Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
0.0.0.0 day
Search
circled9
August 23, 2024
Programming
0
61
0.0.0.0 day
Niigata 5min Tech #11で発表したスライドです。
circled9
August 23, 2024
Tweet
Share
More Decks by circled9
See All by circled9
キースイッチ入門
circled9
0
40
CloudflareのAI関連の機能さわってみた
circled9
0
300
小数の丸め誤差の話
circled9
0
75
数値の文字列をパースしよう
circled9
0
110
🔥 Hono v4 やってみた
circled9
1
130
JetBrains AI Assistant を試してみた
circled9
1
360
Fresh
circled9
0
220
React Hooks 勉強会 vol.3
circled9
2
400
JSON.stringify()
circled9
2
450
Other Decks in Programming
See All in Programming
MLOps in Mercari Group’s Trust and Safety ML Team
cjhj
1
130
Re:PandasAI:生成AIがデータ分析業務にもたらすパラダイムシフト【増補改訂版】
negi111111
1
1.1k
Why I Choose NetBeans for Jakarta EE
ivargrimstad
0
540
いかにして不足・不整合なくデータ移行したか
tjmtmmnk
0
230
フロントエンドの現在地とこれから
koba04
10
4.6k
perl for shell, awk and sed programmers
mackee
2
880
Cloud Adoption Framework にみる組織とクラウド導入戦略
tomokusaba
2
590
空間の中でアイドルとレッスンする技術 - 1st "Vision" / Spatial Lesson technologies with my idol - 1st "Vision"
banjun
PRO
0
220
NEWTにおけるiOS18対応の進め方
ryu1sazae
0
320
Compose Multiplatform과 Ktor로 플랫폼의 경계를 넘어보자
kwakeuijin
0
290
Successful with Signals: 3 Rules for Your Architecture
manfredsteyer
PRO
0
110
Integrating AI in Your Enterprise Java Applications
ivargrimstad
0
560
Featured
See All Featured
How to Think Like a Performance Engineer
csswizardry
17
1k
Writing Fast Ruby
sferik
626
60k
How STYLIGHT went responsive
nonsquared
95
5.1k
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
59k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
610
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Building Your Own Lightsaber
phodgson
102
6k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
48k
Navigating Team Friction
lara
183
14k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Transcript
0.0.0.0 day Niigata 5min Tech #11 @circled9
ࣗݾհ @circled9 দҪ ਖ਼ࢤ (Matsui Masashi) גࣜձࣾϞχΫϧ IPΞυϨε127.0.0.1Ͱ͢
ࠓ͢͜ͱ • 0.0.0.0 dayͱ͍͏੬ऑੑͷհΛ͠·͢ • ৄ͘͜͠ͷهࣄΛࢀর͍ͯͩ͘͠͞ • https://www.oligo.security/blog/0-0-0-0-day- exploiting-localhost-apis-from-the-browser 3
֓ཁ • ֎෦ϖʔδ͔ΒϩʔΧϧʹ͚ͯϦΫΤετΛඈͤΔͱ͍͏ • ϩʔΧϧͰಈ͍͍ͯΔαʔϏε͕ૂΘΕΔ͜ͱ͕͋Δ • ֤ϒϥβͷରԠ͜Ε͔Βʢ8݄த०࣌ʣ 4
ͪΐͬͱੲͷ • ֎෦ϖʔδ͔ΒϩʔΧϧͷΞυϨεʹରͯ͠ϦΫΤετΛඈͤͨ • ͦΕΛར༻ͯ͠Ϛγϯ্Ͱಈ͍͍ͯΔαʔόʔͷϙʔτΛεΩϟϯ͠ ͯݸਓΛࣝผ͠Α͏ͱ͢Δ͍ํ͞Ε͍ͯͨ • ͍ΘΏΔϑΟϯΨʔϓϦϯςΟϯά • ͦΕҎ֎ʹϩʔΧϧωοτϫʔΫͷϧʔλʔʹରͯ͠߈ܸΛࢼΈΔ
έʔε͋ͬͨΓͨ͠ 5
CORS (Cross-Origin Resource Sharing) • CORSҟͳΔυϝΠϯʹର͢ΔϦιʔεͷΞΫηεͷ੍ޚΛ͢Δ • CORSʹΑΓ֎෦ϖʔδ͔ΒϩʔΧϧʹରͯ͠উखʹΞΫηε͠Α͏ ͱ͢Δͱ͔ΕΔΑ͏ʹͳͬͨ •
ϩʔΧϧΞΫηεʹΑΔϑΟϯΨʔϓϦϯςΟϯά͕͛ΔΑ͏ʹ ͳͬͨʂ 6
ϦΫΤετ͕࣮ߦ͞ΕΔ • CORSϨεϙϯεΛ੍ޚ͢Δ࡞Γʹͳ͍ͬͯΔ • ͦͷͨΊϦΫΤετͦͷͷ࣮ߦ͞ΕΔ • ϦΫΤετ͕࣮ߦ͞ΕΔ͚ͩͰཱ͢Δ߈ܸʹରͯ͠ແඋ 7
PNA (Private Network Access) • Chromeʹ࣮͞Ε͍ͯΔ༷ • ҆શੑͷ͍ίϯςΩετ͔Β҆શੑͷߴ͍ίϯςΩετʹ௨৴Ͱ ͖ͳ͍ͱ͍͏Έ •
CORSͱҧ͍ϦΫΤετͷ࣮ߦΛ੍ޚ͢Δ 8
https://developer.chrome.com/blog/private-network-access-update?hl=ja 9
͜ΕͰ҆৺ʂ
None
0.0.0.0͕ͳ͍
ࠓޙͷ༧ఆ • Chrome0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • 128͔ΒϩʔϧΞτͯ͠133·Ͱʹྃ༧ఆ • Safari0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • Webkitʹ0.0.0.0ΛϒϩοΫ͢Δมߋ͕ೖͬͨ •
FirefoxͷରԠະఆ • MDNͷ༷ͷํΛߋ৽ͨͬ͠Ά͍ͷͰϒϩοΫ͢Δͣ 13
Α͘Θ͔ͬͯͳ͍͜ͱ • 0.0.0.0ΛϒϩοΫ͢ΔΛ͍ͯ͠Δ͕ɺͦΕҎલʹSafariͱ FirefoxPNAΛ࣮ͯ͠ͳ͍ • 0.0.0.0ΛϒϩοΫ͢Δ͚ͩͰޮՌ͕ബ͍ͷͰʁ • ͋ͱɺखݩͰPNAͷϔομʔ͚ͭͯ௨৴ڐՄ͢Δ࣮Ͱ͖ͳ͔ͬͨɺ Θ͔ΒΜ 14
͓͠·͍