CN115189924B - OAuth2.0 open redirection vulnerability detection method and system - Google Patents
OAuth2.0 open redirection vulnerability detection method and system
- Publication number: CN115189924B (application CN202210712266.3A)
- Authority: CN (China)
- Prior art keywords: callback, parameter, parameters, open, vulnerability
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D30/00—Reducing energy consumption in communication networks
- Y02D30/50—Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
An OAuth2.0 open redirection vulnerability detection method and system, characterized in that the method comprises the following steps: Step 1, inspect the URI fields in the API interfaces of third parties authorized via OAuth2.0, and discover and record all callback parameters involved; Step 2, based on a predefined callback parameter table, match the types of all callback parameters obtained in Step 1, and replace the parameter values of the callback parameters according to the matching results; Step 3, simulate a user request to call the API interface whose parameters have been replaced, and detect vulnerabilities in the API interface based on the response to that call. The method of the present invention is simple and effective, and can fundamentally detect the problem of URI parameters being modified during the open redirection process, thereby enabling the remediation and prevention of the vulnerability.
Description
Technical Field
The present invention relates to the field of integrated circuits, and more specifically to a method and system for detecting OAuth2.0 open redirection vulnerabilities.
Background
At present, in the complex network ecosystem centered on open platforms, RESTful APIs are the main type of Web API, yet RESTful APIs face serious security threats in their OAuth 2.0-based authorization. When Web APIs are used to integrate various Web-based Internet services, the resulting integrated services usually involve complex design and implementation scenarios in both their functions and their protocol flows. It is precisely this complexity that introduces new security threats at the boundaries where the original Web systems interact. In the prior art, Web API vulnerability mining concentrates mainly on logic vulnerabilities. The main security problems of RESTful APIs include abuse of interfaces to consume system resources, data leakage, forgery or tampering of data, and cloning of applications.
The OAuth 2.0 protocol is designed to provide an open standard for authorization. It lets a user grant a third-party application limited access to the user's data stored in another application without exposing information such as the user's username and password to the third-party application. As OAuth 2.0 has become one of the most popular frameworks, more and more websites adopt it for authorization in order to provide resource services. One of the most common uses is authorizing third-party login. When a user visits a website and chooses to log in with a third-party account, the website redirects the user to the server hosting that third-party account; the user supplies the account credentials to be verified by the third-party account server and consents to the authorization. After the third-party authorization server has verified the user's identity, it issues an authorization code and redirects the user back to the website, which can then exchange the authorization code for a token and thereby access the resources of the user's third-party account. However, even where the OAuth protocol is adopted, RESTful APIs still suffer from problems such as redirect_uri being bypassed, or being attacked and modified. When redirect_uri is bypassed, the OAuth token can be hijacked, leading to the serious problem of user account hijacking.
At present, mainstream redirect_uri anomaly detection methods can usually only perform detection by using the open redirection itself: users are lured to the URL of a trusted site and then redirected to a new site. Such a method ultimately checks whether the new site is a legitimate website, and on that basis judges whether the open redirection function is abnormal.
However, this approach cannot fundamentally determine whether an open redirection mechanism is safe. Specifically, an attacker may alter where the parameters of the callback URI point, forge a callback URI that targets the attacker's own address, and send the forged user authorization link to a target user. When the target user clicks the forged link and authorizes the login, the server sends the user's credential to the attacker, who can then use it to log in to the user's account. In the prior art there is also a more threatening variant of this modification: by altering redirect_uri during a third party's API-based login process, an attacker can obtain an unused authorization code. In that case the attacker may not change redirect_uri to the attacker's own address; instead, in order to attack the third-party website, the attacker changes redirect_uri to a URI within another third-party website that has the same origin as the original address, and thereby carries out the attack. In this situation, considering only whether the website address is legitimate cannot adequately prevent or avoid the threat that modified redirect_uri parameters pose to the website.
To address the above problems, the present invention provides a new OAuth2.0 open redirection vulnerability detection method and system.
Summary of the Invention
To remedy the shortcomings of the prior art, the purpose of the present invention is to provide a method and system for detecting OAuth2.0 open redirection vulnerabilities which inspects the URI fields of API interfaces to find URI callback parameters, modifies the URI according to preset callback parameter types and replacement rules, and performs vulnerability detection on the API interface through a new user request.
The present invention adopts the following technical solution.
A first aspect of the present invention relates to a method for detecting OAuth2.0 open redirection vulnerabilities, wherein the method comprises the following steps: Step 1, inspect the URI fields in the API interfaces of third parties authorized via OAuth2.0, and discover and record all callback parameters involved; Step 2, based on a predefined callback parameter table, match the types of all callback parameters obtained in Step 1, and replace the parameter values of the callback parameters according to the matching results; Step 3, simulate a user request to call the API interface whose parameters have been replaced, and detect vulnerabilities in the API interface based on the response to that call.
Preferably, the callback parameters include at least the redirect_uri parameter and the destination parameter.
Preferably, the predefined callback parameter table includes not only the predefined callback parameter types, but also the mapping between the relevant parameters of the API interface and the callback parameter types, and the mapping between callback parameter types and replacement parameter values.
Preferably, in Step 2 the parameter values of the callback parameters are replaced according to the mapping between callback parameter types and replacement parameter values in the callback parameter table.
Preferably, the user generating the user request is an authorized user of the platform who is permitted to access authorized third parties via OAuth2.0; the user request corresponds to a call to the authorized third party's API interface whose parameters have been replaced.
Preferably, the platform is one that grants third-party applications authorized access based on OAuth2.0 and includes an OAuth2.0 server.
Preferably, when the response to the call is inconsistent with the response obtained before the parameter value was replaced, it is determined that the parameter value has been replaced and that the API interface contains a vulnerability.
Preferably, the authorization code in the user request is obtained by: intercepting HTTP traffic via an ARP attack and parsing the plaintext authorization code from that traffic; or forging the HTTP Referer to obtain the authorization code; or intercepting HTTP traffic with Burp Suite to obtain an unused authorization code.
A second aspect of the present invention relates to a system for detecting OAuth2.0 open redirection vulnerabilities, wherein the system is implemented using the detection method described in the first aspect of the present invention.
The beneficial effect of the present invention is that, compared with the prior art, the OAuth2.0 open redirection vulnerability detection method and system of the present invention inspect the URI fields of API interfaces to find URI callback parameters, modify the URI according to preset callback parameter types and replacement rules, and perform vulnerability detection on the API interface through a new user request. The method of the present invention is simple and effective, and can fundamentally detect the problem of URI parameters being modified during the open redirection process, thereby enabling the remediation and prevention of the vulnerability.
Description of the Drawings
Figure 1 is a schematic diagram of the steps of the OAuth2.0 open redirection vulnerability detection method of the present invention.
Detailed Description
The present application is further described below with reference to the accompanying drawings. The following embodiments serve only to illustrate the technical solution of the present invention more clearly and do not limit the scope of protection of the present application.
Figure 1 is a schematic diagram of the steps of the OAuth2.0 open redirection vulnerability detection method of the present invention. As shown in Figure 1, the method comprises Steps 1 to 3.
Step 1: inspect the URI fields in the API interfaces of third parties authorized via OAuth2.0, and discover and record all callback parameters involved.
First, in order to modify the actual values of the relevant callback parameters in the URI field, the method of the present invention must first determine which callback parameters exist in the API interface.
Specifically, in the prior art most Internet services are implemented through cooperation between an open platform and third parties. Services implemented in this way reduce the complexity of writing third-party application code and also bring the open platform's users into the third-party application. For the open platform, it becomes easier to offer users a variety of customized services.
Usually, the open platform defines API rules and provides API interfaces for third-party applications to call, thereby connecting the business and admitting users.
However, because the security of API interfaces is limited, today's mainstream open platforms generally use OAuth2.0 to authenticate users and to handle user requests to access third-party applications. The method of the present invention detects precisely the risks present in this process.
Specifically, to access a third-party application the user obtains an authorization code from the open platform, and thereby the redirection address or field that the third-party application sent to the open platform, which in the present invention is redirect_uri, where uri stands for Uniform Resource Identifier. In this process, when the user's client calls back the URI, if the parameter content of the URI has been tampered with, the response to the user's callback may be abnormal.
Therefore, to detect whether any parameter content in the URI has been tampered with, the present invention simulates the tampering process and thereby detects the vulnerability. To simulate the tampering of URI parameters, Step 1 first extracts all callback parameters from the URI of the API interface. A scanner commonly used in the prior art can be used for this extraction.
Preferably, the callback parameters include at least the redirect_uri parameter and the destination parameter.
In the present invention, the set of callback parameters can be determined from the content of the API interfaces provided by the open platform. Generally, however, the URI may include callback parameters such as the redirection website address parameter redirect_uri and the intrusion detection destination address parameter destination.
Step 2: based on the predefined callback parameter table, match the types of all callback parameters obtained in Step 1, and replace the parameter values of the callback parameters according to the matching results.
Preferably, the predefined callback parameter table includes not only the predefined callback parameter types, but also the mapping between the relevant parameters of the API interface and the callback parameter types, and the mapping between callback parameter types and replacement parameter values.
Note that the callback parameter table of the present invention can be stored as a txt file. This file contains not only all callback parameters included in the open platform's various API interfaces, but also the type of each callback parameter and the preset parameter value that will replace the callback parameter's value once that parameter is found.
Moreover, the callback parameter name, the API interface it belongs to, the callback parameter type and the preset replacement value can be recorded in one-to-one correspondence. This callback parameter table can then be used for the subsequent replacement of callback parameter values and for the detection method of the present invention.
Preferably, in Step 2 the parameter values of the callback parameters are replaced according to the mapping between callback parameter types and replacement parameter values in the callback parameter table.
In the present invention, the replacement of parameter values in the various callback parameters is carried out precisely according to the correspondence recorded in the txt file.
Step 3: simulate a user request to call the API interface whose parameters have been replaced, and detect vulnerabilities in the API interface based on the response to that call.
In the present invention, once the parameter values of the callback parameters have been replaced, vulnerability detection can be carried out.
Preferably, the user generating the user request is an authorized user of the platform who is permitted to access authorized third parties via OAuth2.0; the user request corresponds to a call to the authorized third party's API interface whose parameters have been replaced.
The present invention first simulates a user request. The request may come from a real user of the third-party platform, or from a simulation of a real user implemented with prior-art methods. If a real user is simulated, the present invention must first obtain the authorization code that the open platform issues to the user.
With the user's authorization code, the user can ask the open platform to connect the client to the third-party application. While connecting to the third-party platform, the user uses the callback parameters provided by the open platform; if a callback parameter has been replaced, the URL returned to the user by the open platform will be affected, or at the very least will differ from the URL returned before the callback parameter was replaced. This difference is not limited to addresses of different origins; it also covers different addresses under the same origin.
Preferably, the platform is one that grants third-party applications authorized access based on OAuth2.0 and includes an OAuth2.0 server. The platform referred to here is the open platform described above, which includes at least an OAuth2.0 server to admit third-party applications.
Preferably, when the response to the call is inconsistent with the response obtained before the parameter value was replaced, it is determined that the parameter value has been replaced and that the API interface contains a vulnerability.
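The three steps above, together with the txt-file callback parameter table from Step 2, as an added worked example; this is not the patent's own code or scanner. It runs Step 1 (find callback parameters in an API URI), Step 2 (substitute values from a constructed table) and Step 3 (call before and after, compare) against an in-process stand-in for the authorization endpoint, once with a loose same-origin redirect_uri check and once with an exact-match check. All URLs, the client registration, the table layout and the function names are assumptions for illustration. One caveat a practitioner would want is built in: a rejection (HTTP 400) also differs from the baseline response, so the comparison flags the interface only when the mutated call is actually redirected to the substituted callback value, not merely when the responses differ.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed callback parameter table in the one-to-one txt layout the
# description suggests (name | API interface | type | replacement value).
# The replacement is a same-origin URI that was never registered, which is
# the case singled out in the background section.
CALLBACK_TABLE_TXT = """\
# name        | API interface      | type     | replacement value
redirect_uri  | /oauth2/authorize  | redirect | https://client.example/other-path
destination   | /oauth2/authorize  | redirect | https://client.example/other-path
"""


def load_callback_table(text):
    """Parse the txt table into {(api_path, name): (type, replacement)}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, api, ptype, value = (f.strip() for f in line.split("|"))
        table[(api, name)] = (ptype, value)
    return table


def find_callback_params(api_uri, table):
    """Step 1: record every query parameter the table lists as a callback
    parameter of this API interface, together with its current value."""
    parts = urlsplit(api_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {n: v for n, v in query.items() if (parts.path, n) in table}


def substitute(api_uri, table):
    """Step 2: rebuild the URI with each matched callback parameter's value
    replaced by the replacement value recorded in the table."""
    parts = urlsplit(api_uri)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    for name in find_callback_params(api_uri, table):
        query[name] = table[(parts.path, name)][1]
    return urlunsplit(parts._replace(query=urlencode(query)))


# --- constructed in-process stand-in for an OAuth2.0 authorization server ---
REGISTERED = {"client-1": "https://client.example/oauth/callback"}  # assumed


def weak_validator(client_id, uri):
    """Accepts any URI on the registered origin: the loose check that lets a
    same-origin but unregistered redirect_uri through."""
    registered = REGISTERED.get(client_id)
    if registered is None:
        return False
    reg, got = urlsplit(registered), urlsplit(uri)
    return (reg.scheme, reg.netloc) == (got.scheme, got.netloc)


def strict_validator(client_id, uri):
    """Accepts only an exact, character-for-character match with the
    registered redirect URI."""
    return REGISTERED.get(client_id) == uri


def mock_authorize(api_uri, validator):
    """Return (status, Location) the way the endpoint would. The code value
    is a constructed placeholder, not a real authorization code."""
    query = dict(parse_qsl(urlsplit(api_uri).query))
    target = query.get("redirect_uri") or query.get("destination")
    if not target or not validator(query.get("client_id", ""), target):
        return 400, None
    return 302, f"{target}?code=PLACEHOLDER_CODE&state={query.get('state', '')}"


def detect(api_uri, table, validator):
    """Step 3: call the interface before and after substitution and compare.
    The interface is flagged only when the mutated call is redirected to the
    substituted callback value; a 400 also differs from the baseline but
    means the check held."""
    path = urlsplit(api_uri).path
    replacements = {table[(path, n)][1] for n in find_callback_params(api_uri, table)}
    baseline = mock_authorize(api_uri, validator)
    mutated = mock_authorize(substitute(api_uri, table), validator)
    followed = mutated[0] == 302 and any(mutated[1].startswith(r) for r in replacements)
    return {"baseline": baseline, "mutated": mutated, "vulnerable": followed}


if __name__ == "__main__":
    table = load_callback_table(CALLBACK_TABLE_TXT)
    api = ("https://auth.example/oauth2/authorize?response_type=code&client_id=client-1"
           "&redirect_uri=https://client.example/oauth/callback&state=xyz")
    for label, validator in (("weak", weak_validator), ("strict", strict_validator)):
        print(label, detect(api, table, validator))
```

Against the weak validator the mutated call is redirected to the same-origin replacement and the interface is flagged; against the exact-match validator the mutated call is rejected with 400 and the interface passes. Replacing `mock_authorize` with a real HTTP call to an endpoint you own, and reading the `Location` header, turns this into the scan the description outlines.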
优选的,用户请求中授权码的获取方式为:基于ARP攻击拦截HTTP流量,并从HTTP流量中解析明文授权码;或者,伪造HTTP REFERER以获取授权码;或者,基于burpsuite截取HTTP流量,以获取未使用过的授权码。Preferably, the method for obtaining the authorization code in the user request is: intercepting HTTP traffic based on ARP attack and parsing the plaintext authorization code from HTTP traffic; or, forging HTTP REFERER to obtain the authorization code; or, intercepting HTTP traffic based on burpsuite to obtain an unused authorization code.
本发明中,为了实现对于用户请求的模拟,可以采用多种不同的方式实现授权码的获取。该授权码获取过程中,可以采用上文中提到的一种或多种获取授权码的方式来实现模拟的非真实用户的请求被开放平台所接受。In the present invention, in order to simulate user requests, multiple different methods can be used to obtain the authorization code. In the process of obtaining the authorization code, one or more of the methods of obtaining the authorization code mentioned above can be used to realize that the simulated non-real user's request is accepted by the open platform.
如果本发明的方法发现了API接口中有相关的uri参数被更改,就可以将这种被修改的参数,以及相关信息,例如修改的内容,对应的API接口等记录到数据库中,已备后续对于API接口安全性的改进。If the method of the present invention finds that the relevant uri parameters in the API interface have been changed, the modified parameters and related information, such as the modified content, the corresponding API interface, etc., can be recorded in the database for subsequent follow-up. Improvements to API interface security.
本发明一个实施例中,选取了6个能够提供第三方登录的服务平台商进行实验,分别为腾讯QQ、微信、新浪微博、百度、人人和豆瓣。在前500的中文网站中进行预筛选,有233个网站实现了针对上述6个开放平台的第三方登录服务。故本发明实施例中就是基于这233个网站进行账户劫持攻击实验的。In one embodiment of the present invention, six service platform providers capable of providing third-party login were selected for experiments, namely Tencent QQ, WeChat, Sina Weibo, Baidu, Renhe and Douban. After pre-screening among the top 500 Chinese websites, 233 websites implemented third-party login services for the above-mentioned 6 open platforms. Therefore, in the embodiment of the present invention, the account hijacking attack experiment is conducted based on these 233 websites.
授权劫持实验需满足以下条件:Authorization for hijacking experiments must meet the following conditions:
(1)redirect_uri是否可修改是根据自动化扫描系统的OAuth Callback模块在检测过程中判定的。(1) Whether redirect_uri can be modified is determined during the detection process based on the OAuth Callback module of the automated scanning system.
(2)本发明中通过拦截HTTP流量或者插入图片获取授权码。在拦截HTTP流量窃取授权码的方式中,当redirect_uri的参数值被修改为一个使用HTTP协议进行通信的网站时,攻击者在同一局域网通过ARP(Address Resolution Protocol,地址解析协议)攻击来拦截任何发送至目标站点的流量,从而从拦截的流量中解析出授权码。在插入图片的方式中,访问一个插入图片的网站会发送两次请求,攻击者可以发出插入远程图片请求,并将该请求发送到远程服务器上,从而通过Referer获得授权码。另外,由于授权码与当前会话之间具有绑定关系,因此本发明中还可以通过使用burpsuite截取流量,从而获得未使用过的授权码,然后利用授权码重新构造新的请求,判断是否能够成功登录。(2) In the present invention, the authorization code is obtained by intercepting HTTP traffic or inserting pictures. In the method of intercepting HTTP traffic and stealing authorization codes, when the parameter value of redirect_uri is modified to a website that uses the HTTP protocol for communication, the attacker intercepts any sent messages through an ARP (Address Resolution Protocol) attack on the same LAN. traffic to the target site, thereby parsing the authorization code from the intercepted traffic. In the method of inserting pictures, visiting a website that inserts pictures will send two requests. The attacker can issue a request to insert a remote picture and send the request to the remote server to obtain the authorization code through the Referer. In addition, since there is a binding relationship between the authorization code and the current session, the present invention can also use burpsuite to intercept traffic to obtain an unused authorization code, and then use the authorization code to reconstruct a new request to determine whether it can be successful. Log in.
这是因为,API接口中的各种回调参数,例如redirect_uri等可被修改的原因大多是因为开发者在开发API接口的过程中未对授权跳转目录进行严格限制。当redirect_uri可被攻击者修改时,攻击者通常会将跳转地址修改为一个使用HTTP协议的网站,故理论上攻击者能够获得授权码的API接口的比例与存在OAuth Callback漏洞的API接口的比例大致相同。另外,网站能够嵌入远程图片的主要原因是网站未对外来图片源进行设置。This is because the reason why various callback parameters in the API interface, such as redirect_uri, can be modified is mostly because the developer did not impose strict restrictions on the authorized jump directory during the development of the API interface. When the redirect_uri can be modified by an attacker, the attacker usually changes the jump address to a website using the HTTP protocol. Therefore, theoretically, the proportion of API interfaces where the attacker can obtain authorization codes and the proportion of API interfaces with OAuth Callback vulnerabilities Much the same. In addition, the main reason why the website can embed remote images is that the website has not set up external image sources.
实现自动化漏洞扫描框架后,利用其中的OAuth Callback检测模块对一些网站进行检测,在该实施例中,发明者成功的发现很多网站的第三方登录的RESTful API的redirect_uri可以被修改,进而发现有些网站存在账户劫持的风险。除此之外,该实施例还能够实现两种不同的OAuth Callback扫描的运行方式,一种是通过命令行直接运行,另一种是通过Web界面进行操作。最终,本发明方法不仅实现了为开发人员在进行RESTful API的开发时检测当前RESTful API是否存在漏洞,而且还实现了线上的API接口的漏洞检测,大幅提高了API接口的安全性从而降低不必要的损失。After implementing the automated vulnerability scanning framework, the OAuth Callback detection module was used to detect some websites. In this example, the inventor successfully discovered that the redirect_uri of the RESTful API of third-party logins of many websites could be modified, and then discovered that some websites There is a risk of account hijacking. In addition, this embodiment can also implement two different running modes of OAuth Callback scanning, one is to run directly through the command line, and the other is to operate through the web interface. Finally, the method of the present invention not only enables developers to detect whether there are vulnerabilities in the current RESTful API when developing RESTful APIs, but also realizes vulnerability detection of online API interfaces, greatly improving the security of the API interface and reducing the risk of inaccuracies. necessary losses.
表1和表2为上述实施例的检测结果。如表1所示,现有技术中绝大多数68.67%的网站存在着OAuth Callback的漏洞,同时这些网站也能够被攻击者轻易的获取用户的授权码。另外存在12.87%的网站能够被通过嵌入远程图片的方式被攻击者获取授权码,另外,也有约60%左右的用户存在授权码未绑定当前会话的问题。综上,根据各种不同的方式获取授权码,并被攻击者实施并完成账户劫持攻击的网站,占所有网站的约45.49%,这一个数量还是非常多的。因此,本发明中的这种漏洞检测方法,能够使得开放平台或第三方应用网站及时的发现授权过程中发生的问题,以及代码的漏洞,从而实现了漏洞的修补和改进。Table 1 and Table 2 show the test results of the above embodiments. As shown in Table 1, the vast majority of 68.67% of websites in the existing technology have OAuth Callback vulnerabilities. At the same time, these websites can also be easily obtained by attackers to obtain user authorization codes. In addition, 12.87% of websites can be used by attackers to obtain authorization codes by embedding remote images. In addition, about 60% of users have the problem that authorization codes are not bound to the current session. To sum up, the number of websites that obtain authorization codes through various methods and are implemented and completed account hijacking attacks by attackers accounts for about 45.49% of all websites, which is still a very large number. Therefore, the vulnerability detection method in the present invention can enable the open platform or third-party application website to promptly discover problems that occur during the authorization process and code vulnerabilities, thereby realizing the repair and improvement of vulnerabilities.
Table 1: redirect_uri detection results for 233 websites
The invention was also used to analyse different open platforms, namely six different service providers, to establish how far the callback parameter of the API each of them offers can be modified. Only two of the six providers reject every modified callback parameter produced by the detection method; the callback parameters of the other four platforms can all be modified. The popularity figures indicate how widely each platform is integrated as a third-party login provider by the top 500 websites examined in this work.
Table 2: account-hijacking analysis results for the 6 platforms
Compared with the prior art, the beneficial effect of the OAuth2.0 open-redirect vulnerability detection method and system of the invention is that it inspects the URI field of an API endpoint, locates the URI callback parameter, modifies that URI according to preset callback-parameter types and replacement methods, and issues a new user request carrying the modified URI, thereby detecting the vulnerability in the API endpoint. The method is simple and effective: it tests at the root whether the URI parameter can be modified during the open-redirect step, and so enables the vulnerability to be remedied and prevented.
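The following is an added example of the detection idea described above (locate the callback parameter, substitute it according to a set of replacement strategies, send the modified request, and check where the authorization code is sent); it is not the patent's own code. The list of callback parameter names, the attacker host `evil.example`, the registered callback `https://client.example/cb` and the three validation policies of the simulated authorization servers (`exact`, `prefix`, `contains_host`) are assumptions made so the example runs offline; against a live endpoint `scan()` would send each probe URL over HTTP and inspect the `Location` header instead of calling the in-process `send` function.

```python
"""Mutation-based check for an OAuth 2.0 open-redirect (callback) weakness.

Added example, not the patent's own code. The "authorization servers" below
are in-process simulations with assumed validation rules so that the scan
runs offline; on a live target, send() would issue the HTTP request and
return the status code and Location header.
"""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# Query-parameter names that commonly carry the callback (assumed list).
CALLBACK_PARAMS = ("redirect_uri", "redirect_url", "callback", "return_url", "next")
ATTACKER = "https://evil.example"  # assumed attacker-controlled host

REGISTERED = "https://client.example/cb"  # assumed registered callback
AUTHORIZE_URL = "https://idp.example/oauth/authorize?" + urlencode({
    "client_id": "demo-app", "response_type": "code",
    "redirect_uri": REGISTERED, "state": "s3cr3t"})  # constructed sample request


def find_callback_param(url):
    """Return (name, value) of the first callback-like query parameter, else None."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    for name in CALLBACK_PARAMS:
        if name in query:
            return name, query[name]
    return None


def mutations(registered):
    """Replacement values for the callback, keyed by replacement strategy."""
    p = urlsplit(registered)
    host = p.hostname or ""
    path = p.path.rstrip("/")
    return {
        "replace_host": ATTACKER + "/cb",
        "registered_host_as_subdomain": f"https://{host}.evil.example{path}",
        "registered_host_as_userinfo": f"https://{host}@evil.example{path}",
        "path_traversal": f"{registered}/../../go?u={quote(ATTACKER, safe='')}",
        "extra_query": f"{registered}?next={quote(ATTACKER, safe='')}",
        "scheme_downgrade": urlunsplit(("http", p.netloc, p.path, p.query, "")),
    }


def make_server(registered, rule):
    """Simulated /authorize endpoint; `rule` names the assumed validation policy."""
    def send(url):
        found = find_callback_param(url)
        value = found[1] if found else ""
        if rule == "exact":                 # what RFC 6749 / BCP expects
            ok = value == registered
        elif rule == "prefix":              # weak: startswith() on the string
            ok = value.startswith(registered)
        elif rule == "contains_host":       # weak: registered host appears anywhere
            ok = urlsplit(registered).hostname in value
        else:
            raise ValueError(rule)
        if not ok:
            return 400, None
        # Accepted: redirect to the supplied URI with the authorization code attached.
        p = urlsplit(value)
        q = parse_qsl(p.query, keep_blank_values=True) + [("code", "AUTHCODE123")]
        return 302, urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))
    return send


def without_code(location):
    """Drop the `code` parameter so the Location can be compared with the registered URI."""
    p = urlsplit(location)
    q = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True) if k != "code"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(q), ""))


def scan(authorize_url, send):
    """Substitute each mutation for the callback and report which ones leak the code.

    A strategy counts as a leak when the server answers with a redirect whose
    target (minus the code) is not exactly the registered callback.
    """
    found = find_callback_param(authorize_url)
    if found is None:
        return []
    name, registered = found
    parts = urlsplit(authorize_url)
    leaks = []
    for strategy, value in mutations(registered).items():
        q = [(k, value if k == name else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        probe = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(q), ""))
        status, location = send(probe)
        if status in (301, 302, 303, 307) and location and without_code(location) != registered:
            leaks.append(strategy)
    return leaks


def state_missing(authorize_url):
    """True when the request carries no `state`, so the returned code is not bound to the session."""
    return "state" not in dict(parse_qsl(urlsplit(authorize_url).query))


def demo():
    """Run the scan against all three simulated validation policies."""
    return {rule: scan(AUTHORIZE_URL, make_server(REGISTERED, rule))
            for rule in ("exact", "prefix", "contains_host")}


if __name__ == "__main__":
    for rule, leaks in demo().items():
        print(f"{rule:14s} -> {'no leak' if not leaks else ', '.join(leaks)}")
    print("state bound to session:", not state_missing(AUTHORIZE_URL))
```

Only the `exact` policy survives every strategy; a `startswith()` check still accepts path traversal and extra query parameters, and a "host appears somewhere in the string" check additionally accepts the registered host placed as a subdomain or as userinfo of the attacker's host, plus a scheme downgrade. The `state_missing()` check covers the separate finding that a code not tied to the session can be replayed by a third party.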
The applicant has explained and described embodiments of the invention in detail with reference to the accompanying drawings. Those skilled in the art should understand, however, that the embodiments above are merely preferred embodiments of the invention; the detailed description is only intended to help the reader understand the spirit of the invention and does not limit its scope of protection. On the contrary, any improvement or modification made on the basis of the inventive spirit of the invention falls within its scope of protection.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210712266.3A CN115189924B (en) | 2022-06-22 | 2022-06-22 | OAuth2.0 open redirection vulnerability detection method and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210712266.3A CN115189924B (en) | 2022-06-22 | 2022-06-22 | OAuth2.0 open redirection vulnerability detection method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115189924A CN115189924A (en) | 2022-10-14 |
CN115189924B true CN115189924B (en) | 2024-03-29 |
Family
ID=83515330
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210712266.3A Active CN115189924B (en) | 2022-06-22 | 2022-06-22 | OAuth2.0 open redirection vulnerability detection method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115189924B (en) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104363236A (en) * | 2014-11-21 | 2015-02-18 | 西安邮电大学 | Automatic vulnerability validation method |
CN104881603A (en) * | 2014-02-27 | 2015-09-02 | 腾讯科技(深圳)有限公司 | Method and apparatus for detecting webpage redirection vulnerabilities |
CN110266669A (en) * | 2019-06-06 | 2019-09-20 | 武汉大学 | A method and system for general detection and location of Java Web framework vulnerability attacks |
CN110472414A (en) * | 2019-07-23 | 2019-11-19 | 中国平安人寿保险股份有限公司 | Detection method, device, terminal device and the medium of system vulnerability |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8429751B2 (en) * | 2009-03-13 | 2013-04-23 | Trustwave Holdings, Inc. | Method and apparatus for phishing and leeching vulnerability detection |
US10387656B2 (en) * | 2016-03-21 | 2019-08-20 | Checkmarx Ltd. | Integrated interactive application security testing |
Timeline: 2022-06-22, CN202210712266.3A filed in China; granted as CN115189924B; status Active.
Non-Patent Citations (1)
Title |
---|
Qiu Yongzhe, "Common security problems of the OAuth 2.0 authorization protocol and remediation advice", 无线互联科技 (Wireless Internet Technology), no. 7, pp. 45-47 * |
Also Published As
Publication number | Publication date |
---|---|
CN115189924A (en) | 2022-10-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20240160683A1 (en) | Theft prevention for sensitive information | |
US11741185B1 (en) | Managing content uploads | |
CN112073400B (en) | Access control method, system, device and computing equipment | |
Fett et al. | A comprehensive formal security analysis of OAuth 2.0 | |
Chen et al. | Oauth demystified for mobile application developers | |
CN107135073B (en) | Interface calling method and device | |
Li et al. | Analysing the Security of Google’s implementation of OpenID Connect | |
CN110086822A (en) | The realization method and system of unified identity authentication strategy towards micro services framework | |
US8775524B2 (en) | Obtaining and assessing objective data ralating to network resources | |
US10225260B2 (en) | Enhanced authentication security | |
US8904521B2 (en) | Client-side prevention of cross-site request forgeries | |
US10778668B2 (en) | HTTP session validation module | |
US20100100950A1 (en) | Context-based adaptive authentication for data and services access in a network | |
WO2018014808A1 (en) | Network attack behaviour detection method and apparatus | |
US11770385B2 (en) | Systems and methods for malicious client detection through property analysis | |
JP2009003559A (en) | Computer system for single sign-on server, and program | |
Li et al. | Mitigating CSRF attacks on OAuth 2.0 and OpenID connect | |
US11539711B1 (en) | Content integrity processing on browser applications | |
Li et al. | Mitigating csrf attacks on oauth 2.0 systems | |
Li et al. | Your code is my code: Exploiting a common weakness in OAuth 2.0 implementations | |
CN115189924B (en) | OAuth2.0 open redirection vulnerability detection method and system | |
US20240365118A1 (en) | Authenticated secure audio calling and digitally signed metadata for integrity verification | |
US20160366172A1 (en) | Prevention of cross site request forgery attacks | |
US11275867B1 (en) | Content integrity processing | |
Jones et al. | OAuth 2.0 dynamic client registration protocol |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||