Upgrade to Pro — share decks privately, control downloads, hide ads and more …

実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss

mala
September 26, 2016
Programming
25
8.4k

実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss

LINE Developer Meetup in Fukuoka #16
http://connpass.com/event/38413/

mala

September 26, 2016
Tweet

More Decks by mala

See All by mala
The Evolution of Alert & Notification System / Becks Japan #1
mala
11
8.1k
TBD/Shibuya.XSS techtalk #8
mala
5
2.2k
超絶技巧CSRF / Shibuya.XSS techtalk #7
mala
40
13k
How to hack metacpan.org
mala
7
1.2k
SECCON2013 slide
mala
14
2.6k

Other Decks in Programming

See All in Programming
UICollectionViewのAPIを活用してシンプルなコードにリファクタリングする
hicka04
1
530
Kotlinにおける型の世界と エラーハンドリング / Type World and Error Handling in Kotlin
makomakok
0
210
Compose で手に入れた UI の Unit test
mkeeda
1
330
たのしいRubyの構文解析ツアー
coe401_
1
610
鹿児島Ruby会議02
ericgpks
1
750
Recon Slides by Anon_Y0gi
y0gi
0
210
Blazor WASMのアプリをMAUI Blazorに移行してみる
tomokusaba
0
140
日常業務のカイゼンで図る開発チームへの貢献 - YAPC::Kyoto 2023
koluku
3
260
nekoIoTLT_CatAndColorSensor
nearmugi
0
570
コルーチンのエラーをテストするためのTips / Tips for testing Kotlin Coroutine errors
tkmnzm
0
150
PDF_TDX_2023_Apex__What_s_New_and_What_s_Coming.pdf
fishofprey
3
780
ANDPADの攻めと守り
andpad
1
260

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
74
4.4k
Writing Fast Ruby
sferik
613
58k
What the flash - Photography Introduction
edds
64
10k
Building Adaptive Systems
keathley
28
1.4k
Fantastic passwords and where to find them - at NoRuKo
philnash
32
1.9k
No one is an island. Learnings from fostering a developers community.
thoeni
12
1.6k
How to Ace a Technical Interview
jacobian
270
22k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
38
3.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
22
1.7k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.7k
Three Pipe Problems
jasonvnalue
89
9k
StorybookのUI Testing Handbookを読んだ
zakiyama
8
3.4k

Transcript

  1. ࣮ྫʹֶͿXSS੬ऑੑͷ
    ൃݟͱमਖ਼ํ๏
    ma.la

    View Slide

  2. ςʔϚ
    • ͍͔ͭ͘ࠓ·ͰXSSʹؔͯ͠ൃද͖ͯͨ͠(AppSec,AVTokyo, etc)
    • ओʹ޿ൣͳαΠτʹӨڹ͢ΔϥΠϒϥϦͷ੬ऑੑͳͲΛղઆ
    • ࠓճ͸ൃݟํ๏΍ࣄྫʹ͍ͭͯத৺ʹղઆ
    • αΠτ։ൃऀଆͰͷରࡦ͕ඞཁͳՕॴ

    View Slide

  3. Part0. XSSͬͯԿ
    • αʔϏεΛఏڙ͍ͯ͠ΔυϝΠϯ্Ͱɺ೚ҙͷJavaScriptίʔυ͕࣮ߦ
    Ͱ͖Δ੬ऑੑ
    • ͦͷυϝΠϯͰදࣔ͞ΕΔ৘ใΛ౪Έग़ͨ͠Γɺউखʹߋ৽͢Δ͜ͱ͕
    ग़དྷΔ
    • डಈత߈ܸ: ඃ֐Λड͚Δͷ͸߈ܸϦϯΫΛ౿ΜͩϢʔβʔ

    View Slide

  4. Part1. How to find XSS

    View Slide

  5. ίʔυϨϏϡʔͷϙΠϯτ
    • ೖྗՕॴͱධՁ͢ΔՕॴʹ஫໨͢Δ
    • source ͱ sink ͱݺ͹ΕͨΓ͢Δ

    View Slide

  6. ୯७ͳXSSͷ৔߹
    • αʔόʔଆͷHTML templateͰͷग़ྗՕॴɺධՁՕॴ΋ಉ͡
    • ग़ྗՕॴͰhtml tag΍scriptΛදࣔ

