Upgrade to Pro — share decks privately, control downloads, hide ads and more …

フロントエンドエンジニアのためのセキュリティ対策

Avatar for CarstayJP CarstayJP
February 26, 2022
Technology
1
1.4k

 フロントエンドエンジニアのためのセキュリティ対策

Avatar for CarstayJP

CarstayJP

February 26, 2022
Tweet

More Decks by CarstayJP

See All by CarstayJP
Google App Script(GAS)
Avatar for CarstayJP carstayjp
0
420
C向けスタートアップのプロダクト開発の進め方
Avatar for CarstayJP carstayjp
0
510

Other Decks in Technology

See All in Technology
How to Quickly Call American Airlines®️ U.S. Customer Care : Full Guide
Avatar for goldfinch3710 flyaahelpguide
0
150
Zero Data Loss Autonomous Recovery Service サービス概要
Avatar for oracle4engineer oracle4engineer
PRO
2
7.8k
面倒な作業はAIにおまかせ。Flutter開発をスマートに効率化
Avatar for Rui ruideengineer
0
400
MobileActOsaka_250704.pdf
Avatar for AKAI Tadaaki akaitadaaki
0
170
United Airlines Customer Service– Call 1-833-341-3142 Now!
Avatar for vivankilkenny548+imnfc airhelp
0
170
【あのMCPって、どんな処理してるの?】 AWS CDKでの開発で便利なAWS MCP Servers特集
Avatar for yoshimi0227 yoshimi0227
4
300
Enhancing SaaS Product Reliability and Release Velocity through Optimized Testing Approach
Avatar for ropQa ropqa
1
240
LLM時代の検索
Avatar for shibuiwilliam shibuiwilliam
2
430
Rethinking Incident Response: Context-Aware AI in Practice
Avatar for rrreeeyyy rrreeeyyy
1
130
20250707-AI活用の個人差を埋めるチームづくり
Avatar for shnjtk shnjtk
6
4k
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
Avatar for Haruka Sakihara harukasakihara
2
130
SEQUENCE object comparison - db tech showcase 2025 LT2
Avatar for Noriyoshi Shinoda nori_shinoda
0
190

Featured

See All Featured
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
346
40k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
351
20k
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
29
9.6k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
613
210k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.5k
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
40
1.9k
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
301
51k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
329
21k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
173
14k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1k

Transcript

  1. ϑϩϯτΤϯυΤϯδχΞ΋஌ ͓͖͍ͬͯͨηΩϡϦςΟରࡦ XSSฤ 2022/02/26

  2. Carstayגࣜձࣾɿ֓ཁ 2

  3. Carstayגࣜձࣾɿϛογϣϯ 3 Stay Anywhere, Anytime. ୭΋͕޷͖ͳͱ͖ʹɺ޷͖ͳ৔ॴͰɺ޷͖ͳਓͱաͤ͝ΔੈքΛͭ͘Δ

  4. CarstayגࣜձࣾɿϓϩμΫτ 4 ʮCarstayʯ͸೔ຊͰ།ҰɺΩϟϯϐϯάΧʔͱंதധεϙοτΛ༧໿͢Δ͜ͱ͕Ͱ͖ΔεϚϗΞϓϦͰ͢ ৐Βͳ͍ظؒʹ༡ٳं྆ΛγΣΞ͍ͨ͠Φʔφʔɺۭ͖஍Λ༗ޮ׆༻͍ͨ͠றं৔Φʔφʔ͕ొ࿥͍ͯ͠·͢

  5. ࣗݾ঺հ Ngo Van Thang | ϑϧελοΫΤϯδχΞ ▼ ܦྺ ɾ2014೥ʹଔۀޙʹདྷ೔ ɾ2014೥

    ιʔγϟϧήʔϜӡӦձࣾʹೖࣾ ɹɾήʔϜαʔόӡ༻ ɾ2016೥ ೿ݣձࣾʹೖࣾ ɹɾίʔσΟϯάςεταʔϏεɺLINE഑৴αʔϏε։ൃ ɾ2018೥ ϒϩοΫνΣʔϯձࣾʹೖࣾ ɹɾϒϩοΫνΣʔϯΛ࢖ͬͨΫϦΤʔλͱاۀͷϚονϯάαʔϏεɺӽڥEC։ൃ ɾ2020೥ Carstayגࣜձࣾʹೖࣾ | Tech Lead ɹɾ։ൃશൠ؅ཧɺίʔυϨϏϡʔɺ΢ΣϒɾΞϓϦ։ൃ ▼झຯ ɾήʔϜʢΞΫγϣϯήʔϜɺFPS etcʣ ɾαοΧʔ ɾίϚϯυϥΠϯ͕޷͖ Ngo Van Thangʢ30ࡀʣ @nooptr https://www.facebook.com/thanghedspi 5

  6. Agenda • ੬ऑੑ(XSS)ͷ࢓૊Έͱରࡦ • σϞ • ·ͱΊ 6

  7. ΢ΣϒαΠτͷ੬ऑੑͷछྨผʢ೥ʣ 7 11% 2% 2% 3% 11% 13% 58% https://www.ipa.go.jp/files/000082044.pdf

    XSS ʢΫϩεαΠτɾεΫϦϓςΟϯά ʣ DNS৘ใͷઃఆෆඋ SQLΠϯδΣΫγϣϯ ϑΝΠϧͷޡͬͨެ։ σΟϨΫτϦɾτϥόʔαϧ HTTPSͷෆద੾ͳར༻ ͦͷଞ

  8. XSS ΫϩεαΠτɾεΫϦϓςΟϯά

  9. XSSʢΫϩεαΠτεΫϦϓςΟϯάʣͱ͸ ར༻ऀ͕ೖྗͨ͠಺༰Λදࣔ͢ΔΑ͏ͳߏ੒ͷWebαΠτʹଘࡏ͢Δܽ ؕΛѱ༻ͯ͠ɺ߈ܸऀ͕༻ҙͨ͠ѱҙͷ͋ΔεΫϦϓτΛར༻ऀͷݩʹ ૹΓࠐΜͰ࣮ߦͤ͞Δ߈ܸख๏ɻ 9

  10. XSSͷ࢓૊Έ 10 Source: https://yamory.io/blog/about-xss/

  11. ReactͷXSS

  12. dangerouslySetInnerHTML 12 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ

  13. dangerouslySetInnerHTML 13 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ DEMO: https://codesandbox.io/s/react-xss-example-forked-9n3exm

  14. dangerouslySetInnerHTML 14 ▪ରࡦɿ 
 ɾ࢖Θͳ͍ɻͲ͏ͯ͠΋ར༻͍ͨ͠৔߹͸ɺపఈతʹΤεέʔϓΛߦ͏ɻ ɾdompurifyͳͲͷϥΠϒϥϦΛ࢖͏͜ͱͰɺXSSͷ໰୊ΛղܾͰ͖Δɻ https://github.com/cure53/DOMPurify

  15. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 15

  16. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 16 DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  17. ▪ରࡦɿ ɾεΩʔϜΛhttp:// ͔ https://ͷΈʹ੍ޚ͢Δ ɾઌ಄ʹ / Λ͚ͭΔ Javascript: εΩʔϜ 17

    DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  18. JSON.stringify(str) 18 ੬ऑ෦෼ ҎԼͷ஋ؚ͕·ΕΔͱɺXSS͕ੜ͡Δ Server Renderingͷ࣌ʹɺReactଆͰ࢖͑ΔΑ͏ʹɺԼهͷΑ͏ͳίʔυ͕͋Δ

  19. 19 ID/ύεϫʔυ͕࿙Εͳ͔ͬͨΒຊ౰ʹେৎ෉ʁ

  20. 20 ͦΜͳ͜ͱͳ͍Ͱ͢Α

  21. 21 DEMO

  22. ·ͱΊ

  23. ·ͱΊ 23 ɾ࠷΋ଟ͍੬ऑੑ͸XSS ɾXSSରࡦʹ͸จࣈྻΛΤεέʔϓ͢Δ ɾXSSͷݪཧΛ஌Βͳ͍ͱɺ؆୯ʹXSSͷ੬ऑੑΛ࡞ΓࠐΜͰ͠·͏ͷͰɺXSSͷཧղ͸ඞཁ ɾID/ύεϫʔυΛ஌Βͳͯ͘΋ɺCookie৘ใ͕Θ͔ͬͨΒɺϩάΠϯͰ͖ͯ͠·͏ͷͰɺ PC࢖Θͳ͍࣌͸ඞͣը໘ΛϩοΫ͠·͠ΐ͏

  24. CarstayɺઈࢍΤϯδχΞืूதͰ͢ʂ 24 ˒ CTOީิΤϯδχΞ ɾϑϩϯτΤϯυΤϯδχΞ ɾΞϓϦΤϯδχΞ ɾαʔόʔαΠυΤϯδχΞ ։ൃݴޠɿTypescriptɹ։ൃϑϨʔϜϫʔΫɿReactJS, React NativeɹWebαʔόɿNodeJS

    ͥͻ͓ؾܰʹ͝࿈བྷ͍ͩ͘͞ ⏬

  25. 25 ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