$30 off During Our Annual Pro Sale. View Details »

実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss

mala
September 26, 2016
Programming
25
8.9k

実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss

LINE Developer Meetup in Fukuoka #16
http://connpass.com/event/38413/

mala

September 26, 2016
Tweet

More Decks by mala

See All by mala
The Evolution of Alert & Notification System / Becks Japan #1
mala
11
8.3k
TBD/Shibuya.XSS techtalk #8
mala
5
2.3k
超絶技巧CSRF / Shibuya.XSS techtalk #7
mala
40
14k
How to hack metacpan.org
mala
7
1.2k
SECCON2013 slide
mala
14
2.7k

Other Decks in Programming

See All in Programming
Kyo - Functional Scala 2023
fwbrasil
0
290
バイナリビューアを使ってクラスファイルを読んでみよう! #jjug_ccc
yujisoftware
1
270
[Helvetic Ruby 2023] Profiling Ruby tests with Swiss precision
palkan
0
330
Java 8 から 21 へのバージョンアップでどう変わる?:実アプリケーションで学ぶ実装のポイント / 20231111 Key Implementation Points from Java 8 to 21
mackey0225
6
530
Using AI in Software Design: How ChatGPT Can Help With Creating a Solution Architecture
rdmueller
0
150
エンジニアだけでスポンサーブースを出したら大変なことになった
zakky21
1
340
Developing a Vim plugin with Ruby
okuramasafumi
0
220
実践PubSubマイクロサービス / Implementation Pub Sub microservice
nrslib
3
950
DIGGLEの分析基盤アーキテクチャ
zakky21
0
110
Kaggle-Vesuvius-Challenge-Ink-Detection-2nd-Solution
mipypf
0
840
Open Source Malware Hunting Lab
disconinja
1
440
Flutterで構築する漫画ビューア / FlutterKaigi 2023
katsu8686
0
2.5k

Featured

See All Featured
How to name files
jennybc
59
87k
Happy Clients
brianwarren
91
6.1k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.2k
How GitHub Uses GitHub to Build GitHub
holman
467
280k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
From Idea to $5000 a Month in 5 Months
shpigford
376
45k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
113
17k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
24
2k
In The Pink: A Labor of Love
frogandcode
135
21k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
152
14k
10 Git Anti Patterns You Should be Aware of
lemiorhan
644
57k
How STYLIGHT went responsive
nonsquared
89
4.5k

Transcript

  1. ࣮ྫʹֶͿXSS੬ऑੑͷ
    ൃݟͱमਖ਼ํ๏
    ma.la

    View Slide

  2. ςʔϚ
    • ͍͔ͭ͘ࠓ·ͰXSSʹؔͯ͠ൃද͖ͯͨ͠(AppSec,AVTokyo, etc)
    • ओʹ޿ൣͳαΠτʹӨڹ͢ΔϥΠϒϥϦͷ੬ऑੑͳͲΛղઆ
    • ࠓճ͸ൃݟํ๏΍ࣄྫʹ͍ͭͯத৺ʹղઆ
    • αΠτ։ൃऀଆͰͷରࡦ͕ඞཁͳՕॴ

    View Slide

  3. Part0. XSSͬͯԿ
    • αʔϏεΛఏڙ͍ͯ͠ΔυϝΠϯ্Ͱɺ೚ҙͷJavaScriptίʔυ͕࣮ߦ
    Ͱ͖Δ੬ऑੑ
    • ͦͷυϝΠϯͰදࣔ͞ΕΔ৘ใΛ౪Έग़ͨ͠Γɺউखʹߋ৽͢Δ͜ͱ͕
    ग़དྷΔ
    • डಈత߈ܸ: ඃ֐Λड͚Δͷ͸߈ܸϦϯΫΛ౿ΜͩϢʔβʔ

    View Slide

  4. Part1. How to find XSS

    View Slide

  5. ίʔυϨϏϡʔͷϙΠϯτ
    • ೖྗՕॴͱධՁ͢ΔՕॴʹ஫໨͢Δ
    • source ͱ sink ͱݺ͹ΕͨΓ͢Δ

    View Slide

  6. ୯७ͳXSSͷ৔߹
    • αʔόʔଆͷHTML templateͰͷग़ྗՕॴɺධՁՕॴ΋ಉ͡
    • ग़ྗՕॴͰhtml tag΍scriptΛදࣔ

