Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSについて説明します

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for hirari123 hirari123
March 18, 2021
Programming
85
0

 XSSについて説明します

非エンジニアがXSS(クロスサイトスクリプティング)について調べてみて説明しました。

Avatar for hirari123

hirari123

March 18, 2021

Other Decks in Programming

See All in Programming
TiDBのアーキテクチャから学ぶ分散システム入門 〜MySQL互換のNewSQLは何を解決するのか〜 / tidb-architecture-study
Avatar for DPon dznbk
1
180
SkillがSkillを生む:QA観点出しを自動化した
Avatar for sontixyou sontixyou
6
3.5k
mruby on C#: From VM Implementation to Game Scripting (RubyKaigi 2026)
Avatar for hadashiA hadashia
2
590
クラウドネイティブなエンジニアに向ける Raycastの魅力と実際の活用事例
Avatar for Nealle nealle
2
220
AI時代のPhpStorm最新事情 #phpcon_odawara
Avatar for yusuke yusuke
0
190
From Formal Specification to Property Based Test
Avatar for Masato Ohba ohbarye
0
200
AI時代のエンジニアリングの原則 / Engineering Principles in the AI ​​Era
Avatar for haru860 haru860
0
580
ふりがな Deep Dive try! Swift Tokyo 2026
Avatar for watura watura
0
230
t *testing.T は どこからやってくるの?
Avatar for Kotaro Otaka otakakot
1
710
10 Tips of AWS ~Gen AI on AWS~
Avatar for matsukada licux
5
450
iOS機能開発のAI環境と起きた変化
Avatar for Ryu-nakayama ryunakayama
0
190
Programming with a DJ Controller — not vibe coding
Avatar for seki at druby.org m_seki
3
140

Featured

See All Featured
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
23k
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
120
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.4k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
Avatar for Tech SEO Connect techseoconnect
PRO
0
110
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Exploring the relationship between traditional SERPs and Gen AI search
Avatar for Ray Grieselhuber raygrieselhuber
PRO
2
3.8k
Code Review Best Practice
Avatar for Trisha Gee trishagee
74
20k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
440
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.3k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
110
Skip the Path - Find Your Career Trail
Avatar for Mark Kilby mkilby
1
110
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
150

Transcript

  1. ฏ઒ɹ঵ଠ XSSʹ͍ͭͯઆ໌͠·͢ɻ

  2. XSSͬͯԿͧ΍🤔 • XSS(ΫϩεαΠτεΫϦϓςΟϯά) ܝࣔ൘αΠτ΍TwitterͷΑ͏ͳɺϢʔβʔ͔Βͷೖྗ಺༰ʹΑͬͯද͕ࣔಈతʹมΘΔ Webϖʔδ΍WebΞϓϦέʔγϣϯʹ͓͍ͯɺWebαΠτʢඪతαΠτʣͷ੬ऑੑ ʢXSS੬ऑੑʣΛར༻ͨ͠߈ܸख๏Λࢦ͢ɻ

  3. ߈ܸͷྲྀΕ ᶄϢʔβʔ͕ܝࣔ൘αΠτBΛӾཡ͢Δɻ ᶃ߈ܸऀC͕XSSʹରͯ͠੬ऑੑͷ͋ΔAࣾΛൃݟ͠ɺAࣾʹ ڵຯΛ࣋ͪͦ͏ͳϢʔβʔͷ͍Δܝࣔ൘αΠτBʹ᠘Λ࢓ֻ͚Δ (ྫɿεΫϦϓτ෇͖ϦϯΫΛషΔͳͲ) ᶅܝࣔ൘αΠτB಺ͰεΫϦϓτ࣮ߦ ᶆϢʔβʔ͸εΫϦϓτ৘ใΛ࣋ͬͨ··AࣾͷϖʔδʹҠಈ ʢΫϩεαΠτʣ͢Δɻ ᶇεΫϦϓτͷޮՌʹΑΓʮAࣾͷαΠτͱͯ͠ʯදࣔ͞Εͨ ِαΠτʹδϟϯϓ͢Δɻὃ͞ΕͨϢʔβʔ͕৘ใΛೖྗͨ͠

