Upgrade to Pro — share decks privately, control downloads, hide ads and more …

フロントエンドエンジニアのためのセキュリティ対策

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for CarstayJP CarstayJP
February 26, 2022
Technology
1.6k
1

 フロントエンドエンジニアのためのセキュリティ対策

Avatar for CarstayJP

CarstayJP

February 26, 2022

More Decks by CarstayJP

See All by CarstayJP
Google App Script(GAS)
Avatar for CarstayJP carstayjp
0
450
C向けスタートアップのプロダクト開発の進め方
Avatar for CarstayJP carstayjp
0
540

Other Decks in Technology

See All in Technology
AWS Security Hub CSPMの成功・失敗体験
Avatar for cm-usuda-keisuke cmusudakeisuke
0
240
いまさら聞けない「仕様駆動開発入門」 〜AI活用時代の開発プロセスを考える〜
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
2
160
徹底討論!ECS vs EKS!
Avatar for 高棹大樹 daitak
0
160
2026TECHFRESH畢業分享會 - Lightning Talk - 資料也要 CI/CD? 用 Airbyte 自動化資料同步
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.3k
RAG を使わないという選択肢
Avatar for tatsutaka tatsutaka
1
270
SteampipeとExcel Power QueryでAWS構成定義書の作成を自動化する
Avatar for jhashimoto jhashimoto
0
150
10年間のブログ発信を振り返って見えたWebアプリケーションエンジニアとしての軌跡
Avatar for すてにゃん stefafafan
0
160
Claude Codeをどのように キャッチアップしているか
Avatar for Oikon oikon48
13
8.5k
あなたの知らないPDFのアクセシビリティ
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
220
Oracle AI Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.5k
2026TECHFRESH畢業分享會 - 葬送的通靈師:化系統與用戶雜訊成行動訊號
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
1.3k
【Snowflake Summit 2026 Recap!!】Snowflake Summit Deep Dive: Security & Governance
Avatar for Civitaspo civitaspo
1
260

Featured

See All Featured
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
4.2k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
370
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
2
1.5k
It's Worth the Effort
Avatar for 3n 3n
188
29k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
Exploring anti-patterns in Rails
Avatar for Elle Meredith aemeredith
3
410
New Earth Scene 8
Avatar for Sydney Stone popppiees
3
2.3k
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
7.6k
Marketing to machines
Avatar for Jono Alderson jonoalderson
1
5.5k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
4k
Music & Morning Musume
Avatar for Bryan Veloso bryan
47
7.2k

Transcript

  1. ϑϩϯτΤϯυΤϯδχΞ΋஌ ͓͖͍ͬͯͨηΩϡϦςΟରࡦ XSSฤ 2022/02/26

  2. Carstayגࣜձࣾɿ֓ཁ 2

  3. Carstayגࣜձࣾɿϛογϣϯ 3 Stay Anywhere, Anytime. ୭΋͕޷͖ͳͱ͖ʹɺ޷͖ͳ৔ॴͰɺ޷͖ͳਓͱաͤ͝ΔੈքΛͭ͘Δ

  4. CarstayגࣜձࣾɿϓϩμΫτ 4 ʮCarstayʯ͸೔ຊͰ།ҰɺΩϟϯϐϯάΧʔͱंதധεϙοτΛ༧໿͢Δ͜ͱ͕Ͱ͖ΔεϚϗΞϓϦͰ͢ ৐Βͳ͍ظؒʹ༡ٳं྆ΛγΣΞ͍ͨ͠Φʔφʔɺۭ͖஍Λ༗ޮ׆༻͍ͨ͠றं৔Φʔφʔ͕ొ࿥͍ͯ͠·͢

  5. ࣗݾ঺հ Ngo Van Thang | ϑϧελοΫΤϯδχΞ ▼ ܦྺ ɾ2014೥ʹଔۀޙʹདྷ೔ ɾ2014೥

    ιʔγϟϧήʔϜӡӦձࣾʹೖࣾ ɹɾήʔϜαʔόӡ༻ ɾ2016೥ ೿ݣձࣾʹೖࣾ ɹɾίʔσΟϯάςεταʔϏεɺLINE഑৴αʔϏε։ൃ ɾ2018೥ ϒϩοΫνΣʔϯձࣾʹೖࣾ ɹɾϒϩοΫνΣʔϯΛ࢖ͬͨΫϦΤʔλͱاۀͷϚονϯάαʔϏεɺӽڥEC։ൃ ɾ2020೥ Carstayגࣜձࣾʹೖࣾ | Tech Lead ɹɾ։ൃશൠ؅ཧɺίʔυϨϏϡʔɺ΢ΣϒɾΞϓϦ։ൃ ▼झຯ ɾήʔϜʢΞΫγϣϯήʔϜɺFPS etcʣ ɾαοΧʔ ɾίϚϯυϥΠϯ͕޷͖ Ngo Van Thangʢ30ࡀʣ @nooptr https://www.facebook.com/thanghedspi 5

  6. Agenda • ੬ऑੑ(XSS)ͷ࢓૊Έͱରࡦ • σϞ • ·ͱΊ 6

  7. ΢ΣϒαΠτͷ੬ऑੑͷछྨผʢ೥ʣ 7 11% 2% 2% 3% 11% 13% 58% https://www.ipa.go.jp/files/000082044.pdf

    XSS ʢΫϩεαΠτɾεΫϦϓςΟϯά ʣ DNS৘ใͷઃఆෆඋ SQLΠϯδΣΫγϣϯ ϑΝΠϧͷޡͬͨެ։ σΟϨΫτϦɾτϥόʔαϧ HTTPSͷෆద੾ͳར༻ ͦͷଞ

  8. XSS ΫϩεαΠτɾεΫϦϓςΟϯά

  9. XSSʢΫϩεαΠτεΫϦϓςΟϯάʣͱ͸ ར༻ऀ͕ೖྗͨ͠಺༰Λදࣔ͢ΔΑ͏ͳߏ੒ͷWebαΠτʹଘࡏ͢Δܽ ؕΛѱ༻ͯ͠ɺ߈ܸऀ͕༻ҙͨ͠ѱҙͷ͋ΔεΫϦϓτΛར༻ऀͷݩʹ ૹΓࠐΜͰ࣮ߦͤ͞Δ߈ܸख๏ɻ 9

  10. XSSͷ࢓૊Έ 10 Source: https://yamory.io/blog/about-xss/

  11. ReactͷXSS

  12. dangerouslySetInnerHTML 12 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ

  13. dangerouslySetInnerHTML 13 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ DEMO: https://codesandbox.io/s/react-xss-example-forked-9n3exm

  14. dangerouslySetInnerHTML 14 ▪ରࡦɿ 
 ɾ࢖Θͳ͍ɻͲ͏ͯ͠΋ར༻͍ͨ͠৔߹͸ɺపఈతʹΤεέʔϓΛߦ͏ɻ ɾdompurifyͳͲͷϥΠϒϥϦΛ࢖͏͜ͱͰɺXSSͷ໰୊ΛղܾͰ͖Δɻ https://github.com/cure53/DOMPurify

  15. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 15

  16. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 16 DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  17. ▪ରࡦɿ ɾεΩʔϜΛhttp:// ͔ https://ͷΈʹ੍ޚ͢Δ ɾઌ಄ʹ / Λ͚ͭΔ Javascript: εΩʔϜ 17

    DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  18. JSON.stringify(str) 18 ੬ऑ෦෼ ҎԼͷ஋ؚ͕·ΕΔͱɺXSS͕ੜ͡Δ Server Renderingͷ࣌ʹɺReactଆͰ࢖͑ΔΑ͏ʹɺԼهͷΑ͏ͳίʔυ͕͋Δ

  19. 19 ID/ύεϫʔυ͕࿙Εͳ͔ͬͨΒຊ౰ʹେৎ෉ʁ

  20. 20 ͦΜͳ͜ͱͳ͍Ͱ͢Α

  21. 21 DEMO

  22. ·ͱΊ

  23. ·ͱΊ 23 ɾ࠷΋ଟ͍੬ऑੑ͸XSS ɾXSSରࡦʹ͸จࣈྻΛΤεέʔϓ͢Δ ɾXSSͷݪཧΛ஌Βͳ͍ͱɺ؆୯ʹXSSͷ੬ऑੑΛ࡞ΓࠐΜͰ͠·͏ͷͰɺXSSͷཧղ͸ඞཁ ɾID/ύεϫʔυΛ஌Βͳͯ͘΋ɺCookie৘ใ͕Θ͔ͬͨΒɺϩάΠϯͰ͖ͯ͠·͏ͷͰɺ PC࢖Θͳ͍࣌͸ඞͣը໘ΛϩοΫ͠·͠ΐ͏

  24. CarstayɺઈࢍΤϯδχΞืूதͰ͢ʂ 24 ˒ CTOީิΤϯδχΞ ɾϑϩϯτΤϯυΤϯδχΞ ɾΞϓϦΤϯδχΞ ɾαʔόʔαΠυΤϯδχΞ ։ൃݴޠɿTypescriptɹ։ൃϑϨʔϜϫʔΫɿReactJS, React NativeɹWebαʔόɿNodeJS

    ͥͻ͓ؾܰʹ͝࿈བྷ͍ͩ͘͞ ⏬

  25. 25 ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