OAuth2 and CSRF attack


I am currently studying OAuth2 implementations and I want to understand the CSRF attack.

The explanation is very good, in this diagram https://image.slidesharecdn.com/owasp-nulloauth2-160803124628/95/oauth-20-security-considerations-11-638.jpg?cb=1470228518 or this video https://www.youtube.com/watch?v=_xrhWLqX1j0, but I don't understand the goal.

In the end, my account will have access to the attacker's account; I cannot get data from it, and vice versa. Am I right? What does the attacker gain from this?

Thanks for your answers,

Several other answers (e.g. - and this) explain the background of state and how it prevents CSRF.

It is best to refer to what the creators of the specification provide. RFC6810 - OAuth 2.0 Threat Model and Security Considerations contains many threats and countermeasures for OAuth 2.0. In it, Threat: CSRF Attack against redirect-uri gives a comprehensive overview of this threat. Here is an excerpt:

An attacker could authorize an authorization "code" to their own protected resources on an authorization server. He then aborts the redirect flow back to the client on his device and tricks the victim into executing the redirect back to the client. The client receives the redirect, fetches the token(s) from the authorization server, and associates the victim's client session with the resources accessible using the token.

Now the client holds a token that belongs to the attacker. No, the attacker will not be able to access anything belonging to the client on the resource server. But if the client performs a store operation (e.g. document creation), it will be sent to the malicious party. The malicious party now gains access to those newly created resources. This is highlighted as follows:

The effective impact depends on the type of resource accessed. For example, the user may upload private items to an attacker's resources. Or, when using OAuth in 3rd-party login scenarios, the user may associate his client account with the attacker's identity at the external Identity Provider. In this way, the attacker could easily access the victim's data at the client by logging in from another device with his credentials at the external Identity Provider.

So basically the threat concerns new data created on the resource server.
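As an added illustration (not part of the original answer), here is a minimal Python sketch of the state binding the answers above refer to: the client mints a state tied to its own browser session and refuses any redirect, such as one carrying the attacker's code, that does not present it. The session layout and the sample codes are constructed.

```python
import hmac
import secrets

# Illustrative client-side handling of the OAuth2 "state" parameter.
# `sessions` stands in for the client's server-side session store, keyed by
# the browser session id (a hypothetical, simplified layout).

def begin_authorization(sessions: dict, session_id: str) -> dict:
    """Mint an unguessable state, bind it to this session and return the
    redirect query parameters (client_id, redirect_uri, scope omitted)."""
    state = secrets.token_urlsafe(32)
    sessions.setdefault(session_id, {})["oauth_state"] = state
    return {"response_type": "code", "state": state}

def handle_redirect(sessions: dict, session_id: str, params: dict) -> str:
    """Validate the redirect arriving at the client's redirect_uri and return
    the code to exchange. Raises ValueError when the redirect was not started
    by this session, i.e. the victim was tricked into loading a redirect that
    carries the attacker's own code."""
    # pop, not get: any callback consumes the pending state, so replays fail too
    expected = sessions.get(session_id, {}).pop("oauth_state", None)
    received = params.get("state")
    if expected is None or received is None:
        raise ValueError("no pending authorization bound to this session")
    if not hmac.compare_digest(expected.encode(), str(received).encode()):
        raise ValueError("state mismatch: redirect not started by this session")
    if "code" not in params:
        raise ValueError("authorization response carries no code")
    return params["code"]

def redirect_is_accepted(sessions: dict, session_id: str, params: dict) -> bool:
    """True only when handle_redirect would go on to exchange the code."""
    try:
        handle_redirect(sessions, session_id, params)
        return True
    except ValueError:
        return False

def simulate() -> dict:
    """Constructed walk-through of the thread's scenario: the attacker holds a
    code for their own account and tries to make the victim's session use it."""
    sessions, victim, forged = {}, "victim", {"code": "ATTACKER-CODE"}
    out = {"no_pending_auth": redirect_is_accepted(sessions, victim, forged)}
    begin_authorization(sessions, victim)      # victim starts a real login
    out["missing_state"] = redirect_is_accepted(sessions, victim, forged)
    own = begin_authorization(sessions, victim)  # fresh attempt; state lives only in the session
    out["legit"] = redirect_is_accepted(
        sessions, victim, {"code": "VICTIM-CODE", "state": own["state"]})
    return out
```

A real client would additionally check that the redirect reached the registered redirect_uri and exchange the code over the back channel; the state check is what ties the callback to the user who actually started the flow.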