Upgrade to Pro — share decks privately, control downloads, hide ads and more …

フロントエンドエンジニアのためのセキュリティ対策

1c7c5f4254748d5e3da9a1095e42d85c?s=47 CarstayJP
February 26, 2022
Technology
1
220

 フロントエンドエンジニアのためのセキュリティ対策

1c7c5f4254748d5e3da9a1095e42d85c?s=128

CarstayJP

February 26, 2022
Tweet

More Decks by CarstayJP

See All by CarstayJP
Google App Script(GAS)
1c7c5f4254748d5e3da9a1095e42d85c?s=48 carstayjp
0
110
C向けスタートアップのプロダクト開発の進め方
1c7c5f4254748d5e3da9a1095e42d85c?s=48 carstayjp
0
230

Other Decks in Technology

See All in Technology
複数のスクラムチームをサポートするエンジニアリングマネジメントの話
4bddf664b03da8ad6b8d61660dcdc682?s=48 okeicalm
0
1.1k
Security Hub のマルチアカウント 管理・運用をサーバレスでやってみる
640727b1a8120669de9b6d7f1d469893?s=48 ch6noota
0
840
さいきんのRaspberry Pi。 / osc22do-rpi
74476e142a767a018d68c5e72e34ee2f?s=48 akkiesoft
6
5.2k
Custom AppをIP制限ありのままで審査に通す方法
Df8bc8c531e2c5c89c1a007db1cf79a3?s=48 yusuga
0
680
インフラのCI/CDはGitHub Actionsに任せた
F5c597c41d9bc6a80cce50adbd6c7bd9?s=48 mihyon
0
110
The application of formal methods in Kafka reliability engineering
A3966f193f4bef226a0d3e3c1f728d7f?s=48 line_developers
PRO
1
190
DOM Invader - prototype pollution対応の衝撃 - / DOM Invader - prototype pollution
2c4ef0f20c4f05ca30e6c9917f0c17b6?s=48 okuken
0
150
データエンジニアと作るデータ文化
465cba0ac1de7e490c6ea484da327572?s=48 yuki_saito
4
1.6k
音のような言葉 〜ちゃちゃっとチャットで楽しむちょっとしたコツ〜 / words like sounds
8db3c91c8b3d3e5686f62fbf43c303dd?s=48 satoryu
1
1.4k
アーキテクチャを明文化して開発に臨んだ話
903c7dbf16067d22e7b03ead7d8acdc5?s=48 akkie76
0
330
Data in Google I/O - IO Extended GDG Seoul
3bd69093dbe39b14603242b96cfbd7c6?s=48 kennethanceyer
0
150
Target SDK Versionを上げない Notification runtime permission対応
0c5e92294cc0cfba620641c589db9378?s=48 napplecomputer
0
140

Featured

See All Featured
The Web Native Designer (August 2011)
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.9k
The MySQL Ecosystem @ GitHub 2015
Be9caeb9d4ef9944d151af909063ed6e?s=48 samlambert
238
11k
Ruby is Unlike a Banana
6804f1775cb4babfcc3851298566fbce?s=48 tanoku
91
9.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
7
1.1k
Clear Off the Table
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
79
280k
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
17k
KATA
E9221b172e78e888355fa2fe4541b595?s=48 mclloyd
7
8.7k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
C44e1f7e22c3f23cff7bc130871047ef?s=48 eileencodes
119
28k
GraphQLとの向き合い方2022年版
893f54413c2bd9ba41d11d753aacaf2c?s=48 quramy
16
8.3k
Designing for humans not robots
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
241
23k
The Art of Programming - Codeland 2020
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
32
11k
Practical Orchestrator
168ccec72eee0530b818d44f3fedaacf?s=48 shlominoach
178
8.6k

Transcript

  1. ϑϩϯτΤϯυΤϯδχΞ΋஌ ͓͖͍ͬͯͨηΩϡϦςΟରࡦ XSSฤ 2022/02/26

  2. Carstayגࣜձࣾɿ֓ཁ 2

  3. Carstayגࣜձࣾɿϛογϣϯ 3 Stay Anywhere, Anytime. ୭΋͕޷͖ͳͱ͖ʹɺ޷͖ͳ৔ॴͰɺ޷͖ͳਓͱաͤ͝ΔੈքΛͭ͘Δ

  4. CarstayגࣜձࣾɿϓϩμΫτ 4 ʮCarstayʯ͸೔ຊͰ།ҰɺΩϟϯϐϯάΧʔͱंதധεϙοτΛ༧໿͢Δ͜ͱ͕Ͱ͖ΔεϚϗΞϓϦͰ͢ ৐Βͳ͍ظؒʹ༡ٳं྆ΛγΣΞ͍ͨ͠Φʔφʔɺۭ͖஍Λ༗ޮ׆༻͍ͨ͠றं৔Φʔφʔ͕ొ࿥͍ͯ͠·͢

  5. ࣗݾ঺հ Ngo Van Thang | ϑϧελοΫΤϯδχΞ ▼ ܦྺ ɾ2014೥ʹଔۀޙʹདྷ೔ ɾ2014೥

    ιʔγϟϧήʔϜӡӦձࣾʹೖࣾ ɹɾήʔϜαʔόӡ༻ ɾ2016೥ ೿ݣձࣾʹೖࣾ ɹɾίʔσΟϯάςεταʔϏεɺLINE഑৴αʔϏε։ൃ ɾ2018೥ ϒϩοΫνΣʔϯձࣾʹೖࣾ ɹɾϒϩοΫνΣʔϯΛ࢖ͬͨΫϦΤʔλͱاۀͷϚονϯάαʔϏεɺӽڥEC։ൃ ɾ2020೥ Carstayגࣜձࣾʹೖࣾ | Tech Lead ɹɾ։ൃશൠ؅ཧɺίʔυϨϏϡʔɺ΢ΣϒɾΞϓϦ։ൃ ▼झຯ ɾήʔϜʢΞΫγϣϯήʔϜɺFPS etcʣ ɾαοΧʔ ɾίϚϯυϥΠϯ͕޷͖ Ngo Van Thangʢ30ࡀʣ @nooptr https://www.facebook.com/thanghedspi 5

