
SECCON2013 slide

mala
December 24, 2013


These are the slides from the study session held the day before SECCON2013 Hokuriku.
http://2013.seccon.jp/2013events.html

The original data is here: https://gist.github.com/mala/8112696


Transcript

  1. εϚʔτϑΥϯͷηΩϡϦςΟʹ͍ͭͯ ma.la

  2. ࣗݾ঺հ ࣗݾ঺հ http://ma.la https://twitter.com/bulkneets

  3. LINEגࣜձࣾ livedoorํ໘ͷਓͰ͢

  4. ࢓ࣄ ࢓ࣄ JavaScript, Perl ݩʑͷઐ໳ྖҬ͸UI, ϑϩϯτΤϯυ WebΞϓϦશൠ ೝূೝՄपΓ

  5. ηΩϡϦςΟʹؔ͢Δۀ຿ ηΩϡϦςΟʹؔ͢Δۀ຿ ࣗࣾαʔϏεͷϦϦʔεલʹνΣοΫͨ͠Γͱ͔ Կ͔৽͍͠߈ܸख๏ݟ͔ͭͬͨΒௐࠪ ଞࣾαʔϏεͷ໰୊ݟ͚ͭͯใࠂͨ͠Γ ΦʔϓϯιʔεϓϩμΫτͷόάใࠂͨ͠Γ

  6. ͦ΋ͦ΋ԿͰJavaScriptΛॻ͍ͯͨਓ͕ؒ ηΩϡϦςΟʹؔ͢Δ͜ͱΛ΍͍ͬͯΔͷ͔

  7. ͋ΒΏΔσόΠεͰHTML + JavaScript͕࢖ΘΕ͍ͯΔ Ͳ͜·Ͱѱ༻Ͱ͖Δͷ͔ɺͲ͏΍ͬͯमਖ਼͢΂͖ͳͷ͔ ࣾ಺Ͱ΋ͬͱ΋ৄ͍͠

  8. جຊతʹ͸Webͷਓ iOS / Android ΞϓϦ։ൃ͋·Γৄ͘͠ͳ͍ ηΩϡϦςΟνΣοΫ΍Δؔ܎Ͱ͍֮͑ͯΔ

  9. ࣗࣾαʔϏε ࣗࣾαʔϏε livedoor, NAVERͷWebαʔϏε ࠷ۙ͸LINEʹؔ͢Δ͋Ε͜Ε΋

  10. αʔϏεϦϦʔεલʹ΍Δ͜ͱ QA / ηΩϡϦςΟQA ࣾ಺ϕʔλϦϦʔε

  11. ϦϦʔεલͷϨϏϡʔ ػցతͳݕࠪͰݟ͔ͭΒͳ͍Α͏ͳ໰୊Λݟ͚ͭΔ ϙϦγʔ੍ఆ΍ࣄނ͕ى͖ͨ࣌ͷ૬ஊʹ৐ͬͨΓ

  12. ੬ऑੑใࠂͷϋϯυϦϯά ੬ऑੑใࠂͷϋϯυϦϯά ݸਓతʹใࠂΛड͚ͨ΋ͷͷௐ੔ ୲౰ऀʹ఻͑Δ or ࣗ෼Ͱ௚͢ livedoorͷ΋ͷ͸େମ௚ͤΔ मਖ਼ํ๏ͷࢦ͔ࣔΒमਖ਼׬ྃͷ֬ೝ·Ͱɻ

  13. Ұݸݟ͚ͭͨΒෳ਺͋Δ Ұͭͷ੬ऑੑʹ͍ͭͯશαʔϏε໢ཏతʹௐࠪ

  14. ଞࣾαʔϏεͷࣄྫ ଞࣾαʔϏεͷࣄྫ Google, Facebook, Twitter, Yahoo, Amazon, Evernote, etc hatena, mixi, Doorkeeper, ೚ఱಊ, etc දཱͬͯॻ͍ͨΓ͢Δͷ͸XSS͕ଟ͍ ݸਓͷ׆ಈͰ͢ɻ ͨ·ͨ·ۀ຿࣌ؒதʹݟ͚ͭΔ͜ͱ΋͋Γ·͕͢ݸਓͷ׆ ಈͰ͢

  15. ͳͥଞࣾαʔϏεͷόάใ ͳͥଞࣾαʔϏεͷόάใ ࠂΛ͢Δ͔ ࠂΛ͢Δ͔ ୯ʹࣗ෼ͷ࢖ͬͯΔαʔϏε͕҆શ͔ؾʹͳΔ

  16. ࣗࣾͰݟ͚ͭͨ໰୊͸ଞࣾʹ΋͋Δ ଞࣾͰݟ͚ͭͨ໰୊͕ࣗࣾʹ΋͋Δ ࣋ͪͭ࣋ͨΕͭ

  17. ͳΜ͔XSS͹͔ͬΓ୳ͯ͠ΔΈ͍ͨʹࢥΘΕͨΓ͢Δ͜ͱ͕ ͋ΔͷͰ͕͢ ΋ͬͱΫϦςΟΧϧͳόάͱ͔৭ʑใࠂͯͨ͠Γ͠·͢

  18. ެ։͍ͯ͠Δͷ͸ެ։ͯ͠΋ྑͦ͞͏ͳ΋ͷ ެ։͍ͯ͠Δ΋ͷΑΓང͔ʹଟ͘ใࠂ͍ͯ͠Δ ΞϓϦͷ੬ऑੑ → όʔδϣϯΞοϓ͕ਁಁ͢Δ·Ͱ࿩͠ ʹ͍͘͜ͱ͕͋Δ

  19. ࠓ೔࿩͢͜ͱ ࠓ೔࿩͢͜ͱ εϚϗΞϓϦɺϞόΠϧΞϓϦέʔγϣϯʹ͓͚ΔηΩϡ ϦςΟ

  20. LINEͷ࿩͡Όͳ͍Ͱ͢Αʂ Ұൠ࿦Ͱ͢

  21. εϚϗΞϓϦ εϚϗΞϓϦ Webϕʔεͷٕज़͕ଟ͘࢖ΘΕ͍ͯΔ ࠓ·Ͱϒϥ΢β্Ͱى͖͍ͯͨΑ͏ͳ͜ͱ͕εϚϗΞϓϦ ಺Ͱى͖͍ͯΔ

  22. εϚϗΞϓϦʹ͓͚ΔηΩϡϦςΟ εϚϗΞϓϦʹ͓͚ΔηΩϡϦςΟ ݸਓతʹ৭ʑͱൃݟ͖ͯͨ͠ܦݧ͔Β ൃݟख๏΍मਖ਼ํ๏ʹ͍ͭͯ ҆શͳΞϓϦΛ࡞ΔͨΊʹ͸Ͳ͏͢Ε͹͍͍ͷ͔ʁ