    ݁ՌɺεΫϦϓτ͕ѱ͞Λ͢Δ ᶈ߈ܸऀCͷखʹΑΓɺϢʔβʔʹର༷ͯ͠ʑͳඃ֐͕ൃੜ ʢϚϧ΢ΣΞײછɾ߈ܸऀC΁ͷ৘ใ࿙ӮͳͲʣ ൓ࣹܕXSS

  4. ߈ܸͷݪҼ XSSͷࠜຊతͳݪҼ͸ɺ߈ܸऀ͕ෆਖ਼ͳεΫϦϓτΛૠೖ͢Δ͜ ͱ͕Ͱ͖Δ؀ڥΛ༩͑ͯ͠·͏͜ͱʹ͋Δɻ XSSʹରͯ͠੬ऑੑΛ࣋ͭಈతαΠτͷ์ஔͰ͋Δɻ ͜ͷεΫϦϓτจষʹ͸ɺΤϯυϢʔβʔଆ͕อ༗͢Δݸਓ৘ใ ΛඪతαΠτͱ͸ผͷαΠτʹૹ৴͢ΔΑ͏ʹઃఆ͞Ε͓ͯΓɺ ͜Ε͕௚઀తͳඃ֐ΛੜΈग़͢ݪҼͱͳ͍ͬͯΔɻ

  5. ߈ܸඃ֐ͷӨڹ XSSʹΑΔ߈ܸ͸ɺඪతαΠτͷΤϯυϢʔβʔ͕ඃ֐Λड͚Δ͜ ͱͰൃੜ͢Δɻ୅දతͳඃ֐ྫͱͯ͠͸ɺ •Cookie৘ใΛར༻ͨ͠ɺͳΓ͢·͠ͷෆਖ਼ΞΫηε (ηογϣϯϋΠδϟοΫ) •HTMLλάΛ࢖ͬͨೖྗϑΥʔϜʹΑΔ৘ใऩू •ِαΠτΛ࢖ͬͨϑΟογϯά࠮ٗ

  6. ඃ֐ࣄྫ YouTubeෆਖ਼ΞΫηεࣄ݅ (2010/7/4ʙ7/5) ถYouTubeΛૂͬͨ߈ܸ͕ൃੜ͠ɺγϣοΫͳ σϚ͕ྲྀΕͨΓɺίϝϯτ͕දࣔ͞Εͳ͘ͳΔ ͳͲͷӨڹ͕޿͕ͬͨɻ χϡʔε଎ใ!! ՎखͷδϟεςΟϯɾϏʔόʔ͕ ަ௨ࣄނͰࢮ๢

  7. ඃ֐ࣄྫ ͜ͷ߈ܸͰ͸YouTubeͷίϝϯτγεςϜʹଘࡏ͢ΔXSSͷ੬ऑੑ͕ ѱ༻͞Εͨɻ ۩ମతʹ͸ɺίϝϯτΞϓϦέʔγϣϯͷग़ྗσʔλͷ҉߸Խॲཧʹ ໰୊͕ଘࡏ͓ͯ͠Γɺ͜ΕΛಥ͍ͯ߈ܸऀ͕CookieΛ౪Έɺ JavaScriptίʔυΛ࢓ࠐΜͰϢʔβʔͷWebϒϥ΢βͰ࣮ߦ͞ΕΔ͜ ͱ͕Ͱ͖ͯ͠·ͬͨͱݟΒΕΔɻ ͦͷଞʹ΋ෆਖ਼ͳϙοϓΞοϓ͕ग़ͨΓɺѱझຯͳWEBαΠτʹϦμ ΠϨΫτ͞ΕͨΓ͢Δέʔε͕૬͍࣍Ͱ͍ͨͱݴΘΕ͍ͯΔɻ

  8. WebαΠτͷ੬ऑੑͷछྨผͷಧग़ঢ়گ 2019೥ୈ4࢛൒ظ(10݄ʙ12݄)

  9. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 1.ೖྗ஋ͷ੍ݶ ྫɿID΍ύεϫʔυΛೖྗ͢ΔϑΥʔϜͰ͸ʮ൒֯ӳ਺ࣈ◦จࣈ·Ͱʯ ͳͲ੍ݶ͢Δ αʔόʔଆͰͷೖྗ஋ͷ੍ݶΛ͢ΔͨΊʹJavaScriptΛ࢖ͬͯϢʔβʔଆͷ ϒϥ΢βͰߦΘͤΔํ๏΋͋Δ͕ɺϢʔβʔ͕JavaScriptΛແޮʹ͍ͯ͠Ε͹ ೖྗ஋ͷ੍ݶ͕ߦΘΕͳ͍ͷͰXSS߈ܸͷର৅ʹͳΒͳ͍ɻ