    • ίʔυΛ௥͍͚ͬͯ͹େମશ෦ݟ͔ͭΔ
    • Ұ෦Λআ͖ɺࣗಈΤεέʔϓͰશ෦௚Δ

    View Slide

  7. ୯७Ͱ͸ͳ͍XSSͷࣄྫ
    • JavaScriptίʔυͷಈతੜ੒
    • URLͷՕॴʹ javascript:xxx
    • HTML escapeͰ๷͛ͳ͍
    • DOM based XSSͱݺ͹ΕΔ΋ͷ

    View Slide

  8. DOM based XSSͷ৔߹
    • ೖྗՕॴͱධՁ͢ΔՕॴ͕ҧ͏
    • JavaScriptͷίʔυΛ௥Θͳ͍ͱ෼͔Βͳ͍
    • ൃݟ͕೉͍͠ݪҼ

    View Slide

  9. ೖྗՕॴͷྫ
    location.* (location.href, location.hash, etc)
    document.* (document.URL, document.cookie, etc)
    window.name

    View Slide

  10. ධՁ͢ΔՕॴͷྫ
    ೖྗ͞Εͨύϥϝʔλ͕ग़ྗ͞ΕΔՕॴ
    URLͱͯ͠ධՁɺJavaScriptίʔυͱͯ͠ධՁɺHTMLͱͯ͠ධՁ

    View Slide

  11. URLͱͯ͠ධՁ
    • location.href = , iframe.src =
    • ajax, XMLHttpRequest ͰͷಡΈࠐΈ
    • etc

    View Slide

  12. ίʔυͱͯ͠ධՁ
    • ίʔυΛಈతʹੜ੒͢ΔΑ͏ͳ࢖͍ํ (͋·Γແ͍)
    • eval()
    • จࣈྻͰͷ setTimeout() setInterval() (͋·Γ࢖ΘΕͳ͍)
    • Function() (͋·Γ࢖ΘΕͳ͍)
    • etc

    View Slide

  13. HTMLग़ྗ
    • innerHTML =
    • document.write()
    • jQuery() $() $(el).html()
    • ֤छςϯϓϨʔτΛ࢖ͬͨग़ྗ
    • etc

    View Slide

  14. ίʔυͷྲྀΕΛ௥͍ͬͯ͘
    • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏
    • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠
    • ag innerHTML | ag -v "safe"
    • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

    View Slide

  15. ݟམͱ͕ͪ͠ͳϙΠϯτ

    View Slide

  16. document.cookie / localStorage
    • ݕࡧΩʔϫʔυ΍ཤྺΛอ࣋͢Δػೳ
    • ೚ҙͷ஋Λอଘग़དྷΔ͜ͱ͕͋Δ
    • ೖྗ࣌ͱग़ྗ࣌Ͱ͕࣌ؒࠩൃੜ͢Δ͜ͱ͕͋Δ

    View Slide

  17. Persistent DOM XSS
    • DOM based XSSͷӬଓԽ͕Մೳ
    • cookie / localStorageʹ߈ܸ༻ͷίʔυΛอଘ
    • දࣔ͢Δͨͼʹ࣮ߦ͞ΕΔΑ͏ͳέʔε
    • → ࣗࣾͰͷࣄྫ΍ɺ޿ࠂωοτϫʔΫͷiframeͰ࣮ྫ͋Γ

    View Slide

  18. ಛʹ cookie ͷ৔߹
    • αϒυϝΠϯ͔ΒͰ΋ઃఆ͕Մೳ
    • vuln.example.com → .example.com
    • ੬ऑੑͷ͋ΔαϒυϝΠϯ͔ΒcookieΛset

    • ߈ܸର৅ͷυϝΠϯͰ cookie ىҼͷ DOM based XSS

    • MITM attackͰ΋cookieͷઃఆ͕Մೳ

    View Slide

  19. CookieΛ࢖ͬͨ߈ܸ (XSS or ServerSide)
    • ͦͷαʔϏεͰ͸৴༻Ͱ͖Δ஋͔͠ग़ྗ͠ͳ͍৔߹Ͱ΋XSSՄೳ
    • MITMͰͷcookieઃఆ → HSTS include subdomainΛ࢖Θͳ͍ͱ๷͛ͳ͍
    • JS Ͱ΋serverͰ΋৴པͰ͖ͳ͍஋͕ೖΔ͜ͱΛલఏʹઃܭ͢Δඞཁ͕͋Δ

