Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSについて説明します

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for hirari123 hirari123
March 18, 2021
Programming
0
77

 XSSについて説明します

非エンジニアがXSS(クロスサイトスクリプティング)について調べてみて説明しました。

Avatar for hirari123

hirari123

March 18, 2021
Tweet

Other Decks in Programming

See All in Programming
高速開発のためのコード整理術
Avatar for sutetotanuki sutetotanuki
1
380
The Past, Present, and Future of Enterprise Java
Avatar for ivargrimstad ivargrimstad
0
460
AI 駆動開発ライフサイクル(AI-DLC):ソフトウェアエンジニアリングの再構築 / AI-DLC Introduction
Avatar for kanamsasa kanamasa
12
6.4k
そのAIレビュー、レビューしてますか? / Are you reviewing those AI reviews?
Avatar for r-kagaya rkaga
6
4.5k
Fragmented Architectures
Avatar for Denys Poltorak denyspoltorak
0
140
AIによるイベントストーミング図からのコード生成 / AI-powered code generation from Event Storming diagrams
Avatar for nrs nrslib
2
1.8k
Unicodeどうしてる? PHPから見たUnicode対応と他言語での対応についてのお伺い
Avatar for てきめん tekimen youkidearitai
PRO
1
1.1k
AI時代の認知負荷との向き合い方
Avatar for OptFit Corp. optfit
0
130
今こそ知るべき耐量子計算機暗号(PQC)入門 / PQC: What You Need to Know Now
Avatar for mackey0225 mackey0225
3
370
20260127_試行錯誤の結晶を1冊に。著者が解説 先輩データサイエンティストからの指南書 / author's_commentary_ds_instructions_guide
Avatar for nash_efp nash_efp
0
870
カスタマーサクセス業務を変革したヘルススコアの実現と学び
Avatar for Tomoyuki Hamaguchi _hummer0724
0
530
コマンドとリード間の連携に対する脅威分析フレームワーク
Avatar for Aja9tochin pandayumi
1
440

Featured

See All Featured
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.4k
Leadership Guide Workshop - DevTernity 2021
Avatar for David Neal reverentgeek
1
200
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.2k
Building Better People: How to give real-time feedback that sticks.
Avatar for Will Jessup wjessup
370
20k
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
1
97
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
50
First, design no harm
Avatar for Per Axbom axbom
PRO
2
1.1k
Efficient Content Optimization with Google Search Console & Apps Script
Avatar for Katarina Dahlin katarinadahlin
PRO
0
310
Making the Leap to Tech Lead
Avatar for Ryan Cromwell cromwellryan
135
9.7k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
Avatar for Yuki Nakata chikuwait chikuwait
0
320
We Have a Design System, Now What?
Avatar for Morgane Peng morganepeng
54
8k
Stewardship and Sustainability of Urban and Community Forests
Avatar for Eric Wiseman pwiseman
0
110

Transcript

  1. ฏ઒ɹ঵ଠ XSSʹ͍ͭͯઆ໌͠·͢ɻ

  2. XSSͬͯԿͧ΍🤔 • XSS(ΫϩεαΠτεΫϦϓςΟϯά) ܝࣔ൘αΠτ΍TwitterͷΑ͏ͳɺϢʔβʔ͔Βͷೖྗ಺༰ʹΑͬͯද͕ࣔಈతʹมΘΔ Webϖʔδ΍WebΞϓϦέʔγϣϯʹ͓͍ͯɺWebαΠτʢඪతαΠτʣͷ੬ऑੑ ʢXSS੬ऑੑʣΛར༻ͨ͠߈ܸख๏Λࢦ͢ɻ

  3. ߈ܸͷྲྀΕ ᶄϢʔβʔ͕ܝࣔ൘αΠτBΛӾཡ͢Δɻ ᶃ߈ܸऀC͕XSSʹରͯ͠੬ऑੑͷ͋ΔAࣾΛൃݟ͠ɺAࣾʹ ڵຯΛ࣋ͪͦ͏ͳϢʔβʔͷ͍Δܝࣔ൘αΠτBʹ᠘Λ࢓ֻ͚Δ (ྫɿεΫϦϓτ෇͖ϦϯΫΛషΔͳͲ) ᶅܝࣔ൘αΠτB಺ͰεΫϦϓτ࣮ߦ ᶆϢʔβʔ͸εΫϦϓτ৘ใΛ࣋ͬͨ··AࣾͷϖʔδʹҠಈ ʢΫϩεαΠτʣ͢Δɻ ᶇεΫϦϓτͷޮՌʹΑΓʮAࣾͷαΠτͱͯ͠ʯදࣔ͞Εͨ ِαΠτʹδϟϯϓ͢Δɻὃ͞ΕͨϢʔβʔ͕৘ใΛೖྗͨ͠

