Wannan talifin zai yi ma'amala da sanannen sanannun outh. Masu karatu za su koyi yadda ake aiwatar da kai mai tsaro da amintacce a cikin aikace-aikacen yanar gizo.
Oauth wani ingantaccen tsari ne, amma matakin tsaro ya dogara da wayar da kai na masu samar da yanar gizo lokacin aiwatar da izini. Wannan ya sa wannan batun yana da mahimmanci ga ƙwararrun masu tsaro na bayanai. Suna buƙatar samar da babban matakin kariya daga asusun masu amfani da su. Lokaci ya yi da za a san shi da ingantacciyar masu koyar da masu aiki wanda zai taimaka wajen rage mummunan hatsarin outut.
Shigowa daA halin yanzu ana amfani da yarjejeniya ta 2.0 a aikace-aikacen aikace-aikace daban-daban. Amfani da shi, mai amfani da mai amfani da mai dacewa ya zama ya zama yana da, amincin mafi sauƙi da izini idan aka kwatanta da hanyoyin gargajiya don shigar da sunan mai amfani da kalmar wucewa. Tare da aiwatar da aiki mai kyau da tunani mai zurfi, Eurt Prvolol zai zama mafi aminci fiye da izini na gargajiya, tunda masu amfani ba sa buƙatar raba bayanan asusunsu tare da aikace-aikacen ɓangare na uku don samun damar takamaiman hanya. Masu amfani suna son shiga cikin amfani da asusun Google, facebook ko LinkedIn, maimakon ƙirƙirar sabon asusu a duk lokacin da kuke buƙatar yin rijista a kan wasu gidan yanar gizo. Don haka, Prinocol Pr Prosocol ƙwarai ke sauƙaƙa rayuwar mu.
Gabaɗaya, mashahurin Ma'aikatar Eaut sun dogara sosai. Shiga cikin asusun Google ko Facebook yana ƙarfafa wata hanyar tsaro, kuma daidai ne. An gwada yarjejeniya da masana. Dukkanin raunin da ke akwai koyaushe suna gyara da tawagar masu tasowa. Koyaya, yana da mahimmanci a lura cewa jin cikakken aminci zai iya zama ƙarya.
Masu ba da sabis na OATut sun bar masu haɓaka aikace-aikace na aikace-aikace suna da dalilai da yawa don sun yi karo da amincin shirye-shiryen su. A zahiri, sabis na farko na EAuch, ba daidai ba aiwatar cikin aiwatar da shigarwa ba, na iya zama mai sauƙin manufa ga masu kutse. Irin wannan preogupacy zai haifar da satar bayanan sirri na masu amfani.
Na gaba, ya kamata ya kamata ka yi la'akari da mafi yawan lahani na gama gari a cikin aikace-aikacen ɓangare na uku waɗanda ke aiwatar da shirin oauth don ba da izinin masu amfani. Dole ne a tuna cewa yarjejeniya kanta amintacciya ce kuma amintacce. Sai kawai bayan an aiwatar da aiki ba daidai ba, ya zama mai haɗari ga hare-hare masu ba da izini.
Outut tockkey satar ta amfani da reshe aroLokacin da aikace-aikacen ya nemi izini a madadin mai amfani a uwar garken Ouruth, mutum yana karɓar lambar don shigar da aika lambar don sake dawo da uwar garken don rajistar ta mai zuwa. Idan a yayin aikin da mai amfani za'a tura shi zuwa wani shafin, za a gan lambar a cikin "referer" taken bukatar HTTP. Don haka, lambar zata fada akan shafin yanar gizon na waje, wanda zai yi barazanar bayanan mai amfani da aka yi rajista akan uwar garken OAU.
Lura: Shugaban yabo shi ne Shugaban HTTP, yana watsa rundunar rundunar URL daga abin da aka aiko da bukatar.
Don taushi sakamakon wannan yanayin yanayin yanayin, mai haɓakawa dole ne ya tabbatar da cewa aikace-aikacen yanar gizo bai ƙunshi allurar HTML ba. Idan an gano allurar, mai harin zai iya sauƙaƙa alamar hoto zuwa sabar yanar gizon ta kuma nemo hanyar tura mai amfani da shi. Don haka, zai samu damar satar lambar daga "referer" na bukatar HTTP.
Outh tockkey sata ta amfani da sigar sigogi_uriAikace-aikacen ya fara aikin izini ta hanyar aika buƙatu ga uwar garken awon:
https://www.example.com/Signarin/aukaRicize?e..
Tambayar koyaushe tana dauke da "Redirect_uri" sigogi da OAUD uwar garken ya koma baya ga aikace-aikacen bayan mai amfani ya ba shi izinin sa. Idan ba a sarrafa darajar wannan siga ko ba a bincika shi ba, ana iya canza shi sauƙaƙe don shigar da alama da samun damar zuwa iyakantaccen albarkatun.
HTTPS://www.example.com/Signarin/AUNAROWIZOZERROWET'S... 'Yuga orredirect_URI=HTPPS://Cocalhost.evil.com.
