2015.04.02 從滲透測試談企業常見資安風險

ЮΆ⿬㘓ా༢㣉ἤЮ࡯㦖 ໙ᦉ⾾᣼ⱒⲗϮᖱ෤⯊ⶳయ㕚㐖 ␃ុᙏ"MMFO0XO BMMFOPXO!EFWDPSF ࿵ৢடᬕ⒘̶ፒ㊶Ӭٰ J5IPNF▄᧫⳽୷য়ፎ

ⳝ⓱≼ύ ␃ុᙏ "MMFO0XO ࿵ৢடᬕ%&7$03&घ⨭㉅ BMMFOPXO!EFWDPSF ٪᧫㓲ஆൖፎ)*5$0/ᐥ฾࿜ܓ ொ㉅㡩㓲ஆሟᇌစ᝖ՁᎵơᣑ⼈ᡄ⮜

Hacks In Taiwan Conference Community 2015/8/28 ~ 29 தԝݚڀӃ

࿝ϰΙ⯡⯡ƫᣑ⼈ᡄ⮜Ƭ

ⶳయΦϨ⥝ᴑ Φأ㔑㏄ ΦϨể᷒ᎇ Φ໏Ⲑᒩ ᣑ⼆ᡄ⮚ ሲ⒣⭥⌕ ྭⱻ⭝ᵍ ⳻୷⼎ृ ˰̲ᣬ⌕ ⋸๾ྭⱻ
˰̲⢥᱙ ቆͥ㈠ⱙ สغずය

΅๎Ṧ˒Ḣᣢ⼙ᡕ⮭ዕ̚㞹㢂

Αᴟƪᣑ⼆ᡄ⮚೸ӱƫრᄚơ ˷ৠ٨̨ᡄ⮚Ϫ*1㡙 ྭ⮤ө✇॓٨̨Х୹ڑ㡬 ृڮʫஂፒณ৙⯇ृ ̵ʾḣዕ
΅๎Ṧ˒Ḣᣢ⼙ᡕ⮭ዕ̚㞹㢂

΅ٶⓨ٣է˻ˁਡḢቂ⒴Ʈ

ֳ⴨Ḣᣢ⼙ᡕ⮭ ٤Βᴟ╹ֽת೸ӲრᄚԺृگ ृگ⯉ՓᰃṞᵑ㕸 Җᐩ㋳θơͧҖ٩ါჽơʬᘟ⼟⨭য়ぞ*1 ឧ೸ⱶᴚ㡢Ӭ̛㡮㡣՚ஆ࿶⻇Ӭஈ⼟⨭ፖׁ

ᦉ⾾᣼ⱒᐎٷ Ø ̩㓲ஆ๸⋞Ժḋ㡦ᕻᇣሟᇌ␹ḑ๸⋞⼟⨭ሟᇌᡄ ⮜Ƣᴨⶳయ㕏ࠔςධᚇ᣼㡦ど௏ṕᕵ⼟⨭ᣑ⼈ဪ Ժො㞾㡦␽㍳Βᴟ╹ֽת೸ӲრᄚᴜᴚृگƢ Ø ⮧⊁ဪԺ࿼ፒሟᇌḑ٩ⓗ㡦Ϋ᪊㐹㋵⁰൷⼟⨭Ձ ≲㡦⮧⊁ՍԺ࿼ፒሟᇌḑᙑ㕌㡦˂ᄛΩϙ⪒ḑය ⱬƢᩜ╹ֽתრᄚ೸Ӳḑ⯉Փ໬෷Ƣ

чᷗ☱ٳڠධ֧ᚇ᣼ Ўᐎࣞ ᚇ᣼ς߉чᷗ☱ٳڠධ֧ Ø ╹ֽת೸Ӳᩜ̍೸Փቱ㡦ബፒ⯉ृݞ㐘 Ø ᩜ᝖Ϋᇘʵټ⋣ⶦᏌᕀِ໬ॽ⼟⨭ᗏᡄ Ø ᩜ᝖⼈⼱ᣩដ⼟⨭ፄᠥӧḑᗏᡄ Ø
╹ֽת೸Ӳ٩ⓗḄ᷂ٖᗏ͙ፖࠨ Ø ᗏᡄ̍ܓ܃ⴗ㌢̩ყჾ

