実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss

Transcript

1. ࣮ྫʹֶͿXSS੬ऑੑͷ ൃݟͱमਖ਼ํ๏ ma.la

2. ςʔϚ • ͍͔ͭ͘ࠓ·ͰXSSʹؔͯ͠ൃද͖ͯͨ͠(AppSec,AVTokyo, etc) • ओʹ޿ൣͳαΠτʹӨڹ͢ΔϥΠϒϥϦͷ੬ऑੑͳͲΛղઆ • ࠓճ͸ൃݟํ๏΍ࣄྫʹ͍ͭͯத৺ʹղઆ • αΠτ։ൃऀଆͰͷରࡦ͕ඞཁͳՕॴ

3. Part0. XSSͬͯԿ • αʔϏεΛఏڙ͍ͯ͠ΔυϝΠϯ্Ͱɺ೚ҙͷJavaScriptίʔυ͕࣮ߦ Ͱ͖Δ੬ऑੑ • ͦͷυϝΠϯͰදࣔ͞ΕΔ৘ใΛ౪Έग़ͨ͠Γɺউखʹߋ৽͢Δ͜ͱ͕ ग़དྷΔ • डಈత߈ܸ:

   ඃ֐Λड͚Δͷ͸߈ܸϦϯΫΛ౿ΜͩϢʔβʔ

4. Part1. How to find XSS

5. ίʔυϨϏϡʔͷϙΠϯτ • ೖྗՕॴͱධՁ͢ΔՕॴʹ஫໨͢Δ • source ͱ sink ͱݺ͹ΕͨΓ͢Δ

6. ୯७ͳXSSͷ৔߹ • αʔόʔଆͷHTML templateͰͷग़ྗՕॴɺධՁՕॴ΋ಉ͡ • ग़ྗՕॴͰhtml tag΍scriptΛදࣔ
 • ίʔυΛ௥͍͚ͬͯ͹େମશ෦ݟ͔ͭΔ •

   Ұ෦Λআ͖ɺࣗಈΤεέʔϓͰશ෦௚Δ

7. ୯७Ͱ͸ͳ͍XSSͷࣄྫ • JavaScriptίʔυͷಈతੜ੒ • URLͷՕॴʹ javascript:xxx • HTML escapeͰ๷͛ͳ͍ •

   DOM based XSSͱݺ͹ΕΔ΋ͷ

8. DOM based XSSͷ৔߹ • ೖྗՕॴͱධՁ͢ΔՕॴ͕ҧ͏ • JavaScriptͷίʔυΛ௥Θͳ͍ͱ෼͔Βͳ͍ • ൃݟ͕೉͍͠ݪҼ

9. ೖྗՕॴͷྫ location.* (location.href, location.hash, etc) document.* (document.URL, document.cookie, etc) window.name

10. ධՁ͢ΔՕॴͷྫ ೖྗ͞Εͨύϥϝʔλ͕ग़ྗ͞ΕΔՕॴ URLͱͯ͠ධՁɺJavaScriptίʔυͱͯ͠ධՁɺHTMLͱͯ͠ධՁ

11. URLͱͯ͠ධՁ • location.href = , iframe.src = • ajax, XMLHttpRequest

    ͰͷಡΈࠐΈ • etc

12. ίʔυͱͯ͠ධՁ • ίʔυΛಈతʹੜ੒͢ΔΑ͏ͳ࢖͍ํ (͋·Γແ͍) • eval() • จࣈྻͰͷ setTimeout() setInterval()

    (͋·Γ࢖ΘΕͳ͍) • Function() (͋·Γ࢖ΘΕͳ͍) • etc

13. HTMLग़ྗ • innerHTML = • document.write() • jQuery() $() $(el).html()

    • ֤छςϯϓϨʔτΛ࢖ͬͨग़ྗ • etc

14. ίʔυͷྲྀΕΛ௥͍ͬͯ͘ • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏ • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠ • ag innerHTML |

    ag -v "safe" • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

15. ݟམͱ͕ͪ͠ͳϙΠϯτ

16. document.cookie / localStorage • ݕࡧΩʔϫʔυ΍ཤྺΛอ࣋͢Δػೳ • ೚ҙͷ஋Λอଘग़དྷΔ͜ͱ͕͋Δ • ೖྗ࣌ͱग़ྗ࣌Ͱ͕࣌ؒࠩൃੜ͢Δ͜ͱ͕͋Δ