    • ࡉ޻ͨ͠cookieΛ࢖ͬͨremote code executionͷࣄྫ͍͔ͭ͋͘Γ

    View Slide

  20. Part2. मਖ਼ํ๏

    View Slide

  21. ग़ྗՕॴʹԠͯ҆͡શʹ͢Δ
    • ධՁ͞ΕΔίϯςΩετʹԠͯ͡ରࡦ͸ҧ͏
    • શͯʹରͯ͠༗ޮͳvalidation΍escape rule͸ଘࡏ͠ͳ͍
    • յΕͯ΋ྑ͍ͳΒҰ཯ϑΟϧλ͢ΔΑ͏ͳॲཧ͸࡞ΕΔ

    <> ͕ೖྗ͞Ε͍ͯΔͱ໰౴ແ༻ͰΤϥʔʂ

    View Slide

  22. JavaScriptͷม਺ग़ྗ
    • ͦ΋ͦ΋ආ͚Δ
    • data-xxx="html escaped value" ͰຒΊࠐΈΛਪ঑
    • ಉ͡escape ruleͰରԠՄೳɺίϯςΩετΛҙࣝ͠ͳ͍͍ͯ͘
    • Ͳ͏ͯ͠΋ඞཁͰ͋Ε͹ɺhtml escapeͰ͸ͳ͘js escape

    View Slide

  23. URLΛग़ྗ͢Δ৔߹
    • javascript: xxx ͕ೖͬͯ͸͍͚ͳ͍
    • ̋ validation ruleΛ࡞ͬͯద༻͢Δ
    • HTML Escape / JS escape ͚ͩͰ͸ෆे෼
    • URLΛೖग़ྗ͢ΔΑ͏ͳՕॴ͸ɺͲͷΈͪvalidation͕͋Δ͸ͣ

    View Slide

  24. ίʔυΛੜ੒͢Δ৔߹
    • eval() ͦ΋ͦ΋࢖Θͳ͍Α͏ʹ͢Δ
    • JSON.parseͷ୅༻ͱͯ͠ɺͨ·ʹݟΔ

    → ΋͏͍Βͳ͍ɺpolyfill࢖༻͢Ε͹Α͍

    View Slide

  25. HTMLΛग़ྗ͢Δ৔߹
    • innerHTMLΛͳΔ΂͘࢖Θͳ͍(࠷ऴతͳग़ྗ࣌ͷΈ)
    • ࣗಈescapeՄೳͳtemplate engine࢖͏ → mustache ͳͲ
    • jQuery ͷ html() → ෆཁͰ͋Ε͹ text() ʹஔ͖׵͑Δ
    • html() ͷଟ༻͸ϨϏϡʔͷෛ୲ʹͳΔ

    View Slide

  26. XSSͷݟ͚ͭํͱ௚͠ํ͸ಉ͡
    • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏
    • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠
    • ag innerHTML | ag -v "safe"
    • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

    View Slide

  27. मਖ਼ํ๏ͷϙΠϯτ
    • ։ൃऀ͔Βݟͯ҆શ != ϨϏϡΞʔ͔Βݟͯ҆શ

    • ։ൃऀ͸ةݥ͕ແ͍ύϥϝʔλͱ஌͍ͬͯͯ΋ύοͱݟͰ͸Θ͔Βͳ͍

    • ιʔείʔυݕࡧͰɺո͍͠Օॴ͕ݟ͔ͭΒͳ͍ঢ়ଶ
    • ϨϏϡʔ͠΍͍͢ίʔυʹ͢Δ → ࣗ෼Ͱ΋ίʔυݕࡧͯ͠ΈΔͱྑ͍

    View Slide

  28. Part3. ൃੜཁҼͷ܏޲
    • ͲͷλΠϛϯάͰԿʹ஫ҙ͢Ε͹ྑ͍ͷ͔෼͔Βͳ͍
    • ةݥͳ͜ͱΛ͍ͯ͠Δ͕֮ࣗͳ͍
    • ʮԿΛ͠Α͏ͱͯ͠ى͖ͨͷ͔ʯΛओ࣠ʹղઆ

    View Slide

  29. ࣄྫ: ݕࡧΩʔϫʔυͷදࣔ
    • ϦϑΝϥ͔Βऔಘ
    • ݕࡧΫΤϦ͔Βͷऔಘ
    • ޿ࠂ࠷దԽ༻ͷύϥϝʔλ΍ΩʔϫʔυϋΠϥΠτͰ࢖͍ͬͯͨ
    • ऩӹ૿ՃͷͨΊʹ͋ΒΏΔαʔϏεʹXSS͕௥Ճ͞Ε͍ͯͨ

    View Slide

  30. ۩ମྫ
    var keyword = '[% param.keyword | html %]'; // ͜Ε͕

    ↓

    var keyword = ''; alert(1); ''; // ͜͏ͳΔ
    • ౰࣌࢖͍ͬͯͨςϯϓϨʔτΤϯδϯ͕ɺγϯάϧΫΦʔτΛΤεέʔ
    ϓ͠ͳ͔ͬͨ
    • ࠓͰ͸͋·ΓΈͳ͍
    • ϦϑΝϥ͔Βऔಘ͢Δ΋ͷ͸ → DOM based XSSʹ

    View Slide

  31. ϦϑΝϥΛ࢖ͬͨXSS
    • ϦϑΝϥ͔ΒΩʔϫʔυऔಘͯ͠Φεεϝهࣄදࣔ
    • ϦϑΝϥʹ ه߸΍HTMLλά͕ೖΔ͜ͱΛ૝ఆ͍ͯ͠ͳ͍

    View Slide

  32. ֶͼ
    • ϓϥεΞϧϑΝͷػೳͰXSS͕ى͖͍ͯΔ
    • αʔϏεͷຊମͷػೳ͡Όͳ͍෦෼Ͱ͍ͭͷؒʹ͔XSS͕ग़དྷͯΔ
    • ։ൃ͸ऴΘͬͯΔΜ͚ͩͲɺ༉அͯ͠Δͱ͜ΖͰɻɻ
    • ιʔγϟϧϘλϯ௥Ճ → ݱࡏͷURLΛdocument.writeͰग़ྗɺ౳

    View Slide

  33. ࣄྫ: HTML EntityͷղऍΛ͍ͨ͠
    • $(el).text() Λ࢖ͬͯද͍ࣔͯͨ͠Β HTML࣮ମࢀরɺ਺஋ࢀরจࣈ͕ද
    ࣔ͞Εͳ͘ͳͬͨ
    • ͜͏͍͏ͷͶ B'z → B'z
    • → $(el).html() ʹมߋ΍ɺࣗಈΤεέʔϓ֎͢ॲཧΛೖΕͯ͠·͏
    • Ϣʔβʔೖྗ͕ೖΒͳ͍͔Ͳ͏͔֬ೝ͕ඞཁ
    • ҆શͳೖྗՕॴͰ͋ͬͯ΋ϨϏϡʔ͕େมʹͳΔ

    View Slide

  34. Ͳ͏͢Ε͹ྑ͍ʁ
    • HTML entityͷղऍͷͨΊʹɺhtml() Λ࢖Θͳ͍ɻ
    • html() Λ࢖͏ͱɺ͋Δ೔ಥવةݥʹͳΔ
    • ඞཁͳॲཧ͸htmlग़ྗͰ͸ͳ͘ɺdecode html entities
    • textarea hack $("").html(value).text()

    View Slide

  35. ࣅͨࣄྫ: escapeํࣜͷมߋ
    • αʔόʔαΠυͰ΋ΤεέʔϓɺjsͰͷग़ྗͰ΋Τεέʔϓ
    • ೋॏescapeʹͳͬͯ͠·ͬͨʂ & ΍ " ͳͲ͕ը໘ʹදࣔ͞Ε
    Δ
    • html escape → js escape ΁ͷมߋ
    • ͜Εࣗମ͸ਖ਼͍͕͠ɺຊ౰ʹେৎ෉ʁ

    View Slide

  36. escapeํࣜมߋʹ൐͏໰୊
    • A: ̋ js escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ
    • B: ˚ html escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ → 

    ೋॏescape
    • C: ☓ js escapeͰม਺ຒΊࠐΈ → innerHTML ΍ $() html() Ͱग़ྗՕॴ͕͋Δ

    View Slide

  37. Կ͕໰୊͔ʁ
    • ೋॏΤεέʔϓ͸όά͚ͩͲ XSS ͸੬ऑੑ
    • B → C ʹѱԽ͢ΔՄೳੑ͕͋Δ (όάΛ௚ͯ͠੬ऑੑ͕ൃݱ)
    • पลՕॴͷϨϏϡʔ΋ηοτͰߦΘͳ͍ͱμϝ

    View Slide

  38. ֶͼ
    • ද͕ࣔόάͬͯ·͢ → ҰൠϢʔβʔ΍QA͔Βͷใࠂ
    • ରॲྍ๏తʹ௚͢ɺ෼͔ͬͯΔਓ͕ϨϏϡʔ͠ͳ͍··ద༻
    • ೋॏΤεέʔϓόά͕XSSͱͯ͠ѱԽͯ͠͠·͏
    • ௚ͨ͠ຊਓ͸όάΛ௚ͨͭ͠΋Γ

    View Slide

  39. ࣄྫ: ίϝϯτΞ΢τ
    ׂͱ௝͍͠λΠϓ

    View Slide

  40. JavaScriptதͷม਺ग़ྗՕॴͷίϝϯτΞ΢τ
    • /* */ Λ࢖͏έʔε
    • */ ΛೖΕΔ͜ͱͰίϝϯτΛڧ੍ऴྃ͢Δ
    /* var keyword = '[% keyword %]' */

    /* var keyword = '*/ alert(1) /*' */

    View Slide

  41. // Λ࢖͏έʔε
    • վߦͰಥഁՄೳ
    // var keyword = '

    alert(1)//‘
    • U+2028 / U+2029 Ͱ΋ಥഁՄೳ
    • վߦΛϑΟϧλͳΜͯத్൒୺ͳ͜ͱ͸͠ͳ͍Α͏ʹɻ

    View Slide

  42. ίϝϯτΞ΢τ໰୊
    • jsͷಈతੜ੒ɺม਺ຒΊࠐΈΛ΍ΊΔɺͱ͍͏ݪଇͰରԠՄೳ
    • ม਺ग़ྗՕॴͷจ຺Λҙࣝ͢Δ͜ͱͰ๷͙ → ೉͍͠

    • JavaScriptத͔ͩΒjs escape!! ͱ͍͏ܒ໤͕ग़དྷ͍ͯͯ΋ൃੜ͢Δ
    • ͦ΋ͦ΋ίϝϯτΞ΢τ͠ͳ͍Ͱؙ͝ͱফ͢ɺgitʹϩά࢒Δ

    View Slide

  43. ࣄྫ: ίϯςϯπͷಈతͳϩʔυ
    • HTMLஅยΛදࣔ͢ΔΑ͏ͳέʔε
    • Single page appͷྲྀߦͰଟ͘ͳͬͨ → router͕ͪΌΜͱॻ͔Ε͍ͯ
    Ε͹੬ऑੑ͸গͳ͍
    • ͪΐͬͱલʹ࡞ΒΕͨΑ͏ͳαΠτɺlocation.hash ͔Βऔಘ
    • ΞχϝެࣜαΠτ΍ϥϯσΟϯάϖʔδͳͲͰΑ͘ݟΔ

    View Slide

  44. HTMLஅยϩʔυͷ໰୊఺
    • ಉҰυϝΠϯʹ੍ݶ͍ͯͯ͠΋҆શͰ͸ͳ͍έʔε͕͋Δ
    • ಉҰυϝΠϯʹΦʔϓϯϦμΠϨΫλ
    • ಉҰυϝΠϯͰ <> ΛؚΉίϯςϯπΛಈతੜ੒Մೳ(JSONP API౳)
    • ඞཁͳ͜ͱ → ૝ఆͨ͠path͔Ͳ͏͔ͷݫ֨ͳνΣοΫ

    View Slide

  45. ϥΠϒϥϦͰͷ໰୊
    • ಉҰυϝΠϯͷίϯςϯπ͸҆શͰ͋Δɺͱ͍͏ࢥ͍ࠐΈ
    • jQuery mobile → ϋογϡࢦఆͰಉҰυϝΠϯ಺ϩʔυ
    • Rails ͷ turbolinks → ϦϯΫઌΛAjaxͰಡΈࠐΜͰߴ଎Խ
    • ύονॻ͍ͨΓͨ͠ (ಈతϩʔυΛߦͳ͏content-typeͷ੍ݶ)

    View Slide

  46. ·ͱΊ
    • XSS͸΍΍ͯ͘͜͠೉͍͠
    • ҆શʹ͢ΔͨΊͷγϯϓϧͳݪଇ͸͋Δ
    • ಈతͳίʔυੜ੒Λආ͚ΔɺࣗಈΤεέʔϓΛ࢖͏
    • + ݪଇΛ֎Εͨ࣌ʹةݥͩͱ࡯஌͢Δηϯε͕ඞཁ

    View Slide