为什么oauth 2.0规范里 先后两次提交并验证redirect
耗子写了篇关于 oauth 的文章,其中第二个bug没有看懂。翻了原文又翻了规范,后来才想通。 原文是 Bug 2. Lack of redirect_uri validation on get-token endpoint 换token(指的是access token)的时候缺少重定向地址的校验。 OAuth 2.0的规范http://tools.
耗子写了篇关于 oauth 的文章,其中第二个bug没有看懂。翻了原文又翻了规范,后来才想通。
原文是 Bug 2. Lack of redirect_uri validation on get-token endpoint 换token(指的是access token)的时候缺少重定向地址的校验。
OAuth 2.0的规范 http://tools.ietf.org/html/rfc6749#div-4.1 也提到必须校验:
(E) The authorization server authenticates the client, validates the
authorization code, and ensures that the redirection URI
received matches the URI used to redirect the client in
step (C).
redirect_uri这个重定向地址是让第三方接收authorization code(授权码) 来换access token的。对于第三方而言,谁给它授权码谁就是合法用户,后续将与之建立http会话回吐用户的信息。所以一旦这个地址被攻击者改了,code就会被拦截,真正的用户被重定向到了攻击者的页面,正常流程因此中断;而攻击者就可以拿着code重新拼装好redirect_uri往浏览器里一贴,无需密码他就成了合法用户,完成了session劫持。
redirect_uri是如此敏感,有个办法可以在它leak(也就是被改掉)之后补救:第三方在换token的时候是拿着用户给的code,加上自己受信的redirect_uri一起提交给服务提供方做验证。如果之前服务提供方在前面返回code的时候,code是基于异常的redirect_uri计算出来的,那么这一步重新校验就可以知道两者不匹配。
Egor在这儿说redirect_uri应该是个常量,看了下各家都严格做了限定。国内的qq和豆瓣是固定用第三方注册时填写的地址;google是可以注册时填多个,但必须使用其中一个;github是必须使用注册时的地址,或该地址的子目录(因此给了攻击者机会)。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1386
52
The relationship between Bootstrap Table garbled and page encoding
Apr 07, 2025 pm 12:03 PM
Bootstrap Table garbled is usually because the page encoding is inconsistent with the table data encoding. To solve this problem, you need to make sure they are consistent. The specific steps include: checking page and table data encoding, setting page encoding, and verifying the encoding. If UTF-8 is used, the server should also support it. If it cannot be resolved, try using the JavaScript encoding library.
Can JS run without H5?
Apr 06, 2025 am 09:06 AM
Is JavaScript available to run without HTML5? The JavaScript engine itself can run independently. Running JavaScript in a browser environment depends on HTML5 because it provides the standardized environment required to load and execute code. The APIs and features provided by HTML5 are crucial to modern JavaScript frameworks and libraries. Without HTML5 environments, many JavaScript features are difficult to implement or cannot be implemented.
Unable to log in to mysql as root
Apr 08, 2025 pm 04:54 PM
The main reasons why you cannot log in to MySQL as root are permission problems, configuration file errors, password inconsistent, socket file problems, or firewall interception. The solution includes: check whether the bind-address parameter in the configuration file is configured correctly. Check whether the root user permissions have been modified or deleted and reset. Verify that the password is accurate, including case and special characters. Check socket file permission settings and paths. Check that the firewall blocks connections to the MySQL server.
Navicat's method to view MongoDB database password
Apr 08, 2025 pm 09:39 PM
It is impossible to view MongoDB password directly through Navicat because it is stored as hash values. How to retrieve lost passwords: 1. Reset passwords; 2. Check configuration files (may contain hash values); 3. Check codes (may hardcode passwords).
mysql cannot terminate the process
Apr 08, 2025 pm 02:48 PM
The kill command in MySQL sometimes fails because of the special process status and improper signal level. Methods to effectively terminate the MySQL process include: confirming the process status, using the mysqladmin command (recommended), using kill -9 with caution, checking system resources, and in-depth troubleshooting of error logs.
Centos stops maintenance 2024
Apr 14, 2025 pm 08:39 PM
CentOS will be shut down in 2024 because its upstream distribution, RHEL 8, has been shut down. This shutdown will affect the CentOS 8 system, preventing it from continuing to receive updates. Users should plan for migration, and recommended options include CentOS Stream, AlmaLinux, and Rocky Linux to keep the system safe and stable.
How to backup and restore database after mysql installation
Apr 08, 2025 am 11:45 AM
There is no absolutely optimal MySQL database backup and recovery solution, and it needs to be selected based on the amount of data, business importance, RTO and RPO. 1. Logical backup (mysqldump) is simple and easy to use, suitable for small databases, but slow and huge files; 2. Physical backup (xtrabackup) is fast, suitable for large databases, but is more complicated to use. The backup strategy needs to consider the backup frequency (RPO decision), backup method (data quantity and time requirement decision) and storage location (off-site storage is more secure), and regularly test the backup and recovery process to avoid backup file corruption, permission problems, insufficient storage space, network interruption and untested issues, and ensure data security.
Vue and Element-UI cascaded drop-down box remote search
Apr 07, 2025 pm 07:33 PM
The key to the efficient remote search cascading selection box is: a reasonable request strategy: load data on demand, avoid loading all data at once. Data processing: The data structure returned by the backend should be standardized, and error handling and loading status prompts should be done well. Performance optimization: Consider paging, caching and code optimization to improve loading efficiency.