17. Persistent DOM XSS • DOM based XSSͷӬଓԽ͕Մೳ • cookie /

    localStorageʹ߈ܸ༻ͷίʔυΛอଘ • දࣔ͢Δͨͼʹ࣮ߦ͞ΕΔΑ͏ͳέʔε • → ࣗࣾͰͷࣄྫ΍ɺ޿ࠂωοτϫʔΫͷiframeͰ࣮ྫ͋Γ

18. ಛʹ cookie ͷ৔߹ • αϒυϝΠϯ͔ΒͰ΋ઃఆ͕Մೳ • vuln.example.com → .example.com •

    ੬ऑੑͷ͋ΔαϒυϝΠϯ͔ΒcookieΛset
 • ߈ܸର৅ͷυϝΠϯͰ cookie ىҼͷ DOM based XSS
 • MITM attackͰ΋cookieͷઃఆ͕Մೳ

19. CookieΛ࢖ͬͨ߈ܸ (XSS or ServerSide) • ͦͷαʔϏεͰ͸৴༻Ͱ͖Δ஋͔͠ग़ྗ͠ͳ͍৔߹Ͱ΋XSSՄೳ • MITMͰͷcookieઃఆ → HSTS

    include subdomainΛ࢖Θͳ͍ͱ๷͛ͳ͍ • JS Ͱ΋serverͰ΋৴པͰ͖ͳ͍஋͕ೖΔ͜ͱΛલఏʹઃܭ͢Δඞཁ͕͋Δ
 • ࡉ޻ͨ͠cookieΛ࢖ͬͨremote code executionͷࣄྫ͍͔ͭ͋͘Γ

20. Part2. मਖ਼ํ๏

21. ग़ྗՕॴʹԠͯ҆͡શʹ͢Δ • ධՁ͞ΕΔίϯςΩετʹԠͯ͡ରࡦ͸ҧ͏ • શͯʹରͯ͠༗ޮͳvalidation΍escape rule͸ଘࡏ͠ͳ͍ • յΕͯ΋ྑ͍ͳΒҰ཯ϑΟϧλ͢ΔΑ͏ͳॲཧ͸࡞ΕΔ
 <> ͕ೖྗ͞Ε͍ͯΔͱ໰౴ແ༻ͰΤϥʔʂ

22. JavaScriptͷม਺ग़ྗ • ͦ΋ͦ΋ආ͚Δ • data-xxx="html escaped value" ͰຒΊࠐΈΛਪ঑ • ಉ͡escape

    ruleͰରԠՄೳɺίϯςΩετΛҙࣝ͠ͳ͍͍ͯ͘ • Ͳ͏ͯ͠΋ඞཁͰ͋Ε͹ɺhtml escapeͰ͸ͳ͘js escape

23. URLΛग़ྗ͢Δ৔߹ • javascript: xxx ͕ೖͬͯ͸͍͚ͳ͍ • ̋ validation ruleΛ࡞ͬͯద༻͢Δ •

    HTML Escape / JS escape ͚ͩͰ͸ෆे෼ • URLΛೖग़ྗ͢ΔΑ͏ͳՕॴ͸ɺͲͷΈͪvalidation͕͋Δ͸ͣ

24. ίʔυΛੜ੒͢Δ৔߹ • eval() ͦ΋ͦ΋࢖Θͳ͍Α͏ʹ͢Δ • JSON.parseͷ୅༻ͱͯ͠ɺͨ·ʹݟΔ
 → ΋͏͍Βͳ͍ɺpolyfill࢖༻͢Ε͹Α͍

25. HTMLΛग़ྗ͢Δ৔߹ • innerHTMLΛͳΔ΂͘࢖Θͳ͍(࠷ऴతͳग़ྗ࣌ͷΈ) • ࣗಈescapeՄೳͳtemplate engine࢖͏ → mustache ͳͲ •

    jQuery ͷ html() → ෆཁͰ͋Ε͹ text() ʹஔ͖׵͑Δ • html() ͷଟ༻͸ϨϏϡʔͷෛ୲ʹͳΔ

26. XSSͷݟ͚ͭํͱ௚͠ํ͸ಉ͡ • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏ • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠ • ag innerHTML |

    ag -v "safe" • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

27. मਖ਼ํ๏ͷϙΠϯτ • ։ൃऀ͔Βݟͯ҆શ != ϨϏϡΞʔ͔Βݟͯ҆શ
 • ։ൃऀ͸ةݥ͕ແ͍ύϥϝʔλͱ஌͍ͬͯͯ΋ύοͱݟͰ͸Θ͔Βͳ͍
 • ιʔείʔυݕࡧͰɺո͍͠Օॴ͕ݟ͔ͭΒͳ͍ঢ়ଶ •

