当前位置:首页 > 报告详情

回到未来:在智能体人工智能和集成平台中破解和保护基于连接的 OAuth 架构.pdf

上传人: 竿*** 编号:981899 2025-11-29 122页 13.25MB

1、#BHUSA BlackHatEventsBack to the Future:Hacking&Securing Connection-based OAuth Architecturesin Agentic AI&Integration PlatformsKaixuan Luo1,Xianbo Wang1,Adonis Fung2,Yanxiang Bi1,Wing Cheong Lau11 The Chinese University of Hong Kong2 Samsung Research America#BHUSA BlackHatEventsAbout usXianbo WangP

2、hD Candidate sanebowKaixuan LuoPhD Candidatekaixuanie.cuhk.edu.hkWing C.LauProfessorwclauie.cuhk.edu.hkAdonis FungDirector of Engineering,SYanxiang BiPhD Candidateby022ie.cuhk.edu.hk2#BHUSA BlackHatEventsBackground:Integration Platform,Agentic AI EcosystemOAuth-based delegation of Tool access by Use

3、rs to Integration Platforms&AI AgentsThe new OAuth-as-a-Service(OaaS)paradigm to ease 3rd-party Agent developmentsKey Concepts behind OaaS:Technical details of the non-standard,yet increasingly popular,Connection-based OAuthArchitectures for realizing OaaSClassic Web Attacks resurrected by Connectio

4、n-based OAuth:Cross-Agent/Cross-Tool/Cross-User Confused Deputy,Session Fixation,Open RedirectMitigations and the Intricacies required to get them right Real-World Impact:Case Study,Demo and EvaluationReflections and Summary:Key Takeaways3Agenda#BHUSA BlackHatEventsPreviously BHUSA24:the Pre-Agentic

5、 AI EraMicrosoftPower AutomateMany Tools(a.k.a.Integrations)Handful of Big-nameIntegration PlatformsUsers delegate Tool access/control to a handful of Integration Platforms built-by Big-name Service providers.BHUSA 24 Kaixuan Luo et al.One Hack to Rule Them All:Pervasive Account Takeovers in Integra

6、tion Platforms for Workflow Automation,Virtual Voice Assistant,IoT,&LLM Services.https:/ BlackHatEventsTrending:The Era of Agentic AIMany Tools(a.k.a.Integrations)In the Era of Agentic AI,many 3rd-party developers will build various Agents to serve their customers.Customers will delegate Tool access

word格式文档无特别注明外均可编辑修改,预览文件经过压缩,下载原文更清晰!
三个皮匠报告文库所有资源均是客户上传分享,仅供网友学习交流,未经上传用户书面授权,请勿作商用。
根据《Back to the Future:Hacking & Securing Connection-based OAuth Architectures in Agentic AI & Integration Platforms》一文,主要内容如下: 1. **OAuth-as-a-Service (OaaS)兴起**:OaaS简化了第三方代理的开发,但引入了新的安全风险。 2. **经典Web攻击复现**:由于OaaS架构,经典Web攻击(如混淆代理、会话固定、开放重定向)在连接式OAuth中再次出现。 3. **攻击场景**:包括跨代理/工具/用户混淆代理、会话固定、开放重定向等。 4. **漏洞实例**:发现16个漏洞实例,包括Power Platform、Copilot Studio、Azure Logic Apps等。 5. **安全影响**:可能导致工具账户未经授权的接管。 6. **解决方案**:建议开发者审查OAuth堆栈,OaaS提供商尽快修复问题。
AI平台安全危机?" "连接OAuth,AI安全漏洞再现?" AI平台安全风险大揭秘!"
客服
商务合作
小程序
服务号
折叠