2015.04.02 Common Enterprise Information Security Risks Seen Through Penetration Testing
DEVCORE
April 02, 2015
2014.04.02 iThome Information Security Conference
Transcript
ЮΆ㘓ా༢㣉ἤЮ㦖 ໙ᦉ⾾ⱒⲗϮᖱ⯊ⶳయ㕚㐖 ␃ុᙏ Allen Own allenown@devcore ৢடᬕ⒘̶ፒ㊶Ӭٰ iThome ▄᧫⳽୷য়ፎ
ⳝ⓱≼ύ ␃ុᙏ Allen Own ৢடᬕ DEVCORE घ⨭㉅ allenown@devcore ٪᧫㓲ஆൖፎ HITCON ᐥܓ ொ㉅㡩㓲ஆሟᇌစՁᎵơᣑ⼈ᡄ⮜
Hacks In Taiwan Conference Community 2015/8/28 ~ 29 தԝݚڀӃ
ϰΙ⯡⯡ƫᣑ⼈ᡄ⮜Ƭ
ⶳయΦϨ⥝ᴑ Φأ㔑㏄ ΦϨể᷒ᎇ ΦⲐᒩ ᣑ⼆ᡄ⮚ ሲ⒣⭥⌕ ྭⱻ⭝ᵍ ⳻୷⼎ृ ˰̲ᣬ⌕ ⋸ྭⱻ
˰̲⢥᱙ ቆͥ㈠ⱙ สغずය
΅๎Ṧ˒Ḣᣢ⼙ᡕ⮭ዕ̚㞹㢂
Αᴟƪᣑ⼆ᡄ⮚ӱƫრᄚơ ˷ৠ٨̨ᡄ⮚Ϫ IP 㡙 ྭ⮤ө✇॓٨̨Хڑ㡬 ृڮʫஂፒณ⯇ृ ̵ʾḣዕ
΅ٶⓨ٣է˻ˁਡḢቂ⒴Ʈ
ֳḢᣢ⼙ᡕ⮭ ٤Βᴟ╹ֽתӲრᄚԺृگ ृگ⯉ՓᰃṞᵑ㕸 Җᐩ㋳θơͧҖ٩ါჽơʬᘟ⼟⨭য়ぞ IP ឧⱶᴚ㡢Ӭ̛㡮㡣՚ஆ⻇Ӭஈ⼟⨭ፖׁ
ᦉ⾾ⱒᐎٷ Ø ̩㓲ஆ⋞Ժḋ㡦ᕻᇣሟᇌḑ⋞⼟⨭ሟᇌᡄ ⮜Ƣᴨⶳయ㕏ࠔςධᚇ㡦どṕᕵ⼟⨭ᣑ⼈ဪ Ժො㞾㡦㍳Βᴟ╹ֽתӲრᄚᴜᴚृگƢ Ø ⮧⊁ဪԺፒሟᇌḑ٩ⓗ㡦Ϋ㐹㋵⁰൷⼟⨭Ձ ≲㡦⮧⊁ՍԺፒሟᇌḑᙑ㕌㡦˂ᄛΩϙ⪒ḑය ⱬƢᩜ╹ֽתრᄚӲḑ⯉ՓƢ
чᷗ☱ٳڠධ֧ᚇ Ўᐎࣞ ᚇς߉чᷗ☱ٳڠධ֧ Ø ╹ֽתӲᩜ̍Փቱ㡦ബፒ⯉ृݞ㐘 Ø ᩜΫᇘʵټ⋣ⶦᏌᕀِॽ⼟⨭ᗏᡄ Ø ᩜ⼈⼱ᣩដ⼟⨭ፄᠥӧḑᗏᡄ Ø
╹ֽתӲ٩ⓗḄ᷂ٖᗏ͙ፖࠨ Ø ᗏᡄ̍ܓ܃ⴗ㌢̩ყჾ
☱ٳڠධ֧ᷔ᷒৺ݥỉ㣟 16
ⶳయ㕏ࠔςධᚇ Ўᐎࣞ ⶳయ㕏ࠔ Ø ▎༃༦ሟᇌ㓲ஆࢢټʬϫာ⨱ᛡൕ㡦Βᴟ㓲ஆḑ ⋞⼟⨭̍ᗏᡄ㡦ፒሧဪԺሟᇌፎᴟḑሟᇌᕻƢ Ø どሟᇌḑሟᇌታ⼟⨭㊣ेِϙ⪒Ƣ Ø ⼈⼱Ӭ㉐ḑ⳽ᢋِ̩㓲ஆἃⱛൻ㡦்ဪ͙ፖࠨṞ㊋ḑ
ធᣩ⳽ቛِ̩ᣩដ⳽⭠㡦ᴟ⼏˼⳽⭠ؓ֨ᣑ⼈ᡄ⮜Ƣ
ⶳయ㕏ࠔςධᚇ fasdf ֝ざ⎛⹜ Ўᐎࣞ ⶳయ㕏ࠔ ⎅ᷠᦡᡂᦉ⾾ Ø ᐦᇘʵټॽ㡦⋍ᴨᗏᡄḑ͙ፖࠨᣑ⼈Ө⾠⋣ⶦƢ Ø ٩̩ፒሧผἃቂ㕴̹ᓹ⋣ⶦၐ㓲ஆḑ㊣ⓗ֣Ƣ