Wani lokacin ma URL guda ɗaya aka katange. HARKOKER zai iya tura bayanan da aka karɓa a bude URL, kamar wannan:
HTTPS://www.example.com/oUAUTHIZE.SRHACT_Auri=HTTPSTANTHEXTICT=HTTPESTHTETTHTETHTETHTETHTETHTET=HTTPETTHSTHTETTONTIONT ://evil.com.
Ko wannan:
HTTPS://www.example.com/oUAUwize?
Lokacin aiwatar da outut, ba za ku taɓa taɓa haɗe da duka yankin ba a cikin jerin farin farin. Kadan urls ne kawai ya kamata a ƙara su "Redirect_uri" ba a tura buƙata don buɗe juyawa ba.
Yakamata a layin layin giciyeYakin neman aiki na na iya faruwa lokacin da wani dan wasan ya yi nasara wajen sanya wanda aka azabtar ya danna hanyarsa don haka saboda haka, don samar da bukatar cewa ba zai shiga ba. Yakin Layi na Layi na Layi yawanci ana taushi tare da alamar CSRF, wanda ke da alaƙa da zaman mai amfani. Yana taimaka wa aikace-aikacen don bincika mutumin mutumin da ya aiko da bukatar. A matsayin "jihar" sigogi a cikin OAUT Provencol yana aiki a matsayin CSRF alama.
Yana da kyau duba yadda ake kai harin CSRF akan OAUTH da kuma matsayin "najeriyar" don rage tasirin yanayin rauni.
Hacker yana buɗe aikace-aikacen yanar gizo kuma yana ƙaddamar da tsarin izini don samun damar mai ba da sabis na amfani da outut. Aikace-aikacen yana buƙatar mai ba da sabis don samun damar bayar da wannan buƙatar. Za a tura dan gwanin kwamfuta zuwa shafin mai bada sabis, inda yawanci kake bukatar shigar da sunan mai amfani da kalmar wucewa don ba da izinin shiga. Madadin haka, kamannun dan gwanin kwamfuta da hana wannan bukatar kuma ya ce URL. Hacker ko ta yaya ya sa wanda aka azabtar ya buɗe wannan URL. Idan wanda aka azabtar ya shiga tsarin mai bada sabis ya amfani da asusun ajiyarsa, to, za a yi amfani da takardun shaidunsa don fitar da lambar izini. Musayar izini na izini ga alamar shiga. Yanzu asusun Hacker a cikin aikace-aikacen an ba shi izini. Zai iya samun damar shiga asusun wanda aka azabtar.
Don haka, ta yaya zan hana wannan yanayin ta amfani da sigogin "jihar"?
Aikace-aikacen dole ne a ƙirƙiri ƙimar da ta samo asali ne akan asusun tushen tushen (alal misali, yi amfani da maɓallin HASH HASH). Ba mahimmanci ba ne menene, babban abu shi ne cewa darajar ta musamman kuma an samo asali ta amfani da bayani mai zaman kansa game da mai amfani na asali. An sanya shi zuwa ga "matakin".
An watsa wannan darajar zuwa mai bada sabis yayin juyawa. Yanzu mai gwanin kwamfuta yana gayyatar wanda aka azabtar ya bude URL, wanda ya riƙe.
An bayar da lambar izini kuma ta aika da abokin ciniki a cikin zaman tare da sigar "jihar".
Abokin ciniki yana haifar da ƙimar sigogi dangane da bayanin zaman kuma yana kwatanta shi da darajar "Jihar State, wanda aka aiko da shi daga mai bada izinin sabis. Wannan darajar bai dace da sigogi na "jihar" a cikin tambayar ba, tunda an samar da shi ne kawai ta hanyar bayani game da zaman yanzu. A sakamakon haka, ba a yarda da darajar da aka samu ta tsarin ba.
Sauran raunin da aka gano yayin aiwatar da oututh sun haɗa da ikon yin XSS (Saitin maɓallin keɓaɓɓen) ta amfani da sigar lambar hannu) ta hanyar lalata aikace-aikacen hannu) da kuma ƙa'idar ƙa'idar izini) da kuma ƙa'idar ƙa'idar izini) da kuma ƙa'idar izinin wayar) Za'a iya amfani da lambar izini fiye da sau ɗaya don gabatar da alamun shiga dama da yawa). Wadannan yanayin kasa ba su da nasara fiye da waɗanda aka bayyana a sama, amma ba ya sa su karancin haɗari. Mai haɓakawa ya kamata ya san duk ayyukan da ake buƙata don tabbatar da ingantaccen aiki na aikace-aikacen yanar gizo.
Marubucin labarin da aka fassara: Simon Salima.
Muhimmin! Bayani kawai don dalilai na ilimi. Da fatan za a cika dokar doka kuma kada ku yi amfani da wannan bayanin don dalilai na doka.
Abun ban sha'awa abu akan cisclub.ru. Biyan kuɗi zuwa Amurka: Facebook | VK | Twitter | Instagram | Tabal | Zen | Manzo | ICQ NEW | YouTube | Bugun jini.