    • ίʔυΛ௥͍͚ͬͯ͹େମશ෦ݟ͔ͭΔ
    • Ұ෦Λআ͖ɺࣗಈΤεέʔϓͰશ෦௚Δ

    View Slide

  7. ୯७Ͱ͸ͳ͍XSSͷࣄྫ
    • JavaScriptίʔυͷಈతੜ੒
    • URLͷՕॴʹ javascript:xxx
    • HTML escapeͰ๷͛ͳ͍
    • DOM based XSSͱݺ͹ΕΔ΋ͷ

    View Slide

  8. DOM based XSSͷ৔߹
    • ೖྗՕॴͱධՁ͢ΔՕॴ͕ҧ͏
    • JavaScriptͷίʔυΛ௥Θͳ͍ͱ෼͔Βͳ͍
    • ൃݟ͕೉͍͠ݪҼ

    View Slide

  9. ೖྗՕॴͷྫ
    location.* (location.href, location.hash, etc)
    document.* (document.URL, document.cookie, etc)
    window.name

    View Slide

  10. ධՁ͢ΔՕॴͷྫ
    ೖྗ͞Εͨύϥϝʔλ͕ग़ྗ͞ΕΔՕॴ
    URLͱͯ͠ධՁɺJavaScriptίʔυͱͯ͠ධՁɺHTMLͱͯ͠ධՁ

    View Slide

  11. URLͱͯ͠ධՁ
    • location.href = , iframe.src =
    • ajax, XMLHttpRequest ͰͷಡΈࠐΈ
    • etc

    View Slide

  12. ίʔυͱͯ͠ධՁ
    • ίʔυΛಈతʹੜ੒͢ΔΑ͏ͳ࢖͍ํ (͋·Γແ͍)
    • eval()
    • จࣈྻͰͷ setTimeout() setInterval() (͋·Γ࢖ΘΕͳ͍)
    • Function() (͋·Γ࢖ΘΕͳ͍)
    • etc

    View Slide

  13. HTMLग़ྗ
    • innerHTML =
    • document.write()
    • jQuery() $() $(el).html()
    • ֤छςϯϓϨʔτΛ࢖ͬͨग़ྗ
    • etc

    View Slide

  14. ίʔυͷྲྀΕΛ௥͍ͬͯ͘
    • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏
    • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠
    • ag innerHTML | ag -v "safe"
    • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

    View Slide

  15. ݟམͱ͕ͪ͠ͳϙΠϯτ

    View Slide

  16. document.cookie / localStorage
    • ݕࡧΩʔϫʔυ΍ཤྺΛอ࣋͢Δػೳ
    • ೚ҙͷ஋Λอଘग़དྷΔ͜ͱ͕͋Δ
    • ೖྗ࣌ͱग़ྗ࣌Ͱ͕࣌ؒࠩൃੜ͢Δ͜ͱ͕͋Δ

    View Slide

  17. Persistent DOM XSS
    • DOM based XSSͷӬଓԽ͕Մೳ
    • cookie / localStorageʹ߈ܸ༻ͷίʔυΛอଘ
    • දࣔ͢Δͨͼʹ࣮ߦ͞ΕΔΑ͏ͳέʔε
    • → ࣗࣾͰͷࣄྫ΍ɺ޿ࠂωοτϫʔΫͷiframeͰ࣮ྫ͋Γ

    View Slide

  18. ಛʹ cookie ͷ৔߹
    • αϒυϝΠϯ͔ΒͰ΋ઃఆ͕Մೳ
    • vuln.example.com → .example.com
    • ੬ऑੑͷ͋ΔαϒυϝΠϯ͔ΒcookieΛset

    • ߈ܸର৅ͷυϝΠϯͰ cookie ىҼͷ DOM based XSS

    • MITM attackͰ΋cookieͷઃఆ͕Մೳ

    View Slide

  19. CookieΛ࢖ͬͨ߈ܸ (XSS or ServerSide)
    • ͦͷαʔϏεͰ͸৴༻Ͱ͖Δ஋͔͠ग़ྗ͠ͳ͍৔߹Ͱ΋XSSՄೳ
    • MITMͰͷcookieઃఆ → HSTS include subdomainΛ࢖Θͳ͍ͱ๷͛ͳ͍
    • JS Ͱ΋serverͰ΋৴པͰ͖ͳ͍஋͕ೖΔ͜ͱΛલఏʹઃܭ͢Δඞཁ͕͋Δ

