OAuth Vulnerabilities | How to Implement Authorization Securely in Your Web Application

Anonim

This article covers the known OAuth vulnerabilities. Readers will also learn how to use the protocol securely and protect authorization in a web application.

OAuth is a reliable protocol, but its actual level of security depends largely on the knowledge of the web developers who use it for authorization. This makes the topic especially important for information security specialists, who must provide a high level of protection for their users' accounts. It is time to learn about the attack methods that succeed in practice; knowing them helps reduce the risk of an OAuth implementation being compromised.

Introduction

The OAuth 2.0 protocol is currently used in a wide variety of applications. With it you get a convenient user interface and simpler authentication and authorization compared to the traditional login with a username and password. Used correctly and thoughtfully, the OAuth protocol is more secure than traditional authorization, because users do not have to share their account credentials with a third-party application to give it access to a resource. Users often prefer to log in with their Google, Facebook or LinkedIn account instead of creating a new account every time they need to register on yet another website. So the OAuth protocol has become a firm part of our lives.

In general, the popular OAuth service providers are highly trustworthy. Logging in with a Google or Facebook account inspires a certain sense of security, and that sense is justified. The protocol is carefully reviewed by experts, and every vulnerability that is found is quickly fixed by the development team. However, it should be noted that a complete sense of security can be false.

Developers who integrate OAuth service providers make many mistakes that undermine the security of their applications. In fact, securing the OAuth integration itself must come first. Such mistakes lead to the theft of your users' data.

Next, consider the most common vulnerabilities found in third-party applications that use the OAuth protocol to authorize their users. Remember that the protocol itself is secure and reliable; only incorrect use exposes it to hacker attacks.

OAuth token theft using the Referer header

When the authorization request is waiting for the user on the OAuth server, the user receives a code to log in and sends it back to the server for subsequent verification. If during this process the user is redirected to another page, the code appears in the "Referer" header of the HTTP request. As a result, the code ends up on the external website, which puts the user's data registered with the OAuth server at risk.

Note: the Referer header is an HTTP request header.

To prevent the consequences of this attack, the developer must make sure that their website has no HTML injection. If an injection is present, an attacker can easily embed an image loaded from their own website and find a way to send the user to it. That gives them the opportunity to steal the code from the "Referer" header of the HTTP request.

OAuth token theft using the redirect_uri parameter

The application starts the authorization flow by sending a request to the OAuth server:

https://www.example.com/authorize?...

The request always contains a "redirect_uri" parameter, which the OAuth server uses to send the tokens back to the application after the user has granted consent. If the value of this parameter is not validated or checked, an attacker can change it so that the request is redirected to their own website, where a dedicated script processes the token and gains access to the resource.

https://www.example.com/signin/authorize?...&redirect_uri=https://<attacker-site>

Sometimes this URL is locked down to a whitelist. The attacker can then route the returned data through an open redirect on the site, like this:

https://www.example.com/authorize.srf?...

Or like this:

https://www.example.com/authorize?[...]

When using OAuth, you must not add the entire domain to the whitelist. Only a few specific URLs should be allowed as "redirect_uri" values, and none of them may be an unvalidated request redirection (an open redirect).
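The difference between whitelisting a whole domain and exact-matching a few registered callback URLs, as an added example that is not part of the original article. The allowlist, the open-redirect path and the attacker hostname are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the exact callback URLs registered for this client.
REGISTERED_REDIRECT_URIS = {
    "https://app.example.com/oauth/callback",
    "https://app.example.com/signin/callback",
}


def weak_redirect_check(redirect_uri: str) -> bool:
    """The mistake the article warns about: accepting the whole domain.

    Anything that merely starts with the site prefix passes, including the
    site's own open-redirect endpoint and look-alike hosts such as
    app.example.com.attacker.example.
    """
    return redirect_uri.startswith("https://app.example.com")


def strict_redirect_check(redirect_uri: str) -> bool:
    """Exact match against the registered URIs after minimal normalization.

    Scheme and host are case-insensitive, so they are lowercased; path and
    query must match byte for byte, so a registered path cannot be extended
    with '?next=...' or a traversal. Fragments are never allowed.
    """
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:
        return False
    if parts.scheme.lower() != "https" or parts.fragment:
        return False
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        normalized += "?" + parts.query
    return normalized in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    # Constructed sample values: a legitimate callback, the open redirect on
    # the same site, and a look-alike host under attacker control.
    samples = [
        "https://app.example.com/oauth/callback",
        "https://app.example.com/redirect?next=https://attacker.example/",
        "https://app.example.com.attacker.example/oauth/callback",
    ]
    for uri in samples:
        print(f"{uri}\n  weak={weak_redirect_check(uri)} strict={strict_redirect_check(uri)}")
```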

Cross-Site Request Forgery

A cross-site request forgery occurs when an attacker successfully tricks a victim into clicking a link and thereby sending a request the victim never intended to make. CSRF is usually prevented with a CSRF token that is bound to the user's session. It lets the application verify the identity of the person who sent the request. In the OAuth protocol, the "state" parameter acts as this CSRF token.

It is worth looking at how a CSRF attack is carried out against OAuth and how the "state" parameter can be used to mitigate the vulnerability.

The hacker opens the web application and starts the authorization flow to obtain access to a service provider via OAuth. The application asks the service provider for the permission it needs. The hacker is then redirected to the service provider's website, where one normally enters a username and password to approve the login. Instead, the hacker intercepts this request and saves its URL. The hacker then somehow gets the victim to open this URL. When the victim logs in to the service provider with their own account, their credentials are used to issue the authorization code. The authorization code is exchanged for an access token. Now the hacker's account in the application is authorized and can access the victim's account.

So how do you prevent this situation using the "state" parameter?

The application must generate this value in some way from the current session (for example, a hash of the user's session key). What exactly is used does not matter; the important thing is that the value is unique and is generated from secret information about the original user. It is passed as the "state" parameter.

This value is sent to the service provider and returned in the redirect. Now the hacker invites the victim to open the URL they saved.

The authorization code is issued and sent back to the client in the request together with the "state" parameter.

The client recomputes the parameter value from its own session information and compares it with the "state" value returned by the service provider. The two values do not match, because the "state" in the query was generated from the hacker's session, while the recomputed value is based only on the current (victim's) session. Consequently, the received value is rejected by the system.
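The "state" check walked through above, as an added example that is not part of the original article. It derives "state" from the session with a keyed hash (the article's "hash of the session key" suggestion, here an HMAC under a server secret) and replays the account-linking scenario with constructed session identifiers and a placeholder client_id.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed: a secret known only to the client application's server side.
SERVER_SECRET = secrets.token_bytes(32)
AUTHORIZE_ENDPOINT = "https://www.example.com/authorize"


def make_state(session_id: str) -> str:
    """Derive 'state' from the caller's own session.

    Keyed with SERVER_SECRET so it is unique per session and cannot be
    produced by anyone who does not hold the secret. (Storing a random
    nonce in the session works equally well; this keeps the example stateless.)
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def build_authorize_url(session_id: str) -> str:
    """Start the flow: the 'state' we send is bound to the starting session."""
    params = {
        "response_type": "code",
        "client_id": "PLACEHOLDER_CLIENT_ID",  # constructed placeholder
        "redirect_uri": "https://app.example.com/oauth/callback",
        "state": make_state(session_id),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def verify_callback(session_id: str, returned_state: str) -> bool:
    """On the callback, recompute 'state' from the CURRENT session (the one
    whose cookie arrives with the callback) and compare in constant time."""
    return hmac.compare_digest(make_state(session_id), returned_state)


def simulate_csrf_linking() -> dict:
    """Replay the article's scenario with constructed session ids."""
    attacker_session = "sess-attacker-0001"
    victim_session = "sess-victim-0002"
    # The hacker starts the flow in their own session and saves the URL.
    saved_url = build_authorize_url(attacker_session)
    saved_state = parse_qs(urlsplit(saved_url).query)["state"][0]
    # The victim opens the saved URL; the provider redirects back with a code
    # and the saved 'state', but the callback runs under the victim's session.
    return {
        "victim_callback_accepted": verify_callback(victim_session, saved_state),
        "attacker_own_callback_accepted": verify_callback(attacker_session, saved_state),
    }
```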

Other vulnerabilities encountered when using OAuth include the possibility of XSS (via the redirect) and reuse of the authorization code, which can be exchanged more than once to obtain multiple access tokens. These weaknesses are less common than the ones described above, but that does not stop attackers. The developer must know every method needed to ensure the reliable operation of their web application.

Author of the translated article: Sonaba.

IMPORTANT! This information is provided for educational purposes only. Please comply with the law and do not use this information for illegal purposes.

More interesting articles on chisoclub.ru.
