OAuth vulnerabilities | How to implement secure authorization on your website

Anonymous

This article covers the best-known OAuth vulnerabilities. Readers will also learn how to implement secure and reliable authorization on their websites.

OAuth is a trusted protocol, but its actual level of security depends on the awareness of the security specialists who implement authorization with it. This makes the article especially relevant for information security professionals, who need to provide a high level of protection for user accounts. It is time to get acquainted with the best practices that help reduce the risk of compromising an OAuth authorization flow.

Introduction

The OAuth 2.0 protocol is widely used in many contexts. Thanks to it, the user experience becomes simpler: authentication and authorization are easier than the traditional username and password login. With a correct and well-thought-out implementation, OAuth is more secure than traditional authorization, because users do not have to share their credentials with the third party requesting access to a particular resource. Users often log in with their Google, Facebook or LinkedIn accounts instead of creating a new account every time they need to register on some site. In that sense, OAuth makes our lives much easier.

In general, OAuth providers are very reliable. Logging in with a Google or Facebook account gives a certain sense of security, and rightly so. The protocol has been thoroughly tested by experts, and any flaws that are found are usually fixed quickly by the development team. However, it is worth knowing that this feeling of complete security can be false.

OAuth providers leave application developers with many reasons to worry about the security of their own systems. A workflow that is secure in principle but implemented incorrectly during integration can become an easy target for intruders. That is what turns such applications into a source of personal data theft.

Below we consider the most common vulnerabilities found on third-party sites that implement the OAuth protocol to authenticate users. Keep in mind that the protocol itself is secure and reliable; it only becomes vulnerable to attacks after an incorrect implementation.

OAuth token theft via the Referer header

When an application requests authorization on behalf of a user from the OAuth server, it receives a code with which to log in and returns to the service. If, during this process, the user is redirected to another page, the code will appear in the Referer header of the HTTP request. The code thus leaks to an external site, compromising the user's data stored on the OAuth server.

NOTE: The Referer header is an HTTP request header that tells the receiving site the URL of the page from which the request was sent.

To reduce the impact of this problem, the developer must make sure that the site's pages contain no HTML injection. If an injection exists, an attacker can easily embed an image hosted on their own site and find a way to redirect the user to it, which gives them the opportunity to steal the code from the Referer header.

Oauth thift ubujura ukoresheje redirect_uri parameter

The application starts the authorization flow by sending a request to the OAuth server:

https://www.example.com/signin/signinqu?[...]

The request always contains the redirect_uri parameter, which the OAuth server uses to send the token back to the application after the user has granted authorization. If the value of this parameter is not checked, or is checked incorrectly, an attacker can easily modify it and redirect the request to their own site instead of the legitimate endpoint that processes the token, and thereby gain access:

https://www.example.com/signin/signinqu?[...]

Sometimes even such a check is bypassed. The attacker can send the received data to an open redirect URL, like this:

https://www.example.com/oauth20_[...]

Or this:

https://www.example.com/oauth2/Oauth2?[...]%[...]redirect_uri=https%2f%2F%2F[...]%2f

When implementing OAuth, you must never put an entire domain on the allowlist. Only a few specific endpoints should be added to the redirect_uri allowlist, and none of them may forward the request to an open redirect.
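An added example, not code from the original article, contrasting a domain-prefix check with an exact allowlist check of redirect_uri. The hostnames, paths and sample attacker values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Registered callback endpoints: full URIs, never whole domains or prefixes.
ALLOWED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
}

def weak_redirect_check(uri: str) -> bool:
    """The pattern the article warns against: trusting anything under a domain."""
    return uri.startswith("https://app.example.com")

def strict_redirect_check(uri: str) -> bool:
    """Exact match against the registered callback, after rejecting URI tricks."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False                      # no extra parameters or fragments
    if parts.username is not None or parts.password is not None:
        return False                      # "https://app.example.com@evil.net"
    if ".." in parts.path.split("/") or "//" in parts.path:
        return False                      # path tricks a server may collapse
    return uri in ALLOWED_REDIRECT_URIS   # exact string match, not a prefix

# Constructed attacker-controlled values of the kind the article describes.
SAMPLE_REDIRECT_URIS = [
    "https://app.example.com/oauth/callback",                 # legitimate
    "https://app.example.com.evil.net/oauth/callback",         # domain suffix trick
    "https://app.example.com@evil.net/oauth/callback",         # userinfo trick
    "https://app.example.com/redirect?to=https://evil.net/",   # open redirect endpoint
    "https://app.example.com/oauth/callback/../redirect",      # path traversal
    "http://app.example.com/oauth/callback",                   # downgraded scheme
]

def evaluate(uris=SAMPLE_REDIRECT_URIS) -> dict:
    """Return {uri: (weak_result, strict_result)} for each sample."""
    return {u: (weak_redirect_check(u), strict_redirect_check(u)) for u in uris}

if __name__ == "__main__":
    for uri, (weak, strict) in evaluate().items():
        print(f"weak={weak!s:5} strict={strict!s:5} {uri}")
```

Only the first sample passes the strict check; the prefix check lets four of the five attacker values through.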

Cross-site request forgery

A cross-site request forgery happens when an attacker succeeds in making the victim click a link of theirs and thereby perform an action the victim did not intend. CSRF is usually prevented with a CSRF token tied to the user's session, which lets the application verify who actually sent the request. In the OAuth protocol, the state parameter plays the role of this CSRF token.

It is worth seeing how a CSRF attack is carried out against OAuth and how state can be used to mitigate the vulnerability.

The hacker opens the site and starts the legitimate flow of authorizing with the service provider via OAuth. The application asks the provider for authorization. The hacker is redirected to the provider's site, where normally a username and password must be entered to grant access. Instead, the hacker intercepts and blocks this request and saves its URL. The hacker then somehow gets the victim to open this URL. If the victim is logged in to the provider with their own account, the victim's credentials are used to issue an authorization code. The authorization code is exchanged for an access token. Now the hacker's account in the application is authorized, and it can access the victim's account.

So how do we prevent this using the state parameter?

The application must generate a unique value based on the originating session (for example, a hash of the user's session key). What exactly it is matters little; the important thing is that the value is unique and derived from private information about the original user. It is passed as the state parameter.

The value is passed to the service provider during the redirect. The hacker then gets the victim to open the saved URL.

The authorization code is issued and sent to the client together with the state.

The client computes the comparison value from the current session and compares it with the state that was sent in the authorization request to the provider. The values do not match the state in the request, because that state was generated only from information about the session that originally started the flow. As a result, the received code is not accepted by the system.
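An added example, not code from the original article, implementing the state mechanism described above: the value is bound to the session that started the flow with an HMAC, verified in constant time on the callback, and consumed after one use. The server secret, session ids and authorization code are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; in production it comes from a secret store.
SERVER_SECRET = b"constructed-server-secret"
# Nonces already consumed, so one state value cannot complete two callbacks.
USED_NONCES = set()

def make_state(session_id: str) -> str:
    """Build the state for the authorization request sent to the provider.

    state = nonce.tag, where tag = HMAC-SHA256(secret, session_id || nonce).
    The nonce makes every request unique; the HMAC binds it to the session
    that started the flow, so it is worthless in any other browser session.
    """
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"

def verify_state(session_id: str, state: str) -> bool:
    """Recompute the tag from the *current* session and compare in constant time."""
    nonce, sep, tag = state.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def handle_callback(session_id: str, params: dict) -> tuple:
    """Callback endpoint: exchange the code only if state belongs to this session."""
    code, state = params.get("code"), params.get("state", "")
    if not code or not verify_state(session_id, state):
        return False, "state does not belong to this session"
    nonce = state.partition(".")[0]
    if nonce in USED_NONCES:
        return False, "state already used"
    USED_NONCES.add(nonce)
    return True, f"exchange code {code} for a token"

if __name__ == "__main__":
    # The scenario from the article: the attacker starts the flow in their own
    # session and saves the URL; the victim later opens it in a different session.
    state = make_state("session-attacker")
    print(handle_callback("session-victim", {"code": "AUTHCODE", "state": state}))
    print(handle_callback("session-attacker", {"code": "AUTHCODE", "state": state}))
```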

Other flaws found in OAuth implementations include the reuse of the authorization code (a code that can be used more than once to issue several tokens). These vulnerabilities are less common than the ones described above, but that does not make them less harmful. Developers must take every necessary measure to ensure the site operates reliably.

Author of the translated article: Simon Saliba.

Important! The information is provided for educational purposes only. Please obey the law and do not use this information for illegal purposes.

Interesting material on Cisoclub.ru.