    ϨϏϡʔ͠΍͍͢ίʔυʹ͢Δ → ࣗ෼Ͱ΋ίʔυݕࡧͯ͠ΈΔͱྑ͍

28. Part3. ൃੜཁҼͷ܏޲ • ͲͷλΠϛϯάͰԿʹ஫ҙ͢Ε͹ྑ͍ͷ͔෼͔Βͳ͍ • ةݥͳ͜ͱΛ͍ͯ͠Δ͕֮ࣗͳ͍ • ʮԿΛ͠Α͏ͱͯ͠ى͖ͨͷ͔ʯΛओ࣠ʹղઆ

29. ࣄྫ: ݕࡧΩʔϫʔυͷදࣔ • ϦϑΝϥ͔Βऔಘ • ݕࡧΫΤϦ͔Βͷऔಘ • ޿ࠂ࠷దԽ༻ͷύϥϝʔλ΍ΩʔϫʔυϋΠϥΠτͰ࢖͍ͬͯͨ • ऩӹ૿ՃͷͨΊʹ͋ΒΏΔαʔϏεʹXSS͕௥Ճ͞Ε͍ͯͨ

30. ۩ମྫ var keyword = '[% param.keyword | html %]'; //

    ͜Ε͕
 ↓
 var keyword = ''; alert(1); ''; // ͜͏ͳΔ • ౰࣌࢖͍ͬͯͨςϯϓϨʔτΤϯδϯ͕ɺγϯάϧΫΦʔτΛΤεέʔ ϓ͠ͳ͔ͬͨ • ࠓͰ͸͋·ΓΈͳ͍ • ϦϑΝϥ͔Βऔಘ͢Δ΋ͷ͸ → DOM based XSSʹ

31. ϦϑΝϥΛ࢖ͬͨXSS • ϦϑΝϥ͔ΒΩʔϫʔυऔಘͯ͠Φεεϝهࣄදࣔ • ϦϑΝϥʹ ه߸΍HTMLλά͕ೖΔ͜ͱΛ૝ఆ͍ͯ͠ͳ͍

32. ֶͼ • ϓϥεΞϧϑΝͷػೳͰXSS͕ى͖͍ͯΔ • αʔϏεͷຊମͷػೳ͡Όͳ͍෦෼Ͱ͍ͭͷؒʹ͔XSS͕ग़དྷͯΔ • ։ൃ͸ऴΘͬͯΔΜ͚ͩͲɺ༉அͯ͠Δͱ͜ΖͰɻɻ • ιʔγϟϧϘλϯ௥Ճ →

    ݱࡏͷURLΛdocument.writeͰग़ྗɺ౳

33. ࣄྫ: HTML EntityͷղऍΛ͍ͨ͠ • $(el).text() Λ࢖ͬͯද͍ࣔͯͨ͠Β HTML࣮ମࢀরɺ਺஋ࢀরจࣈ͕ද ࣔ͞Εͳ͘ͳͬͨ • ͜͏͍͏ͷͶ

    B'z → B&#39;z • → $(el).html() ʹมߋ΍ɺࣗಈΤεέʔϓ֎͢ॲཧΛೖΕͯ͠·͏ • Ϣʔβʔೖྗ͕ೖΒͳ͍͔Ͳ͏͔֬ೝ͕ඞཁ • ҆શͳೖྗՕॴͰ͋ͬͯ΋ϨϏϡʔ͕େมʹͳΔ

34. Ͳ͏͢Ε͹ྑ͍ʁ • HTML entityͷղऍͷͨΊʹɺhtml() Λ࢖Θͳ͍ɻ • html() Λ࢖͏ͱɺ͋Δ೔ಥવةݥʹͳΔ • ඞཁͳॲཧ͸htmlग़ྗͰ͸ͳ͘ɺdecode

    html entities • textarea hack $("<textarea/>").html(value).text()

35. ࣅͨࣄྫ: escapeํࣜͷมߋ • αʔόʔαΠυͰ΋ΤεέʔϓɺjsͰͷग़ྗͰ΋Τεέʔϓ • ೋॏescapeʹͳͬͯ͠·ͬͨʂ &amp; ΍ &quot; ͳͲ͕ը໘ʹදࣔ͞Ε

    Δ • html escape → js escape ΁ͷมߋ • ͜Εࣗମ͸ਖ਼͍͕͠ɺຊ౰ʹେৎ෉ʁ

36. escapeํࣜมߋʹ൐͏໰୊ • A: ̋ js escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ

    • B: ˚ html escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ → 
 ೋॏescape • C: ☓ js escapeͰม਺ຒΊࠐΈ → innerHTML ΍ $() html() Ͱग़ྗՕॴ͕͋Δ

37. Կ͕໰୊͔ʁ • ೋॏΤεέʔϓ͸όά͚ͩͲ XSS ͸੬ऑੑ • B → C ʹѱԽ͢ΔՄೳੑ͕͋Δ

    (όάΛ௚ͯ͠੬ऑੑ͕ൃݱ) • पลՕॴͷϨϏϡʔ΋ηοτͰߦΘͳ͍ͱμϝ

38. ֶͼ • ද͕ࣔόάͬͯ·͢ → ҰൠϢʔβʔ΍QA͔Βͷใࠂ • ରॲྍ๏తʹ௚͢ɺ෼͔ͬͯΔਓ͕ϨϏϡʔ͠ͳ͍··ద༻ • ೋॏΤεέʔϓόά͕XSSͱͯ͠ѱԽͯ͠͠·͏ •

    ௚ͨ͠ຊਓ͸όάΛ௚ͨͭ͠΋Γ

39. ࣄྫ: ίϝϯτΞ΢τ ׂͱ௝͍͠λΠϓ

40. JavaScriptதͷม਺ग़ྗՕॴͷίϝϯτΞ΢τ • /* */ Λ࢖͏έʔε • */ ΛೖΕΔ͜ͱͰίϝϯτΛڧ੍ऴྃ͢Δ /* var

    keyword = '[% keyword %]' */ ↓ /* var keyword = '*/ alert(1) /*' */

41. // Λ࢖͏έʔε • վߦͰಥഁՄೳ // var keyword = '
 alert(1)//‘

    • U+2028 / U+2029 Ͱ΋ಥഁՄೳ • վߦΛϑΟϧλͳΜͯத్൒୺ͳ͜ͱ͸͠ͳ͍Α͏ʹɻ

42. ίϝϯτΞ΢τ໰୊ • jsͷಈతੜ੒ɺม਺ຒΊࠐΈΛ΍ΊΔɺͱ͍͏ݪଇͰରԠՄೳ • ม਺ग़ྗՕॴͷจ຺Λҙࣝ͢Δ͜ͱͰ๷͙ → ೉͍͠
 • JavaScriptத͔ͩΒjs escape!!

    ͱ͍͏ܒ໤͕ग़དྷ͍ͯͯ΋ൃੜ͢Δ • ͦ΋ͦ΋ίϝϯτΞ΢τ͠ͳ͍Ͱؙ͝ͱফ͢ɺgitʹϩά࢒Δ

43. ࣄྫ: ίϯςϯπͷಈతͳϩʔυ • HTMLஅยΛදࣔ͢ΔΑ͏ͳέʔε • Single page appͷྲྀߦͰଟ͘ͳͬͨ → router͕ͪΌΜͱॻ͔Ε͍ͯ

    Ε͹੬ऑੑ͸গͳ͍ • ͪΐͬͱલʹ࡞ΒΕͨΑ͏ͳαΠτɺlocation.hash ͔Βऔಘ • ΞχϝެࣜαΠτ΍ϥϯσΟϯάϖʔδͳͲͰΑ͘ݟΔ

44. HTMLஅยϩʔυͷ໰୊఺ • ಉҰυϝΠϯʹ੍ݶ͍ͯͯ͠΋҆શͰ͸ͳ͍έʔε͕͋Δ • ಉҰυϝΠϯʹΦʔϓϯϦμΠϨΫλ • ಉҰυϝΠϯͰ <> ΛؚΉίϯςϯπΛಈతੜ੒Մೳ(JSONP API౳)

    • ඞཁͳ͜ͱ → ૝ఆͨ͠path͔Ͳ͏͔ͷݫ֨ͳνΣοΫ

45. ϥΠϒϥϦͰͷ໰୊ • ಉҰυϝΠϯͷίϯςϯπ͸҆શͰ͋Δɺͱ͍͏ࢥ͍ࠐΈ • jQuery mobile → ϋογϡࢦఆͰಉҰυϝΠϯ಺ϩʔυ • Rails

    ͷ turbolinks → ϦϯΫઌΛAjaxͰಡΈࠐΜͰߴ଎Խ • ύονॻ͍ͨΓͨ͠ (ಈతϩʔυΛߦͳ͏content-typeͷ੍ݶ)

46. ·ͱΊ • XSS͸΍΍ͯ͘͜͠೉͍͠ • ҆શʹ͢ΔͨΊͷγϯϓϧͳݪଇ͸͋Δ • ಈతͳίʔυੜ੒Λආ͚ΔɺࣗಈΤεέʔϓΛ࢖͏ • + ݪଇΛ֎Εͨ࣌ʹةݥͩͱ࡯஌͢Δηϯε͕ඞཁ