⯁Άኄ⓱ỉ༰⎖ɗ⯫㣟ɗႽ Ⴞ▏ฤӛ㏄⃥
ϮᖱἍأỉయ֞⇳〉㦖
http://en.wikipedia.org/wiki/Liebig's_law_of_the_minimum
ᐢᓽᴑⲢ Ø ⳽⭠୷өḑ㊣Ɱ℻≲㡦ዅม፪ᎩˆፌἈḑ⽴ᬜ㕸൷ Ιᜐஂ㡦ᛡʬஂม⽴⽣ឪԺΙƢ Ø ⳽୷ↀˆ㡦٤⬋ፒࢩታᵡ১㡦ፎ⼖ቂϫ≕ ⊶ḑءƢ Ø ̹ᓹˆ⳽୷༦ⱛፌ⠆ොḑ̍㡦฿ஂፎ᨟ሟᇌӧ βḑ⎛ٞƢ
ʔࠅϓމԟ෯௰ٙ˝ؐl
ฎฯϮᖱⶳయᦡᡂय㕏
ฎฯᦡᡂ⍮Ⱅ Top ٓேⶠ┠፭ሟᇌ Cross-Site Scripting (XSS) ⳽ቛൻᝥӧሟᇌ SQL Injection ݘᓹ⽦⺔ㅟ⯉ Business Logic Flaw
ⶠӾٽ⯤ᛩ Cross-Site Request Forgery ⳽⭠ធᣩ Information Leakage
ฎฯᦡᡂ⍮Ⱅ 29.9% 6.4% 9.6% 13.1% 15.1% 25.9% Cross-Site Scripting SQL Injection Business Logic Flaw Cross-Site Request Forgery Information Leakage Others
ฎฯᦡᡂ⍮Ⱅ OWASP Top 29.9% 6.4% 9.6% 13.1% 15.1% 25.9% 2013 A3 2013 A1 Business Logic Flaw 2013 A8 2007 A6 Others
⹖↫◘ᐥኄ Cross-Site Scripting (XSS)
Cross-Site Scripting Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 XSS Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ
Ᏹ৯ʾ⯢ዟ㡽 ⑇ഴ㡽Ʒ̚㞹ዕ XSS 㢂Ƹ ᴫ㡽ƹᦼ⭃࠵፞ⶻ alert ՇΥƺ ⑇ഴ㡽ƷƸ
Cross-Site Scripting Ø ࡻ㡩㉐ḋ፫⼱ᦝ⺛ӧВ㡦ṛჽٍቆሡӧ⋣㏣ˆ㡦Β ሟᇌ٩̵༦ᄝӧ HTML ӏ≸㡦Νਗ iframe ơ script ℻ Ø ሟᇌ⊛Ꮏ㡩 Ø ⃮ٕʬ▪ᴟơⅳ᱙ന⢬ Ø ぜቭௐځ༃༦⋣
Ø ⃪ሞ⋣⬵ᕼ Ø ข㏡㡩Βᴟന⢬⩰⃮ٕ㡢ኴ⽈⮍㔔㌉࢙ᴟΙṇٕϫ⳽˂ ⼟ʬᙑᴟ㡦ӨഀፒᐲΝ㡣
↦܋⥣ᡢℨ Ḋӧ ٕผ Cookie ⋍ᴨ XSS ᣩដ Cookie ⽈⃮ ٕผ Cookie Malicious Server Attacker Vulnerable Server Victim
ჾ՟ന⢬
Worst Practice Ø ࢢ client-side Βᴟ JavaScript ⼟⨭㊣ Βᴟʬ˼⳽୷Ӳأ٩⍧⼱ JavaScript ḑᗏᏱ
Worst Practice Ø ̧ٕ୕ˊ㡩⼫՚ scriptscript ̧ٕ₶୕ˊ Ø ⺛ӧ scscriptript â̧ٕทսʳ script Ø ⺛ӧ cript â፫̧ٕ script
XSS Filter Evasion Cheat Sheet https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
ⶳጓำ֜ኄ SQL Injection
ٛᏱ৯ʾ⯢ዟ㡽 ⑇ഴ㡽Ʒ̚㞹ዕ SQL Injection 㢂Ƹ ᴫ㡽ƹORƺ ⑇ഴ㡽ƷƸ
Ᏹ⮇ўඵݥ㡽 ᔉ˛㡽Ʒਦͺ㊸ᇝ SQL Injection 㢂Ƹ ඵݥ㡽ƹṽէ௰ዕሯᇜ㡯ƺ 㔃க㡽Ʒۃ㢂Ƹ
SQL Injection Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 SQL Injection Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ
SQL Injection Ø ࡻ㡩㉐ḋΒᴟ୕ˊ⊓ٸḑታය⃯ SQL ⯅٠㡦ټዏَ ፫⼱ᦝٍቆ㡦Βሟᇌ٩ᒸӧ༃༦ SQL ⯅ Ø ሟᇌ⊛Ꮏ㡩 ➡ ϫ⳽ធ ➡ ⅳ᱙ന⢬ஞᾋធ
Ø ข㏡㡩য়ぞϫ⳽ធơ̹ᓹ⼮⳽ቛធ
ఢⓉ㘓ా༰⎖
ῲ⯺ hash
Ể֜ phpMyAdmin
ტಅ㉌ⱿⰖཬ
֜ webshell
ఢⓉ㘓ా༰⎖ Ø ٕผஞᾋ hash 㡦ˀ՚ Google Ἲ⭄⋣Ᏹ⮚ Ø ٕผΒᴟኯቒஞᾋ㡦ႈًἺ⭄ phpMyAdmin ന⢬ Ø ဪ்ዅڑፒ≕⊶ⶦนơ͙ፖࠨᘐ㊶ჾⅳʵᵑ℻ො㞾 Ø ӧ webshell Ø
߲⮜ٓ⼙ჾ՟ Ø ᄛᘐٕผፌ㕸ᘐ㊶
ࠎᖱ〜⽊ᦡᡂ Business Logic Flaws
Business Logic Flaws Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 Business Logic Vulnerability Ø ḋᴚ̹ᓹḍՁᚚ㡩
፫ḋᴚ̸ᓹ ḋᴚ̸ᓹ