    • ࡉ޻ͨ͠cookieΛ࢖ͬͨremote code executionͷࣄྫ͍͔ͭ͋͘Γ

    View Slide

  20. Part2. मਖ਼ํ๏

    View Slide

  21. ग़ྗՕॴʹԠͯ҆͡શʹ͢Δ
    • ධՁ͞ΕΔίϯςΩετʹԠͯ͡ରࡦ͸ҧ͏
    • શͯʹରͯ͠༗ޮͳvalidation΍escape rule͸ଘࡏ͠ͳ͍
    • յΕͯ΋ྑ͍ͳΒҰ཯ϑΟϧλ͢ΔΑ͏ͳॲཧ͸࡞ΕΔ

    <> ͕ೖྗ͞Ε͍ͯΔͱ໰౴ແ༻ͰΤϥʔʂ

    View Slide

  22. JavaScriptͷม਺ग़ྗ
    • ͦ΋ͦ΋ආ͚Δ
    • data-xxx="html escaped value" ͰຒΊࠐΈΛਪ঑
    • ಉ͡escape ruleͰରԠՄೳɺίϯςΩετΛҙࣝ͠ͳ͍͍ͯ͘
    • Ͳ͏ͯ͠΋ඞཁͰ͋Ε͹ɺhtml escapeͰ͸ͳ͘js escape

    View Slide

  23. URLΛग़ྗ͢Δ৔߹
    • javascript: xxx ͕ೖͬͯ͸͍͚ͳ͍
    • ̋ validation ruleΛ࡞ͬͯద༻͢Δ
    • HTML Escape / JS escape ͚ͩͰ͸ෆे෼
    • URLΛೖग़ྗ͢ΔΑ͏ͳՕॴ͸ɺͲͷΈͪvalidation͕͋Δ͸ͣ

    View Slide

  24. ίʔυΛੜ੒͢Δ৔߹
    • eval() ͦ΋ͦ΋࢖Θͳ͍Α͏ʹ͢Δ
    • JSON.parseͷ୅༻ͱͯ͠ɺͨ·ʹݟΔ

    → ΋͏͍Βͳ͍ɺpolyfill࢖༻͢Ε͹Α͍

    View Slide

  25. HTMLΛग़ྗ͢Δ৔߹
    • innerHTMLΛͳΔ΂͘࢖Θͳ͍(࠷ऴతͳग़ྗ࣌ͷΈ)
    • ࣗಈescapeՄೳͳtemplate engine࢖͏ → mustache ͳͲ
    • jQuery ͷ html() → ෆཁͰ͋Ε͹ text() ʹஔ͖׵͑Δ
    • html() ͷଟ༻͸ϨϏϡʔͷෛ୲ʹͳΔ

    View Slide

  26. XSSͷݟ͚ͭํͱ௚͠ํ͸ಉ͡
    • ag ͳͲͷίʔυݕࡧπʔϧΛ࢖͏
    • ҆શͩͱ֬ೝ͕Ͱ͖ͨ৔ॴ͸আ֎͍ͯ͘͠
    • ag innerHTML | ag -v "safe"
    • ೖྗՕॴɺग़ྗՕॴɺͲͪΒ͔ΒͰ΋ո͍͠Օॴ͸ݟ͔ͭΔ

    View Slide

  27. मਖ਼ํ๏ͷϙΠϯτ
    • ։ൃऀ͔Βݟͯ҆શ != ϨϏϡΞʔ͔Βݟͯ҆શ

    • ։ൃऀ͸ةݥ͕ແ͍ύϥϝʔλͱ஌͍ͬͯͯ΋ύοͱݟͰ͸Θ͔Βͳ͍

    • ιʔείʔυݕࡧͰɺո͍͠Օॴ͕ݟ͔ͭΒͳ͍ঢ়ଶ
    • ϨϏϡʔ͠΍͍͢ίʔυʹ͢Δ → ࣗ෼Ͱ΋ίʔυݕࡧͯ͠ΈΔͱྑ͍

    View Slide

  28. Part3. ൃੜཁҼͷ܏޲
    • ͲͷλΠϛϯάͰԿʹ஫ҙ͢Ε͹ྑ͍ͷ͔෼͔Βͳ͍
    • ةݥͳ͜ͱΛ͍ͯ͠Δ͕֮ࣗͳ͍
    • ʮԿΛ͠Α͏ͱͯ͠ى͖ͨͷ͔ʯΛओ࣠ʹղઆ

    View Slide

  29. ࣄྫ: ݕࡧΩʔϫʔυͷදࣔ
    • ϦϑΝϥ͔Βऔಘ
    • ݕࡧΫΤϦ͔Βͷऔಘ
    • ޿ࠂ࠷దԽ༻ͷύϥϝʔλ΍ΩʔϫʔυϋΠϥΠτͰ࢖͍ͬͯͨ
    • ऩӹ૿ՃͷͨΊʹ͋ΒΏΔαʔϏεʹXSS͕௥Ճ͞Ε͍ͯͨ

