{"categories":["Web Security Academy","OAuth"],"html":"","version":"1.0","blog_title":"Shikata Ga Nai","width":"100%","provider_url":"https://hatena.blog","published":"2025-08-19 17:27:51","height":"190","image_url":null,"type":"rich","provider_name":"Hatena Blog","description":"Hello there, ('\u03c9')\u30ce \u306d\u3089\u3044 \u3053\u306eLAB\u306f\u3001OAuth\u30ed\u30b0\u30a4\u30f3\u306eredirect_uri\u691c\u8a3c\u306e\u4e0d\u5099\u3068\u3001\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\u306b\u3042\u308bpostMessage\u306e\u53d6\u308a\u6271\u3044\u30df\u30b9\u3092\u9023\u9396\u3055\u305b\u3066\u3001\u7ba1\u7406\u8005\uff08admin\uff09\u306e\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u3092\u596a\u3044\u3001/me API\u304b\u3089API\u30ad\u30fc\u3092\u76d7\u3080\u306e\u304c\u30b4\u30fc\u30eb\u3067\u3059\u3002 \u653b\u6483\u306e\u6838\u5fc3\u306f\u6b21\u306e2\u70b9\uff1a OAuth\u5074\uff1aredirect_uri\u306b\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30c8\u30e9\u30d0\u30fc\u30b5\u30eb\uff08../\uff09\u304c\u901a\u308b\u305f\u3081\u3001\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u304c\u4efb\u610f\u306e\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5185\u30da\u30fc\u30b8\u3078\u5e30\u3063\u3066\u304f\u308b\u3002 \u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u5074\uff1a/post/comment/comment-form \u304c window.location.href\uff08\uff1dURL\u30d5\u30e9\u30b0\u30e1\u30f3\u30c8\u306e#a\u2026","title":"\u3010\u6709\u6599\u8a66\u4f5c\u7248\u3011PortSwigger LAB\u89e3\u8aac\uff1aStealing OAuth access tokens via a proxy page\uff08\u30d7\u30ed\u30ad\u30b7\u30da\u30fc\u30b8\u7d4c\u7531\u3067OAuth\u30a2\u30af\u30bb\u30b9\u30c8\u30fc\u30af\u30f3\u3092\u596a\u53d6\uff09","author_url":"https://blog.hatena.ne.jp/ThisIsOne/","author_name":"ThisIsOne","blog_url":"https://cysec148.hatenablog.com/","url":"https://cysec148.hatenablog.com/entry/2025/08/19/172751"}