    ݁ՌɺεΫϦϓτ͕ѱ͞Λ͢Δ ᶈ߈ܸऀCͷखʹΑΓɺϢʔβʔʹର༷ͯ͠ʑͳඃ֐͕ൃੜ ʢϚϧ΢ΣΞײછɾ߈ܸऀC΁ͷ৘ใ࿙ӮͳͲʣ ൓ࣹܕXSS

  4. ߈ܸͷݪҼ XSSͷࠜຊతͳݪҼ͸ɺ߈ܸऀ͕ෆਖ਼ͳεΫϦϓτΛૠೖ͢Δ͜ ͱ͕Ͱ͖Δ؀ڥΛ༩͑ͯ͠·͏͜ͱʹ͋Δɻ XSSʹରͯ͠੬ऑੑΛ࣋ͭಈతαΠτͷ์ஔͰ͋Δɻ ͜ͷεΫϦϓτจষʹ͸ɺΤϯυϢʔβʔଆ͕อ༗͢Δݸਓ৘ใ ΛඪతαΠτͱ͸ผͷαΠτʹૹ৴͢ΔΑ͏ʹઃఆ͞Ε͓ͯΓɺ ͜Ε͕௚઀తͳඃ֐ΛੜΈग़͢ݪҼͱͳ͍ͬͯΔɻ

  5. ߈ܸඃ֐ͷӨڹ XSSʹΑΔ߈ܸ͸ɺඪతαΠτͷΤϯυϢʔβʔ͕ඃ֐Λड͚Δ͜ ͱͰൃੜ͢Δɻ୅දతͳඃ֐ྫͱͯ͠͸ɺ •Cookie৘ใΛར༻ͨ͠ɺͳΓ͢·͠ͷෆਖ਼ΞΫηε (ηογϣϯϋΠδϟοΫ) •HTMLλάΛ࢖ͬͨೖྗϑΥʔϜʹΑΔ৘ใऩू •ِαΠτΛ࢖ͬͨϑΟογϯά࠮ٗ

  6. ඃ֐ࣄྫ YouTubeෆਖ਼ΞΫηεࣄ݅ (2010/7/4ʙ7/5) ถYouTubeΛૂͬͨ߈ܸ͕ൃੜ͠ɺγϣοΫͳ σϚ͕ྲྀΕͨΓɺίϝϯτ͕දࣔ͞Εͳ͘ͳΔ ͳͲͷӨڹ͕޿͕ͬͨɻ χϡʔε଎ใ!! ՎखͷδϟεςΟϯɾϏʔόʔ͕ ަ௨ࣄނͰࢮ๢

  7. ඃ֐ࣄྫ ͜ͷ߈ܸͰ͸YouTubeͷίϝϯτγεςϜʹଘࡏ͢ΔXSSͷ੬ऑੑ͕ ѱ༻͞Εͨɻ ۩ମతʹ͸ɺίϝϯτΞϓϦέʔγϣϯͷग़ྗσʔλͷ҉߸Խॲཧʹ ໰୊͕ଘࡏ͓ͯ͠Γɺ͜ΕΛಥ͍ͯ߈ܸऀ͕CookieΛ౪Έɺ JavaScriptίʔυΛ࢓ࠐΜͰϢʔβʔͷWebϒϥ΢βͰ࣮ߦ͞ΕΔ͜ ͱ͕Ͱ͖ͯ͠·ͬͨͱݟΒΕΔɻ ͦͷଞʹ΋ෆਖ਼ͳϙοϓΞοϓ͕ग़ͨΓɺѱझຯͳWEBαΠτʹϦμ ΠϨΫτ͞ΕͨΓ͢Δέʔε͕૬͍࣍Ͱ͍ͨͱݴΘΕ͍ͯΔɻ

  8. WebαΠτͷ੬ऑੑͷछྨผͷಧग़ঢ়گ 2019೥ୈ4࢛൒ظ(10݄ʙ12݄)

  9. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 1.ೖྗ஋ͷ੍ݶ ྫɿID΍ύεϫʔυΛೖྗ͢ΔϑΥʔϜͰ͸ʮ൒֯ӳ਺ࣈ◦จࣈ·Ͱʯ ͳͲ੍ݶ͢Δ αʔόʔଆͰͷೖྗ஋ͷ੍ݶΛ͢ΔͨΊʹJavaScriptΛ࢖ͬͯϢʔβʔଆͷ ϒϥ΢βͰߦΘͤΔํ๏΋͋Δ͕ɺϢʔβʔ͕JavaScriptΛແޮʹ͍ͯ͠Ε͹ ೖྗ஋ͷ੍ݶ͕ߦΘΕͳ͍ͷͰXSS߈ܸͷର৅ʹͳΒͳ͍ɻ