  23. εϚϗͷ࿩ͷલʹ εϚϗͷ࿩ͷલʹ ௨ৗͷWebΞϓϦέʔγϣϯͰͷࣄྫΛͬ͘͟Γͱ

  24. Web WebΞϓϦʹ͓͚ΔηΩϡ ΞϓϦʹ͓͚ΔηΩϡ ϦςΟಈ޲ ϦςΟಈ޲

  25. XSS XSS ΫϩεαΠτεΫϦϓςΟϯά આ໌ඞཁʁ

  26. ࣗಈΤεέʔϓͯ͠Ε͹େମେৎ෉Ͱ͢ ςϯϓϨʔτΤϯδϯଆͰ҆શଆͷϙϦγʔ ͦΕͰΧόʔग़དྷ͍ͯͳ͍ࣄྫʹؾΛ࢖͑͹ྑ͍

  27. JavaScript JavaScriptͷಈతੜ੒ ͷಈతੜ੒ scriptλά಺΍onclickଐੑ಺ʹςϯϓϨʔτม਺ΛຒΊ͜ ΜͰ͍Δέʔε ҆શʹ͢Δͷ͕ඇৗʹ೉͍͠ͷͰ΍Βͳ͍Ͱ!

  28. javascript: javascript: ΁ͷϦϯΫ ΁ͷϦϯΫ a href΁ͷࢦఆ → ΫϦοΫ࣌ʹscript࣮ߦ iframe src΁ͷࢦఆ → ϩʔυ࣌ʹscript࣮ߦ img src΄͔ → ੲ͸࣮ߦ͞Ε͕ͨࠓ͸࣮ߦ͞Εͳ͍

  29. ͜͜Β΁Μ͸ී௨ͷXSS ੈͷதʹ͸·ͩ·ͩͨ͘͞Μ ࣗࣾαʔϏεͰ͸͋·Γݟ͔͚ͳ͘ͳΓ·ͨ͠

  30. DOM based XSS DOM based XSS jQueryΛ࢖͍ͬͯΔέʔε ֎෦υϝΠϯΛXHRͰಡΈࠐΊͯ͠·͏έʔε

  31. jQuery Mobile jQuery Mobileͷѱເ ͷѱເ ෳ਺ͷXSS੬ऑੑͷଘࡏ چόʔδϣϯ࢖ͬͯΔαΠτ΄΅શ෦XSSՄೳ ެࣜαΠτͷར༻ࣄྫ͔Βඈ΂Δϖʔδ΄΅શ෦

  32. ݪҼͱରࡦ ݪҼͱରࡦ location.hashʹࢦఆ͞ΕͨύεΛಡΈࠐΜͰHTMLͷ෦෼ ॻ͖׵͑ jQuery Mobileͷجຊػೳ ೚ҙͷURLΛϩʔυՄೳʹͳ͍ͬͯͨ → දࣔதͷυϝΠ ϯͷݖݶͰධՁ͞ΕΔ

  33. ରࡦ͸ ରࡦ͸ ಡΈ͜ΉલʹݱࡏදࣔதͷυϝΠϯͱҰக͢Δ͔Ͳ͏͔ݕ ࠪ͢ΔΑ͏ʹ ະͩʹજࡏతͳ໰୊͸͋Δ ʮಉҰυϝΠϯʯͷϦιʔε͸HTMLͱͯ͠ಡΈࠐΜͰ ΋҆શͩɺͱ͍͏҉໧ͷલఏ

  34. HTML͡Όͳ͍΋ͷ͕HTMLͱͯ͠ධՁ͞ΕΔ໰୊ Ҏલ͸ IEݶఆͷ໰୊ͱͯ͠ଘࡏ X-Content-Type-Options: nosniff

  35. JS JSͰͷಈతϩʔυͱͷ૊Έ߹Θͤ Ͱͷಈతϩʔυͱͷ૊Έ߹Θͤ ςΩετϑΝΠϧ ը૾(ͷίϝϯτ෦෼ʹHTML) JSONɺCSV etc HTML͡Όͳ͍΋ͷ͕HTMLͱͯ͠ධՁ͞ΕΔ ϦμΠϨΫλͳͲ͕བྷΉͱ࿩͕΍΍͘͜͠ͳΓ·͢

  36. Ruby on Rails Ruby on Rails ͷ ͷ Turbolinks Turbolinks Ajax + history.pushState Ͱߴ଎ʹը໘੾Γସ͑ githubͰ΍ͬͯΔΑ͏ͳ΍ͭ

  37. jQuery Mobileͱಉ༷ͷ໰୊ Ϣʔβʔ͕αΠτ಺ͷ೚ҙͷURLʹϦϯΫΛషΕΔΑ͏ ͳέʔε ΍΍ಛघ͕ͩे෼ʹ༗ΓಘΔ(જࡏతXSS) ରԠ: htmlͷΈड͚ೖΕɺϦμΠϨΫτΛڋ൱ Rails ϓνίϛολʔ

  38. AngularJS AngularJS ࠷ۙΞπ͍ͱ࿩୊ͷ ৼΔ෣͍Λهड़͍͍ͯ͠ײ͡ʹMVCͯ͘͠ΕΔ΍ͭ Ϣʔβʔ͕class໊Λࣗ༝ʹॻ͚ΔΑ͏ͳέʔεʁʁʁ ྲྀੴʹͳͦ͞͏͚ͩͲࠓޙ໰୊ʹͳΔ͔΋ Ή͠Ζ Content Security Policy bypass ͱͯ͠ͷϦεΫ https://code.google.com/p/mustache-security/wiki/AngularJS

  39. ϦονςΩετΤσΟλ্Ͱͷ ϦονςΩετΤσΟλ্ͰͷXSS XSS ϦονςΩετΤσΟλͷiframe಺ͰͷXSS TinyMCE΍ɺͦͷ೿ੜϓϩμΫτ ࠷ۙଟ਺ใࠂ