  10. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 2.αχλΠδϯά(Τεέʔϓ) αΠτͷϑΥʔϜͳͲ΁εΫϦϓτͷߏ੒ʹඞཁͱͳΔจࣈ͕ೖྗ͞Εͨ৔߹ʹɺ ͦͷจࣈΛผͷจࣈ΁ॻ͖׵͑ͯ͠·͏ख๏ͷ͜ͱɻ ͜ΕʹΑΓɺԾʹ߈ܸऀ͕εΫϦϓτΛຒΊࠐ΋͏ͱͯ͠΋ແޮԽ͢Δ͜ͱ͕Ͱ͖ Δɻ ର৅ͷจࣈ ฦؐޙͷจࣈྻ < &lt;

    > &gt; & &amp; “ &quot; ‘ #39; αχλΠδϯά͢΂͖จࣈ͸؀ڥʹΑͬͯҟͳΔ͕ɺ ӈͷද͕୅දతͳྫͰ͢ɻ

  11. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 3.WAF(Web Application Firewall)ͷઃఆ WebΞϓϦέʔγϣϯઐ༻ͷϑΝΠΞ΢ΥʔϧͰ͋Δɻ ϑΝΠΞ΢Υʔϧͱ͍͏ͱɺϙʔτ൪߸΍IPΞυϨεͳͲʹΑΓ߈ܸΛ๷ޚ͢Δ ωοτϫʔΫϨϕϧͷํ͕Α͘஌ΒΕ͍ͯΔɻ͕ͩɺܝࣔ൘ͳͲͰೖྗ͞Εͨ಺ ༰·Ͱ͸νΣοΫ͠ͳ͍ɻͦ͜Ͱ͜ͷWAF͕ඞཁʹͳΔɻ WAF͸ɺWebΞϓϦέʔγϣϯʹର͢Δ௨৴಺༰ΛνΣοΫ͠ɺٙΘ͍͠಺༰͕ ͋Ε͹ϒϩοΫ͢Δ͜ͱ͕ՄೳͰ͋Δɻ

  12. ੬ऑੑΛ೺Ѳ͓ͯ͜͠͏ • XSSͷ੬ऑੑ͸ɺ։ൃऀଆ͕ιʔείʔυΛ֬ೝ͢Δ͜ͱͰ੬ऑੑΛνΣοΫ͢Δ͜ ͱ΋ՄೳͰ͋Δɻ • ੬ऑੑΛ࡞Γࠐ·ͳ͍Α͏։ൃ͢ΔͨΊʹɺIPA(ಠཱߦ੓๏ਓɹ৘ใॲཧਪਐػߏ) ͕ެ։͍ͯ͠Δʮ҆શͳ΢ΣϒαΠτͷ࡞Γํʯ΍ʮIPA ISEC ηΩϡΞɾϓϩάϥ ϛϯάߨ࠲ʯΛࢀߟʹ্ͨ͠ɺඞཁͳ҆શରࡦΛ࣮ࢪͯ͠ɺ։ൃΛҕୗ͢Δ৔߹ʹ΋

    ࣗࣾͰ։ൃ͢Δ৔߹ͱಉ༷ʹ͜ΕΒͷରࡦΛ࣮ࢪ͢Δ͜ͱ͸ΦεεϝͰ͢ɻ

  13. ·ͱΊ • XSS͕ඇৗʹةݥͳαʔόʔ߈ܸͰ͋Δ͜ͱ͸ɺաڈͷେن໛ͳෆਖ਼ΞΫηεࣄ͔݅ Β΋໌Β͔Ͱ͋Δɻ • ݸਓ৘ใͷऩूΛ໨తͱͨ͠߈ܸऀʹΑΓ࣮ߦ͞ΕΔͱɺଟେͳΔඃ֐Λٴ΅͢͜ͱ ʹͳͬͯ͠·͏ɻ • ࠜຊతͳରࡦ͸ઃܭ࣌ͷεΫϦϓτ͔Βݟ௚͢ඞཁ͕͋ΔͨΊʹඇৗʹ೉͍͠໰୊ͳ ͷͰɺαΠτͷ੍࡞ऀ͸͔ͬ͠Γͱ৘ใΛௐ͔ࠪͯ͠Βͷ࡞੒͕ඞཁͰ͋Δɻ

    • Ϣʔβʔଆ͸ΤϯυϙΠϯτͷηΩϡϦςΟιϑτΛಋೖ͢ΔͳͲɺجຊతͳηΩϡ ϦςΟରࡦ͸ߦ͓ͬͯ͘͜ͱ͕ॏཁͰ͋Δɻ

  14. ࢀߟʹͨ͠αΠτɾॻ੶ • αΠτ ɹCyber security.com ʮΫϩεαΠτεΫϦϓςΟϯάͱ͸?ʯ࢓૊Έࣄྫ͔Βߟ͑Δରࡦ • ॻ੶ ʰ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํʱ120ʙ149ϖʔδ

  15. 🙇͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠🙇