Question

SSO bypass usually means that attackers can take over the accounts of others. Therefore, these vulnerabilities are of high severity before any escalation attempts. But you can escalate SSO bypass vulnerabilities by attempting to take over accounts with high privileges, such as admin accounts.

SSO 绕过通常意味着攻击者可以接管他人的帐户。因此，在任何升级尝试之前，这些漏洞的严重程度非常高。但是，您可以通过尝试接管高特权帐户（例如管理员帐户）来升级 SSO 绕过漏洞。

Also, after you’ve taken over the user’s account on one site, you can try to access the victim’s account on other sites by using the same OAuth credentials. For instance, if you can leak an employee’s cookies via subdomain takeover, see if you can access their company’s internal services such as admin panels, business intelligence systems, and HR applications with the same credentials.

此外，在接管了一个站点上的用户帐户后，您可以尝试使用相同的 OAuth 凭据访问受害者在其他站点上的帐户。例如，如果您可以通过子域接管泄漏员工的 cookie，请尝试使用相同的凭据访问其公司的内部服务，如管理员面板、商业智能系统和人力资源应用程序。

You can also escalate account takeovers by writing a script to automate the takeover of large numbers of accounts. Finally, you can try to leak data, execute sensitive actions, or take over the application by using the accounts that you have taken over. For example, if you can bypass the SSO on a banking site, can you read private information or transfer funds illegally? If you can take over an admin account, can you change application settings or execute scripts as the admin? Again, proceed with caution and never test anything unless you have obtained permission.

你也可以编写脚本自动接管大量账户，以提高账户接管的效率。最后，你可以使用接管的账户试图泄露数据、执行敏感操作或接管应用程序。例如，如果你可以绕过银行网站的 SSO，你能查看私人信息或非法转账吗？如果你能够接管管理员账户，你能够更改应用程序设置或作为管理员执行脚本吗？再次强调，必须谨慎行事，除非你已获得许可，否则不要测试任何东西。