  40. ࣗࣾαʔϏεͰͷࣄྫ ࣗࣾαʔϏεͰͷࣄྫ livedoor Blog NAVERͷαʔϏε

  41. ଞࣾαʔϏεͰͷࣄྫ ଞࣾαʔϏεͰͷࣄྫ wordpress.com XSS मਖ਼ࡁΈ Movable Type XSS मਖ਼ࡁΈ ΄͔ʹ΋ௐ੔தͷ͍͔ͭ͘

  42. HTML HTMLύʔαͷڍಈͷҧ͍ʹΑΔ ύʔαͷڍಈͷҧ͍ʹΑΔXSS XSS ղऍʹϒϨ͕ੜ͡ΔΑ͏ͳHTMLΛೖྗ͢Δ αʔόʔଆ΍JSͷϑΟϧλΛ͢Γൈ͚Δɻ ېࢭ͞ΕͯΔ͸ͣͷλά͕௨Δ!

  43. Flash based XSS Flash based XSS ී௨ͷXSS͸ݟ͔ͭΓʹ͘͘ͳ͍ͬͯΔ Flash based XSS͕Ξπ͍! ࣄྫʹ͍ͭͯ·ͱΊͯ·͢ http://subtech.g.hatena.ne.jp/mala/20130604/1370328779

  44. Flash based XSS Flash based XSSͷݪҼ ͷݪҼ ExternalInterface.call htmlText ʹΑΔλάग़ྗ ֎෦swfͷϩʔυ

  45. Flash FlashͷηΩϡΞίʔσΟϯά ͷηΩϡΞίʔσΟϯά? ? ࠓ͞ΒͲ͏͠Α͏΋ͳ͍ ࠓ͔ΒFlashॻ͘ਓ͸͋·Γ͍ͳ͍ ඞཁͱ͞ΕͯΔέʔεͰద੾ͳϥΠϒϥϦΛ࢖͏ ϝϯς͞ΕͯΔϥΠϒϥϦ͔Ͳ͏͔ͷબఆ͕େࣄ

  46. ஶ໊Ͳ͜Ζ ஶ໊Ͳ͜Ζ swfupload zeroclipboard ಈըϓϨΠϠʔ͋Ε͜Ε

  47. ಈըϓϨΠϠʔͷ ಈըϓϨΠϠʔͷXSS XSS videoλάͷfallbackͱͯ͠Flash ·ͩඞཁͱ͞ΕΔঢ়گ

  48. ಈըϓϨΠϠʔͷ ಈըϓϨΠϠʔͷXSS XSS ͿͬͪΌ͚શ෦μϝͩͬͨ ͋Ε΋͜Ε΋શ෦XSS͕͋Δ JWPlayer, Video-js, mediaelement, flowplayer, etc ݹ͍όʔδϣϯ࢖͕֮ͬͨ͑͋ΔͳΒߋ৽Λɻ

  49. ࣗࣾαΠτͰͷࣄྫ ࣗࣾαΠτͰͷࣄྫ ͨ͘͘͢͝͞Μ ϒϩάʹॻ͍͔ͯΒؾ෇͍ͨ΋ͷ΋͋Γ

  50. ଞࣾαΠτͰͷࣄྫ ଞࣾαΠτͰͷࣄྫ IPA੬ऑੑใࠂ૭ޱʹಧग़ ௐ੔த

  51. ͳΜͰ͜Μͳ͜ͱʹͳͬͯΔͷʁ ͳΜͰ͜Μͳ͜ͱʹͳͬͯΔͷʁ FlashଆͰͷΠϕϯτΛJavaScriptʹ௨஌ ݺ͹ΕΔؔ਺ΛΧελϚΠζग़དྷΔΑ͏ʹͳ͍ͬͯΔ΋ͷ ͕ଟ͍ some_swf?debug=function(){alert(/XSS/)} ͦ΋ͦ΋Flash → JS΁ͷҾ਺ड͚౉͠ͷࡍͷॲཧ͕όάͬ ͯͨΓ͢Δ

  52. Flash Flashͷ໰୊ ͷ໰୊ PlayerଆͰ௚͢΂͖όά͕௚Βͳ͍ ࣌ͱͯ͠ޓ׵ੑͷͨΊʹෆద੾ͳ࢓༷ͷ··์ஔ ଟ͘ͷswf͕ݹ͍όʔδϣϯͷϚϚ์ஔ͞Ε͍ͯΔ

  53. Web Webͷ࿩ ͷ࿩ ͍͍ͩͨ͜Μͳײ͡

  54. Web Web → → εϚϗ εϚϗ ੬ऑੑͷൃੜ͠΍͍͢ϙΠϯτ͸ಉ͡ WebView + XSS CSRFʹࣅͨ΋ͷ(Cross-Application request forgeries) ଞݴޠͱͷϒϦοδػೳ

  55. εϚϗΞϓϦͱ͍ͬͯ΋ εϚϗΞϓϦͱ͍ͬͯ΋ ৭ʑ ৭ʑ Webϕʔεͷ΋ͷ HTML5ϕʔεͷ΋ͷ ϓϥοτϑΥʔϜݻ༗ͷUIίϯϙʔωϯτ࢖͏΋ͷ

  56. Web WebϕʔεͷΞϓϦ ϕʔεͷΞϓϦ εϚϗ޲͚ͷWebαΠτ ͋Δ͍͸ͦΕΛදࣔ͢Δ͚ͩͷΞϓϦ

  57. ωΠςΟϒدΓͷΞϓϦ ωΠςΟϒدΓͷΞϓϦ ϩʔΧϧͷHTML5 + JSͰ࡞ΒΕ͍ͯΔ΋ͷ ϓϥοτϑΥʔϜωΠςΟϒͷUIίϯϙʔωϯτͰ࡞Β Ε͍ͯΔ΋ͷ ͍ͣΕʹͤΑ಺෦Ͱ͸http/https࢖ͬͯΔ͜ͱ͕ຆͲ

  58. εϚϗΞϓϦͱ͸ εϚϗΞϓϦͱ͸ ݁ہͷͱ͜ΖಛఆαʔϏε޲͚ͷઐ༻ϒϥ΢β Ͱ͋Δ͜ͱ͕ඇৗʹଟ͍ Webͷٕज़ɺϊ΢ϋ΢͕ྲྀ༻Ͱ͖Δ HTML/JSΛௐࠪ͢Δ͜ͱͰ੬ऑੑΛݟ͚ͭΒΕΔ WebͰى͖ͯΔ͜ͱ͸εϚϗΞϓϦ্Ͱ΋ى͖Δ