    View Slide

  30. ۩ମྫ
    var keyword = '[% param.keyword | html %]'; // ͜Ε͕

    ↓

    var keyword = ''; alert(1); ''; // ͜͏ͳΔ
    • ౰࣌࢖͍ͬͯͨςϯϓϨʔτΤϯδϯ͕ɺγϯάϧΫΦʔτΛΤεέʔ
    ϓ͠ͳ͔ͬͨ
    • ࠓͰ͸͋·ΓΈͳ͍
    • ϦϑΝϥ͔Βऔಘ͢Δ΋ͷ͸ → DOM based XSSʹ

    View Slide

  31. ϦϑΝϥΛ࢖ͬͨXSS
    • ϦϑΝϥ͔ΒΩʔϫʔυऔಘͯ͠Φεεϝهࣄදࣔ
    • ϦϑΝϥʹ ه߸΍HTMLλά͕ೖΔ͜ͱΛ૝ఆ͍ͯ͠ͳ͍

    View Slide

  32. ֶͼ
    • ϓϥεΞϧϑΝͷػೳͰXSS͕ى͖͍ͯΔ
    • αʔϏεͷຊମͷػೳ͡Όͳ͍෦෼Ͱ͍ͭͷؒʹ͔XSS͕ग़དྷͯΔ
    • ։ൃ͸ऴΘͬͯΔΜ͚ͩͲɺ༉அͯ͠Δͱ͜ΖͰɻɻ
    • ιʔγϟϧϘλϯ௥Ճ → ݱࡏͷURLΛdocument.writeͰग़ྗɺ౳

    View Slide

  33. ࣄྫ: HTML EntityͷղऍΛ͍ͨ͠
    • $(el).text() Λ࢖ͬͯද͍ࣔͯͨ͠Β HTML࣮ମࢀরɺ਺஋ࢀরจࣈ͕ද
    ࣔ͞Εͳ͘ͳͬͨ
    • ͜͏͍͏ͷͶ B'z → B'z
    • → $(el).html() ʹมߋ΍ɺࣗಈΤεέʔϓ֎͢ॲཧΛೖΕͯ͠·͏
    • Ϣʔβʔೖྗ͕ೖΒͳ͍͔Ͳ͏͔֬ೝ͕ඞཁ
    • ҆શͳೖྗՕॴͰ͋ͬͯ΋ϨϏϡʔ͕େมʹͳΔ

    View Slide

  34. Ͳ͏͢Ε͹ྑ͍ʁ
    • HTML entityͷղऍͷͨΊʹɺhtml() Λ࢖Θͳ͍ɻ
    • html() Λ࢖͏ͱɺ͋Δ೔ಥવةݥʹͳΔ
    • ඞཁͳॲཧ͸htmlग़ྗͰ͸ͳ͘ɺdecode html entities
    • textarea hack $("").html(value).text()

    View Slide

  35. ࣅͨࣄྫ: escapeํࣜͷมߋ
    • αʔόʔαΠυͰ΋ΤεέʔϓɺjsͰͷग़ྗͰ΋Τεέʔϓ
    • ೋॏescapeʹͳͬͯ͠·ͬͨʂ & ΍ " ͳͲ͕ը໘ʹදࣔ͞Ε
    Δ
    • html escape → js escape ΁ͷมߋ
    • ͜Εࣗମ͸ਖ਼͍͕͠ɺຊ౰ʹେৎ෉ʁ

    View Slide

  36. escapeํࣜมߋʹ൐͏໰୊
    • A: ̋ js escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ
    • B: ˚ html escapeͰม਺ຒΊࠐΈ → js templateͰauto escapeͰදࣔ → 

    ೋॏescape
    • C: ☓ js escapeͰม਺ຒΊࠐΈ → innerHTML ΍ $() html() Ͱग़ྗՕॴ͕͋Δ

    View Slide

  37. Կ͕໰୊͔ʁ
    • ೋॏΤεέʔϓ͸όά͚ͩͲ XSS ͸੬ऑੑ
    • B → C ʹѱԽ͢ΔՄೳੑ͕͋Δ (όάΛ௚ͯ͠੬ऑੑ͕ൃݱ)
    • पลՕॴͷϨϏϡʔ΋ηοτͰߦΘͳ͍ͱμϝ

