Web Apps security in Telegram bots


On April 16, 2022, Telegram presented a new feature, Web Apps, which let a bot open web pages without switching to a browser. Details are in the official documentation: https://core.telegram.org/bots/webapps.

Definitely a handy feature for both users and developers. But since this is a web application, you can look at what is under the hood. Telegram cited the bot @DurgerKingBot as an example; we will analyze it.

We open Telegram Web, find the bot, and run it.

Click Order Food and the web application opens.

  1. Here we see the site address. This opens the door to DDoS and brute force against that host. If you use a webhook, the path to it must be unguessable (for example the bot token, as Telegram suggests), not something like /tg, /telegram or /tgwebhook. Newer Bot API versions also let setWebhook take a secret_token that Telegram sends back in the X-Telegram-Bot-Api-Secret-Token header of every webhook request, so the handler can drop any request that lacks it.

  2. You can find out which domains sit on the same IP, for example through 2ip.ru. If you have bots you do not want to advertise, keep them on a different IP. It is also unwise to host the bot code together with the web application on shared hosting, since you may meet an unexpected "neighbour"; if you must, choose a reliable provider.

  3. Find the JS and study it.

We look for the relevant handlers, for example the order-creation event

and from there we can send our own data to the backend.

Therefore, for the AJAX calls to the backend:

  1. Only the data the user actually enters should be sent; prices, warehouse/stock and the like are filled in on the backend. If the quantity must be an integer, check it, otherwise the bot will accept 0.1, issue an invoice for 0.1 of the item price, and you will then have to prove it was not a bot glitch.

  2. Validate and parse incoming data on the server side: parameterized queries against SQL injection, output encoding against XSS, and strict type and range checks on every field.
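As an added example (not code from this page, from Telegram, or from the DurgerKing sample), here is the backend side of points 1 and 2 in Python. It does two things: it validates the initData string that the Web App client receives from Telegram (the scheme from Telegram's Web Apps documentation: HMAC-SHA256 over the sorted "key=value" fields, keyed with HMAC-SHA256(bot_token, key="WebAppData"), compared against the hash field), so the user id in the order cannot simply be typed in by the client; and it builds the invoice from a server-side price list, taking only item ids and integer quantities from the client and rejecting 0.1, strings and out-of-range values. The bot token, the catalogue, MAX_INIT_DATA_AGE, the order JSON layout and the handle_order name are constructed assumptions; sign_init_data exists only to build a fixture that stands in for what Telegram would sign. The database layer is not shown; use parameterized queries there.

```python
import hashlib
import hmac
import time
from decimal import Decimal
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Server-side price list (constructed sample). Prices never come from the client.
CATALOGUE = {
    "burger": Decimal("4.99"),
    "fries": Decimal("1.49"),
}
MAX_QTY = 100
MAX_INIT_DATA_AGE = 24 * 3600  # seconds; assumed value, pick what fits your flow


def web_app_secret(bot_token: str) -> bytes:
    """Telegram's documented derivation: secret_key = HMAC_SHA256(bot_token, key="WebAppData")."""
    return hmac.new(b"WebAppData", bot_token.encode(), hashlib.sha256).digest()


def data_check_string(fields: dict) -> str:
    """Telegram's format: every field except hash, sorted by key, 'key=value' joined by '\\n'."""
    return "\n".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "hash")


def validate_init_data(init_data: str, bot_token: str, now: Optional[float] = None) -> dict:
    """Verify the hash on Telegram's initData query string and return its fields.

    Raises ValueError on a missing or mismatched hash or on a stale auth_date, so the
    backend never trusts a user id that the client could have forged.
    """
    fields = dict(parse_qsl(init_data, keep_blank_values=True))
    received = fields.get("hash")
    if received is None:
        raise ValueError("initData has no hash")
    expected = hmac.new(web_app_secret(bot_token),
                        data_check_string(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("initData hash mismatch")
    age = (now if now is not None else time.time()) - int(fields.get("auth_date", "0"))
    if age > MAX_INIT_DATA_AGE:
        raise ValueError("initData too old")
    return fields


def sign_init_data(fields: dict, bot_token: str) -> str:
    """Fixture helper only: produce what Telegram would put into initData for these fields."""
    h = hmac.new(web_app_secret(bot_token),
                 data_check_string(fields).encode(), hashlib.sha256).hexdigest()
    return urlencode({**fields, "hash": h})


def build_invoice(order: dict) -> list:
    """Take only item ids and quantities from the client; the price comes from CATALOGUE.

    Quantities must be real integers in range: 0.1, "1", True and -3 are all rejected,
    which closes the "invoice for 0.1 of the price" case.
    """
    lines = []
    for item in order.get("items", []):
        item_id, qty = item.get("id"), item.get("qty")
        if item_id not in CATALOGUE:
            raise ValueError(f"unknown item {item_id!r}")
        # bool is a subclass of int in Python, so it is excluded explicitly
        if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QTY:
            raise ValueError(f"bad quantity {qty!r} for {item_id}")
        lines.append((item_id, qty, CATALOGUE[item_id] * qty))
    if not lines:
        raise ValueError("empty order")
    return lines


def handle_order(init_data: str, order: dict, bot_token: str,
                 now: Optional[float] = None) -> dict:
    """What a hypothetical /order AJAX handler should do before issuing an invoice."""
    user = validate_init_data(init_data, bot_token, now)
    lines = build_invoice(order)
    total = sum((amount for _, _, amount in lines), Decimal("0"))
    return {"user": user.get("user"), "lines": lines, "total": total}


if __name__ == "__main__":
    token = "123456:ABC-DEF_constructed"  # constructed, not a real bot token
    init = sign_init_data({"auth_date": str(int(time.time())), "query_id": "AAHconstructed",
                           "user": '{"id":123456789,"first_name":"Test"}'}, token)
    print(handle_order(init, {"items": [{"id": "burger", "qty": 2, "price": "0.01"}]}, token))
```

On the client, the string to send is window.Telegram.WebApp.initData; the backend must never read the user id out of initDataUnsafe or out of a field the page's own JS fills in. Note that the client-supplied "price" key in the demo order is simply ignored.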