OAuth银河护卫队：保护您的组织免受OAuth应用程序攻击.pdf

1、#SECTORCA SecTorCAGuardians of the OAuth GalaxyDefending Your Organization from OAuth Application Attacks#SECTORCA SecTorCAMangatas TondangSecurity Researcher IIShrutiRanjitSenior Security Researcher#SECTORCA SecTorCAAgenda OAuth&OAuth Application Crash Course OAuth Application Abuse1.Consent Phishi

2、ng2.Crypto Mining3.Business Email Compromise(BEC)4.Spamming Operation Hunting Pointers Remediation Strategies Mitigation Strategies Conclusion(aka SecTor Sound Bytes)#SECTORCA SecTorCAOAuth&OAuth Application Crash Course#SECTORCA SecTorCAResource OwnerAuthorization ServerResource ServerAPIClient App

3、lication1.Authorizes3.Uses tokenSimple OAuth Protocol FlowOAuth Authorization Code FlowAccesses user data based on permissions associated with the applicationMicrosoft Entra ID#SECTORCA SecTorCAOAuth Application Characteristics123546771.Display name ApplicationDisplay Name2.Application(client)ID Uni

4、que Identifier for the Application3.Directory(tenant)ID Unique identifier for the Microsoft Entra ID instance4.Supported Account types Availability to other tenants5.Redirect URIs Location where the authorization server directs the user once the app is authorized and granted necessary tokens6.Certif

5、icates and Secrets Credentials that allow your confidential client applications to authenticate as itself,requiring no user interaction at runtime.7.API permissions Permissions-based access to resources for authorized users and client apps accessing APIs.#SECTORCA SecTorCAOAuth Application“Consent”O

6、perationUserpermissionsApppermissionsApppermissionsApplication consent request page to userDelegated permissionsApp-only permissionspermissions#SECTORCA SecTorCAOAuth Application AbuseConsent Phishing#SECTORCA SecTorCAConsent Phishing AttackTHREAT ACTORVICTIM1.TA compromises an admin account and cre