这里存在的问题是,Microsoft Teams如何保证正确或有权限的用户才能查看到这些图片呢?如用户分享的图片应该只有互相才能看到,为此,Microsoft Teams增加了名为“authtoken”和“skypetoken_asm”的cookie来进行访问限制,如下图“authtoken”cookie所示:
上图中可以看到,“authtoken”cookie中包含了一个JWT形式的access token,它会被发送到*.teams.microsoft.com,该JWT的处理后端是api.spaces.skype.com,也即是说只有特定的域名才能接收该token。但api.spaces.skype.com只负责验证token,并不处理具体的消息发送请求,为此需要找到包含token的发起请求。
接下来,我们在Microsoft Teams聊天消息的网络交互中,找到了包含skypetoken,执行图片分享浏览的请求:
GET https://amer.ng.msg.teams.microsoft.com/v1/users/ME/conversations/19%3A...%40unq.gbl.spaces/messages?view=msnp24Equivalent|supportsMessageProperties&pageSize=200&startTime=1 HTTP/1.1
Host: amer.ng.msg.teams.microsoft.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
x-ms-session-id: 00000000000-0000-0000-0000-00000000000
BehaviorOverride: redirectAs404
x-ms-scenario-id: 00
x-ms-client-cpm: ApplicationLaunch
x-ms-client-env:
x-ms-client-type:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
ClientInfo:
Accept: json
Sec-Fetch-Dest: empty
x-ms-client-version:
x-ms-user-type: user
Authentication: skypetoken=eyJhbGciOiJSUzI1NiIsImtpZCI6IkVhc3RlckVnZyA6KSIsInR5cCI6IkpXVCJ9.eyJ...
Origin: https://teams.microsoft.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Referer: https://teams.microsoft.com/_
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
从上图中可以看到,要发起这么一个图片请求首先需要获取一个“skypetoken”,但如何来得到呢?在更深入的网络交互分析中,我们发现下面的POST请求即是创建“skypetoken”的请求:
POST /api/authsvc/v1.0/authz HTTP/1.1
Host: teams.microsoft.com
Connection: close
Content-Length: 0
Pragma: no-cache
Cache-Control: no-cache
x-ms-session-id: 00000000000-0000-0000-0000-00000000000
x-ms-scenario-id: 00
x-ms-user-type: user
x-ms-client-env:
x-ms-client-type:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6IktleXMiLCJraWQiOiJLZXlzRXZlcnlXaGVyZSJ9.eyJ...
Accept: application/json, text/plain, */*
X-Client-UI-Language: en-us
Sec-Fetch-Dest: empty
ms-teams-authz-type: TokenRefresh
x-ms-client-version:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 Safari/537.36
Origin: https://teams.microsoft.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Referer: https://teams.microsoft.com/_
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: {redacted}
域名劫持