☱ٳڠධ֧ᷔ᷒৺ݥỉ⑓㣟 16

ⶳయ㕏ࠔςධᚇ᣼ Ўᐎࣞ ⶳయ㕏ࠔ Ø ▎༃༦ሟᇌ␹㓲ஆ⃳ࢢټʬϫာ⨱ᛡൕ㡦Βᴟ㓲ஆḑ๸ ⋞⼟⨭̍೸ᗏᡄ㡦ፒሧဪԺሟᇌ␹ፎ՗ᴟḑሟᇌᕻ෇Ƣ Ø ど௏ሟᇌ␹ḑሟᇌታ෇⼟⨭㊣ेِϙ⪒Ƣ Ø ⼈⼱Ӭ㉐ḑ⳽ᢋِ̩㓲ஆἃⱛൻ㡦்ဪ⶘͙ፖࠨṞ㊋ḑ
ធᣩ⳽ቛِ̩ᣩដ⳽⭠㡦՗ᴟ⼏˼⳽⭠ؓ֨ᣑ⼈ᡄ⮜Ƣ

ⶳయ㕏ࠔςධᚇ᣼ fasdf ֝ざ⎛⹜ Ўᐎࣞ ⶳయ㕏ࠔ ⎅ᷠᦡᡂᦉ⾾ Ø ᐦᇘʵټ໬ॽ㡦⋍ᴨᗏᡄḑ͙ፖࠨᣑ⼈Ө⾠⋣ⶦƢ Ø ٩̩ፒሧผἃቂ㕴̹ᓹ⋣ⶦၐ‭㓲ஆḑ㊣‭ⓗ֣Ƣ

⯁Ά⿬዗ኄ⓱ỉ༰⎖ɗ⯫㣟ɗႽ᠎ Ⴞ▏໭ฤӛ૊㏄⃥

ϮᖱἍأỉయ֞⇳〉㦖

http://en.wikipedia.org/wiki/Liebig's_law_of_the_minimum

ᐢᓽᴑⲢ Ø ⳽⭠୷өḑ㊣Ɱ℻≲㡦ዅม፪ᎩˆፌἈḑ⽴ᬜ㕸൷ Ιᜐஂ㡦ᛡʬஂม⽴⽣ឪԺΙƢ Ø ⳽୷᳉ↀˆ㡦٤⬋ፒ௑ࢩታᵡ১㡦௡ፎ⼖࿜ቂϫ≕ ⊶ḑء஑Ƣ Ø ̹ᓹˆ⳽୷༦ⱛፌ⠆ොḑ̍㡦฿ஂፎ࿜᨟ሟᇌ␹ӧ βḑ⎛ٞƢ

ʔࠅϓމԟ෯௰೵ٙ˝ؐl

ฎฯϮᖱⶳయᦡᡂय㕏

ฎฯᦡᡂ⍮Ⱅ5PQ ٓே෇ⶠ⃳┠፭ሟᇌ$SPTT4JUF4DSJQUJOH 944 ⳽ቛൻᝥӧሟᇌ42-*OKFDUJPO ݘᓹ⽦⺔ㅟ⯉#VTJOFTT-PHJD'MBX
ⶠ⃳Ӿٽ⯤ᛩ$SPTT4JUF3FRVFTU'PSHFSZ ⳽⭠ធᣩ*OGPSNBUJPO-FBLBHF

ฎฯᦡᡂ⍮Ⱅ 29.9% 6.4% 9.6% 13.1% 15.1% 25.9% Cross-Site Scripting SQL
Injection Business Logic Flaw Cross-Site Request Forgery Information Leakage Others

ฎฯᦡᡂ⍮Ⱅ 08"415PQ 29.9% 6.4% 9.6% 13.1% 15.1% 25.9% 2013 A3
2013 A1 Business Logic Flaw 2013 A8 2007 A6 Others

⹖↫◘ᐥ዗ኄ $SPTT4JUF4DSJQUJOH 944

$SPTT4JUF4DSJQUJOH Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 944 Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ

Ᏹ৯ʾ⯢ዟ㡽 ⑇ഴ㡽Ʒ̚㞹ዕ944㢂Ƹ ୹ᴫ㡽ƹᦼ⭃࠵፞ⶻBMFSUՇΥƺ ⑇ഴ㡽ƷƸ

$SPTT4JUF4DSJQUJOH Ø ࿜ࡻ㡩㉐ḋ␹፫⼱ᦝ⺛ӧВ㡦ṛჽ௉ٍቆሡӧ⋣㏣ˆ㡦Β ሟᇌ␹٩̵༦ᄝӧ)5.-ӏ≸㡦ΝਗJGSBNFơTDSJQU℻ Ø ሟᇌ⊛Ꮏ㡩 Ø ⃮ٕʬ▪ᴟ࿶ơⅳ᱙␹ന⢬ Ø ぜቭௐځ༃༦⋣⃳
Ø ⃪ሞ⋣⃳৖⬵ᕼ෇ Ø ข㏡㡩Βᴟ␹ന⢬⩰⃮ٕ㡢ኴ⽈⮍㔔㌉࢙ᴟΙṇٕϫ⳽˂ ⼟ʬᙑ՗ᴟ㡦࢒ӨഀፒᐲΝ㡣

↦܋෠⥣ᡢℨ Ḋӧ ٕผ$PPLJF ⋍ᴨ944ᣩដ  $PPLJF⽈⃮ ٕผ$PPLJF .BMJDJPVT4FSWFS "UUBDLFS 7VMOFSBCMF4FSWFS 7JDUJN
ჾ՟ന⢬

8PSTU1SBDUJDF Ø ࢢDMJFOUTJEFΒᴟ+BWB4DSJQU⼟⨭㊣‭  Βᴟʬ˼⳽୷೸Ӳأ٩⍧⼱+BWB4DSJQUḑᗏᏱ

8PSTU1SBDUJDF Ø ̧ٕ୕ˊ㡩⼫՚TDSJQU࿡TDSJQU௡̧ٕ࿜₶୕ˊ Ø ⺛ӧTDTDSJQUSJQUâ̧ٕ୹ทսʳTDSJQU Ø ⺛ӧDSJQUâ፫̧ٕTDSJQU

944'JMUFS&WBTJPO$IFBU4IFFU https://www.owasp.org/index.php/ XSS_Filter_Evasion_Cheat_Sheet

ⶳጓำ᠝֜዗ኄ 42-*OKFDUJPO

ٛᏱ৯ʾ⯢ዟ㡽 ⑇ഴ㡽Ʒ̚㞹ዕ42-*OKFDUJPO㢂Ƹ ୹ᴫ㡽ƹ03ƺ ⑇ഴ㡽ƷƸ

Ᏹ⮇ўඵݥ㡽 ᔉ˛㡽Ʒਦͺ㊸ᇝ42-*OKFDUJPO㢂Ƹ ඵݥ㡽ƹṽէ௰ዕሯᇜ㡯ƺ 㔃க㡽Ʒۃ㢂Ƹ

42-*OKFDUJPO Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 42-*OKFDUJPO Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ

42-*OKFDUJPO Ø ࿜ࡻ㡩㉐ḋ␹Βᴟ୕ˊ⊓ٸḑታ෇ය⃯42-⯅٠㡦ټዏَ ፫⼱ᦝٍቆ㡦Βሟᇌ␹٩ᒸӧ༃༦42-⯅᝖ Ø ሟᇌ⊛Ꮏ㡩 ➡ ϫ⳽৖ធ ➡ ⅳ᱙␹ന⢬ஞᾋ৖ធ
Ø ข㏡㡩য়ぞϫ⳽৖ធơ̹ᓹ᫙⼮⳽ቛ৖ធ

ఢⓉ㘓ా༰⎖

ῲ⯺IBTI

Ể֜QIQ.Z"ENJO

ტಅ㉌ⱿⰖཬ

౲֜XFCTIFMM

ఢⓉ㘓ా༰⎖ Ø ٕผஞᾋIBTI㡦ˀ՚(PPHMF࿡Ἲ⭄⋣⃳Ᏹ⮚ Ø ٕผΒᴟ␹ኯቒஞᾋ㡦ႈًἺ⭄QIQ.Z"ENJOന⢬ Ø ဪ்ዅڑፒ≕⊶ⶦนơ͙ፖࠨᘐ㊶ჾⅳʵᵑ℻ො㞾 Ø ஺ӧXFCTIFMM Ø
߲⮜ٓ⼙ჾ՟ Ø ᄛᘐٕผፌ㕸ᘐ㊶

ࠎᖱ〜⽊ᦡᡂ #VTJOFTT-PHJD'MBXT

#VTJOFTT-PHJD'MBXT Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 #VTJOFTT -PHJD7VMOFSBCJMJUZ Ø ḋᴚ̹ᓹḍՁᚚ㡩
፫ḋᴚ̸ᓹ ḋᴚ̸ᓹ

#VTJOFTT-PHJD'MBXT Ø ࿜ࡻ㡩㉐ḋ␹፫ᗏᏱΒᴟ␹ዅڑፒᘐ㊶௏ᬿஂ⳽ቛ⼟⨭Ᏹ⮚ơ ϙሞơ՘㋃㡦ௐ╿Βᴟ␹٩̵༦ᇎ͵⮦⳽ቛ Ø ሟᇌ⊛Ꮏ㡩 ➡ ̂ኴだ㐙⽈՚⃪ሞ ➡ ⭛ޢኯ⊁ơϫ⳽৖ធ
➡ ⅳ᱙␹ന⢬⽈՚⃪ሞ Ø ข㏡㡩য়ぞϫ⳽৖ធơΒᴟ␹ന⢬⩰⃮ٕ