Business Logic Flaws Ø ࡻ㡩㉐ḋ፫ᗏᏱΒᴟዅڑፒᘐ㊶ᬿஂ⳽ቛ⼟⨭Ᏹ⮚ơ ϙሞơ㋃㡦ௐ╿Βᴟ٩̵༦ᇎ͵⮦⳽ቛ Ø ሟᇌ⊛Ꮏ㡩 ➡ ̂ኴだ㐙⽈՚⃪ሞ ➡ ⭛ޢኯ⊁ơϫ⳽ធ
➡ ⅳ᱙ന⢬⽈՚⃪ሞ Ø ข㏡㡩য়ぞϫ⳽ធơΒᴟന⢬⩰⃮ٕ
⯊ᓪђ http://devcore/pay.php?item=abc&amount=
⯊ᓪђ (Cont'd) Ø ࢢፒˊだឪḑ̹ᓹˆ㡦㕸⼷ḑ̹ᓹḋᴚᙐݞ㐘 Ø ḋᴚػࡻ㡩ṛჽだឪݘᄛΩḑↂ፭ᆼ⁰㡦˥፫㕇ⱍ̂ ኴ⊛Ꮏዅڑᙏᾉ Ø ข㏡㡩 Ø
ᩜ̍ന㡩য়ぞだㅓᅆ১ Ø ፒ̍ന㡩֥ന֣̍Ⳛᇓ
㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ だឪݘ ㌱ݘ⋣ ᬳ ௐځ╾だឪݘ ̟ᘲ
⼐ἃ̟ᘲ
㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ だឪݘ ㌱ݘ⋣ ௐځ╾だឪݘ ̟ᘲ
чᷗᩣ⯨ࣞἓᆵಈܷ
㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ だឪݘ ㌱ݘ⋣ ᬳ ௐځ╾だឪݘ ↢ዖϔᛪㄖ㔺
⿆Άϔᛪఱ႔
⯊ᓪђ http://devcore/user_info.php?id=DEVCORE
⯊ᓪђ (Cont'd) http://devcore/user_info.php?id=HITCON
⹖↫ֳܳⲚឡ Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 CSRF Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ
Cross-Site Request Forgery Ø ࡻ㡩㉐ḋ፫ᗏᏱ request ዅڑ᨟Βᴟ፭⸽ḋԺḑֽ͵㡦 ௐ╿ሟᇌ٩̩Ӿᴟʬ▪Βᴟḑ⸽̶घ⨭ᬿஂᇎ͵ Ø ሟᇌᐲΝ ➡ Βᴟ╹ֽʳޢᬳ ➡ Βᴟ╹ֽϙሞஞᾋ
➡ ⧾⧠ሟᇌ Ø ข㏡㡩Βᴟኴࢢʵἃ᭱ᝄघ⨭ᬿஂֽ͵
CSRF ኄᡢℨ Ḋӧ ㉐ݧ༃ ༦⼙⊛ ϕ̳ Malicious Server vulserver Victim <img src=http://vulserver/buy.php?item=abc> GET /buy.php?item=abc
⯊ᓪђ
ⶳⰖᡊᦡ Information Leakage
