$30 off During Our Annual Pro Sale. View Details »

脆弱なアプリを書く技術

akiym
October 31, 2014
Technology
11
8.5k

 脆弱なアプリを書く技術

Hokkaido.pm #12

補足: Mojo 5.48にて->paramの挙動が変更された

akiym

October 31, 2014
Tweet

More Decks by akiym

See All by akiym
CPAN Module Hacks
akiym
0
2.1k
Perlコーディングテクニック2018
akiym
0
10k
新時代のテストフレームワークTest2
akiym
2
18k
Hokkaido.pm#11
akiym
0
4.6k
Herokuで学ぶ、初めてのPerl
akiym
5
2.7k
Perl meets Leap Motion
akiym
0
1.4k
github止まり モジュール5選
akiym
0
1.3k
Skype効率化
akiym
1
1.5k

Other Decks in Technology

See All in Technology
Snowflake x Terraformに自動テストを導入した話
kddisnowvillage
0
160
GPT APIを使ったテキスト生成コンペ@YANS2023に参加した話
naohachi89
2
320
Kuma UIのこれまでとこれから
poteboy
5
3k
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
3
1.7k
イベント企画設計における「フロントエンド」な考え方とその魅力
kgsi
1
1.9k
SOLID Is Dead, Long Live SOLID
lemiorhan
2
180
新卒エンジニアでも技術的負債に向き合いたい!
smasato
1
1.7k
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
850
Oracle Cloud Infrastructure:2023年11月度サービス・アップデート
oracle4engineer
PRO
0
230
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
1.1k
急成長スタートアップにおける技術的負債とトレードオフ・スライダー / Technical Debt and Trade-off Sliders in Fast-Growing Startups
codenote
2
2.2k
お客様、そこは秘孔です!突かないでください! HTTP/2 Rapid reset の概要と対策
murachiakira
0
140

Featured

See All Featured
What's new in Ruby 2.0
geeforr
336
30k
What’s in a name? Adding method to the madness
productmarketing
PRO
14
2.3k
RailsConf 2023
tenderlove
0
340
Building Flexible Design Systems
yeseniaperezcruz
317
36k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
44
12k
Facilitating Awesome Meetings
lara
37
5.2k
How to Ace a Technical Interview
jacobian
272
22k
Building Your Own Lightsaber
phodgson
97
5.4k
Why Our Code Smells
bkeepers
PRO
329
56k
Clear Off the Table
cherdarchuk
81
300k
Build The Right Thing And Hit Your Dates
maggiecrowley
23
1.7k
Robots, Beer and Maslow
schacon
154
7.7k

Transcript

  1. ੬ऑͳΞϓϦΛॻٕ͘ज़
    BLJZN
    )PLLBJEPQN

    View Slide

  2. ࣗݾ঺հ
    w BLJZN
    w ϚΠϒʔϜ
    w $5'ͱ͍͏ηΩϡϦςΟͷڝٕͷΑ͏ͳ΋ͷ
    w ೔ຊͰ͸4&$$0/$5'ͱ͔

    View Slide

  3. View Slide

  4. View Slide

  5. $5'
    w SFWFSTJOH QXO
    w XFC
    w DSZQUP

    View Slide

  6. w ʮ੬ऑͳΞϓϦΛॻ͘ʯ
    w $5'ͷ໰୊Λղ͘ɺ࡞Δ্Ͱศརͳٕज़
    w ࣮ࡍʹ࡞੒ͨ͠໰୊Λྫʹղઆ
    w ͔ͤͬ͘ͳͷͰ1FSMʹߜͬͨ࿩

    View Slide

  7. IUUQDUGLBUTVEPOPSH

    View Slide

  8. View Slide

  9. PQFO') pMF

    View Slide

  10. w ૝ఆͱͯ͠͸༻ҙ͞ΕͨςΩετϑΝΠϧΛಡΉɺ
    ϑΝΠϧ໊Λࢦఆ͢Δ͜ͱͰ੾Γସ͑Δ
    w ·ͣઈରύεΛࢦఆ͞ΕΔͱˠFUDQBTTXE
    w ૬ରύεͰ΋ˠFUDQBTTXE
    w ࢦఆͰ͖ΔύεΛ੍ݶͰ͖ΔΑ͏ʹ͠ͳ͚Ε͹
    ͍͚ͳ͍

    View Slide

  11. w Ͱ΋·ͩ໰୊͕͋Δ
    w PQFO') pMF
    w pMFcDBUFUDQBTTXE
    w ೚ҙͷίϚϯυΛ࣮ߦՄೳ

    View Slide

  12. PQFONZGI pMFPSEJF

    View Slide

  13. 42-JOKFDUJPO

    View Slide

  14. "SELECT * FROM user WHERE name =
    '$name' AND pass = '$pass'"

    View Slide

  15. "SELECT * FROM user WHERE name =
    '' AND pass = '' OR 1=1--'"

    View Slide

  16. w ೝূͷಥഁ͚ͩͰ͸ͳ͘ʜ
    w ςʔϒϧɺΧϥϜ৘ใ͔Β%#ͷ಺༰ΛಘΔ
    w TRMJUF@NBTUFS JOGPSNBUJPO@TDIFNB
    w .Z42-Ͱ͋Ε͹ɺ-0"%@'*-&Ͱ೚ҙͷϑΝΠ
    ϧΛಡΈࠐΉ͜ͱ͕Ͱ͖ͨΓɺ*/50065'*-&
    ͰϑΝΠϧͷॻ͖ग़͕͠Ͱ͖Δ

    View Slide

  17. w ͍·͞Β42-JOKFDUJPO
    w ϓϨʔεϗϧμʔΛѻ͏৔߹ͳΒ҆શʁ
    w ͜Μͳ࿩΋ʜ

    View Slide

  18. +40/42-J

    View Slide

  19. View Slide

  20. w ΫΤϦϏϧλʹΑΔ42-ੜ੒
    w 42-JOKFDUJPO͸ൃੜ͠ͳ͍Α͏ʹݟ͑Δ͕ʜ
    w ΢ΣϒΞϓϦʹ͓͍ͯɺϢʔβʔ͔Βͷೖྗ͸

    จࣈྻͱͯ͠ѻΘΕΔ͕ɺ+40/Ͱσʔλͷड͚
    ౉͠Λ͢Δ͜ͱͰIBTISFGΛ౉͢͜ͱ΋Ͱ͖Δ
    w IBTISFGΛ౉ͨ͠ࡍͷΫΤϦϏϧλଆͷڍಈΛ

    ར༻ͨ͠42-JOKFDUJPO

    View Slide

  21. \OBNF\BBB^^
    4&-&$5'30.AVTFSA8)&3& AOBNFA
    03%&3#:VTFS@JE%&4$

    View Slide

  22. w ͜Ε͚ͩͰ΋ڴҖɺೝূͷಥഁ΍ςʔϒϧ಺ͷ

    ͢΂ͯͷϨίʔυΛऔಘ͞ΕΔڪΕ͕͋Δ
    w ࠷ѱͷέʔε͸ʁ

    View Slide

  23. w ໰୊
    w BLJDUGRTFBSDIFS
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-JUF
    w 42-.BLFSΛར༻ͨ͠੬ऑੑ

    View Slide

  24. ΰʔϧผςʔϒϧͷϢʔβʔ໊ͱύεϫʔυΛಘΔ

    ͜͜ʹ͸੬ऑੑ͸ͳ͍

    View Slide

  25. ;(

    View Slide

  26. w XIFSF۟Λ͢΂ͯࢦఆ͢Δ͜ͱ͕Ͱ͖Δ
    w ͜ΕͰԿ͕Ͱ͖Δ͔
    w %#ͷ಺༰ ͢΂ͯ
    ΛऔಘͰ͖Δ

    View Slide

  27. {
    "name": "a",
    "1\"=\"1\") union select sql,tbl_name,null from
    sqlite_master where (\"a": "a"
    }
    WHERE ("name" LIKE ?) AND ("1"="1") union select
    sql,tbl_name,null from sqlite_master where ("a"
    LIKE ?)
    ΧϥϜ໊͸Τεέʔϓ͞Εͳ͍