෤⯊ᓪђ IUUQEFWDPSFQBZQIQ JUFNBCDBNPVOU

෤⯊ᓪђ $POUE Ø ࢢፒˊだឪḑ̹ᓹˆ㡦㕸⼷ḑ̹ᓹḋᴚᙐݞ㐘 Ø ḋᴚػࡻ㡩ṛჽ᪊だឪݘᄛΩḑↂ፭ᆼ஺⁰෇㡦˥፫㕇ⱍ̂ ኴ⊛Ꮏዅڑᙏᾉ Ø ข㏡㡩 Ø
ᩜ̍೸௏ന㡩য়ぞだㅓᅆ১ Ø ፒ̍೸௏ന㡩঎֥௏ന֣̍Ⳛᇓ

㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ␹ だឪݘ ㌱ݘ⋣⃳ ⴦ᬳ ௐځ╾だឪݘ ̟ᘲ
⼐ἃ̟ᘲ୹࿜

㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ␹ だឪݘ ㌱ݘ⋣⃳ ௐځ╾だឪݘ ̟ᘲ
чᷗᩣ⯨ࣞἓᆵಈܷ

㑒ࠎ⎛↫ㄖᡢᡢℨ ៖Ⳳ␹ だឪݘ ㌱ݘ⋣⃳ ⴦ᬳ ௐځ╾だឪݘ ↢ዖϔᛪㄖ㔺
⿆Άϔᛪఱ႔

෤⯊ᓪђ IUUQEFWDPSFVTFS@JOGPQIQ JE%&7$03&

෤⯊ᓪђ $POUE IUUQEFWDPSFVTFS@JOGPQIQ JE)*5$0/

⹖↫ֳܳⲚឡ $SPTT4JUF3FRVFTU'PSHFSZ $43'

$SPTT4JUF3FRVFTU'PSHFSZ Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 $43' Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ

$SPTT4JUF3FRVFTU'PSHFSZ Ø ࿜ࡻ㡩㉐ḋ␹፫ᗏᏱSFRVFTUዅڑ᨟Βᴟ␹፭⸽ḋԺḑֽ͵㡦 ௐ╿ሟᇌ␹٩̩Ӿᴟʬ▪Βᴟ␹ḑ⸽̶घ⨭ᬿஂᇎ͵ Ø ሟᇌᐲΝ ➡ Βᴟ␹╹ֽʳޢ⴦ᬳ ➡ Βᴟ␹╹ֽϙሞஞᾋ
➡ ⧾⧠ሟᇌ Ø ข㏡㡩Βᴟ␹ኴࢢʵἃ໬᭱ᝄघ⨭ᬿஂֽ͵

$43'዗ኄᡢℨ Ḋӧ ㉐ݧ༃ ༦⼙⊛࿡ ϕ̳ .BMJDJPVT 4FSWFS WVMTFSWFS 7JDUJN JNHTSDIUUQWVMTFSWFSCVZQIQ
JUFNBCD (&5CVZQIQ JUFNBCD

෤⯊ᓪђ

ⶳⰖᡊᦡ *OGPSNBUJPO-FBLBHF

*OGPSNBUJPO-FBLBHF Ø ൖ൷ො㞾ḍՁᚚ㡩 Ӱ̜ො㞼 *OGPNBUJPO-FBLBHF Ø ḋᴚ̹ᓹḍՁᚚ㡩 ፫ḋᴚ̸ᓹ
ḋᴚ̸ᓹ

*OGPSNBUJPO-FBLBHF Ø ࿜ࡻ㡩⋞⼮̍ܓ࿡㉐ḋ␹⭶ஂㅟ⯉㡦ௐ╿≕⊶ᖤሪ⳽⭠ធᣩ ት⋣⃳ʲ Ø ബ⬔᭱ᝄ Ø ػ੉ᾋធᣩന⢬ஞᾋơធᣩท٪ṕㄻ Ø ㅟ⯉⭠ິធᣩ⋣⃳⁰෇ⶦนơធᣩ⾠Ձػ੉ᾋ
Ø ធᣩ͵ᓹ≕⊶ơ'SBNFXPSL㐦ِࣘᬝ፭ Ø ё̶ᗃᐲធᣩ⋣⃳Ꮜᕀơػ੉ᾋ Ø ข㏡㡩ʵʬஂፒ⃯أ㐹㋵㡦͡⊛ٸӱ̝ො㞾ዏข㏡٩য়٩௑

