OAuth Vulnerabilities | How to Implement Secure Authorization in Your Web Application

Anonymous

This article looks at the known vulnerabilities of OAuth. Readers will also learn how to implement safe and secure authorization in a web application.

OAuth is a reliable protocol, but its level of security depends on how carefully web developers implement the authorization flow. This makes the topic very important for security specialists, who need to provide a high level of protection for their users' accounts. It is time to get acquainted with the best practices that help reduce the risk of a poor OAuth implementation.

Introduction

The OAuth 2.0 protocol is widely used in a variety of applications. It offers a user-friendly interface and simpler authentication and authorization than traditional username-and-password methods. With proper implementation and care, the OAuth protocol is safer than traditional authorization, because users do not need to share their account credentials with a third-party application in order to access a particular resource. Users often prefer to log in with their Google, Facebook or LinkedIn accounts instead of creating a new account every time they need to register on a website. In this way, the OAuth protocol greatly simplifies our lives.

In general, the popular OAuth service providers are very reliable. Logging in with a Google or Facebook account gives a certain sense of security, and rightly so: the protocol has been carefully tested by experts, and any vulnerabilities found are fixed quickly by the engineering teams. However, it is worth noting that the feeling of complete security can be false.

OAuth service providers leave application developers with plenty of reasons to worry about the security of their own systems. In fact, an OAuth service that is secure in itself but implemented incorrectly during integration can become an easy target for intruders. Such negligence leads to the theft of users' personal data.

Next, we consider the most common vulnerabilities encountered in third-party applications that use the OAuth protocol to manage their users. It must be remembered that the protocol itself is secure and reliable; it becomes vulnerable to attack only after an incorrect implementation.

Stealing the OAuth token via the Referer header

When an application requests authorization on behalf of a user from the OAuth server, the user receives an authorization code and sends it back to the server with their next request. If during this operation the user is redirected to another page, the code appears in the Referer header of the HTTP request. The code thereby leaks to an external website, which threatens the user data registered on the OAuth server.

Note: The Referer header is an HTTP request header that carries the URL of the page from which the request was sent.

To mitigate this risk, the developer must ensure that their web application has no HTML injection. If an injection is found, an attacker can easily insert an image tag pointing at their own web server and find a way to redirect the user to it. They then have the opportunity to steal the code from the Referer header of the HTTP request.

Stealing the OAuth token via the redirect_uri parameter

The application starts the authorization process by sending a request to the OAuth server:

https://www.exxple.com/signin/authorise. Ku -&redirect_uri=https:

The request always contains the redirect_uri parameter, which the OAuth server uses to send the tokens back to the application after the user has granted permission. If the value of this parameter is not controlled or validated, an attacker can easily change it and redirect the request to their own website, where a special handler processes the token and gains access to the restricted resource.

https://www.exxple.com/signin/authorise.

Sometimes such URLs are blocked. The attacker can then route the received data through an open redirect URL, like this:

https://www.exxple20_aauth20_authorize.srf?ing..iri=htttps ://accounts.google.com/accounthoukhoubtarget?next

Or this:

https://www.exxple2/auth2/authorize? [...]% indect_uri = https% 3a% 2f% 2fbook.com% 2fatter% 2f.

When using OAuth, never whitelist entire domains. Only a small number of exact URLs should be added to the redirect_uri whitelist, and none of them may perform an open redirect.

Cross-site request forgery

Cross-site request forgery occurs when an attacker manages to make the victim click on their link and thereby issue a request the attacker could not issue themselves. CSRF is usually prevented with a CSRF token tied to the user's session, which lets the application verify the identity of the person who sent the request. In the OAuth protocol, the state parameter acts as the CSRF token.

It is worth seeing how a CSRF attack is carried out against OAuth and how the state parameter can be used to prevent the damage.

The hacker opens the web application and starts the authorization process to access a service provider that uses OAuth. The application asks the service provider for the access it needs. The hacker is redirected to the service provider's website, where they would normally enter their username and password to authorize the access. Instead, the hacker intercepts and stops this request and saves its URL. The hacker then somehow causes the victim to open that URL. If the victim logs in to the service provider with their own account, the victim's credentials are used to issue an authorization code. The authorization code is exchanged for an access token. Now the hacker's account in the application is authorized, and it can access the victim's account.

So how can this scenario be prevented using the state parameter?

The application must generate a value tied to the originating account (for example, a hash of the user's session key). What exactly it is matters less; the important thing is that the value is unique and is generated from secret information about the original user. It is assigned to the state parameter.

This value is passed to the service provider in the redirect. Now the attacker invites the victim to open the URL they saved.

The authorization code is issued and sent back to the client together with the state parameter.

The client generates the parameter value from its own session information and compares it with the state value returned in the authorization response from the service provider. The two do not match, because the value in the request was generated only from the attacker's session, not the victim's. As a result, the received code is rejected by the application.
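As an added example (not code from the original article), the following Python client-side helpers combine the two defences described above: an exact-match redirect_uri allowlist instead of whole domains, and a state value derived from the user's session secret that is checked on the callback. The endpoint, client id, allowlisted callback URL and session secrets are constructed values.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit

# Constructed allowlist: exact callback URLs only, never whole domains.
ALLOWED_REDIRECT_URIS = {"https://app.example.test/oauth/callback"}


def redirect_uri_allowed(uri: str) -> bool:
    """Exact string match against the allowlist.

    A prefix or domain match would let an open redirect on the same host
    (e.g. /redirect?next=...) forward the code to an attacker.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return uri in ALLOWED_REDIRECT_URIS


def make_state(session_secret: bytes) -> str:
    """Derive the state value from the user's session secret (HMAC-SHA256).

    The value is unique per session and cannot be guessed without the secret,
    which is what the article asks of the state parameter.
    """
    return hmac.new(session_secret, b"oauth-state", hashlib.sha256).hexdigest()


def build_authorize_url(auth_endpoint: str, client_id: str,
                        redirect_uri: str, session_secret: bytes) -> str:
    """Build the authorization request, refusing non-allowlisted redirect URIs."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError("redirect_uri is not in the allowlist")
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": make_state(session_secret)}
    return f"{auth_endpoint}?{urlencode(query)}"


def handle_callback(query: dict, session_secret: bytes):
    """Return the authorization code only if state matches this session.

    A code obtained with another user's session (the CSRF scenario above)
    carries a different state and is rejected, so it is never exchanged.
    """
    expected = make_state(session_secret)
    got = query.get("state", "")
    if not isinstance(got, str) or not got.isascii():
        return None
    if not hmac.compare_digest(expected, got):
        return None  # state mismatch: code was issued for a different session
    return query.get("code")
```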

Other vulnerabilities found in OAuth deployments include the possibility of XSS (cross-site scripting) via the redirect_uri parameter, and the reuse of an OAuth authorization code to issue multiple access tokens. These vulnerabilities are less common than those described above, but that does not make them any less dangerous. The developer must know all the practices needed to ensure the reliable operation of their web application.

Author of the translated article: Simon Saliba.

Important! The information is provided for educational purposes only. Please comply with the law and do not use this information for illegal purposes.