    View Slide

  28. w IUUQEFWFMPQFSTNPCBHFKQCMPH
    KTPOTRMJOKFDUJPO
    w IUUQCMPHLB[VIPPLVDPNUIF
    KTPOTRMJOKFDUJPOWVMOFSBCJMJUZIUNM
    w IUUQXXXTMJEFTIBSFOFULB[VIPKTPOTRM
    JOKFDUJPOBOEUIFMFTTPOTMFBSOFE

    View Slide

  29. ਖ਼نදݱ

    View Slide

  30. w ϢʔβʔͷೖྗΛਖ਼نදݱͷύλʔϯͱͯ͠ѻ͏
    w RVPUFNFUB
    ͰΤεέʔϓ͢Δ
    w Τεέʔϓ͍ͯ͠ͳ͍৔߹͸ʁ
    w ॏ͍ਖ਼نදݱΛॻ͔ΕΔ
    w FWBM

    View Slide

  31. \DPEF^

    View Slide

  32. w ҆͝৺Λ
    w FWJM \QSJOU
    ^
    dFWJM
    w ಈ͔ͳ͍
    w &WBMHSPVQOPUBMMPXFEBUSVOUJNF
    w VTFSFFWBMΛ͢Ε͹ಈ͘Α͏ʹͳΔ

    View Slide

  33. w QFSMҎ߱Ͱ͸ΑΓݫ͘͠
    w d \ʜͱॻ͍ͯ΋ಈ͔ͳ͘ͳͬͨ
    w །Ұ൵͍͠ͷ͸ʜ"DNF&ZF%SPQT
    w 1FSMͰه߸ͷΈϓϩάϥϛϯά͸ෆՄೳʹ

    View Slide

  34. use re 'eval';
    ''=~('('.'?'
    .'{'.( '`'|'%').("\["^
    '-').('`'| '!').('`'|',').'"'
    .('['^'+') .('['^ ')').('`'|')').('`'|
    '.').('['^'/').('{'^ '[').'\\'.'"'.('`'^'('
    ).('`'|'%').('`'|',') .('`'|',').('`'|('/')).
    ','.('{'^'[').('['^ ',').('`'|'/').('['^')').(
    '`'|',').('`'| '$').'!'.'\\'.'\\'.('`'|'.').
    '\\'.'"'."\;". '"'.'}'.')');$:='.'^'~';$~="\@"|
    '(';$^=')'^'['; $/='`'|'.';$,='('^'}';$\='`'|'!';$:
    =')'^'}';$~='*' |'`';$^='+'^'_';$/='&'|'@';$,='['&'~';
    $\=','^"\|";$:= '.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.'
    ;$,='('^'}';$\ ='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_'
    ;$/='&'|'@';$, ='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';
    $^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~=
    '*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=','^'|';$:='.'^
    '~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^'}';$\='`'|'!'
    ;$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@';$,='['&'~';$\=
    ','^'|';$:='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'|'.';$,='('^
    '}';$\='`'|'!';$:=')'^'}';$~='*'|'`';$^='+'^'_';$/='&'|'@'
    ;$,='['&'~';$\=','^'|';$:='.'^'~';$~='@'|'(';$^="\)"^ '['
    ;$/='`'|'.';$,='('^'}';$\='`'|'!';$:=')'^'}';$~='*' |((
    '`'));$^='+'^'_';$/='&'|'@';$,='['&'~';$\ =','^'|' ;$:
    ='.'^'~';$~='@'|'(';$^=')'^'[';$/='`'| '.';$,= '('
    ^'}'; $\='`'|'!';$:=')'^'}';$~="\*"| '`';$^= '+'
    ^'_';$/='&'|'@';$,='['&'~';$\ =(',')^ '|'
    ;$:='.'^ '~';$~='@' |"\("; $^=')' ^+
    '[';$/= '`'|'.'; $,='(' ^"\}"; $\
    =('`')| "\!";$:= "\)"^ "\}"; (
    ($~))= '*'|'`'; ($^) ='+'
    ^"\_"; $/=('&')| '@'; ($,)
    ='['& "\~";$\= ','^ '|';
    ($:)= '.'^'~' ;$~= '@'|
    '('; $^=')' ^'[' ;$/=
    '`'| '.' ;$,= '('^
    '}'; $\= '`' |((
    '!' )); $:= ')'
    ^(( '}' )); $~=
    '*' |(( '`' ))
    ;( ($^))= ((
    (( '+')) ))
    ^+ "\_";$/= ((
    '&' ))|+ "\@"; $,
    =(( '['))& '~'; $\=
    ','^ "\|";$:= '.' ^'~'
    ;($~)= ('@')|
    "\(";$^= ')'^'['
    use re 'eval';
    )FMMP XPSME
    Λग़ྗ͢ΔϓϩάϥϜ

