Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
0.0.0.0 day
Search
circled9
August 23, 2024
Programming
0
89
0.0.0.0 day
Niigata 5min Tech #11で発表したスライドです。
circled9
August 23, 2024
Tweet
Share
More Decks by circled9
See All by circled9
キースイッチ入門
circled9
0
58
CloudflareのAI関連の機能さわってみた
circled9
0
480
小数の丸め誤差の話
circled9
0
120
数値の文字列をパースしよう
circled9
0
180
🔥 Hono v4 やってみた
circled9
1
180
JetBrains AI Assistant を試してみた
circled9
1
460
Fresh
circled9
0
230
React Hooks 勉強会 vol.3
circled9
2
420
JSON.stringify()
circled9
2
480
Other Decks in Programming
See All in Programming
Devin入門 〜月500ドルから始まるAIチームメイトとの開発生活〜 / Introduction Devin 〜Development With AI Teammates〜
rkaga
3
1.4k
高セキュリティ・高耐障害性・サブシステム化。そして2億円
tasukulab280
2
380
バッチを作らなきゃとなったときに考えること
irof
2
560
PEPCは何を変えようとしていたのか
ken7253
3
320
はじめての Go * WASM * OCR
sgash708
1
130
Generating OpenAPI schema from serializers throughout the Rails stack - Kyobashi.rb #5
envek
1
450
Modern Angular with Signals and Signal StoreNew Rules for Your Architecture @bastacon 2025 in Frankfurt
manfredsteyer
PRO
0
150
iOSでQRコード生成奮闘記
ktcryomm
2
140
Rails 1.0 のコードで学ぶ find_by* と method_missing の仕組み / Learn how find_by_* and method_missing work in Rails 1.0 code
maimux2x
1
270
自力でTTSモデルを作った話
zgock999
0
130
Jakarta EE meets AI
ivargrimstad
0
810
フロントエンドオブザーバビリティ on Google Cloud
yunosukey
0
110
Featured
See All Featured
Building Adaptive Systems
keathley
40
2.4k
4 Signs Your Business is Dying
shpigford
183
22k
Statistics for Hackers
jakevdp
797
220k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
251
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Thoughts on Productivity
jonyablonski
69
4.5k
Designing for humans not robots
tammielis
250
25k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
Writing Fast Ruby
sferik
628
61k
Fireside Chat
paigeccino
35
3.2k
Bash Introduction
62gerente
611
210k
Transcript
0.0.0.0 day Niigata 5min Tech #11 @circled9
ࣗݾհ @circled9 দҪ ਖ਼ࢤ (Matsui Masashi) גࣜձࣾϞχΫϧ IPΞυϨε127.0.0.1Ͱ͢
ࠓ͢͜ͱ • 0.0.0.0 dayͱ͍͏੬ऑੑͷհΛ͠·͢ • ৄ͘͜͠ͷهࣄΛࢀর͍ͯͩ͘͠͞ • https://www.oligo.security/blog/0-0-0-0-day- exploiting-localhost-apis-from-the-browser 3
֓ཁ • ֎෦ϖʔδ͔ΒϩʔΧϧʹ͚ͯϦΫΤετΛඈͤΔͱ͍͏ • ϩʔΧϧͰಈ͍͍ͯΔαʔϏε͕ૂΘΕΔ͜ͱ͕͋Δ • ֤ϒϥβͷରԠ͜Ε͔Βʢ8݄த०࣌ʣ 4
ͪΐͬͱੲͷ • ֎෦ϖʔδ͔ΒϩʔΧϧͷΞυϨεʹରͯ͠ϦΫΤετΛඈͤͨ • ͦΕΛར༻ͯ͠Ϛγϯ্Ͱಈ͍͍ͯΔαʔόʔͷϙʔτΛεΩϟϯ͠ ͯݸਓΛࣝผ͠Α͏ͱ͢Δ͍ํ͞Ε͍ͯͨ • ͍ΘΏΔϑΟϯΨʔϓϦϯςΟϯά • ͦΕҎ֎ʹϩʔΧϧωοτϫʔΫͷϧʔλʔʹରͯ͠߈ܸΛࢼΈΔ
έʔε͋ͬͨΓͨ͠ 5
CORS (Cross-Origin Resource Sharing) • CORSҟͳΔυϝΠϯʹର͢ΔϦιʔεͷΞΫηεͷ੍ޚΛ͢Δ • CORSʹΑΓ֎෦ϖʔδ͔ΒϩʔΧϧʹରͯ͠উखʹΞΫηε͠Α͏ ͱ͢Δͱ͔ΕΔΑ͏ʹͳͬͨ •
ϩʔΧϧΞΫηεʹΑΔϑΟϯΨʔϓϦϯςΟϯά͕͛ΔΑ͏ʹ ͳͬͨʂ 6
ϦΫΤετ͕࣮ߦ͞ΕΔ • CORSϨεϙϯεΛ੍ޚ͢Δ࡞Γʹͳ͍ͬͯΔ • ͦͷͨΊϦΫΤετͦͷͷ࣮ߦ͞ΕΔ • ϦΫΤετ͕࣮ߦ͞ΕΔ͚ͩͰཱ͢Δ߈ܸʹରͯ͠ແඋ 7
PNA (Private Network Access) • Chromeʹ࣮͞Ε͍ͯΔ༷ • ҆શੑͷ͍ίϯςΩετ͔Β҆શੑͷߴ͍ίϯςΩετʹ௨৴Ͱ ͖ͳ͍ͱ͍͏Έ •
CORSͱҧ͍ϦΫΤετͷ࣮ߦΛ੍ޚ͢Δ 8
https://developer.chrome.com/blog/private-network-access-update?hl=ja 9
͜ΕͰ҆৺ʂ
None
0.0.0.0͕ͳ͍
ࠓޙͷ༧ఆ • Chrome0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • 128͔ΒϩʔϧΞτͯ͠133·Ͱʹྃ༧ఆ • Safari0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • Webkitʹ0.0.0.0ΛϒϩοΫ͢Δมߋ͕ೖͬͨ •
FirefoxͷରԠະఆ • MDNͷ༷ͷํΛߋ৽ͨͬ͠Ά͍ͷͰϒϩοΫ͢Δͣ 13
Α͘Θ͔ͬͯͳ͍͜ͱ • 0.0.0.0ΛϒϩοΫ͢ΔΛ͍ͯ͠Δ͕ɺͦΕҎલʹSafariͱ FirefoxPNAΛ࣮ͯ͠ͳ͍ • 0.0.0.0ΛϒϩοΫ͢Δ͚ͩͰޮՌ͕ബ͍ͷͰʁ • ͋ͱɺखݩͰPNAͷϔομʔ͚ͭͯ௨৴ڐՄ͢Δ࣮Ͱ͖ͳ͔ͬͨɺ Θ͔ΒΜ 14
͓͠·͍