0.0.0.0 day
circled9
August 23, 2024
Programming
Slides presented at Niigata 5min Tech #11.
Transcript
0.0.0.0 day Niigata 5min Tech #11 @circled9
Self-introduction • @circled9 • Matsui Masashi • Monicle Inc. (株式会社モニクル) • My IP address is 127.0.0.1
What I'll talk about today • I'll introduce a vulnerability called 0.0.0.0 day • For details, see this article • https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
Overview • An external page can send requests to local addresses • Services running locally can end up being targeted • Browser support is still in progress (as of mid-August)
A bit of history • External pages were able to send requests to local addresses • This was used to scan the ports of servers running on the machine and identify individuals • So-called fingerprinting • There were also cases of attacks attempted against routers on the local network
CORS (Cross-Origin Resource Sharing) • CORS controls access to resources across different domains • With CORS, an external page that tries to access local resources without permission gets rejected • Fingerprinting via local access could now be prevented!
The request is still executed • CORS is designed to control the response • So the request itself is still executed • This leaves us defenceless against attacks that succeed merely by having the request executed
PNA (Private Network Access) • A specification implemented in Chrome • A mechanism that prevents a less secure context from communicating with a more secure context • Unlike CORS, it controls whether the request is executed
https://developer.chrome.com/blog/private-network-access-update?hl=ja
With this we're safe!
0.0.0.0 is missing
Upcoming plans • Chrome plans to block 0.0.0.0 • Rolling out from 128, to be completed by 133 • Safari plans to block 0.0.0.0 • A change to block 0.0.0.0 has landed in WebKit • Firefox's response is undecided • The MDN spec page seems to have been updated, so it should block it
Things I don't fully understand • There's talk of blocking 0.0.0.0, but before that, Safari and Firefox haven't implemented PNA • Does blocking 0.0.0.0 alone have only a limited effect? • Also, I couldn't get a local implementation working that adds the PNA headers to allow the communication; no idea why
The end