۱ଁ⁃ᡊᦡⶳጓำ෠⥣ౖ⁃

ᡊᦡ໏ܠЛ⑸

Ԇϫᙻᡊᦡ⎛↫۱ଁ⁃

ϮᖱⶳయΦϨ႔ऱ

ⶳయዢ㇠ฯМ Ø ̩᨟ᜥፒṛჽṬ՚ḑ᎛⬊௡ʵፎ⩰ဋ ➡ "OESPJEBQQơJ04BQQḑ"1*TFSWFS Ø ᜥፒ㊋ᝥፌቭᣩដ ➡ 0QFO44-)FBSUCMFFE ➡
4IFMMTIPDL ➡ 100%-& Ø ⺀๢ො㞾⊓ٸሟᇌḑ੶֣㡦Νਗ$43' 944

⼶༚໏ܠ㏄⃥ Ø ࢢӨ⋣ḑ≕⊶୹өᜥፒ㊣‭ᖤ՟ ➡ ท٪ӑᣜٵ₇*OKFDUJPO㡦㉐ⵖ৙TFSWJDF GUQ STZOD Ø ท٪ͦ⏀ৡ਒ᮯ
➡ IUUQEFWDPSFBENJO ➡ IUUQBENJOEFWDPSF Ø ท٪ٕϫ຃ٽ୕͹⍍ဪʵ՚˯ڒ ➡ (PPHMF)BDLJOH

ӛ⿧ӥᚇಙ໶యΤ㦖 Ø ̩խፊЦ⼱ᣑ⼈ᡄ⮜㡦ℨ˲ᘟЦᣑ⼈ᡄ⮜ӻ൷ဪ՚⭸৙㕸㐹㋵ො㞾 Ø ොஞᾋဋᙛʵሞ Ø Ϋⴟ⭶ё㡢8"'㡣

⑓ΐΦ໏⾱⺼ᙜؕ Ø Ṍჾ≕⊶ ➡ *%4ơ*14 ➡ ឪぞ ➡ ᗃᐲᵐֽ Ø
-PH ➡ ϑୖ።㊶ৡἈ㡢යⱬ╾௓ϑୖ؍ൖ㡣 ➡ ፫ᵐࢩё̶

ฎጥ⸤پ㦖

ሟᇌ␹ ⳽୷⭶ё ⋣⃳ ⳽ቛൻ #PUOFU #PUOFUሯᇜ

ጥମ▕㦖〔፽♉ᶲ⭉ጥコ㦖 Ø ⋣ⶦ⭶ёơ⳽୷⭶ё˥ፒ୷ө㐹㋵㡦ᴖ╾٩ⓗࡻ᨟⭶ ёௐ╿ӧβ╾Ө⋣Ƣ Ø *P5ḑዏ̧㡦ஔ㌱ơ₺࿵෇⪓⏀⨴٩⼙⋣㡦˥ፒ⩰ӧ βḑ㐹㋵Ƣ Ø ̹ᓹơஔˆᠮ⴦ḑ⭶ё㡦₳⃶ዅʵዅ෋ᮚӧஈ㡮

Ўᐎࣞ ㏄᪪ᯓ ⶳጓำ Ϯᖱ% Ўᐎࣞ Ўᐎࣞ ዗ኄ⓱

▟㔃கӼᴫƭ▟㑊㌆Ӽ୥

♆㘓ా֤᷒ɗ♆㕚㐖֤ఎ Ø ዏዏፄቭ⳽୷⬵๝㡦ἃ೿ἃฉḍ࿲ʵ๺ Ø ᣩដዅ⊓ٸሟᇌḑ Ø ٤Ц⼱ʬᘟᣑ⼈ᡄ⮜˂㍳✈ᩜʬ১ Ø ᣩដᄳ㍝ൕ٪
➡ 7VM3FQPSU IUUQTWVMSFQPSUOFU

ḝ഼㔃கዕ▊എ̙ 㟅◭ᴭᔉဖዕͅᔉḢቓ̙

࿪ⳟગౌ㦃 ␃ុᙏ"MMFO0XO BMMFOPXO!EFWDPSF ࿵ৢடᬕ⒘̶ፒ㊶Ӭٰ

2015.04.02 從滲透測試談企業常見資安風險

2015.04.02 從滲透測試談企業常見資安風險

More Decks by DEVCORE

Other Decks in Technology

Featured

Transcript