欢迎来到天天文库
浏览记录
ID:33941375
大小:1.34 MB
页数:34页
时间:2019-03-01
《20130914_pdf_pub_OAuth-2.0_security_case_review.pdf》由会员上传分享,免费在线阅读,更多相关内容在学术论文-天天文库。
1、OAuth2.0安全案例回顾HorseLuke版本改动记录Ver0.0.1/2013-09-13初版,发表于乌云知识库:http://drops.wooyun.org/papers/598发表时有改动分段方法Ver0.0.1/2013-09-14初版,根据原版调整成PDF主要是分页和排版1/34目录一、背景................................................................................................
2、...................................................................................3二、OAuth2.0的安全焦点......................................................................................................................................................4
3、(1)尽量适应多个场景授权:场景复杂化下增加了攻击点.....................................................................................4(A)AuthorizationCodeGrant(授权code许可)..............................................................................................5(B)Impli
4、citGrant(隐式许可)...........................................................................................................................7(C)ResourceOwnerPasswordCredentialsGrant(资源所有者密码凭据许可;XAuth即为此类)...............9(2)简化和不作强制要求:落空的开发者保安全愿望.........
5、..................................................................................10三、攻陷应用方的账号体系.................................................................................................................................................113.1、当授权
6、用于认证时的不当参数选择或无验证机制............................................................................................113.2、针对应用方csrf劫持第三方账号......................................................................................................................
7、..133.3、更猥琐的针对应用方csrf劫持第三方账号:应用方授权动作本身的csrf+平台方的登录漏洞…..............153.4、账号体系的固有逻辑缺陷利用............................................................................................................................19四、攻击平台方的账号和资源体系.......................
8、..............................................................................................................214.1、ImplicitGrant场景的无奈(response_type=token)..........................................................................................214.1
此文档下载收益归作者所有
点击更多查看相关文章~~
