
This is a follow-up question to this one.

I'm using the latest Django OAuth2 Toolkit (0.10.0) with Python 2.7, Django 1.8 and Django REST framework 3.3.

Some background:
When authenticating, the client receives a new AccessToken that it uses every time it makes a new request to the server. This AccessToken is owned by the client and is transferred in the Authorization header with each request.

A simple test that I made was grabbing this access token from an authenticated client and sending it in the Authorization header of a simple HTTP request from a different machine.
The result was that this new "client" is now authenticated just like the original client, and it can make requests as it pleases.

So the issue is:
The access token is not bound to any form of client validation (like a session ID or client IP address). Anyone who can get/find/steal/look up the client's AccessToken can fake requests on behalf of this client.

I researched this issue a lot but I couldn't find anyone who addressed this matter. Maybe I'm doing something wrong in the form of authenticating the client? I would love some insights. Maybe it's a simple configuration, out-of-the-box solution that I missed.

Thanks!


1 Answer


This kind of attack is called a replay attack. This video by Professor Messer explains replay attacks.

Because of the transparency of the web browser, you cannot really implement anything on the client (browser) side to overcome this.

What you can do is implement digest authentication using a nonce.

In cryptography, a nonce is an arbitrary number that may be used only once.

A basic implementation looks like this.

  1. The user makes a request to the API server.
  2. The API server responds with HTTP 401 and a nonce in the WWW-Authenticate header [you have to keep track of the nonce] (a JWT carrying the nonce, set to expire in a small window, maybe 2 seconds or less, would be better and stateless).
  3. The client signs the request using the received nonce, a client nonce and the password, then calls the resource again.
  4. The API server verifies the signature and accepts the request if the signature is valid.
  5. An attacker captures the request and impersonates the user.
  6. Because the nonce has expired / is "used only once", the attacker's request is rejected.
answered 2016-06-08T08:31:48.087
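The six-step exchange from the answer, worked through in Python as an added example (this is not code from the answer, from Django OAuth Toolkit or from Django REST framework). It implements the "track the nonce" variant rather than the stateless JWT variant: the server keeps an in-memory nonce store with a 2-second TTL and single-use semantics, the client signs method, path, server nonce, client nonce and a hash of the body with HMAC-SHA256 under a shared secret, and the server verifies the signature before consuming the nonce. The `Signed` header scheme, the parameter names, the client id and the shared secret are all assumptions chosen for the example; the demo also shows two extra failure modes the list implies but does not spell out, a captured header moved to a different path, and a nonce used after its window has closed.

```python
import hashlib
import hmac
import secrets
import time

NONCE_TTL = 2.0  # seconds: the answer suggests a window of ~2 s or less

# Constructed sample data (assumption): one registered client and its shared secret.
CLIENT_SECRETS = {"client-123": b"s3cr3t-shared-only-with-server"}


class NonceStore:
    """Server-side bookkeeping: a nonce is valid for `ttl` seconds and may be consumed once."""

    def __init__(self, ttl=NONCE_TTL, clock=time.time):
        self.ttl = ttl
        self.clock = clock   # injectable so expiry can be exercised deterministically
        self._issued = {}    # nonce -> issue time
        self._used = set()

    def issue(self):
        nonce = secrets.token_hex(16)
        self._issued[nonce] = self.clock()
        return nonce

    def consume(self, nonce):
        """True exactly once for a known, unexpired nonce; False for unknown, stale or replayed."""
        issued_at = self._issued.get(nonce)
        if issued_at is None or nonce in self._used:
            return False
        if self.clock() - issued_at > self.ttl:
            return False
        self._used.add(nonce)
        return True


def canonical_string(method, path, nonce, cnonce, body):
    # Bind the signature to the whole request, not only the nonce, so captured
    # headers cannot be lifted onto another method, path or body.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, nonce, cnonce, body_hash]).encode()


def sign_request(secret, method, path, nonce, cnonce, body=b""):
    return hmac.new(secret, canonical_string(method, path, nonce, cnonce, body), hashlib.sha256).hexdigest()


def parse_auth(header):
    """Parse 'Signed k="v", k2="v2"' into a dict; None if the scheme is not ours."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Signed":
        return None
    params = {}
    for part in rest.split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params


class ApiServer:
    def __init__(self, clock=time.time):
        self.nonces = NonceStore(clock=clock)

    def handle(self, method, path, headers, body=b""):
        """Return (status, response_headers). Step 2 issues a nonce; step 4 verifies; step 6 rejects."""
        auth = headers.get("Authorization")
        if auth is None:
            return 401, {"WWW-Authenticate": 'Signed nonce="%s"' % self.nonces.issue()}
        p = parse_auth(auth)
        secret = CLIENT_SECRETS.get(p.get("client_id")) if p else None
        if secret is None:
            return 401, {}
        expected = sign_request(secret, method, path, p.get("nonce", ""), p.get("cnonce", ""), body)
        if not hmac.compare_digest(expected, p.get("sig", "")):
            return 401, {}
        # Signature is valid; the nonce must still be fresh. Replays and stale nonces fail here.
        if not self.nonces.consume(p.get("nonce", "")):
            return 401, {}
        return 200, {}


def client_request(server, client_id, secret, method, path, body=b""):
    """Steps 1 and 3: ask for a nonce, then sign and resend. Returns (status, signed_headers)."""
    status, hdrs = server.handle(method, path, {}, body)
    if status != 401 or "WWW-Authenticate" not in hdrs:
        return status, {}
    nonce = parse_auth(hdrs["WWW-Authenticate"])["nonce"]
    cnonce = secrets.token_hex(8)
    sig = sign_request(secret, method, path, nonce, cnonce, body)
    signed = {"Authorization": 'Signed client_id="%s", nonce="%s", cnonce="%s", sig="%s"'
              % (client_id, nonce, cnonce, sig)}
    status, _ = server.handle(method, path, signed, body)
    return status, signed


def run_demo():
    """Walk the exchange with a controllable clock; returns the status of each attempt."""
    now = [1000.0]
    server = ApiServer(clock=lambda: now[0])
    cid, secret = "client-123", CLIENT_SECRETS["client-123"]
    ok, captured = client_request(server, cid, secret, "GET", "/api/resource")   # legitimate client
    replay, _ = server.handle("GET", "/api/resource", captured)                  # step 5: verbatim replay
    moved, _ = server.handle("GET", "/api/admin", captured)                      # same header, other path
    _, hdrs = server.handle("GET", "/api/resource", {})                          # nonce signed too late
    stale = parse_auth(hdrs["WWW-Authenticate"])["nonce"]
    now[0] += NONCE_TTL + 1
    sig = sign_request(secret, "GET", "/api/resource", stale, "c0ffee")
    late, _ = server.handle("GET", "/api/resource", {"Authorization":
        'Signed client_id="%s", nonce="%s", cnonce="c0ffee", sig="%s"' % (cid, stale, sig)})
    return {"signed": ok, "replay": replay, "moved": moved, "expired": late}


if __name__ == "__main__":
    print(run_demo())  # {'signed': 200, 'replay': 401, 'moved': 401, 'expired': 401}
```

Two design points worth noting. The signature is checked before the nonce is consumed, so a third party who cannot sign cannot burn a client's outstanding nonce by sending garbage with it; and the server compares digests with `hmac.compare_digest`, not `==`. Whatever plays the role of the "password" in step 3 must never travel in the request itself, otherwise the scheme degrades back into the bearer-token situation the question describes.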