    View Slide

  38. ֶͼ
    • ද͕ࣔόάͬͯ·͢ → ҰൠϢʔβʔ΍QA͔Βͷใࠂ
    • ରॲྍ๏తʹ௚͢ɺ෼͔ͬͯΔਓ͕ϨϏϡʔ͠ͳ͍··ద༻
    • ೋॏΤεέʔϓόά͕XSSͱͯ͠ѱԽͯ͠͠·͏
    • ௚ͨ͠ຊਓ͸όάΛ௚ͨͭ͠΋Γ

    View Slide

  39. ࣄྫ: ίϝϯτΞ΢τ
    ׂͱ௝͍͠λΠϓ

    View Slide

  40. JavaScriptதͷม਺ग़ྗՕॴͷίϝϯτΞ΢τ
    • /* */ Λ࢖͏έʔε
    • */ ΛೖΕΔ͜ͱͰίϝϯτΛڧ੍ऴྃ͢Δ
    /* var keyword = '[% keyword %]' */

    /* var keyword = '*/ alert(1) /*' */

    View Slide

  41. // Λ࢖͏έʔε
    • վߦͰಥഁՄೳ
    // var keyword = '

    alert(1)//‘
    • U+2028 / U+2029 Ͱ΋ಥഁՄೳ
    • վߦΛϑΟϧλͳΜͯத్൒୺ͳ͜ͱ͸͠ͳ͍Α͏ʹɻ

    View Slide

  42. ίϝϯτΞ΢τ໰୊
    • jsͷಈతੜ੒ɺม਺ຒΊࠐΈΛ΍ΊΔɺͱ͍͏ݪଇͰରԠՄೳ
    • ม਺ग़ྗՕॴͷจ຺Λҙࣝ͢Δ͜ͱͰ๷͙ → ೉͍͠

    • JavaScriptத͔ͩΒjs escape!! ͱ͍͏ܒ໤͕ग़དྷ͍ͯͯ΋ൃੜ͢Δ
    • ͦ΋ͦ΋ίϝϯτΞ΢τ͠ͳ͍Ͱؙ͝ͱফ͢ɺgitʹϩά࢒Δ

    View Slide

  43. ࣄྫ: ίϯςϯπͷಈతͳϩʔυ
    • HTMLஅยΛදࣔ͢ΔΑ͏ͳέʔε
    • Single page appͷྲྀߦͰଟ͘ͳͬͨ → router͕ͪΌΜͱॻ͔Ε͍ͯ
    Ε͹੬ऑੑ͸গͳ͍
    • ͪΐͬͱલʹ࡞ΒΕͨΑ͏ͳαΠτɺlocation.hash ͔Βऔಘ
    • ΞχϝެࣜαΠτ΍ϥϯσΟϯάϖʔδͳͲͰΑ͘ݟΔ

    View Slide

  44. HTMLஅยϩʔυͷ໰୊఺
    • ಉҰυϝΠϯʹ੍ݶ͍ͯͯ͠΋҆શͰ͸ͳ͍έʔε͕͋Δ
    • ಉҰυϝΠϯʹΦʔϓϯϦμΠϨΫλ
    • ಉҰυϝΠϯͰ <> ΛؚΉίϯςϯπΛಈతੜ੒Մೳ(JSONP API౳)
    • ඞཁͳ͜ͱ → ૝ఆͨ͠path͔Ͳ͏͔ͷݫ֨ͳνΣοΫ

    View Slide

  45. ϥΠϒϥϦͰͷ໰୊
    • ಉҰυϝΠϯͷίϯςϯπ͸҆શͰ͋Δɺͱ͍͏ࢥ͍ࠐΈ
    • jQuery mobile → ϋογϡࢦఆͰಉҰυϝΠϯ಺ϩʔυ
    • Rails ͷ turbolinks → ϦϯΫઌΛAjaxͰಡΈࠐΜͰߴ଎Խ
    • ύονॻ͍ͨΓͨ͠ (ಈతϩʔυΛߦͳ͏content-typeͷ੍ݶ)

    View Slide

  46. ·ͱΊ
    • XSS͸΍΍ͯ͘͜͠೉͍͠
    • ҆શʹ͢ΔͨΊͷγϯϓϧͳݪଇ͸͋Δ
    • ಈతͳίʔυੜ੒Λආ͚ΔɺࣗಈΤεέʔϓΛ࢖͏
    • + ݪଇΛ֎Εͨ࣌ʹةݥͩͱ࡯஌͢Δηϯε͕ඞཁ

    View Slide