  10. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 2.αχλΠδϯά(Τεέʔϓ) αΠτͷϑΥʔϜͳͲ΁εΫϦϓτͷߏ੒ʹඞཁͱͳΔจࣈ͕ೖྗ͞Εͨ৔߹ʹɺ ͦͷจࣈΛผͷจࣈ΁ॻ͖׵͑ͯ͠·͏ख๏ͷ͜ͱɻ ͜ΕʹΑΓɺԾʹ߈ܸऀ͕εΫϦϓτΛຒΊࠐ΋͏ͱͯ͠΋ແޮԽ͢Δ͜ͱ͕Ͱ͖ Δɻ ର৅ͷจࣈ ฦؐޙͷจࣈྻ < &lt;

    > &gt; & &amp; “ &quot; ‘ #39; αχλΠδϯά͢΂͖จࣈ͸؀ڥʹΑͬͯҟͳΔ͕ɺ ӈͷද͕୅දతͳྫͰ͢ɻ

  11. ߈ܸ͞Εͳ͍ͨΊͷରࡦ 3.WAF(Web Application Firewall)ͷઃఆ WebΞϓϦέʔγϣϯઐ༻ͷϑΝΠΞ΢ΥʔϧͰ͋Δɻ ϑΝΠΞ΢Υʔϧͱ͍͏ͱɺϙʔτ൪߸΍IPΞυϨεͳͲʹΑΓ߈ܸΛ๷ޚ͢Δ ωοτϫʔΫϨϕϧͷํ͕Α͘஌ΒΕ͍ͯΔɻ͕ͩɺܝࣔ൘ͳͲͰೖྗ͞Εͨ಺ ༰·Ͱ͸νΣοΫ͠ͳ͍ɻͦ͜Ͱ͜ͷWAF͕ඞཁʹͳΔɻ WAF͸ɺWebΞϓϦέʔγϣϯʹର͢Δ௨৴಺༰ΛνΣοΫ͠ɺٙΘ͍͠಺༰͕ ͋Ε͹ϒϩοΫ͢Δ͜ͱ͕ՄೳͰ͋Δɻ

  12. ੬ऑੑΛ೺Ѳ͓ͯ͜͠͏ • XSSͷ੬ऑੑ͸ɺ։ൃऀଆ͕ιʔείʔυΛ֬ೝ͢Δ͜ͱͰ੬ऑੑΛνΣοΫ͢Δ͜ ͱ΋ՄೳͰ͋Δɻ • ੬ऑੑΛ࡞Γࠐ·ͳ͍Α͏։ൃ͢ΔͨΊʹɺIPA(ಠཱߦ੓๏ਓɹ৘ใॲཧਪਐػߏ) ͕ެ։͍ͯ͠Δʮ҆શͳ΢ΣϒαΠτͷ࡞Γํʯ΍ʮIPA ISEC ηΩϡΞɾϓϩάϥ ϛϯάߨ࠲ʯΛࢀߟʹ্ͨ͠ɺඞཁͳ҆શରࡦΛ࣮ࢪͯ͠ɺ։ൃΛҕୗ͢Δ৔߹ʹ΋

    ࣗࣾͰ։ൃ͢Δ৔߹ͱಉ༷ʹ͜ΕΒͷରࡦΛ࣮ࢪ͢Δ͜ͱ͸ΦεεϝͰ͢ɻ

  13. ·ͱΊ • XSS͕ඇৗʹةݥͳαʔόʔ߈ܸͰ͋Δ͜ͱ͸ɺաڈͷେن໛ͳෆਖ਼ΞΫηεࣄ͔݅ Β΋໌Β͔Ͱ͋Δɻ • ݸਓ৘ใͷऩूΛ໨తͱͨ͠߈ܸऀʹΑΓ࣮ߦ͞ΕΔͱɺଟେͳΔඃ֐Λٴ΅͢͜ͱ ʹͳͬͯ͠·͏ɻ • ࠜຊతͳରࡦ͸ઃܭ࣌ͷεΫϦϓτ͔Βݟ௚͢ඞཁ͕͋ΔͨΊʹඇৗʹ೉͍͠໰୊ͳ ͷͰɺαΠτͷ੍࡞ऀ͸͔ͬ͠Γͱ৘ใΛௐ͔ࠪͯ͠Βͷ࡞੒͕ඞཁͰ͋Δɻ

    • Ϣʔβʔଆ͸ΤϯυϙΠϯτͷηΩϡϦςΟιϑτΛಋೖ͢ΔͳͲɺجຊతͳηΩϡ ϦςΟରࡦ͸ߦ͓ͬͯ͘͜ͱ͕ॏཁͰ͋Δɻ

  14. ࢀߟʹͨ͠αΠτɾॻ੶ • αΠτ ɹCyber security.com ʮΫϩεαΠτεΫϦϓςΟϯάͱ͸?ʯ࢓૊Έࣄྫ͔Βߟ͑Δରࡦ • ॻ੶ ʰ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํʱ120ʙ149ϖʔδ

  15. 🙇͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠🙇