Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSについて説明します
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
hirari123
March 18, 2021
Programming
89
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSSについて説明します
非エンジニアがXSS(クロスサイトスクリプティング)について調べてみて説明しました。
hirari123
March 18, 2021
Other Decks in Programming
See All in Programming
鹿野さんに聞く!『TypeScriptコードレシピ集』で磨く実践力
tonkotsuboy_com
4
860
IBM Bobを活用したレガシーアプリの最新化
oniak3ibm
PRO
1
220
作って学ぶ、 JSX (TSX) ランタイムの基本
syumai
7
1.7k
はてなアカウント基盤 State of the Union
cockscomb
1
950
Contextとはなにか
chiroruxx
1
380
AI 輔助遺留系統現代化的經驗分享
jame2408
1
1.1k
AIで効率化できた業務・日常
ochtum
0
150
Semantic Version 単位で戦略を柔軟に変えて、パッケージアップデートを自動化する
daitasu
1
310
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
manfredsteyer
PRO
0
200
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
130
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
250
JavaDoc 再入門
nagise
1
420
Featured
See All Featured
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
ryanjones
0
170
Music & Morning Musume
bryan
47
7.2k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
170
The Mindset for Success: Future Career Progression
greggifford
PRO
0
370
Optimising Largest Contentful Paint
csswizardry
37
3.7k
The untapped power of vector embeddings
frankvandijk
2
1.8k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
1
1.8k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
kimpetersen
PRO
1
750
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
aleyda
1
2k
Building Adaptive Systems
keathley
44
3.1k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Designing Powerful Visuals for Engaging Learning
tmiket
1
430
Transcript
ฏɹଠ XSSʹ͍ͭͯઆ໌͠·͢ɻ
XSSͬͯԿͧ🤔 • XSS(ΫϩεαΠτεΫϦϓςΟϯά) ܝࣔ൘αΠτTwitterͷΑ͏ͳɺϢʔβʔ͔Βͷೖྗ༰ʹΑͬͯද͕ࣔಈతʹมΘΔ WebϖʔδWebΞϓϦέʔγϣϯʹ͓͍ͯɺWebαΠτʢඪతαΠτʣͷ੬ऑੑ ʢXSS੬ऑੑʣΛར༻ͨ͠߈ܸख๏Λࢦ͢ɻ
߈ܸͷྲྀΕ ᶄϢʔβʔ͕ܝࣔ൘αΠτBΛӾཡ͢Δɻ ᶃ߈ܸऀC͕XSSʹରͯ͠੬ऑੑͷ͋ΔAࣾΛൃݟ͠ɺAࣾʹ ڵຯΛ࣋ͪͦ͏ͳϢʔβʔͷ͍Δܝࣔ൘αΠτBʹ᠘Λֻ͚Δ (ྫɿεΫϦϓτ͖ϦϯΫΛషΔͳͲ) ᶅܝࣔ൘αΠτBͰεΫϦϓτ࣮ߦ ᶆϢʔβʔεΫϦϓτใΛ࣋ͬͨ··AࣾͷϖʔδʹҠಈ ʢΫϩεαΠτʣ͢Δɻ ᶇεΫϦϓτͷޮՌʹΑΓʮAࣾͷαΠτͱͯ͠ʯදࣔ͞Εͨ ِαΠτʹδϟϯϓ͢Δɻὃ͞ΕͨϢʔβʔ͕ใΛೖྗͨ͠
݁ՌɺεΫϦϓτ͕ѱ͞Λ͢Δ ᶈ߈ܸऀCͷखʹΑΓɺϢʔβʔʹର༷ͯ͠ʑͳඃ͕ൃੜ ʢϚϧΣΞײછɾ߈ܸऀCͷใ࿙ӮͳͲʣ ࣹܕXSS
߈ܸͷݪҼ XSSͷࠜຊతͳݪҼɺ߈ܸऀ͕ෆਖ਼ͳεΫϦϓτΛૠೖ͢Δ͜ ͱ͕Ͱ͖ΔڥΛ༩͑ͯ͠·͏͜ͱʹ͋Δɻ XSSʹରͯ͠੬ऑੑΛ࣋ͭಈతαΠτͷ์ஔͰ͋Δɻ ͜ͷεΫϦϓτจষʹɺΤϯυϢʔβʔଆ͕อ༗͢Δݸਓใ ΛඪతαΠτͱผͷαΠτʹૹ৴͢ΔΑ͏ʹઃఆ͞Ε͓ͯΓɺ ͜Ε͕తͳඃΛੜΈग़͢ݪҼͱͳ͍ͬͯΔɻ
߈ܸඃͷӨڹ XSSʹΑΔ߈ܸɺඪతαΠτͷΤϯυϢʔβʔ͕ඃΛड͚Δ͜ ͱͰൃੜ͢Δɻදతͳඃྫͱͯ͠ɺ •CookieใΛར༻ͨ͠ɺͳΓ͢·͠ͷෆਖ਼ΞΫηε (ηογϣϯϋΠδϟοΫ) •HTMLλάΛͬͨೖྗϑΥʔϜʹΑΔใऩू •ِαΠτΛͬͨϑΟογϯάٗ
ඃࣄྫ YouTubeෆਖ਼ΞΫηεࣄ݅ (2010/7/4ʙ7/5) ถYouTubeΛૂͬͨ߈ܸ͕ൃੜ͠ɺγϣοΫͳ σϚ͕ྲྀΕͨΓɺίϝϯτ͕දࣔ͞Εͳ͘ͳΔ ͳͲͷӨڹ͕͕ͬͨɻ χϡʔεใ!! ՎखͷδϟεςΟϯɾϏʔόʔ͕ ަ௨ࣄނͰࢮ
ඃࣄྫ ͜ͷ߈ܸͰYouTubeͷίϝϯτγεςϜʹଘࡏ͢ΔXSSͷ੬ऑੑ͕ ѱ༻͞Εͨɻ ۩ମతʹɺίϝϯτΞϓϦέʔγϣϯͷग़ྗσʔλͷ҉߸Խॲཧʹ ͕ଘࡏ͓ͯ͠Γɺ͜ΕΛಥ͍ͯ߈ܸऀ͕CookieΛ౪Έɺ JavaScriptίʔυΛࠐΜͰϢʔβʔͷWebϒϥβͰ࣮ߦ͞ΕΔ͜ ͱ͕Ͱ͖ͯ͠·ͬͨͱݟΒΕΔɻ ͦͷଞʹෆਖ਼ͳϙοϓΞοϓ͕ग़ͨΓɺѱझຯͳWEBαΠτʹϦμ ΠϨΫτ͞ΕͨΓ͢Δέʔε͕૬͍࣍Ͱ͍ͨͱݴΘΕ͍ͯΔɻ