  6. Agenda • ੬ऑੑ(XSS)ͷ࢓૊Έͱରࡦ • σϞ • ·ͱΊ 6

  7. ΢ΣϒαΠτͷ੬ऑੑͷछྨผʢ೥ʣ 7 11% 2% 2% 3% 11% 13% 58% https://www.ipa.go.jp/files/000082044.pdf

    XSS ʢΫϩεαΠτɾεΫϦϓςΟϯά ʣ DNS৘ใͷઃఆෆඋ SQLΠϯδΣΫγϣϯ ϑΝΠϧͷޡͬͨެ։ σΟϨΫτϦɾτϥόʔαϧ HTTPSͷෆద੾ͳར༻ ͦͷଞ

  8. XSS ΫϩεαΠτɾεΫϦϓςΟϯά

  9. XSSʢΫϩεαΠτεΫϦϓςΟϯάʣͱ͸ ར༻ऀ͕ೖྗͨ͠಺༰Λදࣔ͢ΔΑ͏ͳߏ੒ͷWebαΠτʹଘࡏ͢Δܽ ؕΛѱ༻ͯ͠ɺ߈ܸऀ͕༻ҙͨ͠ѱҙͷ͋ΔεΫϦϓτΛར༻ऀͷݩʹ ૹΓࠐΜͰ࣮ߦͤ͞Δ߈ܸख๏ɻ 9

  10. XSSͷ࢓૊Έ 10 Source: https://yamory.io/blog/about-xss/

  11. ReactͷXSS

  12. dangerouslySetInnerHTML 12 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ

  13. dangerouslySetInnerHTML 13 ▪ dangerouslySetInnerHTMLͱ͸ ɾReactެࣜͷΤεέʔϓΛແޮԽ͢ΔΦϓγϣϯ ɾHTMLͱͯ͠ೝ͍ࣝͤͨ͞৔߹ͳͲʹར༻͢Δ DEMO: https://codesandbox.io/s/react-xss-example-forked-9n3exm

  14. dangerouslySetInnerHTML 14 ▪ରࡦɿ 
 ɾ࢖Θͳ͍ɻͲ͏ͯ͠΋ར༻͍ͨ͠৔߹͸ɺపఈతʹΤεέʔϓΛߦ͏ɻ ɾdompurifyͳͲͷϥΠϒϥϦΛ࢖͏͜ͱͰɺXSSͷ໰୊ΛղܾͰ͖Δɻ https://github.com/cure53/DOMPurify

  15. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 15

  16. hrefଐੑ͸ɺઌ಄͕javascript:͔Β࢝·Δ৔߹͸ͦΕҎ߱ͷจࣈྻΛ javascriptͱ࣮ͯ͠ߦ͞ΕΔ Javascript: εΩʔϜ 16 DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  17. ▪ରࡦɿ ɾεΩʔϜΛhttp:// ͔ https://ͷΈʹ੍ޚ͢Δ ɾઌ಄ʹ / Λ͚ͭΔ Javascript: εΩʔϜ 17

    DEMO: https://codesandbox.io/s/react-xss-example-forked-g8hs86

  18. JSON.stringify(str) 18 ੬ऑ෦෼ ҎԼͷ஋ؚ͕·ΕΔͱɺXSS͕ੜ͡Δ Server Renderingͷ࣌ʹɺReactଆͰ࢖͑ΔΑ͏ʹɺԼهͷΑ͏ͳίʔυ͕͋Δ

  19. 19 ID/ύεϫʔυ͕࿙Εͳ͔ͬͨΒຊ౰ʹେৎ෉ʁ

  20. 20 ͦΜͳ͜ͱͳ͍Ͱ͢Α

  21. 21 DEMO

  22. ·ͱΊ

  23. ·ͱΊ 23 ɾ࠷΋ଟ͍੬ऑੑ͸XSS ɾXSSରࡦʹ͸จࣈྻΛΤεέʔϓ͢Δ ɾXSSͷݪཧΛ஌Βͳ͍ͱɺ؆୯ʹXSSͷ੬ऑੑΛ࡞ΓࠐΜͰ͠·͏ͷͰɺXSSͷཧղ͸ඞཁ ɾID/ύεϫʔυΛ஌Βͳͯ͘΋ɺCookie৘ใ͕Θ͔ͬͨΒɺϩάΠϯͰ͖ͯ͠·͏ͷͰɺ PC࢖Θͳ͍࣌͸ඞͣը໘ΛϩοΫ͠·͠ΐ͏

  24. CarstayɺઈࢍΤϯδχΞืूதͰ͢ʂ 24 ˒ CTOީิΤϯδχΞ ɾϑϩϯτΤϯυΤϯδχΞ ɾΞϓϦΤϯδχΞ ɾαʔόʔαΠυΤϯδχΞ ։ൃݴޠɿTypescriptɹ։ൃϑϨʔϜϫʔΫɿReactJS, React NativeɹWebαʔόɿNodeJS

    ͥͻ͓ؾܰʹ͝࿈བྷ͍ͩ͘͞ ⏬

  25. 25 ͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ʂ