Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
0.0.0.0 day
Search
circled9
August 23, 2024
Programming
0
110
0.0.0.0 day
Niigata 5min Tech #11で発表したスライドです。
circled9
August 23, 2024
Tweet
Share
More Decks by circled9
See All by circled9
キースイッチ入門
circled9
0
80
CloudflareのAI関連の機能さわってみた
circled9
0
680
小数の丸め誤差の話
circled9
0
150
数値の文字列をパースしよう
circled9
0
240
🔥 Hono v4 やってみた
circled9
1
200
JetBrains AI Assistant を試してみた
circled9
1
540
Fresh
circled9
0
250
React Hooks 勉強会 vol.3
circled9
2
440
JSON.stringify()
circled9
2
500
Other Decks in Programming
See All in Programming
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
350
1から理解するWeb Push
dora1998
7
1.9k
機能追加とリーダー業務の類似性
rinchoku
2
1.3k
CloudflareのChat Agent Starter Kitで簡単!AIチャットボット構築
syumai
2
510
請來的 AI Agent 同事們在寫程式時,怎麼用 pytest 去除各種幻想與盲點
keitheis
0
130
意外と簡単!?フロントエンドでパスキー認証を実現する WebAuthn
teamlab
PRO
2
780
OSS開発者という働き方
andpad
5
1.7k
奥深くて厄介な「改行」と仲良くなる20分
oguemon
1
570
@Environment(\.keyPath)那么好我不允许你们不知道! / atEnvironment keyPath is so good and you should know it!
lovee
0
130
The Past, Present, and Future of Enterprise Java with ASF in the Middle
ivargrimstad
0
190
API Platform 4.2: Redefining API Development
soyuka
0
230
テストコードはもう書かない:JetBrains AI Assistantに委ねる非同期処理のテスト自動設計・生成
makun
0
550
Featured
See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
352
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
368
19k
Building Adaptive Systems
keathley
43
2.7k
4 Signs Your Business is Dying
shpigford
184
22k
How to Ace a Technical Interview
jacobian
279
23k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
590
The Cost Of JavaScript in 2023
addyosmani
53
8.9k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
229
22k
It's Worth the Effort
3n
187
28k
A Tale of Four Properties
chriscoyier
160
23k
Transcript
0.0.0.0 day Niigata 5min Tech #11 @circled9
ࣗݾհ @circled9 দҪ ਖ਼ࢤ (Matsui Masashi) גࣜձࣾϞχΫϧ IPΞυϨε127.0.0.1Ͱ͢
ࠓ͢͜ͱ • 0.0.0.0 dayͱ͍͏੬ऑੑͷհΛ͠·͢ • ৄ͘͜͠ͷهࣄΛࢀর͍ͯͩ͘͠͞ • https://www.oligo.security/blog/0-0-0-0-day- exploiting-localhost-apis-from-the-browser 3
֓ཁ • ֎෦ϖʔδ͔ΒϩʔΧϧʹ͚ͯϦΫΤετΛඈͤΔͱ͍͏ • ϩʔΧϧͰಈ͍͍ͯΔαʔϏε͕ૂΘΕΔ͜ͱ͕͋Δ • ֤ϒϥβͷରԠ͜Ε͔Βʢ8݄த०࣌ʣ 4
ͪΐͬͱੲͷ • ֎෦ϖʔδ͔ΒϩʔΧϧͷΞυϨεʹରͯ͠ϦΫΤετΛඈͤͨ • ͦΕΛར༻ͯ͠Ϛγϯ্Ͱಈ͍͍ͯΔαʔόʔͷϙʔτΛεΩϟϯ͠ ͯݸਓΛࣝผ͠Α͏ͱ͢Δ͍ํ͞Ε͍ͯͨ • ͍ΘΏΔϑΟϯΨʔϓϦϯςΟϯά • ͦΕҎ֎ʹϩʔΧϧωοτϫʔΫͷϧʔλʔʹରͯ͠߈ܸΛࢼΈΔ
έʔε͋ͬͨΓͨ͠ 5
CORS (Cross-Origin Resource Sharing) • CORSҟͳΔυϝΠϯʹର͢ΔϦιʔεͷΞΫηεͷ੍ޚΛ͢Δ • CORSʹΑΓ֎෦ϖʔδ͔ΒϩʔΧϧʹରͯ͠উखʹΞΫηε͠Α͏ ͱ͢Δͱ͔ΕΔΑ͏ʹͳͬͨ •
ϩʔΧϧΞΫηεʹΑΔϑΟϯΨʔϓϦϯςΟϯά͕͛ΔΑ͏ʹ ͳͬͨʂ 6
ϦΫΤετ͕࣮ߦ͞ΕΔ • CORSϨεϙϯεΛ੍ޚ͢Δ࡞Γʹͳ͍ͬͯΔ • ͦͷͨΊϦΫΤετͦͷͷ࣮ߦ͞ΕΔ • ϦΫΤετ͕࣮ߦ͞ΕΔ͚ͩͰཱ͢Δ߈ܸʹରͯ͠ແඋ 7
PNA (Private Network Access) • Chromeʹ࣮͞Ε͍ͯΔ༷ • ҆શੑͷ͍ίϯςΩετ͔Β҆શੑͷߴ͍ίϯςΩετʹ௨৴Ͱ ͖ͳ͍ͱ͍͏Έ •
CORSͱҧ͍ϦΫΤετͷ࣮ߦΛ੍ޚ͢Δ 8
https://developer.chrome.com/blog/private-network-access-update?hl=ja 9
͜ΕͰ҆৺ʂ
None
0.0.0.0͕ͳ͍
ࠓޙͷ༧ఆ • Chrome0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • 128͔ΒϩʔϧΞτͯ͠133·Ͱʹྃ༧ఆ • Safari0.0.0.0ΛϒϩοΫ͢Δ༧ఆ • Webkitʹ0.0.0.0ΛϒϩοΫ͢Δมߋ͕ೖͬͨ •
FirefoxͷରԠະఆ • MDNͷ༷ͷํΛߋ৽ͨͬ͠Ά͍ͷͰϒϩοΫ͢Δͣ 13
Α͘Θ͔ͬͯͳ͍͜ͱ • 0.0.0.0ΛϒϩοΫ͢ΔΛ͍ͯ͠Δ͕ɺͦΕҎલʹSafariͱ FirefoxPNAΛ࣮ͯ͠ͳ͍ • 0.0.0.0ΛϒϩοΫ͢Δ͚ͩͰޮՌ͕ബ͍ͷͰʁ • ͋ͱɺखݩͰPNAͷϔομʔ͚ͭͯ௨৴ڐՄ͢Δ࣮Ͱ͖ͳ͔ͬͨɺ Θ͔ΒΜ 14
͓͠·͍