WebαΠτͷ੬ऑੑͷछྨผͷಧग़ঢ়گ 2019ୈ4࢛ظ(10݄ʙ12݄)
߈ܸ͞Εͳ͍ͨΊͷରࡦ 1.ೖྗͷ੍ݶ ྫɿIDύεϫʔυΛೖྗ͢ΔϑΥʔϜͰʮ֯ӳࣈ◦จࣈ·Ͱʯ ͳͲ੍ݶ͢Δ αʔόʔଆͰͷೖྗͷ੍ݶΛ͢ΔͨΊʹJavaScriptΛͬͯϢʔβʔଆͷ ϒϥβͰߦΘͤΔํ๏͋Δ͕ɺϢʔβʔ͕JavaScriptΛແޮʹ͍ͯ͠Ε ೖྗͷ੍ݶ͕ߦΘΕͳ͍ͷͰXSS߈ܸͷରʹͳΒͳ͍ɻ
߈ܸ͞Εͳ͍ͨΊͷରࡦ 2.αχλΠδϯά(Τεέʔϓ) αΠτͷϑΥʔϜͳͲεΫϦϓτͷߏʹඞཁͱͳΔจࣈ͕ೖྗ͞Εͨ߹ʹɺ ͦͷจࣈΛผͷจࣈॻ͖͑ͯ͠·͏ख๏ͷ͜ͱɻ ͜ΕʹΑΓɺԾʹ߈ܸऀ͕εΫϦϓτΛຒΊࠐ͏ͱͯ͠ແޮԽ͢Δ͜ͱ͕Ͱ͖ Δɻ ରͷจࣈ ฦؐޙͷจࣈྻ < <
> > & & “ " ‘ #39; αχλΠδϯά͖͢จࣈڥʹΑͬͯҟͳΔ͕ɺ ӈͷද͕දతͳྫͰ͢ɻ
߈ܸ͞Εͳ͍ͨΊͷରࡦ 3.WAF(Web Application Firewall)ͷઃఆ WebΞϓϦέʔγϣϯઐ༻ͷϑΝΠΞΥʔϧͰ͋Δɻ ϑΝΠΞΥʔϧͱ͍͏ͱɺϙʔτ൪߸IPΞυϨεͳͲʹΑΓ߈ܸΛޚ͢Δ ωοτϫʔΫϨϕϧͷํ͕Α͘ΒΕ͍ͯΔɻ͕ͩɺܝࣔ൘ͳͲͰೖྗ͞Εͨ ༰·ͰνΣοΫ͠ͳ͍ɻͦ͜Ͱ͜ͷWAF͕ඞཁʹͳΔɻ WAFɺWebΞϓϦέʔγϣϯʹର͢Δ௨৴༰ΛνΣοΫ͠ɺٙΘ͍͠༰͕ ͋ΕϒϩοΫ͢Δ͜ͱ͕ՄೳͰ͋Δɻ
੬ऑੑΛѲ͓ͯ͜͠͏ • XSSͷ੬ऑੑɺ։ൃऀଆ͕ιʔείʔυΛ֬ೝ͢Δ͜ͱͰ੬ऑੑΛνΣοΫ͢Δ͜ ͱՄೳͰ͋Δɻ • ੬ऑੑΛ࡞Γࠐ·ͳ͍Α͏։ൃ͢ΔͨΊʹɺIPA(ಠཱߦ๏ਓɹใॲཧਪਐػߏ) ͕ެ։͍ͯ͠Δʮ҆શͳΣϒαΠτͷ࡞ΓํʯʮIPA ISEC ηΩϡΞɾϓϩάϥ ϛϯάߨ࠲ʯΛࢀߟʹ্ͨ͠ɺඞཁͳ҆શରࡦΛ࣮ࢪͯ͠ɺ։ൃΛҕୗ͢Δ߹ʹ
ࣗࣾͰ։ൃ͢Δ߹ͱಉ༷ʹ͜ΕΒͷରࡦΛ࣮ࢪ͢Δ͜ͱΦεεϝͰ͢ɻ
·ͱΊ • XSS͕ඇৗʹةݥͳαʔόʔ߈ܸͰ͋Δ͜ͱɺաڈͷେنͳෆਖ਼ΞΫηεࣄ͔݅ Β໌Β͔Ͱ͋Δɻ • ݸਓใͷऩूΛతͱͨ͠߈ܸऀʹΑΓ࣮ߦ͞ΕΔͱɺଟେͳΔඃΛٴ΅͢͜ͱ ʹͳͬͯ͠·͏ɻ • ࠜຊతͳରࡦઃܭ࣌ͷεΫϦϓτ͔Βݟ͢ඞཁ͕͋ΔͨΊʹඇৗʹ͍͠ͳ ͷͰɺαΠτͷ੍࡞ऀ͔ͬ͠ΓͱใΛௐ͔ࠪͯ͠Βͷ࡞͕ඞཁͰ͋Δɻ
• ϢʔβʔଆΤϯυϙΠϯτͷηΩϡϦςΟιϑτΛಋೖ͢ΔͳͲɺجຊతͳηΩϡ ϦςΟରࡦߦ͓ͬͯ͘͜ͱ͕ॏཁͰ͋Δɻ
ࢀߟʹͨ͠αΠτɾॻ੶ • αΠτ ɹCyber security.com ʮΫϩεαΠτεΫϦϓςΟϯάͱ?ʯΈࣄྫ͔Βߟ͑Δରࡦ • ॻ੶ ʰ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํʱ120ʙ149ϖʔδ
🙇͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠🙇