
Web技術の基本 7回目 / Introduction to Web technologies 7th class

muttan
April 24, 2018


Transcript

  1. Basics of Web Technology, Part 7
    Keisuke KAMIYA

  2. Today's topic

  3. Chapter 6
    Web security and authentication

  4. Agenda
    1. Web system security
    2. Password cracking, DoS attacks
    3. Attacks that exploit the characteristics of web systems
    4. Attacks that target application vulnerabilities
    5. Vulnerabilities of web systems
    6. Firewalls
    7. IDS, IPS
    8. WAF
    9. Encryption
    10. Public-key certificates
    11. Authentication
    12. Authorization
    13. CAPTCHA

  5. Agenda (repeat of slide 4; next: 1. Web system security)

  6. Web system security
    • Web systems develop day by day, and new features keep being added
    ‣ Attacks that abuse those new features are common
    - extracting personal information
    - putting needless load on the system
    • Security measures are a must when operating a web system
    ‣ You have to keep your antenna up for new attack techniques at all times

  7. Web system security
    • Information security
    Maintaining the following three properties (from ISO/IEC 17799)
    ‣ Confidentiality: only authorized people can access the information
    ‣ Integrity: the information has not been destroyed, tampered with or erased
    ‣ Availability: the information can be accessed whenever it is needed
    Together these are called the "CIA" of information

  8. Web system security
    • Security measures are thought about in terms of three concepts
    ‣ Risk: the possibility that information security cannot be maintained and some loss occurs
    ‣ Threat: a factor that turns a risk into reality
    ‣ Vulnerability: a weakness with respect to a threat

  9. Web system security
    (Figure) An information system and its administrator hold confidential information.
    Threat: unauthorized access. Vulnerability: a security hole that lets the unauthorized access through.
    Risk: if the confidential information is stolen, the organization loses public trust.

  10. Web system security
    • Many software updates include fixes for vulnerabilities
    ‣ updates are not only about adding features
    ‣ on Windows they are delivered through Windows Update
    • There is also the threat of zero-day attacks, which hit users before the vendor distributes the patch
    ‣ Remember the Bash vulnerability, for example
    (End of section: Web system security)

  11. Agenda (repeat of slide 4; next: 2. Password cracking, DoS attacks)

  12. Password cracking
    DoS attacks

  13. Password cracking
    • Password cracking
    An attack that tries to extract users' passwords from a membership site that authenticates with an ID and password
    ‣ Well-known techniques
    - Dictionary attack
    - Brute-force attack

  14. Password cracking (Dictionary attack)
    • Dictionary attack
    Prepare a file (the "dictionary") of words commonly used in passwords and try them one after another
    (Figure: Dictionary Attack) 123456, abcdef, aaaaaa, password, admin, … : the attacker tries a list of commonly used passwords

  15. Password cracking (Dictionary attack)
    • Every year SplashData (a security company) publishes a ranking of the "worst passwords"
    • Entries such as the following are near the top
    ‣ 123456
    ‣ password
    ‣ welcome
    ‣ starwars
    ‣ 123123
    • The rest of the list:

    https://www.teamsid.com/worst-passwords-2017-full-list/

  16. Password cracking (Dictionary attack)
    • OWASP's SecLists contains lists of passwords and IDs that are likely to be cracked
    ‣ OWASP (The Open Web Application Security Project) is a security-related community
    ‣ The lists are published on GitHub

    https://github.com/danielmiessler/SecLists

  17. Password cracking (Dictionary attack)
    Aside
    • One day a pull request titled "Remove my password from lists so hackers won't be able to hack me" arrived…
    ‣ Apparently a user panicked on finding their own password in the list and sent a pull request with it deleted from the file
    ‣ The comment section turned into a comedy show

    https://github.com/danielmiessler/SecLists/pull/155

  18. Password cracking (Dictionary attack)
    (Screenshot of a PR comment) Translation: "It's 999 passwords now, so don't forget to rename the file"

  19. Password cracking (Dictionary attack)
    (Screenshot of PR comments) Translation: "This is a security hole, we need to merge it quickly"
    Translation: "dolphins is safe now (since it's been removed)"

  20. Password cracking (Brute-force attack)
    • Brute-force attack
    An exhaustive attack that tries every combination of the characters that can be used in a password
    (Figure: Brute-force Attack) 111111, 111112, 111113, 111114, 111115, … : every pattern is tried in turn

  21. Password cracking (Brute-force attack)
    • A password that is short, or that uses only a few kinds of characters, is more likely to fall to this attack
    ‣ Points to watch when choosing a password string
    - Avoid passwords that are too short: they can be broken outright
    - Use symbols, not just letters and digits: make the combinations complex
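The slides give the user-side advice (longer passwords, more character classes). The server-side complement, which is what stops dictionary and brute-force guessing against a login form, is limiting how many guesses an account can absorb. The following is an added example, not code from the slides: a small login guard with a sliding failure window and a lockout, exercised against the word list shown on slide 15. The user table, the limits and the fake clock are constructed for the demonstration.

```python
# Added example (not from the slides): a login guard that limits failed guesses
# per account. Limits, the user table and the clock are constructed assumptions.
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed attempts allowed inside the window
WINDOW_SECONDS = 300    # sliding window length in seconds
LOCKOUT_SECONDS = 900   # how long an account stays locked after the limit is hit


class LoginGuard:
    """Tracks failed logins per account and refuses attempts once the limit is hit."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def _prune(self, account, now):
        q = self.failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        now = self.clock()
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account].clear()

    def record_success(self, account):
        self.failures.pop(account, None)
        self.locked_until.pop(account, None)


# Constructed credential store. A real system compares against a salted,
# stretched hash (see the "encryption of stored data" slides), never plaintext.
USERS = {"alice": "correct horse battery staple"}


def attempt_login(guard, account, password):
    """Return 'locked', 'ok' or 'denied'. A locked account is not even checked."""
    if guard.is_locked(account):
        return "locked"
    if USERS.get(account) == password:
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "denied"


def simulate_dictionary_attack(words):
    """Feed a word list at one guess per second and report each outcome."""
    fake_now = [1_000_000.0]
    guard = LoginGuard(clock=lambda: fake_now[0])
    results = []
    for w in words:
        results.append(attempt_login(guard, "alice", w))
        fake_now[0] += 1.0
    return results


if __name__ == "__main__":
    print(simulate_dictionary_attack(
        ["123456", "password", "welcome", "starwars", "123123",
         "correct horse battery staple"]))
```

With the slide's five "worst passwords" followed by the real one, the account is locked after the fifth failure, so the sixth (correct) guess is refused as well: the guard trades a little availability for the attacker's loss of throughput, which is exactly the trade-off the IDS/IPS slides discuss later.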

  22. Password cracking
    DoS attacks

  23. DoS attacks
    • DoS (Denial of Service) attack
    An attack that brings a service down by sending, in a short time, more requests than the server can process
    ‣ Main methods
    - SYN flood
    - F5 attack
    - ping flood: sends a huge number of ICMP echo requests (ping)

  24. DoS attacks (SYN flood)
    • SYN flood
    An attack that abuses the SYN packet used to establish a TCP connection
    • How it works
    1. Send a large number of SYN packets to the target
    2. SYN/ACK packets come back
    3. Never respond to those SYN/ACK packets
    - the target server keeps waiting for the response for a while

  25. DoS attacks (SYN flood)
    • While it waits for the response, the server consumes memory
    ‣ Sending many requests at once consumes a lot of memory
    (Figure) The attacker sends SYN packets en masse. The server answers each with SYN/ACK but receives nothing further, so it keeps waiting halfway through the three-way handshake. Eventually the server can no longer accept new SYN packets and other users cannot connect.
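From the defender's side, the symptom described on this slide is visible in the server's own connection table: a pile of half-open connections (state SYN-RECV, meaning SYN/ACK was sent and the final ACK never arrived). The following is an added example, not part of the slides: it parses constructed connection-table lines in the shape of `ss -tan` output and raises an alert when half-open connections pile up overall or from one peer. The thresholds are assumptions for illustration.

```python
# Added example (not from the slides): flagging a SYN flood from a connection-table
# snapshot. Lines are constructed to look like `ss -tan` output; thresholds are
# assumptions for illustration.
import re
from collections import Counter

HALF_OPEN_STATE = "SYN-RECV"   # server sent SYN/ACK and is waiting for the final ACK
PER_SOURCE_THRESHOLD = 50      # half-open connections from one peer that look suspicious
TOTAL_THRESHOLD = 200          # half-open connections overall that look suspicious

LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)$")


def parse_connections(lines):
    """Yield (state, peer_ip) for each connection-table line that parses."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        peer_ip = m.group("peer").rsplit(":", 1)[0]   # drop the port
        yield m.group("state"), peer_ip


def half_open_by_source(lines):
    """Count half-open (SYN-RECV) connections per peer address."""
    counts = Counter()
    for state, peer_ip in parse_connections(lines):
        if state == HALF_OPEN_STATE:
            counts[peer_ip] += 1
    return counts


def detect_syn_flood(lines):
    """Summarise the snapshot and decide whether it looks like a SYN flood."""
    counts = half_open_by_source(lines)
    total = sum(counts.values())
    noisy = sorted(ip for ip, n in counts.items() if n >= PER_SOURCE_THRESHOLD)
    return {
        "total_half_open": total,
        "sources_over_threshold": noisy,
        "alert": total >= TOTAL_THRESHOLD or bool(noisy),
    }


# Constructed snapshot: 60 half-open connections from one address plus normal traffic.
SAMPLE = (
    ["SYN-RECV 0 0 10.0.0.5:443 203.0.113.9:%d" % (40000 + i) for i in range(60)]
    + ["ESTAB 0 0 10.0.0.5:443 198.51.100.7:51000",
       "SYN-RECV 0 0 10.0.0.5:443 198.51.100.8:51001",
       "LISTEN 0 128 0.0.0.0:443 0.0.0.0:*"]
)

if __name__ == "__main__":
    print(detect_syn_flood(SAMPLE))
```

A real flood usually spoofs many source addresses, so the per-source rule alone is not enough; that is why the total count is checked as well. Modern kernels also mitigate this case with SYN cookies, which let the server answer SYN without keeping per-connection state until the handshake completes.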

  26. DoS attacks (F5 attack)
    • F5 attack
    An attack that overloads the target server, making it unable to process requests, by sending a large number of requests in a short time
    ‣ Named after the F5 key, which browsers bind to "reload page"
    (Figure) Reload, reload, reload, reload… page requests arrive in bulk and the server is overloaded

  27. DDoS attacks
    • DDoS (Distributed Denial of Service) attack
    Unlike a DoS attack, the attack is launched from many computers at the same time
    ‣ Main method
    - Smurf: broadcasts ICMP echo requests (ping)

  28. DDoS attacks (Smurf)
    • Smurf attack
    Exploits the behaviour of ICMP echo request (ping)
    ‣ The destination is set to the network address of an intermediary ("stepping-stone") network
    (Figure) Destination: the broadcast address of the intermediary network 10.0.22.0/24. With the source address forged to the target's address, every host on that network replies, and the target is flooded with ICMP echo replies.

  29. What is ICMP?
    • ICMP (Internet Control Message Protocol)
    A protocol used on IP networks to report errors and to query network information
    ‣ Specified in RFC 792
    ‣ So fundamental that every IP module (software) is required to implement it

  30. What is ICMP?
    • ICMP has two main uses
    1. Error reporting
    Telling the sender that an error occurred somewhere along the route
    2. Information query
    A host asks another device for information
    ‣ e.g. whether a destination IP host exists, its netmask, the time of day
    • Each message is expressed as a combination of a type and a code
    ‣ Some examples follow

  31. What is ICMP?
    Type | Code | Content                                              | Kind
    0    | 0    | Echo reply                                           | information query
    3    |      | Destination unreachable                              | error report
         | 0    |   destination network unreachable                    |
         | 1    |   destination host unreachable                       |
         | …    |                                                      |
    4    | 0    | Source quench (request to slow down sending)         | error report
    5    |      | Redirect                                             | error report
         | 0    |   better route to the specified network              |
         | 1    |   better route to the specified host                 |
         | …    |                                                      |
    8    | 0    | Echo request                                         | information query
    …    |      |                                                      |

  32. DoS attacks (Smurf)
    • ICMP is a very important protocol, but it is usually blocked at the router
    ‣ because it is so often used in attacks
    • If it is dangerous, why not just block all of it?
    ‣ IP communication does not stop working entirely
    ‣ but it can produce a "black-hole router" situation
    • The right setting is to pass only the ICMP types you need
    (End of section: Password cracking, DoS attacks)

  33. Agenda (repeat of slide 4; next: 3. Attacks that exploit the characteristics of web systems)

  34. Attacks that exploit the characteristics of web systems
    • Two attacks are covered
    1. Session hijacking
    Stealing a session ID to gain unauthorized access
    2. Directory traversal
    Using strings such as ./ and ../ to reach files that are normally inaccessible

  35. Attacks that exploit the characteristics of web systems
    • Session hijacking
    ‣ An attack in which the attacker eavesdrops on a session ID and then communicates while impersonating its owner
    - Web systems that require login keep track of the logged-in user with a cookie or session ID
    - whoever knows the session ID can impersonate that user

  36. Attacks that exploit the characteristics of web systems
    (Figure) Normal login: the user sends user ID and password, the server issues session ID abc123, and later requests carry SID=abc123.
    Session hijack: the attacker eavesdrops on the session ID and sends their own requests with SID=abc123.

  37. Attacks that exploit the characteristics of web systems
    • Directory traversal
    ‣ An attack that uses strings such as "./" and "../" to reach information that is not normally published
    - e.g. reaching /etc/passwd from index.html
    (Figure) Directory tree:
    /
    ├─ etc/
    │   ├─ user
    │   └─ passwd
    └─ var/
        └─ www/
            └─ index.html
    From /index.html (served from /var/www/), the path ../../etc/passwd climbs up to /etc/passwd

  38. Attacks that exploit the characteristics of web systems
    GET /index.html → index.html (normal request)
    GET ../../etc/password → password (directory traversal)
    "../" is a special string that denotes the directory one level up
    By climbing above the web root directory, the attacker makes the server send files that were never meant to be published

  39. Attacks that exploit the characteristics of web systems
    • Let's look at a PHP implementation (quoted from Wikipedia)
    PHP program:
    <?php
    $template = 'blue.php';
    if ( isset( $_COOKIE['TEMPLATE'] ) )
        $template = $_COOKIE['TEMPLATE'];
    include ( "/home/users/phpguru/templates/" . $template );
    ?>
    HTTP request:
    GET /vulnerable.php HTTP/1.0
    Cookie: TEMPLATE=../../../../../../../../../etc/passwd

  40. Attacks that exploit the characteristics of web systems
    • The server's response looks like this
    ‣ the contents of /etc/passwd are exposed
    HTTP/1.0 200 OK
    Content-Type: text/html
    Server: Apache
    root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh
    daemon:*:1:1::/tmp:
    phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh
    Source: https://ja.wikipedia.org/wiki/ディレクトリトラバーサル
    • The program must check for such strings and refuse them
    (End of section: Attacks that exploit the characteristics of web systems)
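The slide ends with "the program must check for such strings", and the check that actually works is not a blacklist of `../` but containment: resolve the requested name against the template directory and refuse anything whose resolved path is not strictly inside it. The following is an added example, not the slides' or Wikipedia's code: a Python version of the cookie-selected template from slide 39 with that containment check. The template directory is the one from the quoted snippet; the cookie strings are constructed. The check here is lexical (`posixpath.normpath`) so it runs offline; on a live filesystem you would additionally resolve symlinks with `os.path.realpath` before comparing.

```python
# Added example (not from the slides): the "check on the program side" for the
# TEMPLATE cookie, done as a path-containment test. Cookie values are constructed.
import posixpath

TEMPLATE_DIR = "/home/users/phpguru/templates"   # base directory users may read from


def resolve_template(base_dir, requested):
    """Return the absolute path of `requested` inside `base_dir`, or None if it escapes."""
    if not requested or "\x00" in requested:
        return None
    base = posixpath.normpath(base_dir)
    # join() discards `base` if `requested` is absolute, and normpath() collapses
    # "." and ".." lexically, so any escape attempt ends up outside `base`.
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if candidate.startswith(base + "/"):
        return candidate
    return None


def template_from_cookie(cookie_header, default="blue.php"):
    """Pick the template named by Cookie: TEMPLATE=..., falling back to the default on traversal."""
    chosen = default
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "TEMPLATE" and value:
            chosen = value
    path = resolve_template(TEMPLATE_DIR, chosen)
    if path is None:
        path = resolve_template(TEMPLATE_DIR, default)
    return path


if __name__ == "__main__":
    print(template_from_cookie("TEMPLATE=../../../../../../../../../etc/passwd"))
    print(template_from_cookie("TEMPLATE=green.php"))
```

Note that an absolute value such as `/etc/passwd` is rejected too, because `posixpath.join` replaces the base with it and the containment test then fails. The same idea, with `realpath`, is what most web frameworks implement under the name "safe join".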

  41. Agenda (repeat of slide 4; next: 4. Attacks that target application vulnerabilities)

  42. Attacks that target application vulnerabilities
    • Three techniques are covered
    1. Cross-site scripting (XSS)
    Attacks on web pages that display user input
    2. Cross-site request forgery (CSRF)
    Tricking a user into sending a request to the server that the user did not intend
    3. SQL injection
    Embedding SQL in submitted data so that the database performs operations that were never intended

  43. Attacks that target application vulnerabilities
    • Cross-site scripting (XSS)
    An attack on the vulnerability of sites, such as bulletin boards, that display what users enter
    ‣ A malicious user enters a script, and that script is displayed (and runs) on other users' screens
    - planting a JavaScript alert in a form
    - forcibly redirecting the page
    - session hijacking

  44. Attacks that target application vulnerabilities
    (Figure) Bulletin board with an embedded script:
    ① A malicious page shows a link that automatically writes a malicious script to the bulletin board
    ② The victim follows the link on the malicious site
    ③ A client-side script that posts the malicious script to the board is sent to the victim
    ④ The victim unintentionally posts the malicious script
    ⑤ Another user views the board page
    ⑥ The malicious script shown on the board runs in that user's browser

  45. Attacks that target application vulnerabilities
    • Cross-site request forgery (CSRF)
    An attack in which a user is harmed by visiting a link that "performs an action on a site that requires login"
    ‣ prank posts
    ‣ redirection to fraudulent sites
    ‣ DoS by making huge numbers of illegitimate posts
    - CSRF is pronounced "sea-surf"

  46. Attacks that target application vulnerabilities
    (Figure) SNS:
    ① A malicious page shows a link that performs an action on an SNS
    ② The victim follows the link on the malicious site
    ③ A client-side script that performs the SNS action is sent to the victim
    ④ If the victim is already logged in to the SNS, the unintended action is carried out
    ⑤ To the SNS, the action looks like it came from the logged-in user
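Slides 36, 44 and 46 describe three attacks on the same piece of a web application: the session. The server-side pieces that blunt them are (a) session IDs drawn from a cryptographic random source and delivered in a cookie marked HttpOnly/Secure/SameSite, so a script on the page cannot read them and a cross-site page cannot send them; (b) a per-session CSRF token that every state-changing request must echo, so the SNS can tell a forged request from the user's own; and (c) escaping user text before it is rendered, so a posted `<script>` is shown as text rather than run. The following is an added example, not code from the slides: one in-memory implementation of all three. Request objects are constructed dicts; a real framework supplies its own.

```python
# Added example (not from the slides): session issuance, CSRF-token check and output
# escaping for a bulletin board. Requests are constructed dicts.
import html
import hmac
import secrets


class SessionStore:
    """In-memory sessions: id -> {user, csrf}. IDs are unguessable, not sequential."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def set_cookie_header(sid):
    """HttpOnly: no script access. Secure: TLS only. SameSite=Strict: never sent cross-site."""
    return "Set-Cookie: SID=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % sid


def csrf_form_field(session):
    """Hidden field the board's own post form carries; a forged page cannot know its value."""
    return '<input type="hidden" name="csrf" value="%s">' % html.escape(session["csrf"])


def render_post(user, body):
    """Escape user-controlled text so a <script> payload is displayed, not executed."""
    return "<li><b>%s</b>: %s</li>" % (html.escape(user), html.escape(body))


def handle_post(store, request):
    """Accept a board post only from a valid session whose CSRF token matches."""
    session = store.lookup(request.get("cookie_sid", ""))
    if session is None:
        return 401, "login required"
    form = request.get("form", {})
    sent = form.get("csrf", "")
    if not hmac.compare_digest(sent.encode(), session["csrf"].encode()):
        return 403, "csrf token mismatch"
    return 200, render_post(session["user"], form.get("body", ""))


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(set_cookie_header(sid))
    print(handle_post(store, {"cookie_sid": sid,
                              "form": {"csrf": store.lookup(sid)["csrf"],
                                       "body": "<script>alert(1)</script>"}}))
```

The forged request of slide 46 arrives with the victim's cookie (if SameSite is not set) but without the hidden token, so it stops at the 403; the eavesdropper of slide 36 needs the raw cookie, which Secure keeps off plaintext HTTP; and the board post of slide 44 renders as `&lt;script&gt;`.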

  47. Attacks that target application vulnerabilities
    • SQL injection
    Against an application that uses a SQL database, a way of attacking by inserting SQL that was never meant to be accepted as input
    ‣ Let's think it through with an actual SQL statement

  48. Attacks that target application vulnerabilities
    users table: columns id, user_id, password, mail_addr (sample row: user_id YSD, mail_addr YSD@example.com)
    query (PHP assumed):

    $query = <<<EOL
    SELECT mail_addr
    FROM user
    WHERE user_id = '$user_id' AND password = '$password'
    EOL;

  49. Attacks that target application vulnerabilities
    query (PHP assumed):

    $query = <<<EOL
    SELECT mail_addr
    FROM user
    WHERE user_id = '1' or '1' = '1'; -- ' AND password = '$password'
    EOL;
    • If a malicious user types "1' or '1' = '1'; --" into the id field of the form, they obtain the e-mail address
    This is equivalent to $query = SELECT mail_addr FROM user WHERE user_id = '1' or '1' = '1';
    → the WHERE clause is always TRUE

  50. Attacks that target application vulnerabilities
    Countermeasures against injection
    • Do not build SQL statements by string concatenation
    ‣ Perform escaping properly
    - placeholders, variable binding, prepared statements
    (Reference) On SQL injection countermeasures

    https://www.ipa.go.jp/files/000024396.pdf
    (End of section: Attacks that target application vulnerabilities)
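The slide's countermeasure is placeholders: the SQL text is sent to the database separately from the values, so a value can never change the statement's structure. The following is an added example, not code from the slides: the users query from slides 48 and 49 run both ways against an in-memory SQLite database, once by string formatting (as the slide's PHP does) and once with `?` placeholders. The table and its row are constructed. The slide's `'1' = '1'` tautology is supplied through the password field here, because SQLite's Python driver executes only one statement per call, so the `; --` form of slide 49 would be rejected before reaching the database.

```python
# Added example (not from the slides): the same lookup with string formatting and
# with placeholder binding. Table contents are constructed.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, user_id TEXT, "
        "password TEXT, mail_addr TEXT)")
    conn.execute(
        "INSERT INTO user (user_id, password, mail_addr) VALUES (?, ?, ?)",
        ("YSD", "s3cret", "YSD@example.com"))
    conn.commit()
    return conn


def lookup_mail_unsafe(conn, user_id, password):
    """String concatenation, as on the slide: the input becomes part of the SQL text."""
    query = ("SELECT mail_addr FROM user "
             "WHERE user_id = '%s' AND password = '%s'" % (user_id, password))
    return [row[0] for row in conn.execute(query)]


def lookup_mail_safe(conn, user_id, password):
    """Placeholder binding: the driver sends the values apart from the SQL text."""
    query = "SELECT mail_addr FROM user WHERE user_id = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (user_id, password))]


# The slide's tautology, placed in the password field (single-statement variant):
# ... AND password = '' or '1' = '1'   -> AND binds tighter, so the OR makes it always true.
INJECTED_PASSWORD = "' or '1' = '1"


if __name__ == "__main__":
    db = make_db()
    print("unsafe:", lookup_mail_unsafe(db, "nobody", INJECTED_PASSWORD))
    print("safe:  ", lookup_mail_safe(db, "nobody", INJECTED_PASSWORD))
```

With the bound version the same input is simply a password that does not match, so the query returns no rows; nothing about the statement changed. Escaping works too, but binding is the mechanism that removes the class of bug rather than filtering instances of it.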

  51. Agenda (repeat of slide 4; next: 5. Vulnerabilities of web systems)

  52. Vulnerabilities of web systems
    • Eliminating the vulnerabilities of a web system completely is difficult
    Source: 1. 2017 Q4 report on notifications of vulnerability-related information for software etc. (posted 2018/1/25)
    https://www.ipa.go.jp/security/vuln/report/vuln2017q4.html

  53. Security holes
    Zero-day attacks

  54. Vulnerabilities of web systems (security holes)
    • Security hole
    A defect in a software product that lets a user without the required privileges perform an operation that should need them, or see information that should not be visible
    ‣ Found in OSes such as Windows and Linux, web servers such as Apache and nginx, and other software

  55. Vulnerabilities of web systems (security holes)
    • Discovered security holes are managed in vulnerability databases
    ‣ Domestic and foreign vulnerability information is listed here:

    https://jvndb.jvn.jp/
    ‣ Every vulnerability is given a number
    - JVNDB-xxxx-xxxxxx
    - CVE-xxxx-xxx

  56. Vulnerabilities of web systems (security holes)
    • A vulnerability database lists the following information
    ‣ Overview
    ‣ Severity
    ‣ Countermeasures
    ‣ Vendor information (status of the vendor's response)
    ‣ CVE (common vulnerability identifier)
    • So what is the difference between JVNDB and CVE?

  57. Vulnerabilities of web systems (security holes)
    • CVE (Common Vulnerabilities and Exposures)
    The common vulnerability identifier, assigned by MITRE in the United States.
    ‣ Like the vulnerability databases, vulnerability information is published there (http://cve.mitre.org/)
    • JVN is certified as CVE-compatible
    ‣ the CVE ID is also listed near the bottom of each vulnerability page
    Reference: https://www.ipa.go.jp/security/vuln/CVE.html

  58. Security holes
    Zero-day attacks

  59. Zero-day attacks
    • Zero-day attack
    Exploiting a discovered security hole before a fix for it has been developed
    ‣ No patch has been distributed yet, so there is no definitive countermeasure
    ‣ Vendors often publish temporary workarounds, so you need to gather information
    (End of section: Vulnerabilities of web systems)

  60. Agenda (repeat of slide 4; next: 6. Firewalls)

  61. Firewalls
    • Firewall
    Placed between the internet and the internal network; monitors the data sent and received and permits or rejects the traffic
    (Figure) Internet → firewall → web server (internal network). Only permitted traffic passes; the attacker's traffic is stopped.

  62. Firewalls
    • Packet-filtering firewall
    Permits or rejects traffic by checking the IP addresses and port numbers of the packets sent and received
    ‣ Let's take a web system for internal company users as the example
    (Figure) Attacker → firewall → web server

  63. Firewall (internal use)
    Filter conditions
    [Allow]
    Direction: internet → internal
    Source IP address: the IP addresses of head office and branch offices
    Source port: any
    Destination IP address: the web server's IP address
    Destination port: 80, 443
    [Deny]
    everything else
    (Figure) An attacker outside those source addresses cannot reach the server at all

  64. Firewall (open to the public)
    • For a service open to the general public, however, filtering by source IP address as in the internal case is difficult
    ‣ Keep the allowed ports to a minimum, and make sure the services on the allowed ports are properly protected against attack
    (Figure) Attacker → firewall → web server

  65. Firewall (open to the public)
    Filter conditions
    [Allow]
    Direction: internet → internal
    Source IP address: any
    Source port: any
    Destination IP address: the web server's IP address
    Destination port: 80, 443
    [Deny]
    everything else
    (Figure) Only the permitted ports are reachable, which limits the attacker's options; 80 and 443 are open, so attacks against them need their own countermeasures
    (End of section: Firewalls)
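The two rule tables above share one policy shape: a short allow list, then "deny everything else". Slide 32 adds the ICMP rule of thumb, pass only the types you need. The following is an added example, not part of the slides: a small packet-filter evaluator that encodes both tables and the ICMP allow list, and decides on constructed packets. The web-server and source addresses are documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) standing in for the slide's "web server" and "head office / branch office" addresses, and the set of allowed ICMP types is an assumption, not something the slides specify.

```python
# Added example (not from the slides): default-deny packet filter for the two rule
# tables plus an ICMP type allow list. Addresses and packets are constructed.
import ipaddress

# Assumption: the ICMP types this site "needs" (slide 32 says to pass only those).
# 0 echo reply, 3 destination unreachable, 8 echo request, 11 time exceeded.
ICMP_TYPES_ALLOWED = {0, 3, 8, 11}


def in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def make_ruleset(web_server_ip, allowed_src_networks, allowed_dst_ports):
    """One allow rule: inbound TCP from the listed sources to the web server on the listed ports."""
    src_nets = [ipaddress.ip_network(n) for n in allowed_src_networks]
    return [{"dir": "in", "proto": "tcp", "src": src_nets,
             "dst_ip": web_server_ip, "dst_ports": set(allowed_dst_ports)}]


def decide(rules, pkt):
    """Return 'allow' or 'deny' for a packet dict with dir, proto, src_ip, dst_ip and
    either dst_port (tcp/udp) or icmp_type (icmp)."""
    if pkt["proto"] == "icmp":
        return "allow" if pkt.get("icmp_type") in ICMP_TYPES_ALLOWED else "deny"
    for r in rules:
        if (pkt["dir"] == r["dir"] and pkt["proto"] == r["proto"]
                and in_any(pkt["src_ip"], r["src"])
                and pkt["dst_ip"] == r["dst_ip"]
                and pkt.get("dst_port") in r["dst_ports"]):
            return "allow"
    return "deny"   # "everything else": anything not explicitly allowed is rejected


WEB_SERVER = "192.0.2.10"
# Slide 63: only head office / branch office networks may reach the server.
INTERNAL_RULES = make_ruleset(WEB_SERVER, ["198.51.100.0/24", "203.0.113.0/24"], [80, 443])
# Slide 65: anyone may reach it, but only on 80 and 443.
PUBLIC_RULES = make_ruleset(WEB_SERVER, ["0.0.0.0/0"], [80, 443])


if __name__ == "__main__":
    pkt = {"dir": "in", "proto": "tcp", "src_ip": "8.8.8.8",
           "dst_ip": WEB_SERVER, "dst_port": 443}
    print("internal:", decide(INTERNAL_RULES, pkt), " public:", decide(PUBLIC_RULES, pkt))
```

Under the public table the attacker's packet to port 443 is allowed, which is the slide's point: the firewall has done all it can, and what listens on 80 and 443 must defend itself (which is where the IDS/IPS and WAF of the next sections come in).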

  66. Agenda (repeat of slide 4; next: 7. IDS, IPS)

  67. IDS, IPS
    • Ways to stop attacks that a firewall cannot
    ‣ IDS (Intrusion Detection System)
    Monitors for unauthorized access and sends an alert when it detects it
    ‣ IPS (Intrusion Prevention System)
    Monitors for unauthorized access and, on detection, both alerts and blocks the traffic
    (Figure) Internet → firewall → network-based IDS/IPS → web server

  68. IDS, IPS
    • An IPS, which blocks illegitimate traffic, can provide the stronger security
    ‣ but anomaly detection is not perfect, and normal traffic may be misclassified (and then blocked)
    ‣ which reduces availability
    • IDS and IPS need to be chosen appropriately for the situation

  69. IDS, IPS
    (Figure) IDS: detects the anomaly in the attacker's traffic but lets the traffic through to the web server as is.
    IPS: detects the anomaly and blocks the traffic before it reaches the web server.

  70. Detection methods of IDS/IPS
    • There are two approaches to detecting unauthorized access
    ‣ Signature-based (misuse detection)
    Keep a database (the signatures) of the traffic patterns of known attack techniques and compare traffic against it (e.g. SYN flood)
    ‣ Anomaly-based (anomaly detection)
    Define what the normal state looks like and treat anything that deviates from it as an anomaly
    (End of section: IDS/IPS)

  71. Agenda (repeat of slide 4; next: 8. WAF)

  72. WAF
    • WAF (Web Application Firewall)
    A firewall placed in front of a web application that checks whether requests contain malicious data
    ‣ An IDS/IPS can counter DoS attacks and the like
    - but it cannot stop attacks such as SQL injection, XSS and parameter tampering, so a WAF is used for those

  73. WAF
    (Figure) Layers of a site: infrastructure network → OS → off-the-shelf software in use → web application (the part developed for each site).
    What protects which layer: the firewall (F/W) and IDS/IPS cover the lower layers; the WAF covers the web application layer by neutralizing its vulnerabilities.
    F/W: firewall

  74. WAF
    • There are two approaches to detecting unauthorized access
    ‣ Blacklist type
    Compares traffic against specific (blacklisted) patterns and blocks traffic that looks malicious
    - when a new threat is discovered, nothing can be done until the list is updated
    ‣ Whitelist type
    Compares traffic against normal (whitelisted) patterns and passes only traffic that matches
    - the rules describing normal traffic must be configured correctly
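The two pairs on slides 70 and 74 are the same idea at two layers: a signature or blacklist says what bad looks like, an anomaly baseline or whitelist says what normal looks like. The following is an added example, not code from the slides, that runs all four over constructed access-log lines (common log format) so the trade-offs are visible. The signatures, the whitelist schema and the per-client baseline are assumptions for the demonstration.

```python
# Added example (not from the slides): signature/blacklist and anomaly/whitelist
# checks over constructed access-log lines. Patterns and baseline are assumptions.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)')

# Signature / blacklist style: fragments of known attacks, raw or URL-encoded.
SP = r"(\s|%20)*"
SIGNATURES = {
    "directory traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
    "sql tautology": re.compile(
        r"('|%27)" + SP + "or" + SP + r"('|%27)?1('|%27)?" + SP + "=" + SP + r"('|%27)?1", re.I),
    "script tag": re.compile(r"<script|%3cscript", re.I),
}

# Whitelist style: the only paths, and the only query parameters, the site actually serves.
WHITELIST = {
    "/index.html": set(),
    "/search": {"q", "page"},
}


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def signature_hits(entry):
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(entry["path"]))


def whitelist_ok(entry):
    path, _, query = entry["path"].partition("?")
    if path not in WHITELIST:
        return False
    params = {p.split("=", 1)[0] for p in query.split("&") if p}
    return params <= WHITELIST[path]


def anomaly_sources(entries, baseline_per_ip=5):
    """Anomaly style: clients whose request count exceeds the learned per-client baseline."""
    counts = Counter(e["ip"] for e in entries)
    return sorted(ip for ip, n in counts.items() if n > baseline_per_ip)


def analyse(lines):
    entries = [e for e in (parse(line) for line in lines) if e]
    sig = {}
    for e in entries:
        hits = signature_hits(e)
        if hits:
            sig[e["path"]] = hits
    return {
        "signature": sig,
        "whitelist_rejected": [e["path"] for e in entries if not whitelist_ok(e)],
        "anomaly": anomaly_sources(entries),
    }


# Constructed log: one normal client and one client that probes, injects and hammers.
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Apr/2018:10:00:01 +0900] "GET /index.html HTTP/1.1" 200',
    '198.51.100.7 - - [24/Apr/2018:10:00:02 +0900] "GET /search?q=icmp&page=2 HTTP/1.1" 200',
    '203.0.113.9 - - [24/Apr/2018:10:00:03 +0900] "GET /../../etc/passwd HTTP/1.1" 404',
    '203.0.113.9 - - [24/Apr/2018:10:00:04 +0900] "GET /search?q=%27%20or%20%271%27=%271 HTTP/1.1" 200',
    '203.0.113.9 - - [24/Apr/2018:10:00:05 +0900] "GET /admin?debug=1 HTTP/1.1" 403',
] + ['203.0.113.9 - - [24/Apr/2018:10:00:%02d +0900] "GET /index.html HTTP/1.1" 200' % s
     for s in range(6, 12)]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The output shows each approach's blind spot: the whitelist passes the `/search?q=…` injection because `q` is an allowed parameter and it does not inspect values, while the signatures miss the unknown `/admin?debug=1` probe; the rate-based anomaly flags the noisy client without knowing what any request meant. Real WAFs and IDSs layer all of them for that reason.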

  75. WAF
    (Figure) Attacker → F/W → IDS/IPS → WAF (two copies of the chain).
    Blacklist type: matches requests against malicious patterns supplied by the WAF vendor.
    Whitelist type: checks requests against a definition of normal traffic that you write yourself.
    (End of section: WAF)

  76. Agenda (repeat of slide 4; next: 9. Encryption)

  77. Encryption
    • Encryption
    Converting the original data (plaintext) with an encryption algorithm into data that a third party cannot read (ciphertext)
    ‣ converting it back is called decryption
    • Here we split encryption into two kinds
    1. Encryption on the communication path
    2. Encryption of stored data

  78. Encryption on the communication path
    Encryption of stored data

  79. Encryption on the communication path
    • Some of the data exchanged with users must not be exposed to eavesdropping
    ‣ personal information such as names and addresses
    ‣ confidential information such as credit card details
    • Such data should not be sent in plaintext
    ‣ use HTTPS rather than HTTP
    ‣ HTTPS does not help if the website itself is malicious, so check the site once before using it (obviously)

  80. Encryption on the communication path
    Encryption of stored data

  81. Encryption of stored data
    • If a server is broken into, the attacker can easily steal the data held on it
    • Storing passwords in plaintext in the database is dangerous (it should go without saying)
    ‣ Encrypt the data on the server, just in case

  82. Encryption of stored data
    • Various approaches have been devised over time
    ‣ plaintext (stored as is)
    ‣ hashing
    Hash the string with md5 or similar
    ‣ salt (MD5 → SHA-2)
    Hash the original string + salt
    ‣ stretching
    ‣ bcrypt

  83. Encryption of stored data
    • Stretching
    Generating the stored value by applying the hash function to the data many times over
    • bcrypt
    Based on the Blowfish cipher. It produces strings like the following:
    $2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa
    (End of section: Encryption)

  84. Agenda (repeat of slide 4; next: 10. Public-key certificates)

  85. Public-key certificates
    • Public-key certificate
    Proves that the party you are communicating with is who they claim to be
    ‣ often used to prove the legitimacy of the public key used in public-key cryptography, so it is also called an SSL certificate
    • Roles of a public-key certificate
    ‣ proof of who owns the public key used for HTTPS
    ‣ proof that the owner of the public key actually exists (proof of existence)

  86. Public-key certificates
    • Public-key certificates are issued by third-party organizations called certificate authorities (CA)
    ‣ commercial ones usually charge, but Let's Encrypt and the like are free
    • Certificates have an expiry date, so they have to be renewed
    ‣ some browsers warn you when you visit a site that forgot to renew
    • There are also self-signed ("ore-ore") certificates
    ‣ like our university's
    (End of section: Public-key certificates)

  87. Agenda (repeat of slide 4; next: 11. Authentication)

  88. Authentication
    • Authentication
    On membership sites and the like, the process of verifying the user's identity with an ID and password
    ‣ Authentication used to mean a separate ID and password for every site
    - today more and more sites authenticate with an account from another service such as Google, Twitter or Facebook

  89. Authentication
    (Figure) The user's browser sends ID:ozisan, password:kfAD2% to the web server, which checks them against the DB server; the DB server permits the login and the web server reports login success.
    As the number of sites used grows… each web server authenticates the user separately (authentication, authentication, authentication).

  90. Authentication
    • Another service's authentication system can be used instead
    ‣ For the user
    Fewer accounts to manage
    ‣ For the site operator
    Implementing the site to use another company's system means no user credentials have to be managed individually

  91. Authentication
    (Figure) The browser uses several web servers, but authentication is done once with the Google account.
    Not only is per-site authentication unnecessary, the sites do not need to handle login credentials at all.

  92. Authentication (authentication APIs)
    • Authentication API
    An API for the authentication process.
    ‣ The web application that needs to authenticate sends the user to the authentication API, and logs the user in on receiving the authentication result from that API.

  93. Authentication (authentication APIs)
    (Figure) ① The browser requests login at the membership site (login required) ② the site directs the user to log in at the authentication API ③ the user logs in at the authentication site ④ the authentication site notifies the membership site that authentication is complete ⑤ the membership site reports login success.
    The user must have an account at the site that provides the authentication API.

  94. Authentication (authentication APIs)
    • Drawbacks of authentication APIs
    ‣ a user who has no account with the API provider cannot be authenticated
    ‣ every provider's API is different, so each one needs its own code
    • OpenID exists to solve this

  95. Authentication (OpenID)
    • OpenID
    A protocol that standardizes the authentication process, solving the "every service has a different API" problem of authentication APIs
    ‣ With an OpenID-based system, one ID and password is enough to log in to many sites (no dependence on a particular service's account)

  96. Authentication (OpenID)
    (Figure) ① The user presents an OpenID account to the membership site (login required) ② the site discovers the authentication site holding that account and exchanges encryption keys with it ③ the site directs the user to log in via OpenID ④ the user logs in at the authentication site ⑤ the authentication site notifies the membership site that authentication is complete ⑥ the membership site reports login success.
    An account at any one of the OpenID sites is enough.
    (End of section: Authentication)

  97. Agenda (repeat of slide 4; next: 12. Authorization)

  98. Authorization
    • Authentication vs. authorization
    ‣ Authentication
    Confirming who the other party is, i.e. that they are a legitimate user (the person themselves)
    ‣ Authorization
    Granting an authenticated user permission to use a service
    - this section is about the latter

  99. Authorization
    • Take Twitter as an example…
    ‣ Authentication
    Logging in as the account user_A
    ‣ Authorization
    Allowing user_A to edit and read posts made under the name user_A, but only read the posts of other accounts
    • In this example authentication and authorization are tightly coupled

  100. Authorization
    • Increasingly, though, authentication and authorization are treated separately
    ‣ On Twitter: using the service from a third-party client, or sharing to Twitter from another app
    - authorization has to be delegated
    • Ways to achieve this
    ‣ OAuth
    ‣ OpenID Connect

  101. Authorization (OAuth)
    • OAuth
    A standardized protocol for authorization (the granting of permissions) across sites
    ‣ it only authorizes; it does not authenticate
    ‣ lets you use an external service without handing your ID and password to a third party
    ‣ it issues a token and delegates permissions to the client that holds that token
    • Four terms are needed to understand OAuth

  102. Authorization (OAuth)
    • Resource owner (end user)
    The user of the service
    • Authorization server
    The server that performs authorization and issues tokens
    ‣ may be the same machine as the resource server
    • Resource server
    The server where the data lives
    • Client
    The website or app that uses the service

  103. Authorization (OAuth)
    • Flow
    1. The client asks the resource owner for permission
    2. The resource owner grants it
    3. The client asks the authorization (token-issuing) server for a token
    4. The server verifies that the grant is legitimate and issues the token
    5. The client posts to the service using the token

  104. Authorization (OAuth)
    (Figure) User (resource owner), Facebook (client), Twitter (resource server).
    ① permission request ② permission ③ token request (the token is issued once the grant is checked) ④⑤ the client posts to the resource server by presenting the token.
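The five steps of slide 103 and the figure above map onto an authorization-code exchange. The following is an added example, not code from the slides, that plays the flow out between the three parties with the figure's roles (the constructed `facebook-app` client and a Twitter-like resource server): the owner's approval yields a single-use code, the client trades the code for a scoped, expiring token, and the resource server accepts a post only if the token is valid and carries the `post` scope. Token formats, scopes and lifetimes are assumptions for the demonstration, not the OAuth specification's wire format.

```python
# Added example (not from the slides): a toy OAuth-style authorization-code flow.
# Codes are single use, tokens carry a scope and expire. Parties are constructed.
import secrets
import time


class AuthorizationServer:
    def __init__(self, clock=time.time, token_ttl=3600):
        self.clock = clock
        self.token_ttl = token_ttl
        self.codes = {}    # code  -> (owner, client_id, scope)
        self.tokens = {}   # token -> (owner, client_id, scope, expires_at)

    def authorize(self, owner, client_id, scope, approved):
        """Steps 1-2: the owner approves (or refuses) the client's request for `scope`."""
        if not approved:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (owner, client_id, scope)
        return code

    def exchange(self, code, client_id):
        """Steps 3-4: check the grant belongs to this client, then issue a token."""
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if grant is None or grant[1] != client_id:
            return None
        owner, _, scope = grant
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (owner, client_id, scope, self.clock() + self.token_ttl)
        return token

    def introspect(self, token):
        """What the resource server asks: who and what does this token stand for, if anything."""
        entry = self.tokens.get(token)
        if entry is None or self.clock() >= entry[3]:
            return None
        return {"owner": entry[0], "client": entry[1], "scope": entry[2]}


class ResourceServer:
    """Step 5: accepts a post only for a valid token that carries the 'post' scope."""

    def __init__(self, auth_server):
        self.auth = auth_server
        self.posts = []

    def post(self, token, text):
        info = self.auth.introspect(token)
        if info is None:
            return 401, "invalid or expired token"
        if "post" not in info["scope"].split():
            return 403, "token lacks the post scope"
        self.posts.append((info["owner"], info["client"], text))
        return 201, "posted as %s via %s" % (info["owner"], info["client"])


def run_flow(approved=True, scope="post", clock=time.time):
    """The whole exchange of slide 104: user_A lets facebook-app post to the resource server."""
    auth = AuthorizationServer(clock=clock)
    resource = ResourceServer(auth)
    code = auth.authorize("user_A", "facebook-app", scope, approved)
    if code is None:
        return None
    token = auth.exchange(code, "facebook-app")
    return resource.post(token, "hello from the client")


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(scope="read"))
```

Two details carry most of the security: the client never sees user_A's password (the slide's point), and the token is scoped, so a client granted `read` cannot post even though it was authenticated by the same owner.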

  105. Authorization (OpenID Connect)
    • OpenID Connect
    A protocol built on OAuth 2.0 with authentication added
    ‣ Provides authentication and authorization together, so unlike plain OAuth there is no need for a separate authentication method
    ‣ These slides explain it well

    https://www.slideshare.net/kura_lab/openid-connect-id
    (End of section: Authorization)

  106. Agenda (repeat of slide 4; next: 13. CAPTCHA)

  107. CAPTCHA
    • CAPTCHA
    Decides whether the client is a computer or a human
    ‣ Short for Completely Automated Public Turing Test To Tell Computers and Humans Apart

  108. CAPTCHA
    • By requiring a task that is easy (?) for a human but hard for a computer, it blocks automated mass-posting scripts and the like
    ‣ the classic example is reading distorted characters
    Source: https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html
    Sometimes even a human can't read these, can they…?

  109. CAPTCHA
    • Besides reading characters there are variants such as "click only the images of the specified kind" and "drag the puzzle piece into the right place" (quite a nuisance)
    • Google's reCAPTCHA makes such interaction unnecessary
    ‣ in borderline cases it may still fall back to a conventional CAPTCHA check
    Source: https://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html
    (End of section: CAPTCHA)

  110. References
    • Information security management standards (IPA)

    https://www.ipa.go.jp/security/manager/protect/pdca/risk_ass.html
    • Session hijacking

    https://ja.wikipedia.org/wiki/セッションハイジャック
    • Directory traversal

    https://ja.wikipedia.org/wiki/ディレクトリトラバーサル
    • Hamamatsu Technical High School, network technology materials

  111. References
    • Cross-site scripting (XSS)

    https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/threat-solution/xss.html
    • Cross-site request forgery (CSRF)

    https://www.trendmicro.com/ja_jp/security-intelligence/research-reports/threat-solution/csrf.html
    • On SQL injection countermeasures

    https://www.ipa.go.jp/files/000024396.pdf
    • Overview of the common vulnerability identifier CVE

    https://www.ipa.go.jp/security/vuln/CVE.html

  112. References
    • Differences between WAF, IPS/IDS and F/W (firewall)

    https://www.websecurity.symantec.com/ja/jp/theme/waf-ips-ids
    • Password storage: past, present and future

    http://kengos.jp/2015/09/13/password.html
    • Authentication and authorization explained

    https://dev.classmethod.jp/security/authentication-and-authorization/
    • Irasutoya (illustrations)

    https://www.irasutoya.com/