Information Leakage Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 Information Leakage Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ
Information Leakage Ø ࡻ㡩⋞⼮̍ܓ㉐ḋ⭶ஂㅟ⯉㡦ௐ╿≕⊶ᖤሪ⳽⭠ធᣩ ት⋣ʲ Ø ബ⬔᭱ᝄ Ø ػᾋធᣩന⢬ஞᾋơធᣩท٪ṕㄻ Ø ㅟ⯉⭠ິធᣩ⋣⁰ⶦนơធᣩ⾠Ձػᾋ
Ø ធᣩ͵ᓹ≕⊶ơ Framework 㐦ِࣘᬝ፭ Ø ё̶ᗃᐲធᣩ⋣Ꮜᕀơػᾋ Ø ข㏡㡩ʵʬஂፒ⃯أ㐹㋵㡦͡⊛ٸӱ̝ො㞾ዏข㏡٩য়٩
۱ଁ⁃ᡊᦡⶳጓำ⥣ౖ⁃
ᡊᦡܠЛ⑸
Ԇϫᙻᡊᦡ⎛↫۱ଁ⁃
ϮᖱⶳయΦϨ႔ऱ
ⶳయዢ㇠ฯМ Ø ̩᨟ᜥፒṛჽṬ՚ḑ⬊ʵፎ⩰ဋ ➡ Android app ơ iOS app ḑ API server Ø ᜥፒ㊋ᝥፌቭᣩដ ➡ OpenSSL Heartbleed ➡
Shellshock ➡ POODLE Ø ⺀ො㞾⊓ٸሟᇌḑ੶֣㡦Νਗ CSRF XSS
⼶༚ܠ㏄⃥ Ø ࢢӨ⋣ḑ≕⊶өᜥፒ㊣ᖤ՟ ➡ ท٪ӑᣜٵ₇ Injection 㡦㉐ⵖ service ftp rsync Ø ท٪ͦ⏀ৡᮯ
➡ http://devcore/admin ➡ http://admin.devcore Ø ท٪ٕϫٽ୕⍍ဪʵ՚˯ڒ ➡ Google Hacking
ӛӥᚇಙయΤ㦖 Ø ̩խፊЦ⼱ᣑ⼈ᡄ⮜㡦ℨ˲ᘟЦᣑ⼈ᡄ⮜ӻ൷ဪ՚⭸㕸㐹 ㋵ො㞾 Ø ොஞᾋဋᙛʵሞ Ø Ϋⴟ⭶ё㡢 WAF 㡣
ΐΦ⾱⺼ᙜؕ Ø Ṍჾ≕⊶ ➡ IDS ơ IPS ➡ ឪぞ ➡ ᗃᐲᵐֽ Ø
Log ➡ ϑୖ።㊶ৡἈ㡢යⱬ╾ϑୖ؍ൖ㡣 ➡ ፫ᵐࢩё̶
ฎጥ⸤پ㦖
ሟᇌ ⳽୷⭶ё ⋣ ⳽ቛൻ Botnet Botnet ሯᇜ
ጥମ▕㦖〔♉ᶲ⭉ጥコ㦖 Ø ⋣ⶦ⭶ёơ⳽୷⭶ё˥ፒ୷ө㐹㋵㡦ᴖ╾٩ⓗࡻ᨟⭶ ёௐ╿ӧβ╾Ө⋣Ƣ Ø IoT ḑዏ̧㡦ஔ㌱ơ₺⪓⏀⨴٩⼙⋣㡦˥ፒ⩰ӧ βḑ㐹㋵Ƣ Ø ̹ᓹơஔˆᠮḑ⭶ё㡦₳ዅʵዅᮚӧஈ㡮
Ўᐎࣞ ㏄᪪ᯓ ⶳጓำ Ϯᖱ% Ўᐎࣞ Ўᐎࣞ ኄ⓱
▟㔃கӼᴫƭ▟㑊㌆Ӽ
♆㘓ా֤᷒ɗ♆㕚㐖֤ఎ Ø ዏዏፄቭ⳽୷⬵㡦ἃἃฉḍʵ Ø ᣩដዅ⊓ٸሟᇌḑ Ø ٤Ц⼱ʬᘟᣑ⼈ᡄ⮜˂㍳✈ᩜʬ১ Ø ᣩដᄳ㍝ൕ٪
➡ VulReport https://vulreport.net
ḝ഼㔃கዕ▊എ̙ 㟅◭ᴭᔉဖዕͅᔉḢቓ̙
ⳟગౌ㦃 ␃ុᙏ Allen Own allenown@devcore ৢடᬕ⒘̶ፒ㊶Ӭٰ