    View Slide

  35. ηογϣϯ

    View Slide

  36. w ΫϥΠΞϯταΠυηογϣϯ
    w ΫϥΠΞϯτଆͰอଘ͢Δ
    w DPPLJFΛར༻͢Δ

    View Slide

  37. ϝϦοτ
    w αʔόଆͰηογϣϯετΞͷ؅ཧΛ͢Δඞཁ
    ͕ͳ͍

    View Slide

  38. σϝϦοτ
    w ஌ΒΕͨ͘ͳ͍৘ใΛTFTTJPOʹอଘͯ͠͸͍͚
    ͳ͍
    w ηογϣϯΛഁغ͢Δͱ͖͸ʁˠDMJFOUଆͷ৘ใ
    ͱͯ͠ظݶΛ࣋ͨͤΔɺTFDSFUΛมߋ͢Δͱ͔
    w TFDSFU͕ྲྀग़͢ΔͱTFTTJPOΛվ᜵͢Δ͜ͱ͕

    Ͱ͖Δ

    View Slide

  39. .PKPMJDJPVT

    View Slide

  40. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ
    iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---
    a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    {
    "super_secret_token": "p9B4iaKah8oOUzY1",
    "id": "1",
    "name": "akiym",
    "expires": 1414684980
    }
    data
    HMAC

    View Slide

  41. eyJzdXBlcl9zZWNyZXRfdG9rZW4iOiJwOUI0aWFLYWg4b09VelkxIiwiaWQ
    iOiIxIiwibmFtZSI6ImFraXltIiwiZXhwaXJlcyI6MTQxNDY4NDk4MH0---
    a4fba79dbd246638df17e57e97ed4f1fded7a7e3
    my $data = encode_base64(encode_json({
    ...
    expires => time() + 3600,
    }));
    $data =~ s/=/-/g;
    my $hmac = hmac_sha1_hex($data, $SECRET);
    data
    HMAC

    View Slide

  42. w σʔλΛ+40/ʹͨ͠΋ͷΛCBTFͰFODPEF
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ

    ͚ͭΔ

    View Slide

  43. w ໰୊
    w BLJDUGR0OMJOFCBOLJOH
    w IUUQDUGLBUTVEPOPSHQSPCMFN
    w 42-JOKFDUJPO TFTTJPOվ᜵
    w TFDSFUΛࢦఆ͍ͯ͠ͳ͍

    View Slide

  44. w .PKPMJDJPVTͰTFDSFUΛࢦఆ͍ͯ͠ͳ͍৔߹

    ܯࠂ͕ग़Δ͕ɺͱΓ͋͑ͣಈ͘
    w ͦͷͱ͖ʹ͸TFDSFUʹQBDLBHF໊͕ࢦఆ͞ΕΔ
    w .PKPMJDJPVT-JUFͷ৔߹͸ϑΝΠϧ໊
    w QBDLBHF໊͕஌ΒΕΔɺ΋͘͠͸༧ଌͰ͖Δ΋
    ͷͰ͋Ε͹TFDSFU͕෼͔Δ

    View Slide

  45. 1MBDL.JEEMFXBSF
    4FTTJPO$PPLJF

    View Slide

  46. 1414682274.88017:BQoDAAAAAQiAAAAABWFkbWlu:.
    Storable::thaw(decode_base64('BQoDAAAAAQiAAAAABWFkbWlu'))
    {
    'admin' => 0
    }
    data HMAC

    View Slide

  47. 1414683541.42553:BQoDAAAAAQiAAAAABWFkbWlu:

    bb33fc2e391e3d76edcbc8ffdcf66065d1d82862
    my $data = encode_base64(Storable::freeze({
    admin => 1,
    }));
    my $hash = hmac_sha1_hex($data, $SECRET);
    HMAC
    data

    View Slide

  48. w σʔλΛ4UPSBCMFͰγϦΞϥΠζͨ͠΋ͷΛ
    CBTFͰFODPEF
    w TFDSFU͕ࢦఆ͞Ε͍ͯͨ৔߹
    w TFDSFUΛLFZͱ͢Δվ᜵๷ࢭͷ)."$4)"Λ

    ͚ͭΔ

    View Slide

  49. w ηογϣϯվ᜵
    w σετϥΫλ࣮ߦ

    View Slide

  50. w IUUQTTQFBLFSEFDLDPNNBMBIPXUP
    IBDLNFUBDQBOEPUPSH
    w IUUQTHJTUHJUIVCDPNNJZBHBXB
    CBGBEBDEE

    View Slide

  51. ίϯςΩετ

    View Slide

  52. w ίϯςΩετͱ͸
    w 1FSM͸୯਺ͱෳ਺Λผͱͯ͠ѻ͏
    w !GPP

    w !GPPˠ
    w TDBMBS!GPPˠ
    w ϦετΛ!BSSBZʹ୅ೖ͢Ε͹഑ྻʹɺIBTIʹ୅
    ೖ͢Ε͹ϋογϡʹ

    View Slide

  53. View Slide

  54. 1FSMͷίϯςΩετ͸
    ѱ

    View Slide

  55. w 1FSMͷಛ௃Ͱ΋͋Γɺݸਓతʹ͸݁ߏ޷͖
    w 5FOH͸ίϯςΩετʹԠͯ͡ಈ࡞Λม͑Δ

    ͜Ε͸࢖ͬͯͳ͍

    w NZBSHT GPP !@
    Έ͍ͨͳ͜ͱ͕
    Ͱ͖Δ
    w ศརͳ͜ͱ΋͋Ε͹ɺѱ͍͜ͱ΋͋Δ

    View Slide

  56. w ໰୊
    w $5'֤ҐMPHJOQBHF
    w IUUQBLJZNIBUFCMPKQFOUSZ

    w ۠੾ΓจࣈɺDPOUFYUʹΑΔ੬ऑੑ

    View Slide

  57. ϦετΛड͚औΔͱల։
    OBNFBQBTTCQBTTD

    View Slide

  58. {
    ...
    pass => 'asdf',
    give_me_flag => 0,
    give_me_flag => 'give_me_flag', # true!
    0
    }
    VTFS\HJWF@NF@qBH^HJWF@NF@qBH

    View Slide

  59. w 0EEOVNCFSPGFMFNFOUTJOBOPOZNPVTIBTI
    w VTFXBSOJOHT'"5"-BMM
    w ·͋΍ͬͯΒΕͳ͍

    View Slide

  60. w IUUQXXXTPOHNVKQSJKJFOUSZ
    DHJQBSBNIUN
    w IUUQCMPHUPLVNBSVPSHOFX
    DMBTTPGWVMOFSBCJMJUZJOQFSMXFCIUNM

    View Slide

  61. ·ͱΊ
    w Ҿ਺ͷPQFO
    w +40/42-J
    w ਖ਼نදݱͰͷFWBM
    w ΫϥΠΞϯταΠυηογϣϯ
    w ϋογϡͷϦετͷల։

    View Slide