2    10,489,618
    BianLiFeng              Food               8    10,364,160
    LengshuiJiang Parking   Traffic           11     9,311,400
    Xiwo E-learning         E-learning        11     8,717,258
    WMS                     Business           4     8,019,688
    MOGO                    Traffic            9     7,474,291
    CMobile CloudVision     Entertainment     20     4,984,846

6.3 Vulnerability Verification

As mentioned above, MiniCAT identifies potential vulnerabilities in mini-programs. However, verifying a MiniCPRF vulnerability is challenging because there is no ground truth about the server-side processing of these mini-programs. For example, from the route wx.navigateTo("/pages/pay/submit?orderid=...&price=") we can see that the user is redirected to a payment page showing the payment price and order id, but whether modifying the price leads to a real vulnerability is uncertain, because we cannot observe whether the server performs additional verification.

Thus, for MiniCPRF, our verification focuses on the front end of mini-programs. Specifically, we determine a mini-program to be vulnerable if: 1) the parameters within the page routing URL can be obtained by manually sharing its card; 2) these parameters can be modified; and 3) users can open the modified mini-program card and be redirected by it.

Building the Test-case Dataset. Since manually analyzing all 13,349 potentially vulnerable mini-programs is impractical, we constructed a potentially vulnerable mini-program set for manual vulnerability verification and for evaluating the effectiveness of MiniCAT, following the method of an existing study [70]. In detail, we extracted the parameter names linked to potential vulnerabilities from the results of MiniCAT and classified these parameters into five categories:
• Payment Info: Covers payment details, such as method and outcome. If breached, attackers can shop without paying.
• Promotion Info: Consists of membership cards, coupons, and promotions. Vulnerabilities allow attackers to claim undue benefits.
• Order Info: Information like order IDs and total prices. Attackers could tamper with prices and item counts, with severe consequences.
• Device Info: Pertains to device data, especially from IoT devices, such as device IDs and UUIDs. Compromised information risks unauthorized access or leaks.
• Personal Info: Includes mobile numbers, addresses, and credit card numbers, whose exposure leaks sensitive personal data of users.

We prioritized these categories because modifying them carries serious consequences. Table 3 displays the categorized results. Note that a mini-program can fall under multiple categories due to different insecure routing implementations.
Table 3: Categorized results of parameters. #IVM: number of potentially vulnerable mini-programs involved.

    Category    Examples                 #IVM
    Payment     payprice, isPaysuccess   2,432 (18.2%)
    Promotion   coupon_id, membercard    1,903 (14.3%)
    Order       orderId, goods_id        3,385 (25.4%)
    Device      deviceID, device_uuid    5,805 (43.4%)
    Personal    mobile, creditcardNum    4,642 (34.8%)

Verification Overview. To build our test cases for verification, we randomly selected 80 mini-programs from each category, 400 mini-programs in total. We detected severe security issues, such as data leaks, in 316/400 (79.0%) mini-programs. In addition, 33/400 (8.3%) mini-programs were unverifiable due to deprecation or inaccessibility; for example, we could not verify some internal-use mini-programs without specific credentials. Among the 316 vulnerable mini-programs, 234/316 (74.1%) leak at least sensitive information (e.g., phone numbers or addresses), and 82/316 (25.9%) allow sensitive operations beyond the user's privileges (e.g., viewing or modifying other users' information without permission).

Harmless Mini-programs with MiniCPRF. After excluding the 33 mini-programs that could not be analyzed, we found that for 38/367 (10.4%) mini-programs the parameters of the page routing URLs could not be modified, or we failed to open the modified mini-program cards. These 38 cases fall into three scenarios: 1) The operations reachable through MiniCPRF remain within the normal user role (12/38, 31.6%), such as a news app in which users read the news item selected by the id in page/news/id=. Even if the id is modifiable, it does not allow any sensitive operation. 2) The page routes contain one-time or tamper-proof parameters (12/38, 31.6%). For example, in routes like /pages/pay/submit?money=..&user=..&sign=...&timestamp=..., the parameters sign and timestamp are time-constrained, so attackers cannot alter them to bypass authentication. 3) Developers implemented secondary verification on the server side (14/38, 36.8%). For example, where the payment amount is passed in the page route, server-side re-verification of the amount ensures that even a modified payment cannot be processed successfully.

6.4 Real-world Case Studies

Based on our evaluation, we present representative MiniCPRF instances that show the impact of MiniCPRF on real-world mini-programs, such as unauthorized control of smart devices and arbitrary modification of shopping prices. These cases demonstrate that MiniCPRF can pose significant security threats even though it is a front-end vulnerability.

Case I: Unauthorized Operations. DBDLOCK is a smart device management mini-program that allows device owners to authorize other users by adding them as friends, since several people may need to use a single smart device. Specifically, the friendDetail page receives a user_id parameter and redirects to the friendAuth page. The user_id uniquely identifies a mini-program user. The friendAuth page then adds the user associated with this user_id as a friend of the current user and grants them device permissions. Although user_id is not directly visible to users of the mini-program, attackers can obtain their own user_id by registering two accounts and replicating the process, thanks to the shareability of the friendAuth page. Subsequently, attackers can generate malicious mini-program cards or malicious WeChat mini-program codes that redirect to pages/friend/friendAuth/friendAuth?param={user_id of Attackers}. If victims click on these malicious cards or scan the generated codes, they inadvertently add the attacker as a friend, granting the attacker unauthorized control over their devices.

    /* The trigger page: friendDetail.js */
    tofriendAuth: function () {
      var t = {
        user_id: this.detail.friend._id
      };
      ...,
      success: function (t) {
        /* The target callee node */
        wx.navigateTo({
          url: "/pages/friend/friendAuth/friendAuth?param=" + JSON.stringify(t)
        });},...

    /* Shareability implementation: friendAuth.js */
    onShareAppMessage: function () {...}, ...
    /* The user state check in the target page */
    onLoad: function (e) {
      var n = this;...
      n.user = wx.getStorageSync("login") || {},
      ...
      n.initView();
    }

Listing 2: Friends authorization in DBDLOCK.

Case II: Modify Shopping Price. Due to the convenient integration of the payment API [33] with mini-programs on WeChat, more and more mini-programs are used for online business. In this case, developers must implement secure payment mechanisms and keep sensitive information out of the routes used to jump to other mini-program pages. Otherwise, attackers can perform sensitive payment operations by exploiting the MiniCPRF vulnerability (e.g., shopping for free).

EasyOrderHelper is a mini-program that helps vendors sell products online and receive payments; vendors share the mini-program with customers to sell their products. As shown in Listing 3, when a user submits an order, the mini-program navigates to the order submission page submitOrder, carrying the number of products in the current user's shopping cart as cartNum and the total price of the cart as cartPrice. However, this payment logic violates the security rules of WeChat Payment [39], which require the payment order generation process to be invisible to the front end of the mini-program, and the server side of this mini-program performs no secondary verification of the payment price. As a result, attackers can forward the submitOrder page to generate a mini-program card and modify the cartPrice parameter to a lower price, even zero. After clicking the card again, attackers can generate an order and purchase the goods at the modified price. More seriously, if the attacker forwards such malicious mini-program cards to other users, the cards may spread widely, leading to huge financial losses for the merchant.
535
CCS ’24, October 14–18, 2024, Salt Lake City, UT, USA Zidong Zhang, et al.
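Section 6.5 and Listing 4 below observe that the same mini-program on WeChat, Baidu and Alipay differs only in the routing namespace (wx/swan/my) and a routing prefix, so a detector needs only the API names adjusted per platform. The following JavaScript is an added example of that idea, not MiniCAT's code: it scans mini-program source for navigation calls under each namespace, strips a platform-specific path segment, and groups identical targets across platforms while flagging route parameters whose names suggest sensitive state. The namespace table (including "tt" for TikTok), the PLATFORM_PATH_SEGMENTS set, the SENSITIVE_PARAMS pattern and the sample sources (modelled on Listings 3 and 4) are all assumptions constructed for illustration.

```javascript
// Added example (not MiniCAT's code): a minimal cross-platform route extractor.
// PLATFORM_NAMESPACES, PLATFORM_PATH_SEGMENTS, SENSITIVE_PARAMS and the *_SRC
// snippets are assumptions / constructed samples, not data from the paper.
const PLATFORM_NAMESPACES = { wx: "WeChat", swan: "Baidu", my: "Alipay", tt: "TikTok" }; // "tt" assumed
const PLATFORM_PATH_SEGMENTS = new Set(["baiduAppPages"]); // assumption: prefix seen in Listing 4
const SENSITIVE_PARAMS = /^(user_?id|open_?id|cart(price|num)|price|amount|token)$/i; // assumption

// Matches `<ns>.navigateTo({ url: <expr> })` (and redirectTo/reLaunch) for every namespace,
// capturing the namespace, the API name and the raw url expression. Handles objects whose
// first key is `url`, which is how Listings 3 and 4 are written.
const NAV_RE =
  /\b(wx|swan|my|tt)\s*\.\s*(navigateTo|redirectTo|reLaunch)\s*\(\s*\{\s*url\s*:\s*([^}]+?)\s*\}\s*\)/g;

// Pull the string literals out of a concatenation such as "/p?a=" + t + "&b=" + u.
function literalParts(expr) {
  return Array.from(expr.matchAll(/"([^"]*)"|'([^']*)'/g), (m) => m[1] ?? m[2]);
}

// Drop platform-only path segments so the same page lines up across platforms.
function normalizePath(path) {
  return path.split("/").filter((seg) => !PLATFORM_PATH_SEGMENTS.has(seg)).join("/");
}

// One record per navigation call: platform, API, normalized page path, parameter
// names found in the URL template, and the subset that looks sensitive.
function extractRoutes(source) {
  const routes = [];
  for (const m of source.matchAll(NAV_RE)) {
    const [, ns, api, expr] = m;
    // "\u0000" stands in for each concatenated variable between the literals.
    const template = literalParts(expr).join("\u0000");
    const [rawPath, query = ""] = template.split("?");
    const params = Array.from(query.matchAll(/([A-Za-z_]\w*)=/g), (q) => q[1]);
    routes.push({
      platform: PLATFORM_NAMESPACES[ns],
      api,
      path: normalizePath(rawPath),
      params,
      sensitive: params.filter((p) => SENSITIVE_PARAMS.test(p)),
    });
  }
  return routes;
}

// Group routes from several platform builds by (path, params) so that one finding
// on WeChat maps directly onto its Baidu/Alipay counterparts.
function groupByTarget(sources) {
  const groups = new Map();
  for (const src of sources) {
    for (const r of extractRoutes(src)) {
      const key = `${r.path}?${r.params.join("&")}`;
      if (!groups.has(key)) {
        groups.set(key, { path: r.path, params: r.params, sensitive: r.sensitive, platforms: [] });
      }
      groups.get(key).platforms.push(r.platform);
    }
  }
  return Array.from(groups.values());
}

// Constructed samples modelled on Listing 4 (three platforms) and Listing 3 (trigger page).
const WECHAT_SRC = `goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  wx.navigateTo({ url: "/pages/wjxqPage/wjxqPage?activityId=" + t });
},`;
const BAIDU_SRC = `goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  swan.navigateTo({ url: "/pages/baiduAppPages/wjxqPage/wjxqPage?activityId=" + t })
},`;
const ALIPAY_SRC = `goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  my.navigateTo({ url: '/pages/wjxqPage/wjxqPage?activityId=' + t })
},`;
const SHOP_SRC = `to_submit_order: function () {
  this.haveAvatar ? wx.navigateTo({
    url: "/pages/submitOrder/submitOrder?cartNum=" + this.data.cartCount + "&cartPrice=" + this.data.cartMoney
  }) : this.setData({ authShow: !0 });
},`;

function report() {
  return groupByTarget([WECHAT_SRC, BAIDU_SRC, ALIPAY_SRC, SHOP_SRC]);
}
```

Running report() yields one group for /pages/wjxqPage/wjxqPage seen on WeChat, Baidu and Alipay with no flagged parameters, and one for /pages/submitOrder/submitOrder whose cartNum and cartPrice parameters are flagged; a real detector such as MiniCAT additionally follows those parameters into the target page's onLoad and checks whether any user-state verification guards their use.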
/* The trigger page */
cart_count: function (t) {
  ... this.setData({
    cartCount: h.data.cartNum,
    cartMoney: parseFloat(a).toFixed(2), ...
  });
}, ...
to_submit_order: function () {
  // The cart total computed on the client is copied straight into the route parameters.
  this.haveAvatar ? wx.navigateTo({
    url: "/pages/submitOrder/submitOrder?cartNum=" + this.data.cartCount + "&cartPrice=" + this.data.cartMoney
  }) : this.setData({
    authShow: !0
  });
}, ...

/* pages/submitOrder/submitOrder.js */
onLoad: function (...) {
  ...
  this.setData({
    ...
    // The target page takes the price from the route options (a) without any check.
    cartNum: a.cartNum,
    cartPrice: a.cartPrice,
    ...
  })), ...

Listing 3: Shopping for free in EasyOrderHelper.

Table 4: Feature comparison of mini-program platforms.
RI: Page Routing Implementation; USI: User State Implementation; US: URL Schema; PwU: Parameter with URL; ENC: Encryption; CF: Cookie-like Features; CI: Custom Implementation.

Platforms   RI: US   RI: PwU   RI: ENC   USI: CF   USI: CI   Daily Active Users
WeChat      ✓        ✓         ×         ×         ✓         928M
WeCom       ✓        ✓         ×         ×         ✓         130M
Baidu       ✓        ✓         ×         ✓         ✓         378M
Alipay      ✓        ✓         ×         ×         ✓         639M
TikTok      ✓        ✓         ×         ✓         ✓         276M

✓: Implementation found; ×: Implementation not found.

6.5 Measurements on Other Platforms

To further evaluate the overall impact of MiniCPRF on the mini-program ecosystem, we analyzed other mini-program platforms besides WeChat. This analysis is divided into two main aspects: Similarity Mechanism and Feasibility of MiniCPRF.

Similarity Mechanism. Table 4 highlights how closely the page routing and user-state mechanisms of other platforms resemble WeChat's, indicating potential shared vulnerabilities due to similar routing structures. Our research examined mini-programs from the WeCom [41], Baidu, Alipay, and TikTok platforms. In our test set, we found mini-programs with the same names across these platforms: 49 in WeCom, 49 in Baidu, 23 in Alipay, and 17 in TikTok. Further analysis showed a high degree of similarity in the vulnerability patterns of these mini-programs compared to their WeChat counterparts: 49/49 (100%) in WeCom, 47/49 (95.9%) in Baidu, 20/23 (87.0%) in Alipay, and 12/17 (70.6%) in TikTok. For mini-programs from platforms other than WeChat that produced inconsistent results, we noted that they use distinct routing prefixes, suggesting a unified vulnerability classification. Detailed cases of these vulnerable mini-programs across platforms are listed in the public GitHub repository of MiniCAT [49].

Listing 4 illustrates the similarity in parameters and target pages of the mini-programs named Wenjuanxing across different platforms, despite minor differences in routing prefixes. This uniformity in routing mechanisms means MiniCAT needs only minimal adjustments for each platform; for example, to analyze Baidu mini-programs, MiniCAT only needs to adjust the API names involved in each step (swan.navigateTo in place of wx.navigateTo, as in Listing 4). The MiniCPRF Detector of MiniCAT now supports automated analysis of WeCom, Baidu, Alipay, and TikTok mini-programs.

Feasibility of MiniCPRF. As previously discussed, to perform a MiniCPRF attack, attackers must be able to easily access, view, and modify the page routing URLs and their parameters. To determine whether MiniCPRF can be carried out on other platforms, we need to answer the following two questions:

• Can attackers obtain mini-program page routing URLs and parameters through sharing or forwarding? Our analysis indicates that, in this respect, only WeCom and Alipay mini-programs are vulnerable to MiniCPRF attacks. WeCom mini-programs can be forwarded to WeChat, which allows MiniCPRF attacks to be transferred because the two frameworks are similar. Baidu mini-programs only permit forwarding via encrypted links that always redirect to the homepage. Alipay mini-programs can be forwarded to various applications, and forwarding to DingTalk exposes the path and parameters [3]. TikTok mini-programs, on the contrary, lack sharing or forwarding capabilities.

• Can attackers construct or modify mini-program page routing URLs and parameters? Our findings indicate that all examined platforms provide navigation to specific mini-program page paths. Notably, WeCom accepts mini-program cards from WeChat, and due to framework similarities, MiniCPRF attacks can be transferred from WeChat to WeCom. According to the platforms' developer documents [1, 5, 25] and the W3C specification [27], Baidu, Alipay, and TikTok mini-programs can be launched through the URL schema from H5 pages or a WebView, which lets whoever crafts the URL choose the page and its parameters. This opens another avenue for MiniCPRF attacks: attackers can craft a modified URL schema. Furthermore, even without routing paths and parameters (notably on Baidu and TikTok), attackers can recover them from the mini-program with the same name on another platform and then perform attacks.

In summary, despite certain limitations, our measurements indicate that MiniCPRF is a universal risk in the mini-program ecosystem that requires serious attention from vendors and developers.

7 DISCUSSIONS

Limitations. Although MiniCAT can perform further analysis and evaluations for MiniCPRF, our work still has some limitations. First, MiniCAT is a static analysis tool based on CodeQL, and its analysis algorithm is designed around the standard code structure of WeChat mini-programs. Thus, like other static analysis methods, MiniCAT struggles to analyze mini-programs that cannot be unpacked or are heavily obfuscated. Meanwhile, MiniCAT failed to analyze a considerable number of mini-programs due to timeouts, which can
be partially alleviated by increasing the timeout value. Second, our crawler cannot collect some mini-programs due to compatibility limitations of the WeChat Windows client. Finally, MiniCAT mainly focuses on detecting potentially vulnerable mini-programs and cannot automatically verify the vulnerabilities it identifies.

/* WeChat Mini-program */
goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  wx.navigateTo({
    url: "/pages/wjxqPage/wjxqPage?activityId=" + t
  });
}, ...

/* Baidu Mini-program: same handler, different namespace and routing prefix */
goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  swan.navigateTo({
    url: "/pages/baiduAppPages/wjxqPage/wjxqPage?activityId=" + t
  });
}, ...

/* Alipay Mini-program: same handler, different namespace */
goToPage: function (e) {
  var t = e.currentTarget.dataset.id;
  my.navigateTo({
    url: "/pages/wjxqPage/wjxqPage?activityId=" + t
  });
}, ...

Listing 4: Source code of Wenjuanxing in multiple platforms.

Lessons Learned and Mitigation. As mentioned by Wang et al. [69], current mini-program frameworks lack some of the functionality and security features of browsers running traditional web apps. For mini-program routing, we found that the routing implementation of most mini-program platforms uses a plain-text URL schema and only allows parameters to be passed via URLs, which leads to the risk of MiniCPRF. For user states in mini-programs, Table 4 shows that, except for Baidu and TikTok, mini-program platforms do not support a cookie-like mechanism. If developers want a reliable user state, they have to build their own implementation on top of the storage capabilities provided by the mini-program framework, page by page. This process relies heavily on developers' security awareness and poses a significant challenge to the security of user states in mini-programs.

To address the issue of MiniCPRF, we recommend the following measures:

• Developers should consistently implement and verify the user state across pages and avoid transmitting sensitive parameters through page routing APIs. Parameters should be fortified with hard-to-forge elements such as time-sensitive signatures and timestamps. We also advocate performing sensitive data processing on the server side rather than in the front-end of the mini-program.

• Frameworks or super app vendors should address the root causes of MiniCPRF. They might consider supplying more secure parameter transmission methods in their page routing APIs and encrypting routing details instead of passing them in plain text. For mini-program cards, super apps could attach server-side, hard-to-forge, time-sensitive signatures to prevent malicious tampering. Vendors may need to modify their frameworks to implement these protections. Alternatively, they can at least provide warnings in their development documentation.

Ethical Considerations and Disclosure. To ensure ethical research practices, we conducted proof-of-concept attacks only on our own accounts, devices, and mini-programs, focusing on potential vulnerabilities in the front-end without exploiting the server side or collecting sensitive data. When crawling mini-programs or using the metadata API, we set a reasonable rate limit (i.e., 20 requests per minute) to prevent server disruptions.

Meanwhile, we have tried our best to disclose our findings to the related stakeholders and be responsible to the community. Just as Yang et al. mentioned [70] for CMRF attacks, vulnerabilities from our test-case set were first reported to Tencent, which attributed MiniCPRF issues to third-party developer lapses. Nonetheless, to raise awareness among mini-program developers, we obtained contact details for the 248/316 (78.5%) mini-programs that published contact information and informed them via email, providing technical details and remedial advice (the letter is in the MiniCAT public GitHub repository [49]). We have also contacted CNCERT/CC [8], the Chinese vulnerability coordination organization, and disclosed our findings to CNVD [7]. As of the submission of this paper, three cases have been confirmed (CNVD-2023-75836, CNVD-2023-75837, and CNVD-2024-05527), with the disclosure process ongoing.

8 RELATED WORK

Mini-Program Security. To comprehensively understand mini-programs, Zhang et al. [73] presented MiniCrawler to crawl WeChat mini-programs and conducted a measurement study of them, including their resource consumption, API usage, obfuscation rate, etc. Lu et al. [59] studied resource management in app-in-app systems and discovered a series of security flaws that can cause system resource exposure and deception attacks. Wang et al. [68] proposed WeDetector to detect three WeChat mini-program bug patterns and discovered 11 previously unknown bugs in 25 mini-programs. Zhang et al. [72] studied the identity confusion vulnerability in app-in-app ecosystems, analyzed 47 super apps and found that all of them are vulnerable to identity confusion attacks. Yang et al. [70] proposed CMRFScanner to detect CMRF, a new type of vulnerability, on a large scale; their results show that 50,281 WeChat mini-programs and 493 Baidu mini-programs are subject to CMRF. Most recently, Zhang et al. [74] and Baskaran et al. [50] examined the sensitive resource access protocols of mini-programs and discovered master key leakage vulnerabilities. Wang et al. developed TaintMini [65] to track sensitive data flows in mini-programs, finding that 11.4% of the 238,886 evaluated ones had such flows, with 455 risking privacy leaks through collusion. They also developed APIDIFF [66] to detect API execution differences in WeChat across platforms, categorizing discrepancies into API existence, permission, and output. Li et al. [57] developed MiniTracker to automatically track sensitive flows in mini-programs, addressing challenges such as asynchronous execution in JavaScript; their study of 150K mini-programs revealed common privacy threats and data leak patterns. Yu et al. [71] developed MiniTaintDev on top of WeChat DevTools to perform dynamic taint analysis that detects data leakage and sensitive API invocations in mini-programs. Wang
et al. [69] explored the web technologies underlying super apps, detailing their security mechanisms and proposing guidelines for enhanced security from a browser's perspective. Tao et al. [64] introduced JSLibD, a tool for automated extraction and heuristic detection of third-party libraries in mini-programs. Wang et al. [67] proposed a framework for data minimization in mini-programs, focusing on usage scenarios to enhance privacy without compromising functionality. Long et al. [58] investigated dark UI patterns in mobile apps, highlighting the need for increased awareness and regulation. Cai et al. [51] addressed the complexity of the shared account issue in super apps, exploring its implications for security and user privacy. Zhang et al. [75] discovered and measured the TrustedDomain attack in app-in-app ecosystems, a method exploiting domain-based allowlist weaknesses. Zhao et al. [76] examined the security implications of not incorporating signature verification in mini-program plugins. Li et al. [56] developed XPOScope to detect and mitigate cross-user personal data leakage (XPO) problems in mini-programs.

Unlike the above research, our work focuses on the practical security issues of the mini-program's web-app-like features. We systematically analyzed the problem and presented MiniCPRF, a novel vulnerability in mini-programs. Then, we developed MiniCAT to assess the prevalence of this vulnerability on a large scale.

Web App Security. CSRF is one of the top security threats against web apps. Pellegrino et al. [63] developed a model-based dynamic analysis framework, Deemon, and identified 14 previously unknown CSRF vulnerabilities in 10 web apps. Khodayari et al. [55] focused on client-side CSRF in web apps; they proposed JAW to detect client-side CSRF vulnerabilities using declarative traversals on hybrid property graphs. Jensen et al. [53] presented a static analysis tool, TAJS, to detect potential programming errors in JavaScript web apps. Kashyap et al. [54] provided JSAI, a robust abstract interpreter formally specified for JavaScript. Hedin et al. [52] proposed a security-enhanced JavaScript interpreter, JSFlow, for fine-grained information flow tracking. Park et al. [62] designed SAFE 2.0, a playground for advanced research in JavaScript web apps. However, all previous work was designed for web apps, and none of it can analyze the WeChat mini-program WXML file and build the attack path required by MiniCPRF, which is what MiniCAT implements.

9 CONCLUSION

In this work, we presented a new vulnerability within mini-programs called MiniCPRF. This vulnerability is caused by a design flaw in the page routing and user state management of the mini-program framework, exacerbated by developer misuse. To evaluate the impact of MiniCPRF, we developed MiniCAT, which analyzed 41,726 mini-programs. In total, 13,349 mini-programs were identified as having potential MiniCPRF vulnerabilities. We responsibly reported our findings to the corresponding vendors, and three of them have been confirmed with assigned CNVD IDs. Moreover, we conducted a mini-program impact measurement based on pDNS records and multi-platform feasibility evaluations. We believe that MiniCPRF poses a real security threat to the current mini-program ecosystem, and most developers are unaware of its existence.

ACKNOWLEDGMENTS

We thank the anonymous reviewers for their valuable comments and suggestions. The authors from Shandong University were supported by the National Natural Science Foundation of China (Grant No. 62372268), the Shandong Provincial Natural Science Foundation (Grant No. ZR2023MF043), the Taishan Young Scholar Program of Shandong Province, China (Grant No. tsqn202211001), and the Xiaomi Young Talents Program. Yacong Gu was supported by the Postdoctoral Fellowship Program of CPSF (Grant No. GZC20231361).

REFERENCES

[1] Accessed: 2024-01-27. Alipay Documentation: Mini-Program Scheme. https://opendocs.alipay.com/support/01rb18
[2] Accessed: 2024-01-27. Alipay Mini-Program. https://global.alipay.com/platform/site/product/mini-program
[3] Accessed: 2024-01-27. Alipay open platform: how to get any Alipay small program appId and the page path. https://open.alipay.com/portal/forum/post/17101017
[4] Accessed: 2024-01-27. APKPure. https://apkpure.net/
[5] Accessed: 2024-01-27. Baidu smart mini-program: mini-program scheme. https://smartprogram.baidu.com/docs/develop/function/opensmartprogram/
[6] Accessed: 2024-01-27. Baidu Smart Program. https://smartprogram.baidu.com
[7] Accessed: 2024-01-27. Chinese National Vulnerability Database (CNVD). https://www.cnvd.org.cn
[8] Accessed: 2024-01-27. CNCERT/CC. https://www.cert.org.cn/publish/english/index.html
[9] Accessed: 2024-01-27. Code Composition of a WeChat Mini Program. https://developers.weixin.qq.com/miniprogram/en/dev/framework/quickstart/code.html
[10] Accessed: 2024-01-27. CodeQL CLI. https://docs.github.com/en/code-security/codeql-cli
[11] Accessed: 2024-01-27. CodeQL for JavaScript. https://codeql.github.com/docs/codeql-language-guides/codeql-for-javascript
[12] Accessed: 2024-01-27. Decrypting WeChat DataBase. https://www.forensicfocus.com/articles/decrypt-wechat-enmicromsgdb-database/
[13] Accessed: 2024-01-27. Events in WeChat Mini-programs. https://developers.weixin.qq.com/miniprogram/en/dev/framework/view/wxml/event.html
[14] Accessed: 2024-01-27. Google Play. https://play.google.com/
[15] Accessed: 2024-01-27. JavaScript HTML DOM Events. https://www.w3schools.com/js/js_htmldom_events.asp
[16] Accessed: 2024-01-27. jieba. https://github.com/fxsjy/jieba
[17] Accessed: 2024-01-27. Packages of WeChat Mini-Program. https://developers.weixin.qq.com/miniprogram/en/dev/framework/subpackages.html
[18] Accessed: 2024-01-27. Passive DNS. https://docs.umbrella.com/investigate/docs/passive-dns
[19] Accessed: 2024-01-27. pywinauto. https://github.com/pywinauto/pywinauto
[20] Accessed: 2024-01-27. Routing in ExpressJS. https://expressjs.com/en/guide/routing.html
[21] Accessed: 2024-01-27. Sohu. https://www.sohu.com
[22] Accessed: 2024-01-27. Tencent WeChat. https://www.wechat.com/en/
[23] Accessed: 2024-01-27. The Metadata API for WeChat Mini-Program. https://mp.weixin.qq.com/wxawap/waverifyinfo
[24] Accessed: 2024-01-27. The Page Object in WeChat Mini-programs. https://developers.weixin.qq.com/miniprogram/en/dev/reference/api/Page.html
[25] Accessed: 2024-01-27. TikTok mini-program: Generate Scheme. https://developer.open-douyin.com/docs/resource/zh-CN/mini-app/develop/server/url-and-qrcode/schema/generate-schema-v2
[26] Accessed: 2024-01-27. TikTok Mini-programs. https://www.tiktok.com/discover/mini-programs
[27] Accessed: 2024-01-27. W3C: MiniApp Addressing explainer. https://github.com/w3c/miniapp-addressing/blob/main/docs/explainer.md
[28] Accessed: 2024-01-27. WeChat Mini-Program: Cloud Base. https://developers.weixin.qq.com/miniprogram/en/dev/wxcloud/basis/getting-started.html
[29] Accessed: 2024-01-27. WeChat Mini-program Code. https://developers.weixin.qq.com/miniprogram/en/dev/framework/open-ability/qr-code.html
[30] Accessed: 2024-01-27. WeChat Mini Program Host Environment. https://developers.weixin.qq.com/miniprogram/en/dev/framework/quickstart/framework.html
[31] Accessed: 2024-01-27. WeChat Mini Program Login. https://developers.weixin.qq.com/miniprogram/en/dev/framework/open-ability/login.html
[32] Accessed: 2024-01-27. WeChat Mini-Program Network Ability. https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/network.html
[33] Accessed: 2024-01-27. WeChat Mini-Program Payment. https://pay.weixin.qq.com/wechatpay_h5/pages/product/miniapp.shtml
[34] Accessed: 2024-01-27. WeChat Mini-Program Share & Forwarding. https://developers.weixin.qq.com/miniprogram/en/dev/framework/open-ability/share.html
[35] Accessed: 2024-01-27. WeChat Mini-Programs. https://mp.weixin.qq.com/cgi-bin/wx?token=&lang=en_US
[36] Accessed: 2024-01-27. WeChat Mini Program's Frame Interface: Page. https://developers.weixin.qq.com/miniprogram/en/dev/reference/api/Page.html
[37] Accessed: 2024-01-27. WeChat Mini-Programs Page Routing. https://developers.weixin.qq.com/miniprogram/en/dev/framework/app-service/route.html
[38] Accessed: 2024-01-27. WeChat Mini-programs Storage. https://developers.weixin.qq.com/miniprogram/en/dev/framework/ability/storage.html
[39] Accessed: 2024-01-27. WeChat Payment Guide. https://pay.weixin.qq.com/wiki/doc/api/wxpay/en/guide/pos/ReasonableQueryMechanism.shtml
[40] Accessed: 2024-01-27. WeChat Revenue and Usage Statistics (2024). https://www.businessofapps.com/data/wechat-statistics
[41] Accessed: 2024-01-27. WeCom Mini-programs. https://work.weixin.qq.com/wework_admin/wxcontacts/wxconnection_h5_guide?t=miniProgram
[42] Accessed: 2024-01-27. wxappUnpacker. https://github.com/system-cpu/wxappUnpacker
[43] Accessed: 2024-01-27. WXML Introduction. https://developers.weixin.qq.com/miniprogram/en/dev/framework/view/wxml
[44] Accessed: 2024-01-27. wxml-transformer. https://github.com/imingyu/wxml-transformer
[45] Accessed: 2024-01-27. wx.navigateTo. https://developers.weixin.qq.com/miniprogram/en/dev/api/route/wx.navigateTo.html
[46] Accessed: 2024-01-27. wx.redirectTo. https://developers.weixin.qq.com/miniprogram/en/dev/api/route/wx.redirectTo.html
[47] Accessed: 2024-01-27. wx.reLaunch. https://developers.weixin.qq.com/miniprogram/en/dev/api/route/wx.reLaunch.html
[48] Accessed: 2024-04-27. WeChat Revenue and Usage Statistics (2024). https://developers.weixin.qq.com/miniprogram/en/dev/reference/api/getApp.html
[49] Accessed: 2024-06-12. MiniCAT. https://github.com/kee1ongz/MiniCAT
[50] Supraja Baskaran, Lianying Zhao, Mohammad Mannan, and Amr M. Youssef. 2023. Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Hong Kong, China, October 16-18, 2023.
[51] Yifeng Cai, Ziqi Zhang, Ding Li, Yao Guo, and Xiangqun Chen. 2023. Shared Account Problem in Super Apps. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[52] Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld. 2014. JSFlow: Tracking Information Flow in JavaScript and its APIs. In Proceedings of the 29th ACM Symposium on Applied Computing (SAC), Gyeongju, Republic of Korea, March 24-28, 2014.
[53] Simon Holm Jensen, Magnus Madsen, and Anders Møller. 2011. Modeling the HTML DOM and Browser API in Static Analysis of JavaScript Web Applications. In Proceedings of the 19th ACM SIGSOFT Symposium and the 13th European Conference on Foundations of Software Engineering (ESEC/FSE), Szeged, Hungary, September 5-9, 2011.
[54] Vineeth Kashyap, Kyle Dewey, Ethan A. Kuefner, John Wagner, Kevin Gibbons, John Sarracino, Ben Wiedermann, and Ben Hardekopf. 2014. JSAI: A Static Analysis Platform for JavaScript. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE), Hong Kong, China, November 16-22, 2014.
[55] Soheil Khodayari and Giancarlo Pellegrino. 2021. JAW: Studying Client-side CSRF with Hybrid Property Graphs and Declarative Traversals. In Proceedings of the 30th USENIX Security Symposium (USENIX-Sec), August 11-13, 2021.
[56] Shuai Li, Zhemin Yang, Yunteng Yang, Dingyi Liu, and Min Yang. 2024. Identifying Cross-User Privacy Leakage in Mobile Mini-Apps at A Large Scale. IEEE Transactions on Information Forensics and Security (2024).
[57] Wei Li, Borui Yang, Hangyu Ye, Liyao Xiang, Qingxiao Tao, Xinbing Wang, and Chenghu Zhou. 2023. MiniTracker: Large-Scale Sensitive Information Tracking in Mini Apps. IEEE Transactions on Dependable and Secure Computing (2023).
[58] Mengyi Long, Yue Xu, Jiangrong Wu, Qihua Ou, and Yuhong Nan. 2023. Understanding Dark UI Patterns in the Mobile Ecosystem: A Case Study of Apps in China. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[59] Haoran Lu, Luyi Xing, Yue Xiao, Yifan Zhang, Xiaojing Liao, XiaoFeng Wang, and Xueqiang Wang. 2020. Demystifying Resource Management Risks in Emerging Mobile App-in-App Ecosystems. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (CCS), Virtual Event, USA, November 9-13, 2020.
[60] Shi Meng, Liu Wang, Shenao Wang, Kailong Wang, Xusheng Xiao, Guangdong Bai, and Haoyu Wang. 2023. Wemint: Tainting Sensitive Data Leaks in WeChat Mini-Programs. In Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (ASE), Luxembourg, September 11-15, 2023.
[61] Aaditya Naik, Jonathan Mendelson, Nathaniel Sands, Yuepeng Wang, Mayur Naik, and Mukund Raghothaman. 2021. Sporq: An Interactive Environment for Exploring Code using Query-by-Example. In The 34th Annual ACM Symposium on User Interface Software and Technology (UIST), Virtual Event, USA, October 10-14, 2021.
[62] Jihyeok Park, Yeonhee Ryou, Joonyoung Park, and Sukyoung Ryu. 2017. Analysis of JavaScript Web Applications using SAFE 2.0. In Proceedings of the 39th International Conference on Software Engineering (ICSE), Buenos Aires, Argentina, May 20-28, 2017, Companion Volume.
[63] Giancarlo Pellegrino, Martin Johns, Simon Koch, Michael Backes, and Christian Rossow. 2017. Deemon: Detecting CSRF with Dynamic Analysis and Property Graphs. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), Dallas, TX, USA, October 30 - November 03, 2017.
[64] Junjie Tao, Jifei Shi, Ming Fan, Yin Wang, Junfeng Liu, and Ting Liu. 2023. JSLibD: Reliable and Heuristic Detection of Third-party Libraries in Miniapps. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[65] Chao Wang, Ronny Ko, Yue Zhang, Yuqing Yang, and Zhiqiang Lin. 2023. TaintMini: Detecting Flow of Sensitive Data in Mini-Programs with Static Taint Analysis. In Proceedings of the 45th IEEE/ACM International Conference on Software Engineering (ICSE), Melbourne, Australia, May 14-20, 2023.
[66] Chao Wang, Yue Zhang, and Zhiqiang Lin. 2023. One Size Does Not Fit All: Uncovering and Exploiting Cross Platform Discrepant APIs in WeChat. In Proceedings of the 32nd USENIX Security Symposium (USENIX-Sec), Anaheim, CA, USA, August 9-11, 2023.
[67] Shenao Wang, Yanjie Zhao, Kailong Wang, and Haoyu Wang. 2023. On the Usage-scenario-based Data Minimization in Mini Programs. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[68] Tao Wang, Qingxin Xu, Xiaoning Chang, Wensheng Dou, Jiaxin Zhu, Jinhui Xie, Yuetang Deng, Jianbo Yang, Jiaheng Yang, Jun Wei, and Tao Huang. 2022. Characterizing and Detecting Bugs in WeChat Mini-Programs. In Proceedings of the 44th IEEE/ACM International Conference on Software Engineering (ICSE), Pittsburgh, PA, USA, May 25-27, 2022.
[69] Yue Wang, Yao Yao, Shangcheng Shi, Weiting Chen, and Lin Huang. 2023. Towards a Better Super-App Architecture from a Browser Security Perspective. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[70] Yuqing Yang, Yue Zhang, and Zhiqiang Lin. 2022. Cross Miniapp Request Forgery: Root Causes, Attacks, and Vulnerability Detection. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS), Los Angeles, CA, USA, November 7-11, 2022.
[71] Jianjia Yu, Zifeng Kang, and Yinzhi Cao. 2023. MiniTaintDev: Unveiling Mini-App Vulnerabilities through Dynamic Taint Analysis. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[72] Lei Zhang, Zhibo Zhang, Ancong Liu, Yinzhi Cao, Xiaohan Zhang, Yanjun Chen, Yuan Zhang, Guangliang Yang, and Min Yang. 2022. Identity Confusion in WebView-based Mobile App-in-app Ecosystems. In Proceedings of the 31st USENIX Security Symposium (USENIX-Sec), Boston, MA, USA, August 10-12, 2022.
[73] Yue Zhang, Bayan Turkistani, Allen Yuqing Yang, Chaoshun Zuo, and Zhiqiang Lin. 2021. A Measurement Study of WeChat Mini-Apps. In Proceedings of the 2021 ACM SIGMETRICS International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS), Virtual Event, China, June 14-18, 2021.
[74] Yue Zhang, Yuqing Yang, and Zhiqiang Lin. 2023. Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (CCS), Copenhagen, Denmark, November 26-30, 2023.
[75] Zhibo Zhang, Zhangyue Zhang, Keke Lian, Guangliang Yang, Lei Zhang, Yuan Zhang, and Min Yang. 2023. TrustedDomain Compromise Attack in App-in-app Ecosystems. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.
[76] Yanjie Zhao, Yue Zhang, and Haoyu Wang. 2023. Potential Risks Arising from the Absence of Signature Verification in Miniapp Plugins. In Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps (SaTS), Copenhagen, Denmark, November 26, 2023.