Web技術の基本 7回目 / Introduction to Web technologies 7th class

muttan
April 24, 2018


Transcript

  1. Web技術の基本 第7回 (Introduction to Web technologies, 7th class) Keisuke KAMIYA

  2. Today's theme

  3. Chapter 6: Web security and authentication

  4. Contents
     1. Security of web systems
     2. Password cracking, DoS attacks
     3. Attacks that exploit characteristics of web systems
     4. Attacks targeting application vulnerabilities
     5. Vulnerabilities of web systems
     6. Firewalls
     7. IDS, IPS
     8. WAF
     9. Encryption
     10. Public-key certificates
     11. Authentication
     12. Authorization
     13. CAPTCHA
  6. Security of web systems
     • Web systems evolve day by day, and new features keep being added
       ‣ Attacks that abuse a new feature are common
         - extracting personal information
         - putting needless load on the server
     • When operating a web system, security measures are mandatory
       ‣ You have to keep your antenna up for new attack techniques at all times

  7. Security of web systems
     • Information security
       Maintaining the following three properties (from ISO/IEC 17799)
       ‣ Confidentiality: only authorized people can access the information
       ‣ Integrity: the information has not been destroyed, tampered with or erased
       ‣ Availability: the information can be accessed whenever it is needed
       Together these are also called the CIA of information

  8. Security of web systems
     • Security measures are considered in terms of the following three concepts
       ‣ Risk: the possibility that information security cannot be maintained and some loss occurs
       ‣ Threat: a factor that turns a risk into reality
       ‣ Vulnerability: a weakness with respect to a threat

  9. Security of web systems (figure)
     Confidential information held in an information system run by an administrator. Threat: unauthorized access. Vulnerability: the security hole that permits the unauthorized access. Risk: if the confidential information is stolen, social trust is lost.

  10. Security of web systems
     • Many software updates contain fixes for vulnerabilities
       ‣ Updates are not just feature additions
       ‣ On Windows they are delivered through Windows Update
     • There is also the threat of zero-day attacks, which hit users before the vendor distributes a patch for the vulnerability
       ‣ Remember that Bash vulnerability, for example
     (end of "Security of web systems")
  12. Password cracking / DoS attacks

  13. Password cracking
     • Password cracking
       An attack that tries to extract users' passwords from a membership site that authenticates with an ID and password
       ‣ Well-known techniques
         - Dictionary attack
         - Brute-force attack

  14. Password cracking (dictionary attack)
     • Dictionary attack
       Prepare a file (the dictionary) that collects words commonly used in passwords, and try them in order
       (figure: Dictionary Attack: 123456, abcdef, aaaaaa, password, admin. A list of commonly used passwords is tried one by one.)

  15. Password cracking (dictionary attack)
     • Every year SplashData (a security company) publishes a ranking of the "worst passwords"
     • Entries like these are near the top
       ‣ 123456
       ‣ password
       ‣ welcome
       ‣ starwars
       ‣ 123123
     • The rest of the list is at
       https://www.teamsid.com/worst-passwords-2017-full-list/

  16. Password cracking (dictionary attack)
     • OWASP's SecLists contains lists of passwords and IDs that are likely to be cracked
       ‣ OWASP (The Open Web Application Security Project) is a security community
       ‣ Published on GitHub
       https://github.com/danielmiessler/SecLists

  17. Password cracking (dictionary attack): an aside
     • One day a pull request titled "Remove my password from lists so hackers won't be able to hack me" showed up…
       ‣ A user apparently panicked at seeing their own password in the list and sent a pull request with the file from which it had been deleted
       ‣ The comment section turned into a comedy show
       https://github.com/danielmiessler/SecLists/pull/155

  18. Password cracking (dictionary attack)
     Translation of a comment on the pull request: "Now there are 999 passwords, so don't forget to rename the file"

  19. Password cracking (dictionary attack)
     Translation: "This is a security hole, it has to be merged quickly" / Translation: "If it's dolphins you're safe now (since it was removed)"

  20. Password cracking (brute-force attack)
     • Brute-force attack
       An exhaustive attack that tries every combination of the characters a password may contain
       (figure: Brute-force Attack: 111111, 111112, 111113, 111114, 111115. Every pattern is tried.)

  21. Password cracking (brute-force attack)
     • A password that is short or uses few kinds of characters is much more likely to fall to this attack
       ‣ Points to watch when choosing a password
         - Avoid passwords that are too short: a short one can be broken through
         - Use symbols as well as letters and digits: make the combinations complex
  23. DoS attacks
     • DoS (Denial of Service) attack
       An attack that brings a service down by sending, in a short time, more accesses than the server can handle
       ‣ Main methods
         - SYN flood attack
         - F5 attack
         - ping flood: sending ICMP echo requests (ping) in large volume

  24. DoS attacks (SYN flood)
     • SYN flood attack
       An attack that abuses the SYN packet used to establish a TCP connection
     • How the attack works
       1. Send a large number of SYN packets to the target
       2. SYN ACK packets come back
       3. Never answer those SYN ACK packets
          - The target server keeps waiting for the answer for a while

  25. DoS attacks (SYN flood)
     • While it waits for the answer, the server consumes memory
       ‣ Sending a large number of requests at once consumes a large amount of memory
       (figure: SYN packet → SYN ACK packet, repeated many times. The server returns SYN ACK but gets no further response, so it keeps waiting in the half-open state of the three-way handshake. Eventually it can no longer handle new SYN packets and other users cannot get in.)

  26. DoS attacks (F5 attack)
     • F5 attack
       An attack that sends a large number of accesses to the target server in a short time, raising the load until it can no longer process requests
       ‣ Named after the F5 key, which is bound to the browser's page-reload function
       (figure: page reload, page reload, page reload, page reload … page request. The flood of requests drives the load up.)

  27. DDoS attacks
     • DDoS (Distributed Denial of Service) attack
       Unlike a DoS attack, the attack is launched from many computers at the same time
       ‣ Main method
         - Smurf: broadcasting ICMP echo requests (ping)

  28. DDoS attacks (Smurf)
     • Smurf attack
       An attack that exploits the nature of ICMP echo request (ping)
       ‣ The destination is set to the broadcast address of an intermediary network
       (figure: 10.0.22.0/24. The destination is the intermediary network's broadcast address and the source is forged as the target's address, so ICMP echo replies arrive at the target in large volume.)

  29. What is ICMP
     • ICMP (Internet Control Message Protocol)
       A protocol used on IP networks to report errors and to query network information
       ‣ Specified in RFC 792
       ‣ So important that every IP module (software) is required to implement it

  30. What is ICMP
     • ICMP has two main uses
       1. Error notification: tells the sender that an error occurred somewhere along the route
       2. Information query: the sending host asks another device for information
          ‣ whether the destination IP host exists, its netmask, the time, and so on
     • Each message is expressed as a combination of a type and a code
       ‣ A few of them:

  31. What is ICMP
     Type  Code  Content                                          Category
     0     0     Echo reply                                       Information query
     3           Destination unreachable                          Error notification
           0       destination network unreachable
           1       destination host unreachable
           …
     4     0     Source quench (asks the sender to slow down)     Error notification
     5           Redirect                                         Error notification
           0       better route to the specified network
           1       better route to the specified host
           …
     8     0     Echo request                                     Information query
     …

  32. DoS attacks (Smurf)
     • ICMP is a very important protocol, yet routers usually block it
       ‣ because it is so often used in attacks
     • If it is dangerous, why not just block all of it?
       ‣ IP communication does not stop entirely without ICMP
       ‣ but you can end up with something like a black-hole router
     • The right setting is to pass only the ICMP types you need
     (end of "Password cracking, DoS attacks")
  34. Attacks that exploit characteristics of web systems
     • Two attacks are covered
       1. Session hijacking: stealing a session ID to gain unauthorized access
       2. Directory traversal: using strings such as ./ and ../ to reach files that are normally inaccessible

  35. Attacks that exploit characteristics of web systems
     • Session hijacking
       ‣ An attack in which the attacker eavesdrops on a session ID and then impersonates its owner
         - A web system you log in to manages its logged-in users with cookies and session IDs
         - Whoever knows the session ID can impersonate the user

  36. Attacks that exploit characteristics of web systems (figure)
     Normal login: user ID and password → a session ID (abc) is issued → request (SID=abc123)
     Session hijacking: the session ID is eavesdropped → the attacker sends request (SID=abc123)

  37. Attacks that exploit characteristics of web systems
     • Directory traversal
       ‣ An attack that uses strings such as "./" and "../" to access information that was never made public
         - e.g. reaching /etc/password from index.html
       (figure: directory tree / → etc/ (user, passwd), var/ → www/ → index.html; /index.html versus ../../etc/passwd)

  38. Attacks that exploit characteristics of web systems (figure)
     GET /index.html → index.html (normal request)
     GET ../../etc/password → password (directory traversal)
     ../ is a special string that means "one directory up". Walking up above the web root makes the server send back files that were never published.

  39. Attacks that exploit characteristics of web systems
     • The same thing in a PHP implementation (quoted from Wikipedia)
       <?php
       $template = 'blue.php';
       if ( isset( $_COOKIE['TEMPLATE'] ) )
           $template = $_COOKIE['TEMPLATE'];
       include ( "/home/users/phpguru/templates/" . $template );
       ?>
       HTTP request:
       GET /vulnerable.php HTTP/1.0
       Cookie: TEMPLATE=../../../../../../../../../etc/passwd

  40. Attacks that exploit characteristics of web systems
     • The server's response looks like this
       ‣ the contents of /etc/passwd are exposed
       HTTP/1.0 200 OK
       Content-Type: text/html
       Server: Apache

       root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
       daemon:*:1:1::/tmp:
       phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
       Source: https://ja.wikipedia.org/wiki/ディレクトリトラバーサル
     • The program has to check its input so that strings like this are not accepted
     (end of "Attacks that exploit characteristics of web systems")
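An added Python example (not the slide's code, nor from the Wikipedia article it quotes) of the check the last bullet calls for: the requested template name is resolved against the templates directory from the slide and refused if the normalised result leaves that directory. The directory and cookie value are the slide's; `safe_template_path` and `choose_template` are names chosen here.

```python
import os
from typing import Optional

# Directory the PHP on slide 39 includes templates from.
TEMPLATE_DIR = "/home/users/phpguru/templates"

def safe_template_path(base_dir: str, name: str) -> Optional[str]:
    """Resolve `name` inside `base_dir`; return None if the normalised path
    leaves the directory. Because the *normalised* path is judged, runs of
    '../', absolute names and 'sub/../../x' are all caught by where they end
    up, and a lookalike sibling such as 'templates_old' fails the check too."""
    base = os.path.normpath(os.path.abspath(base_dir))
    # os.path.join throws `base` away when `name` is absolute, which is why
    # the joined result must be checked against the base afterwards.
    candidate = os.path.normpath(os.path.join(base, name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:          # different drives on Windows: not inside
        return None
    if not inside or candidate == base:
        return None
    return candidate

def choose_template(cookie_value: Optional[str]) -> str:
    """Same logic as the slide (default 'blue.php', the TEMPLATE cookie
    overrides it) with the containment check added: returns the path to
    include, or 'rejected' where the slide's include() served /etc/passwd."""
    template = cookie_value or "blue.php"
    path = safe_template_path(TEMPLATE_DIR, template)
    return path if path is not None else "rejected"

# The cookie value from the slide's request, as a constructed input.
TRAVERSAL_COOKIE = "../../../../../../../../../etc/passwd"
```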
  42. Attacks targeting application vulnerabilities
     • Three techniques are covered
       1. Cross-site scripting (XSS): attacks on web pages that display user input
       2. Cross-site request forgery (CSRF): tricking a user into sending requests to a server that the user never intended
       3. SQL injection: embedding SQL in the submitted data to make the database do something unintended

  43. Attacks targeting application vulnerabilities
     • Cross-site scripting (XSS)
       An attack that exploits a vulnerability of sites that display what users type, such as bulletin boards
       ‣ A malicious user enters a script, and that script is rendered in other users' browsers
         - planting a JavaScript alert in a form
         - forcibly redirecting the page
         - session hijacking

  44. Attacks targeting application vulnerabilities (figure)
     ① A malicious page shows a link that automatically posts a malicious script to the bulletin board
     ② The victim follows the link on the malicious site
     ③ A client-side script that writes the malicious script to the bulletin board is sent back
     ④ The victim posts the malicious script without intending to
     ⑤ Another user displays the page with the embedded script
     ⑥ The malicious script shown on the bulletin board runs in that user's browser

  45. Attacks targeting application vulnerabilities
     • Cross-site request forgery (CSRF)
       An attack in which the victim is harmed by following a link that performs an action on a site requiring login
       ‣ prank posts
       ‣ redirection to fraudulent sites
       ‣ DoS by mass-posting illegitimate content
         - CSRF is pronounced "sea-surf"

  46. Attacks targeting application vulnerabilities (figure)
     ① A malicious page shows a link that performs an action against an SNS
     ② The victim follows the link on the malicious site
     ③ A client-side script that performs the SNS action is sent back
     ④ If the victim is already logged in to the SNS, the unintended action is carried out
     ⑤ To the SNS the action looks like it came from the logged-in user

  47. Attacks targeting application vulnerabilities
     • SQL injection
       An attack on applications backed by an SQL database: an SQL fragment that was never expected as input is inserted into the submitted data
       ‣ Let's look at an actual SQL statement

  48. Attacks targeting application vulnerabilities
     (users table: id, user_id, password, mail_addr; one row with user_id YSD and mail_addr YSD@example.com)
     query (assuming PHP):
       $query = <<<EOL
       SELECT mail_addr FROM user
       WHERE user_id = '$user_id' AND password = '$password'
       EOL;

  49. Attacks targeting application vulnerabilities
     query (assuming PHP):
       $query = <<<EOL
       SELECT mail_addr FROM user
       WHERE user_id = '1' or '1' = '1'; -- ' AND password = '$password'
       EOL;
     • If a malicious user writes "1' or '1' = '1'; --" in the id field of the form, the e-mail address is disclosed
       $query becomes equivalent to SELECT mail_addr FROM user WHERE user_id = '1' or '1' = '1'; → the WHERE clause is always TRUE

  50. Attacks targeting application vulnerabilities: injection countermeasures
     • Do not build SQL statements by string concatenation
       ‣ Do escaping properly
         - placeholders, variable binding, prepared statements
     (Reference) On countermeasures against SQL injection: https://www.ipa.go.jp/files/000024396.pdf
     (end of "Attacks targeting application vulnerabilities")
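An added Python example, not from the slides, that reproduces the query of slides 48 and 49 against an in-memory SQLite table and then runs the same input through a placeholder: the concatenated version returns the mail address for the injected id, the parameterized one returns nothing. The table row and its password value are constructed.

```python
import sqlite3

# Constructed stand-in for the slide's users table (id, user_id, password,
# mail_addr); the password value is made up, the slide does not show it.
SAMPLE_ROWS = [(1, "YSD", "constructed-password", "YSD@example.com")]

# The id-field value from slide 49.
INJECTED_ID = "1' or '1' = '1'; --"

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, user_id TEXT, "
                 "password TEXT, mail_addr TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    """String concatenation, the pattern slide 50 warns against: the input is
    parsed as part of the SQL, so the quote rewrites the WHERE clause and
    '--' comments out the password check."""
    query = ("SELECT mail_addr FROM user WHERE user_id = '" + user_id
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn: sqlite3.Connection, user_id: str, password: str) -> list:
    """Placeholder / bind variable: the statement is parsed first and the
    values are bound afterwards, so the same input is compared as a literal
    string that matches no user_id."""
    query = "SELECT mail_addr FROM user WHERE user_id = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user_id, password))]

def demo() -> dict:
    """Run both lookups against the constructed table."""
    conn = make_db()
    return {
        "legit": lookup_parameterized(conn, "YSD", "constructed-password"),
        "vulnerable_with_injection": lookup_vulnerable(conn, INJECTED_ID, "wrong"),
        "parameterized_with_injection": lookup_parameterized(conn, INJECTED_ID, "wrong"),
    }
```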
  52. Vulnerabilities of web systems
     • Eliminating the vulnerabilities of a web system completely is difficult
       Source: 1. 2017年第4四半期 ソフトウェア等の脆弱性関連情報に関する届出状況 (IPA: status of vulnerability reports for software etc., Q4 2017, published 2018/1/25) https://www.ipa.go.jp/security/vuln/report/vuln2017q4.html

  53. Security holes / zero-day attacks

  54. Vulnerabilities of web systems (security holes)
     • Security hole
       A defect in a software product that lets a user without the proper privileges perform operations that should require them, or see information that should not be visible
       ‣ Found in OSes such as Windows and Linux, web servers such as Apache and nginx, and other software

  55. Vulnerabilities of web systems (security holes)
     • Discovered security holes are managed in vulnerability databases
       ‣ Domestic and foreign vulnerability information is published at https://jvndb.jvn.jp/
       ‣ Every vulnerability is assigned a number
         - JVNDB-xxxx-xxxxxx
         - CVE-xxxx-xxx

  56. Vulnerabilities of web systems (security holes)
     • A vulnerability database entry contains
       ‣ an overview
       ‣ the severity
       ‣ countermeasures
       ‣ vendor information (status of the vendor's response)
       ‣ the CVE (common vulnerability identifier)
     • So what is the difference between JVNDB and CVE?

  57. Vulnerabilities of web systems (security holes)
     • CVE (Common Vulnerabilities and Exposures)
       The common vulnerability identifier, assigned by MITRE in the United States.
       ‣ As with the vulnerability databases, the vulnerability information is published (http://cve.mitre.org/)
     • JVN is certified as CVE-compatible
       ‣ The CVE is also listed at the bottom of each vulnerability page
       Reference: https://www.ipa.go.jp/security/vuln/CVE.html

  59. Zero-day attacks
     • Zero-day attack
       Exploiting a discovered security hole before the fix for it has been developed
       ‣ Because no fix has been distributed yet, there is no definitive countermeasure
       ‣ Vendors often publish temporary workarounds, so you need to gather information
     (end of "Vulnerabilities of web systems")
  61. Firewalls
     • Firewall
       Placed between the Internet and the internal network; it monitors the data sent and received and allows or denies each communication
       (figure: Internet → firewall → web server on the internal network; an attacker's traffic is stopped. Anything that is not explicitly allowed does not pass.)

  62. Firewalls
     • Packet-filtering firewall
       Allows or denies communication by checking the IP addresses and port numbers of the packets sent and received
       ‣ Take a web system for internal company users as the example

  63. Firewalls (internal use) (figure)
     Filter conditions
     [Allow] direction: Internet → internal; source IP address: the head office's and branch offices' IP addresses; source port: any; destination IP address: the web server's IP address; destination port: (values not recoverable from the transcript)
     [Deny] everything else
     → An outside attacker cannot reach the server at all

  64. Firewalls (public services)
     • For a service open to the general public, however, filtering by source IP address the way an internal system does is difficult
       ‣ Keep the allowed ports to a minimum, and make sure attacks against the allowed ports are properly defended against

  65. Firewalls (public services) (figure)
     Filter conditions
     [Allow] direction: Internet → internal; source IP address: any; source port: any; destination IP address: the web server's IP address; destination port: 80, 443
     [Deny] everything else
     → Only the allowed ports are reachable, so the attacker's options are limited; but 80 and 443 are open, so attacks against them need countermeasures
     (end of "Firewalls")
  67. IDS, IPS
     • Means of stopping attacks that a firewall alone cannot
       ‣ IDS (Intrusion Detection System): monitors for unauthorized access and notifies when it detects some
       ‣ IPS (Intrusion Prevention System): monitors for unauthorized access and, on detection, notifies and also blocks the communication
       (figure: Internet → firewall → network-based IDS/IPS → web server)

  68. IDS, IPS
     • An IPS, which blocks illegitimate traffic, can provide stronger security
       ‣ but detection of abnormal traffic is not perfect, and normal traffic may be misdetected (and therefore blocked)
       ‣ which lowers availability
     • IDS and IPS have to be chosen appropriately for the situation

  69. IDS, IPS (figure)
     IDS: the attacker's traffic is detected as anomalous but passes through unchanged
     IPS: the attacker's traffic is detected as anomalous and blocked

  70. Detection methods of IDS/IPS
     • There are two ways to detect unauthorized access
       ‣ Signature-based (misuse detection)
         A database of traffic patterns from known attack techniques (signatures) is prepared, and traffic is matched against it (e.g. SYN flood)
       ‣ Anomaly-based (anomaly detection)
         The normal state is defined in advance, and anything that deviates from it is treated as anomalous
     (end of "IDS/IPS")
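An added Python example, not from the slides, of the two detection methods run over constructed access-log lines: a signature match for request patterns of attacks already shown in this deck (the traversal and injection strings), and an anomaly rule that flags a client whose request count far exceeds the others (an F5-style flood, which no signature catches). The log format, the signatures and the threshold factor are assumptions made here.

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines (not from the slides): a few normal requests,
# one traversal attempt, one injection attempt, and one client reloading
# the same page 60 times.
LOG_LINES = [
    '10.0.0.5 "GET /index.html HTTP/1.0" 200',
    '10.0.0.5 "GET /about.html HTTP/1.0" 200',
    '10.0.0.9 "GET /vulnerable.php?TEMPLATE=../../../../etc/passwd HTTP/1.0" 200',
    '10.0.0.7 "GET /login.php?id=1%27%20or%20%271%27=%271 HTTP/1.0" 200',
] + ['10.0.0.42 "GET /index.html HTTP/1.0" 200'] * 60

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

# Signature-based detection: request patterns of attacks already known.
SIGNATURES = {
    "directory traversal": re.compile(r"\.\./"),
    "sql injection": re.compile(r"(?:%27|')(?:%20|\s)*or(?:%20|\s)", re.IGNORECASE),
}

def parse(line: str):
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("ip"), m.group("req")

def signature_alerts(lines):
    """Return (client, signature name) for every request matching a signature."""
    alerts = []
    for line in lines:
        ip, req = parse(line)
        alerts.extend((ip, name) for name, pat in SIGNATURES.items() if pat.search(req))
    return alerts

def anomaly_alerts(lines, factor: int = 10):
    """Anomaly-based detection: 'normal' is the median request count per
    client; a client sending more than `factor` times that is flagged even
    though none of its requests matches any signature."""
    counts = Counter(parse(line)[0] for line in lines)
    baseline = statistics.median(counts.values())
    return sorted(ip for ip, n in counts.items() if n > factor * baseline)

def ids_report(lines):
    """IDS behaviour: only report; the traffic itself passes through."""
    return {"signature": signature_alerts(lines), "anomaly": anomaly_alerts(lines)}

def ips_block_list(lines):
    """IPS behaviour: the same detections, turned into clients to block. A
    false positive here costs availability (slide 68), which is why the
    anomaly threshold deserves more care than the signatures."""
    report = ids_report(lines)
    return {ip for ip, _ in report["signature"]} | set(report["anomaly"])
```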
  72. WAF
     • WAF (Web Application Framework)
       A firewall placed in front of the web application that checks whether the data contains anything malicious
       ‣ IDS/IPS can counter attacks such as DoS
         - but they cannot stop attacks such as SQL injection, XSS and parameter tampering, so a WAF is used

  73. WAF (figure)
     Layers: infrastructure/network (software in use) → OS → software in use → web application (the part developed for each site). The F/W and IDS/IPS protect the lower layers; the WAF neutralizes vulnerabilities in the web application layer. F/W: firewall

  74. WAF
     • There are two ways to detect unauthorized access
       ‣ Blacklist type
         Traffic is matched against specific patterns (the blacklist) and malicious traffic is blocked
         - When a new threat is found, there is no protection until the list is updated
       ‣ Whitelist type
         Traffic is matched against normal patterns (the whitelist) and only traffic that conforms is passed
         - The settings describing normal traffic must be configured correctly

  75. WAF (figure)
     F/W → IDS/IPS → WAF, attacker on the outside. Blacklist type: matches against malicious patterns supplied by the WAF vendor. Whitelist type: you define normal traffic yourself and check against it.
     (end of "WAF")
  77. Encryption
     • Encryption
       Converting the original data (plaintext) with an encryption algorithm into data a third party cannot read (ciphertext)
       ‣ Converting it back is called decryption
     • Here encryption is examined in two settings
       1. Encryption on the communication path
       2. Encryption of stored data

  78. Encryption on the communication path / Encryption of stored data

  79. Encryption on the communication path
     • Some of the data exchanged with users must not be eavesdropped
       ‣ personal information such as names and addresses
       ‣ confidential information such as credit card details
     • Such data should not be sent in plaintext
       ‣ Use HTTPS, not HTTP
       ‣ HTTPS does not help if the website itself is malicious, so check the site before you use it (of course)

  81. Encryption of stored data
     • If an attacker breaks into the server, the data on it can be stolen easily
     • Storing passwords in the database in plaintext is dangerous (it goes without saying)
       ‣ Just in case, encrypt the data on the server

  82. Encryption of stored data
     • Many schemes have been devised over the years
       ‣ plaintext (as-is)
       ‣ hashing: hash the string with MD5 or similar
       ‣ salt (MD5 → SHA-2): hash the original string plus a salt
       ‣ stretching
       ‣ bcrypt

  83. Encryption of stored data
     • Stretching
       Applying the hash function to the data multiple times to produce the value that is stored
     • bcrypt
       An implementation based on the Blowfish cipher. It produces strings like the following:
       $2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa
     (end of "Encryption")
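An added Python example, not from the slides, walking through the storage schemes of slide 82 with the standard library: unsalted MD5, salted SHA-256, and salted stretching via PBKDF2-HMAC (a standard stretching construction used here in place of the slide's bcrypt, which is not in the standard library). The salts are constructed constants so that the results are reproducible; the function names are chosen here.

```python
import hashlib
import hmac

# Constructed salts, fixed only so the example is reproducible; a real
# system draws a fresh random salt per user (e.g. os.urandom(16)).
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")

def store_md5(password: str) -> str:
    """Unsalted hash (slide 82, 'hashing'): identical passwords give identical
    digests, so one precomputed table cracks every user who chose it."""
    return hashlib.md5(password.encode()).hexdigest()

def store_salted_sha256(password: str, salt: bytes) -> str:
    """Salt + hash: the per-user salt is stored next to the digest, so two
    users with the same password no longer share a stored value."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"

def store_stretched(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stretching (slide 83): the hash is iterated many times, so every guess
    costs the attacker the same work. PBKDF2-HMAC-SHA256 is the stretching
    construction used here; the stored string is self-describing in the same
    spirit as bcrypt's '$2a$10$...', which embeds its cost (10 on the slide)
    and salt."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_stretched(password: str, stored: str) -> bool:
    """Recompute with the parameters carried in the stored string and compare
    in constant time, so timing does not leak how many bytes matched."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)
```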
  85. Public-key certificates
     • Public-key certificate
       Proves that the party you are communicating with is genuine
       ‣ Because it is mostly used to certify the validity of the public key used in public-key cryptography, it is also called an SSL certificate
     • Roles of a public-key certificate
       ‣ proving who owns the public key used for HTTPS
       ‣ proving that the owner of the public key really exists (proof of existence)

  86. Public-key certificates
     • Public-key certificates are issued by third-party organizations called certificate authorities (CA)
       ‣ Commercial ones are usually paid for, but Let's Encrypt and others are free
     • Certificates have an expiry date, so they need to be renewed
       ‣ Some browsers warn you when you enter a site that forgot to renew
     • There are also self-signed certificates ("ore-ore certificates")
       ‣ That's our university
     (end of "Public-key certificates")
  88. Authentication
     • Authentication
       The process of verifying a person's identity with an ID and password, on membership sites and the like
       ‣ Authentication used to mean a separate ID and password for every site
         - Today more and more sites authenticate with accounts from other services such as Google, Twitter and Facebook

  89. Authentication (figure)
     User (browser) → web server → DB server: ID: ozisan, password: kfAD2% → login permitted → login succeeds. As the number of sites in use grows… the user has to authenticate with every web server separately.

  90. Authentication
     • Another service's authentication system can be used
       ‣ For the user: fewer accounts to manage
       ‣ For the site operator: by implementing the site to use another company's system, there is no need to manage user information individually

  91. Authentication (figure)
     User (browser) uses several web servers; authentication is done with a Google account. Not only is per-site authentication unnecessary, the sites never have to handle login credentials at all.

  92. Authentication (authentication API)
     • Authentication API
       An API for the authentication process.
       ‣ The web application that needs authentication redirects the user to the authentication API, receives the result from it, and logs the user in.

  93. Authentication (authentication API) (figure)
     User (browser) and membership site (login required): ① login request; ② instruction to log in at the authentication API; → authentication site: ③ login; ④ notification that authentication is complete; ⑤ login-success notification. The user needs an account at the site that provides the authentication API.

  94. Authentication (authentication API)
     • Drawbacks of authentication APIs
       ‣ A user who has no account with the API provider cannot authenticate
       ‣ Every provider's API is different, so each needs its own code
     • OpenID exists to solve this

  95. Authentication (OpenID)
     • OpenID
       A protocol that standardizes the authentication process, solving the "every service's API is different" problem of authentication APIs
       ‣ With a system that uses OpenID, one ID and password lets you log in to multiple sites (without depending on any particular service's account)

  96. Authentication (OpenID) (figure)
     User (browser) and membership site (login required): ① OpenID account; ② the site looks up which site holds the account and exchanges encryption keys; ③ instruction to log in at the OpenID site; → authentication site: ④ login; ⑤ notification that authentication is complete; ⑥ login-success notification. An account at any one OpenID site is enough.
     (end of "Authentication")
  98. Authorization
     • Authentication vs. authorization
       ‣ Authentication: verifying who the other party is and that they are a legitimate user (the person themselves)
       ‣ Authorization: granting the authenticated user permission to use the service
         - This section is about the latter

  99. Authorization
     • Take Twitter as an example…
       ‣ Authentication: logging in with the account user_A
       ‣ Authorization: user_A may edit and view posts made under user_A, and may only view other accounts' posts
     • In this example authentication and authorization are tightly coupled

  100. Authorization
     • However, it has become common to treat authentication and authorization separately
       ‣ With Twitter, for instance, using the service from a third-party client, or sharing to Twitter from another app
         - authorization has to be delegated
     • Ways to achieve this
       ‣ OAuth
       ‣ OpenID Connect

  101. Authorization (OAuth)
     • OAuth
       A protocol standardized to realize cross-site authorization (authorization of privileges)
       ‣ It only authorizes privileges; it does not authenticate
       ‣ External services can be used without handing the ID and password to a third party
       ‣ A token is issued, and the client holding that token is delegated the privileges
     • To understand OAuth you need to know four terms

  102. Authorization (OAuth)
     • Resource owner (end user): the user of the service
     • Authorization server: the server that performs authorization and issues tokens
       ‣ may be the same server as the resource server
     • Resource server: the server where the data lives
     • Client: the website or app that uses the service

  103. Authorization (OAuth)
     • Flow
       1. The client asks the resource owner for permission
       2. The resource owner grants it
       3. The client asks the authentication server to issue a token
       4. The server verifies the grant and issues the token
       5. The client posts to the service using the token

  104. Authorization (OAuth) (figure)
     ① permission request; ② permission; ③ token request; ④ ⑤ the token is presented and the post is made. Facebook (client), Twitter (resource server), user (resource owner).

  105. Authorization (OpenID Connect)
     • OpenID Connect
       A protocol that adds an authentication function on top of OAuth 2.0
       ‣ Since it provides authentication and authorization at the same time, there is no need to prepare a separate authentication method as with OAuth
       ‣ These slides look easy to follow: https://www.slideshare.net/kura_lab/openid-connect-id
     (end of "Authorization")
  107. CAPTCHA
     • CAPTCHA
       Determines whether the client is a computer or a human
       ‣ Short for Completely Automated Public Turing Test To Tell Computers and Humans Apart

  108. CAPTCHA
     • Makes the client perform a task that is easy (?) for a human but hard for a computer, to block things like automated mass-posting scripts
       ‣ The classic one is "read the distorted characters"
       Source: https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html
       Don't these sometimes defeat humans too…?

  109. CAPTCHA
     • Besides reading characters, there are kinds such as "click only the images of the specified type in a set of pictures" and "drag the puzzle piece into the right position" (very tedious)
     • reCAPTCHA, developed by Google, makes such operations unnecessary
       ‣ In borderline cases it may still fall back to a conventional CAPTCHA test
       Source: https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html
     (end of "CAPTCHA")

  110. References

  111. References
     • Information security management standards (IPA): https://www.ipa.go.jp/security/manager/protect/pdca/risk_ass.html
     • Session hijacking: https://ja.wikipedia.org/wiki/セッションハイジャック
     • Directory traversal: https://ja.wikipedia.org/wiki/ディレクトリトラバーサル
     • 浜松工業高校 (Hamamatsu Technical High School), network technology materials

  112. References
     • Cross-site scripting (XSS): https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/threat-solution/xss.html
     • Cross-site request forgery (CSRF): https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/threat-solution/csrf.html
     • On countermeasures against SQL injection: https://www.ipa.go.jp/files/000024396.pdf
     • Overview of the CVE common vulnerability identifier: https://www.ipa.go.jp/security/vuln/CVE.html

  113. References
     • Differences between WAF, IPS/IDS and F/W (firewall): https://www.websecurity.symantec.com/ja/jp/theme/waf-ips-ids
     • Password storage: past, present and future: http://kengos.jp/2015/09/13/password.html
     • Authentication and authorization explained: https://dev.classmethod.jp/security/authentication-and-authorization/
     • Irasutoya (illustrations): https://www.irasutoya.com/