  59. ௐࠪํ๏ͷ࿩ ௐࠪํ๏ͷ࿩

  60. ௐ΂ํ ௐ΂ํ ௨৴ΛΩϟϓνϟͯ͠ௐ΂Δ ΞϓϦέʔγϣϯͷอଘ͍ͯ͠ΔσʔλΛௐ΂Δ ιʔείʔυ͔Βௐ΂Δ(ࣗࣾΞϓϦ) ϦόʔεΤϯδχΞϦϯά(Android)

  61. ௨৴ͷղੳ ௨৴ͷղੳ ࠷ۙ͸΋ͬͺΒmitmproxyͱ͍͏ͷΛ࢖ͬͯ·͢

  62. mitmproxy mitmproxy pythonͰॻ͔Εͨproxyαʔόʔ ୺຤ʹϧʔτূ໌ॻΛೖΕͯHTTPSͷ௨৴ΛΩϟϓνϟ http://mitmproxy.org

  63. mitmproxy mitmproxy WiFiཱͯΔͷ໘౗ͳͷͰVPNܦ༝Ͱ࢖͑ΔΑ͏ʹͯ͋͠ Δ VPN༗ޮʹ → 80,443ͷશͯͷ௨৴Λmitmproxyͷಁաϓ ϩΩγܦ༝ʹɻ iOSͰ΋AndroidͰ΋VPNͷઃఆ͸͋·Γ೉͘͠ͳ͍

  64. Why VPN Why VPN ࣾ಺Ͱ։ൃ༻ʹWiFiΞΫηεϙΠϯτ࡞Δਓଟ͗͢ ׯবͯ͠ແઢͭͳ͕Γʹ͘͘ͳΔ ໺ྑWiFiېࢭྩ͕ग़ͨ

  65. ௨৴ΛΩϟϓνϟͯ͠෼͔Δ͜ͱ ௨৴ΛΩϟϓνϟͯ͠෼͔Δ͜ͱ ಺෦Ͱୟ͍͍ͯΔAPI → ͜Ε௚઀ΞΫηεͨ͠ΒͲ͏ͳ ΔΜͩΖʁ ฏจ௨৴ → վ᜵͞Εͨ৔߹ͷӨڹ͸Ͳͷఔ౓ʁ ΞΫηεղੳ΍τϥοΩϯάͰૹΒΕ͍ͯΔσʔλ

  66. อଘ͍ͯ͠ΔσʔλΛௐ΂Δ อଘ͍ͯ͠ΔσʔλΛௐ΂Δ ୺຤ͱUSBέʔϒϧͰ઀ଓͯ͠Ϛ΢ϯτ อଘ͞Ε͍ͯΔϑΝΠϧΛௐ΂ͨΓॻ͖׵͑ͨΓ σΟϨΫτϦߏ੒Λௐ΂Δ → ݸਓ৘ใ͕อଘ͞Εͯͦ͏ ͳϑΝΠϧΛݟ͚ͭΔ ΞϓϦ಺ͷ੬ऑੑͰϑΝΠϧ͕ಡΊͳ͍͔ௐ΂Δ

  67. ιʔείʔυ͔Βௐ΂Δ ιʔείʔυ͔Βௐ΂Δ apkͷٯίϯύΠϧ ࣗࣾΞϓϦͷιʔείʔυ͔Β ࠷΋ޮ཰͕Α͘໢ཏతʹௐ΂ΒΕΔ

  68. ௐࠪํ๏ ௐࠪํ๏ େମ͜Μͳײ͡

  69. ੬ऑੑͷ͋ͬͨΞϓϦͷࣄ ੬ऑੑͷ͋ͬͨΞϓϦͷࣄ ྫ ྫ ࣗ෼͕ൃݟใࠂ͖ͯͨ͠΋ͷ

  70. έʔεελσΟ έʔεελσΟ WebView WebViewʹؔ͢Δ΋ͷ ʹؔ͢Δ΋ͷ

  71. Sparrow, Mailbox, Boxcar, LINE, NAVER, Google, etc

  72. ϝʔϧΞϓϦͰͷ ϝʔϧΞϓϦͰͷXSS XSS HTMLϝʔϧදࣔػೳͰscript࣮ߦՄೳͳࣄྫ͕ଟ਺ Sparrow Mailbox

  73. Sparrow Sparrow ධ൑ͷྑ͍ϝʔϧΫϥΠΞϯτ Googleʹങऩ͞Εͨ ͦͷগ͠લʹͪΐ͏Ͳόάใࠂ͍ͯͨ͠

  75. Sparrow Sparrowͷέʔε ͷέʔε ͱ͋ΔαʔϏεͷ໊લͷઃఆʹHTMLλάΛೖΕ͍ͯͨ ͓஌Βͤϝʔϧͷ໊݅෦෼Ͱλά͕༗ޮʹͳ͍ͬͯͨ ո͍͠ͱࢥͬͯݕূ ϒϥοΫϦετͰͷ੍ݶͩͬͨ

  76. audio΍video༻ͷ৽͍͠Πϕϯτϋϯυϥ طଘͷϒϥοΫϦετʹॻ͍ͯͳ͍ → ௨Δ OSXͰ໰୊͕͋ͬͨͷͰiOSόʔδϣϯ΋ௐ΂Δ ಉ༷ʹϝʔϧදࣔը໘ͰJavaScript࣮ߦՄೳͩͬͨ

  77. Կ͕ग़དྷͨͷ͔ʁ Կ͕ग़དྷͨͷ͔ʁ JavaScript͔Βϝʔϧຊจͷೖ͍ͬͯΔsqliteϑΝΠϧʹΞ ΫηεՄೳͩͬͨ ड৴ͨ͠શͯͷϝʔϧΛ౪ΈऔΔ͜ͱ͕Մೳ iOS5Ͱ͸ΞυϨεாͷσʔλϕʔεϑΝΠϧͷಡΈऔΓ ΋Մೳ

  78. Կނ͜͏ͳΔͷ͔ʁ Կނ͜͏ͳΔͷ͔ʁ ݖݶͷڧ͍UIWebViewͰϝʔϧΛද͍ࣔͯ͠Δ BaseURL͕ແࢦఆ or file:// ͦͷΞϓϦͷDocumentʹΞΫηεՄೳʹͳΔ

  79. Mailbox Mailboxͷࣄྫ ͷࣄྫ Dropboxʹങऩ͞Εͨ Gmail༻ΫϥΠΞϯτɺOAuth࢖ͬͯαʔόʔαΠυͰड ৴͍ͯ͠Δ MailboxͷαʔόʔଆͰλάΛϑΟϧλՄೳ ւ֎Ͱ໰୊Λࢦఠ͞ΕͯαʔόʔଆͰͷϑΟϧλͰରԠ͠ ͍ͯͨ

  80. Mailbox Mailboxͷࣄྫ ͷࣄྫ 2013೥9݄ HTMLϝʔϧ಺ͰͷJavaScript࣮ߦͷ໰୊͕ࢦఠ͞ΕΔ http://miki.it/blog/2013/9/24/mailboxapp-javascript-execution/

  82. "As many have noted, the real risks presented by running javascript within Mailbox are extremely limited thanks to how iOS is designed." ଟ͘ͷਓ͕ࢦఠͯ͠ΔΑ͏ʹMailbox্Ͱͷjavascript࣮ߦʹ ΑΔϦεΫ͸ۃΊͯݶఆతͰ͢ɺiOSͷઃܭʹײँ

  83. "extremely limited" "thanks to how iOS is designed."

  84. ͓લ͸ԿΛݴ͍ͬͯΔΜͩ

  85. ͓͍ΠλϦΞͷϒϩΨʔ ͓͍ΠλϦΞͷϒϩΨʔ ಈըͱͬͯ௕จॻ͍ͯΔՋ͋ͬͨΒ alert(location) Λॻ͚ ӨڹൣғΛద੾ʹ೺Ѳ͢Δ͜ͱ͕ඞཁ

  86. όάใࠂʹಈը͸͍Βͳ͍ Google: σϞಈըΑΓ୹͍࣮ূίʔυ

  87. Mailbox MailboxͷରԠ ͷରԠ ެࣜϒϩάͰʮsandboxʹΑͬͯӨڹ͸ۃখʯͱΞφ΢ϯ ε ਖ਼௚͜ͷஈ֊Ͱ͸ɺ෼͔Βͳ͍ ʮ͋ɺ͍ͭ͜෼͔ͬͯͳͦ͞͏ʯ→ ௐ΂Δ

  88. Mailbox Mailboxͷࣄྫ ͷࣄྫ ݩͷใࠂऀ: ൈ͚͕͋ͬͯ࠶౓मਖ਼ɺͱ͍͏هࣄ ·ͩ·ͩൈ͚݀͋ΔΜ͡Όͳ͍ͷʁ → ͜͜ͰHTMLύʔαͷڍಈͷҧ͍ʹΑΔXSS

  89. Mailbox Mailboxͷࣄྫ ͷࣄྫ มͳλάͨ͘͞Μ࡞ͬͯࢼ͢ ී௨ͷϝʔϥʔͰ͸ૹΕͳ͍͜ͱ͕ଟ͍ HTMLϝʔϧૹ৴scriptॻ͘ or ϝʔϥͷૹ৴଴ͪϑΝΠϧ ΛΤσΟλͰฤू

  90. ͜͏͍͏ͷͰ͢ ͜͏͍͏ͷͰ͢ <!--> < script> your code here < /script> -->

  91. <!--> < script> your code here < /script> --> HTMLύʔαϥΠϒϥϦͷଟ͘͸ίϝϯτͱͯ͠ղऍ ࣮ࡍͷϒϥ΢βͰ͸Ұߦ໨Ͱίϝϯτऴྃͱݟͳ͢ ஌Βͳ͍ͱؾ෇͔ͳ͍

  92. ύʔαͷڍಈͷҧ͍ʹΑΔ ύʔαͷڍಈͷҧ͍ʹΑΔ XSS XSS ϒϥοΫϦετ͸ةݥͰ͢ ύʔεͯ͠ɺਖ਼نԽͨ͠HTMLΛ࠶ߏ੒͢Δ͜ͱ

  93. UIWebView + XSS UIWebView + XSS Sparrow΋Mailbox΋UIWebView಺ͰJavaScript͕࣮ߦͰ ͖ͨ ࣮ࡍͷͱ͜ΖͲ͜·Ͱग़དྷͨͷ͔ʁ ηΩϡϦςΟݚڀऀ΋ϦεΫΛਖ਼͘͠ೝࣝग़དྷ͍ͯͳ͍ ݩͷใࠂऀ͸ʮJailbreak͞ΕͯΔσόΠεͰةݥʯͱओு

  94. Jailbreak Jailbreakͯ͠Δͱةݥ ͯ͠Δͱةݥ? ? iOSؔ܎ͰΑ͘ฉ͘ϑϨʔζɻ Jailbreak͸ϚδͰؔ܎ͳ͍Ͱ͢ WebKitͷόάΛ͍ͭͨΒةݥ → ͦΕ͸WebKitͷόάͰ ͢

  95. ਖ਼͍͠౴͑ ਖ਼͍͠౴͑ BaseURLʹΑΔ UIWebViewͷBaseURLͰ͢

  96. JS࣮ߦग़དྷΔ͚ͩͰةݥͩͬͨΒϒϥ΢β͕ةݥ Ͳ͏͍͏ݖݶɺίϯςΩετͰಈ͍ͯΔͷ͔͕ॏཁ

  97. Mailboxͷ৔߹

  98. file:// Ͱಈ͍ͯΔ!! ͳΜ͔·ͣͦ͏

  99. PoC PoCΛ࡞Δ Λ࡞Δ 1. σʔλΛอଘͯ͠ΔύεΛௐ΂Δ(iPhone Explorer౳) 2. JS͔ΒϑΝΠϧಡΈऔΔίʔυΛॻ͘ 3. ϑΝΠϧαΠζऔΕΕ͹੒ޭ 4. ϦϞʔτʹσʔλૹΔίʔυΛॻ͘

  100. ࣮ࡍͷڴҖ͸ʁ ࣮ࡍͷڴҖ͸ʁ Sparrow΋Mailbox΋ڧ͍ݖݶͷWebViewͰಈ࡞ɻ ʮड৴ࡁΈϝʔϧΛશͯ౪Έग़ͤΔ͜ͱ͕ग़དྷΔ੬ऑੑʯ ͩͬͨ

  101. ͦͷޙ ͦͷޙ Mailbox Appͷ໰୊͸मਖ਼͞Εͨ ͦ΋ͦ΋ʮWebViewͷݖݶΛ੍ݶͨ͠΄͏͕ྑ͍ʯͱΞ υόΠε ʮϒϩάهࣄΛగਖ਼ͨ͠΄͏͕ྑ͍ʯͱ΋ΞυόΠε

  102. Dropboxͷ༰ྔ૿͑ͨ 10GB

  103. ࠓ࣌10GB? ͱจ۟ݴͬͨΒ 100GB ૿͑ͨ

  104. ࣗࣾͰͷࣄྫ ࣗࣾͰͷࣄྫ εϚϗΞϓϦதͰͷXSS ࣗ෼ͷϒϩάͰղઆهࣄΛॻ͘ ͔ࣗࣾ͠͠΍άϧʔϓձࣾͷΞϓϦͰಉ౳ͷ໰୊ ಉ͡આ໌Λ܁Γฦ͢೔ʑ oh..

  105. ڞ௨ͯ͠ݴ͑Δ͜ͱ ڞ௨ͯ͠ݴ͑Δ͜ͱ ڧ͍ݖݶΛ࣋ͭWebViewͰͷJavaScript࣮ߦ ։ൃݩ: sandboxͰ੍ݶ͞ΕΔͱओு ࣮ࡍ͸: ϝʔϧͷσʔλϕʔεશ෦ಡΊΔɺiOSͷΞυϨ εாಡΊΔ ։ൃऀ͕ϦεΫΛਖ਼͘͠ೝࣝͰ͖͍ͯͳ͍

  106. ੬ऑੑݟ͚ͭͨΒ ੬ऑੑݟ͚ͭͨΒ Ͳ͜·Ͱѱ༻Ͱ͖Δ͔ௐ΂Δ͜ͱ·Ͱηοτ "JavaScript͕࣮ߦͰ͖Δόά" ͳͷ͔ "ݸਓ৘ใΛ౪Έग़ ͤΔ੬ऑੑ" ͳͷ͔

  107. ࠷ॳ͸ࣗ෼΋ʮͦΜͳ͜ͱͰ͖Μͷʁʁʯͩͬͨ ϓϥοτϑΥʔϜຖʹϦεΫ͸ҟͳΔ ͦͷϓϥοτϑΥʔϜ্ͷόϦόϦݱ໾։ൃऀ͡Όͳ͍ͱ ෼͔Βͳ͍ ͦ͏͍͏ਓ͕ηΩϡϦςΟʹڵຯͳ͍ͱ → ৘ใग़·Θ Βͳ͍ laiso͞Μͱ͍͏ͻͱ͕ௐ΂ͯ͘Εͨ http://d.hatena.ne.jp/laiso+iphone/20111003/1317651353

  108. iOS iOSͷΞυϨεாͷύʔϛο ͷΞυϨεாͷύʔϛο γϣϯ γϣϯ addressbook.sqlitedb iOS5: file:// ͔ΒͰ͋Ε͹ڐՄແ͘ಡΈࠐΊͨ iOS6: ΞϓϦ͕Ұ౓ΞυϨεாΛಡΈࠐΜͩޙͳΒಡΈࠐ Ίͨ iOS7: file:// Ͱ௚઀ΞΫηε͕ෆՄೳʹͳͬͨ

  109. ΞυϨεா௚ಡΈ໰୊ ΞυϨεா௚ಡΈ໰୊ UIWebView্ͷJavaScript͔ΒϩʔΧϧϑΝΠϧ͕ಡΊΔ ͦͷΞϓϦͷυΩϡϝϯτͳΒOK OSͷΞυϨεாͷsqliteϑΝΠϧಡΊΔҙຯ͕Ͳ͜ʹʁ Ξοϓϧʹ໰͍߹ͤͯΈͨΓɻ

  110. ԶʮͳΜͰJavaScript͔ΒΞυϨεுಡΊͪΌ͏ͷʁʯ ΞʮͦΕ͸ΞϓϦଆͷ໰୊Ͱ͢ɺͪ͜ΒͷηΩϡΞίʔ σΟϯάʹؔ͢ΔߨԋಈըΛɾɾɾʯ

  111. ԶʮiOS7 betaͰ͸௚ͬͯΔΈ͍ͨͳΜ͚ͩͲʯ ΞʮiOS7 Ͱ͸SandboxͷڧԽ͕ߦΘΕͯɾɾɾʯ

  112. ׬શͳमਖ਼͸iOS7Ҏ߱

  113. େࣄͳ͜ͱ େࣄͳ͜ͱ Sandbox͕ԿΛอޢ͢Δ΋ͷͳͷ͔ཧղ͢Δ͜ͱ ΞϓϦέʔγϣϯ͝ͱͷϓϩηεͷ෼཭ iOSͷઃܭʹײँ͢Δલʹௐ΂·͠ΐ͏

  114. Sandbox Sandboxͷ໨త͸ ͷ໨త͸ ʮผϓϩηεʯ͔ΒׯবͰ͖ͳ͘͢Δ͜ͱ ࣗ෼ࣗ਎ͷอ͍࣋ͯ͠Δσʔλ͸ଟ͘ͷ৔߹ɺ౰વʹಡΊ Δ

  115. on Android on Android

  116. Android Androidʹ΍΍ݻ༗ͷ໰୊ ʹ΍΍ݻ༗ͷ໰୊ addJavascriptInterfaceͷ໰୊ WebViewΛ࢖͍ͬͯΔΞϓϦͷඇৗʹଟ͕͘ӨڹΛड͚ Δ ࢀߟ: http://ierae.co.jp/uploads/webview.pdf

  117. addJavascriptInterface addJavascriptInterfaceͷ໰ ͷ໰ ୊ͱ͸ ୊ͱ͸ JavaScript͔ΒΞϓϦଆͷؔ਺Λݺͼग़ͨ͢ΊͷϒϦοδ ຊདྷ։ൃऀͷࢦఆͨ͠ϝιου͔͠ݺͼग़ͤͳ͍ͱ͓΋͍ ͖΍ JavaͷϦϑϨΫγϣϯΛ࢖ͬͯ೚ҙͷϝιουݺͼग़͠Մ ೳ

  118. ࢖ͬͯͳ͚Ε͹໰୊ͳ͍ʁ

  119. Androidͷݹ͍όʔδϣϯͰ͸(Android 3 - 4.1) ඪ४ͷWebViewίϯϙʔωϯτ͕σϑΥϧτͰ addJavascriptInterfaceΛ࢖༻ addJavascriptInterface࢖͕֮ͬͨ͑ͳͯ͘΋໰୊͕ى͖ Δ!! WebView૊ΈࠐΜͰΔ͚ͩͰ໰୊͕͋Δ ͜ΓΌେม

  120. ΞϓϦ͕೚ҙͷWebϖʔδΛදࣔͰ͖Δ = ͦͷΞϓϦͷ ݖݶͰ೚ҙίʔυ࣮ߦՄೳ ௨৴͕վ᜵͞Ε͍ͯΔ = ͦͷΞϓϦͷݖݶͰ೚ҙίʔυ ࣮ߦՄೳ ৑ஊΈ͍͚ͨͩͲຊ౰ͷ࿩

  121. ͜ΓΌϚζΠΑ ͜ΓΌϚζΠΑ ࡢ೥຤ʹ໰୊ʹ͍ͭͯௐࠪ ݖݶͷऑ͍ΞϓϦͰ΋: ΞϓϦέʔγϣϯҰཡͷऔಘͳͲ ͕Մೳ ݖݶͷڧ͍ΞϓϦ: ΞυϨεாಡΈࠐΈɺSMSૹ৴ etc

  122. Android Androidͷ҆શੑ ͷ҆શੑ ެʹͳͬͯͳ͍͚ͩ ηΩϡϦςΟؔ܎ऀ͸஌ͬͯΔ ͪΐͬͱௐ΂Ε͹࣮ূίʔυखʹೖΔ

  123. ࣄྫ ࣄྫ WebView࢖ͬͨϒϥ΢βΞϓϦ ͍͔ͭ͘ͷΞϓϦͰݕূ Android4.1ҎԼͰ੬ऑͳ΋ͷ Android4.2Ҏ߱Ͱ΋੬ऑͳ΋ͷ

  124. Android4.1 Android4.1ҎԼͰةݥͳ΋ ҎԼͰةݥͳ΋ ͷ ͷ ΞϓϦ։ൃऀ͸ຆͲѱ͘ͳ͍ ඪ४ͷWebViewΛͦͷ··࢖ͬͯΔ͚ͩͰةݥ ଞͷݖݶঢ֨ܥͷόάͱ૊Έ߹ΘͤΕ͹WebαΠτ։͍ͨ ͚ͩͰ׬શঠѲ

  125. Android4.2 Android4.2Ҏ߱Ͱ΋ةݥͳ Ҏ߱Ͱ΋ةݥͳ ΋ͷ ΋ͷ ͍͔ͭ͘೺Ѳ ϒϥ΢βಠࣗͷػೳ΍֦ுػೳͷͨΊʹɺ addJavascriptInterfaceΛ࢖༻

  126. Android AndroidଆͰͷରԠ ଆͰͷରԠ Android API Level 17 Ͱͷมߋ ࢦఆͨ͠ϝιου͔͠ݺͼग़ͤͳ͍Α͏ʹ͢Δ͜ͱ͕Մೳ ʹ ಈ࡞ର৅σόΠε͕ݶΒΕΔ͜ͱʹͳͬͯ͠·͏ http://commonsware.com/blog/2013/02/18/webview-addjavascriptinterface-change.html http://android-developers.blogspot.jp/2013/02/security-enhancements-in-jelly-bean.html

  127. Android 4.4 Android 4.4 Ͱվળ Ͱվળ ͞Ε͍ͯΔɺ͸ͣ ApplicationͷContextΦϒδΣΫτΛऔಘ͢Δ͜ͱ͕ग़དྷ ͨΫϥε͕ແ͘ͳͬͯΔ ଞʹ΋ൈ͚ಓ͕͋Δ͔΋͠Εͳ͍ [ཁௐࠪ]

  128. WebView WebView࢖ͬͯΕ͹ԿͰ΋ ࢖ͬͯΕ͹ԿͰ΋ ӨڹΛड͚Δ ӨڹΛड͚Δ ޿ࠂ഑৴༻ͷSDK(ຆͲHTMLͩΑͶ) ճઢ͕৴༻ग़དྷͳ͍ঢ়گԼͰ΋҆શʹ͚ͨ͠Ε͹ɺશ௨৴ SSLඞਢʹ

  129. ΞϓϦέʔγϣϯ։ൃऀଆ ΞϓϦέʔγϣϯ։ൃऀଆ ͸Ͳ͏͢΂͖ʁ ͸Ͳ͏͢΂͖ʁ ݹ͍AndroidͰ΋ͳΜͱ͔ग़དྷͳ͍͜ͱ΋ͳ͍ Chrome/Opera͸࣮ࡍʹӨڹड͚ͳ͍(ඪ४WebView࢖ͬ ͯͳ͍͔Β) ಠࣗͰWebKit૊ΈࠐΉͱ͔ɺ͏·͍͜ͱ্ॻ͖͢Δͱ ͔ɻ OSଆͷόάʹͲ͜·Ͱରॲ͢΂͖͔ͱ͍͏໰୊

  130. Өڹ޿ൣ͗͢ΔͷͰOSଆͰରॲͯ͘͠ΕΔͷ͕๬·͍͠ ͕ɾɾɾ ݱ࣮తʹΞοϓσʔτࠔ೉ͳ୺຤͕ଟ਺͋Δ ʮIEͷ໰୊ͩΖʂʂʯͱݴ͍ͭͭରԠ͖ͯͨ͠ྺ࢙ͱࣅͯ Δ

  131. ΞϓϦؒ࿈ܞʹ ΞϓϦؒ࿈ܞʹ ؔ͢Δ໰୊ ؔ͢Δ໰୊

  132. ΞϓϦέʔγϣϯؒ࿈ܞʹ ΞϓϦέʔγϣϯؒ࿈ܞʹ ܎Δ΋ͷ ܎Δ΋ͷ γϯάϧαΠϯΦϯͱ͔ WebαΠτؒ ΞϓϦέʔγϣϯؒ

  133. ೝূɺ ೝূɺOpenID OpenID΍ ΍OAuth OAuthɺ ɺ ϓϥοτϑΥʔϜ ϓϥοτϑΥʔϜSDK SDK ڧ੍తʹೝՄͤͯ͞͠·͏Α͏ͳ΋ͷ ଞਓʹ੒Γ͢·ͯ͠ϩάΠϯग़དྷͯ͠·͏΋ͷ ਖ਼نͷΞϓϦҎ֎ʹڧ੍తʹೝՄͰ͖ͯ͠·͏΋ͷ

  134. OpenID, OAuth OpenID, OAuthͷ ͷCSRF CSRF໰ ໰ ୊ ୊ ϥΠϒϥϦ࢖ͬͯී௨ʹ࣮૷͚ͨͩ͠ɺͰݱঢ়๷͛ͯͳ͍ ໰୊͕͋Δ

  135. Facebook SDK Facebook SDKʹΑΔ΋ͷ ʹΑΔ΋ͷ ͦͷϢʔβʔ༻ͷʮผΞϓϦʯͷΞΫηετʔΫϯΛΞϓ Ϧʹೖྗ ΧελϜURLεΩʔϜͰड͚౉͢ Ϣʔβʔ৘ใऔಘ → ϩάΠϯʹ࢖༻ ѱҙͷ͋ΔΞϓϦ։ൃऀ͕ผΞϓϦʹ੒Γ͢·͠ϩάΠϯ ՄೳʹͳΔ

  136. ରࡦ ରࡦ ʮͦͷΞϓϦ༻ʹൃߦ͞Εͨtoken͔Ͳ͏͔ͷ֬ೝʯ http://oauth.jp/blog/2012/02/08/ios-sdk/

  137. ରࡦ ରࡦ2 2 ΞϓϦέʔγϣϯؒͷભҠΛௐ΂Δ ݺͼग़͠ݩͷΞϓϦΛௐ΂ͯɺݕূ͢Δ ֓Ͷ҆શ ൈ͚ಓ͕͋Δ

  138. ݺͼग़͠ݩͷݕূ ݺͼग़͠ݩͷݕূ: Android : Android ͷέʔε ͷέʔε 2013೥7݄: Android OS ʹ͓͍ͯΞϓϦͷॺ໊ͷݕূ͕ෆ े෼ͳ੬ऑੑ ݹ͍୺຤ + ໺ྑΞϓϦΛߟྀ͢Δ৔߹: package signature ͕ѼʹͳΒͳ͍ ਖ਼نͷΞϓϦʹݶఆ͍ͨ͠ॲཧ͕໺ྑΞϓϦ͔ΒͰ΋ୟ͚ Δ͜ͱʹ

  139. ݺͼग़͠ݩͷݕূ ݺͼग़͠ݩͷݕূ: iOS : iOSͷ ͷ έʔε έʔε openURLͰଞͷΞϓϦέʔγϣϯىಈ ݺͼग़͠ݩΞϓϦͷBundle IDΛऔΕΔ WebView಺ͷϦϯΫΫϦοΫͰ΋෇͍ͪΌ͏Α ೚ҙͷWebϖʔδΛදࣔ͢ΔΑ͏ͳػೳ͕͋ΔͳΒݺͼग़ ͠ݩΞϓϦ৘ใ͸ΞςʹͳΒͳ͍

  140. ѱҙͷ͋ΔΞϓϦΛೖΕͳ͚Ε͹໰୊ ѱҙͷ͋ΔΞϓϦΛೖΕͳ͚Ε͹໰୊ ͳ͍ʁ ͳ͍ʁ ֓Ͷͦͷ௨Γɻ ෆࣗ༝ͳϚʔέοτʹґଘͨ͠ηΩϡϦςΟ App Store, Google Playʹ഑෍ܗଶ͕ݶఆ ͜ͷߟ͑Ͱߦ͘ͱΞϓϦࣗ༝ʹ։ൃ/഑෍Ͱ͖ͳ͍ੈͷத ʹͳͬͯ͠·͏

  141. ͜Ε͔ΒΞϓϦؒ࿈ܞ࡞Δਓ΁ͷΞυ ͜Ε͔ΒΞϓϦؒ࿈ܞ࡞Δਓ΁ͷΞυ όΠε όΠε ॏཁͳॲཧ͸ඞͣϢʔβʔૢ࡞Λհࡏͤͨ͞΄͏͕ྑ͍ ৴༻Ͱ͖ΔΞϓϦಉ࢜ʹݶఆͨͭ͠΋ΓͰ͋ͬͯ΋ ຊ౰ʹݶఆͰ͖ͯΔʁ

  142. ϓϩτίϧϨϕϧͰͷઃܭϛε ϓϩτίϧϨϕϧͰͷઃܭϛε ޙ͔Βํ޲मਖ਼͕ࠔ೉ɻݹ͍όʔδϣϯͷΞϓϦ͕࢒Δͱ ໽հɻ SDKͱͯ͠഑෍ → ݹ͍όʔδϣϯ͕ࢢ৔ʹ࢒Γଓ͚Δ ࠷ॳ͔Βਖ਼͍͠ઃܭࢦ਑Λ࣋ͭ͜ͱ͕େࣄ

  143. ͦΕͰ΋ؒҧ͑ͯ͠·ͬͨΒ ͦΕͰ΋ؒҧ͑ͯ͠·ͬͨΒ όʔδϣϯΞοϓػߏͱద੾ͳΞφ΢ϯε ॲཧΛ׬શʹΞϓϦ಺Ͱ׬݁ͤ͞Δͱةݥ αʔόʔαΠυͰमਖ਼Ͱ͖Δ༨஍Λ࢒͓ͯ͘͠

  144. ։ൃऀͷδϨϯϚ ։ൃऀͷδϨϯϚ ݹ͍όʔδϣϯ͕࢒͍ͬͯΔͷͰৄࡉΛެ։Ͱ͖ͳ͍ security fix ͳͷʹ bug fix ͱࠂ஌ ਂࠁͳόά͸ڧ੍όʔδϣϯΞοϓͷ࢓૊ΈΛɻ αʔόʔଆͰରॲͰ͖ΔΑ͏ͳ࢓૊Έͷ΄͏͕҆શʁ

  145. Mailbox Mailboxͷࣄྫ ͷࣄྫ GmailΛҰ౓Mailboxͷαʔόʔܦ༝Ͱड৴ ͦͷͨΊαʔόʔଆͰͷϑΟϧλͰ΋ରԠͰ͖Δ ͦͷؾʹͳΕ͹ӡӦऀ͔ΒϝʔϧΛ౪ΈݟΔ͜ͱ͕ग़དྷͯ ͠·͏ σʔλ͕Ͳ͜ʹอଘ͍ͯ͠Δͷ͔ᐆດͳੈք

  146. αʔόʔαΠυ͔Β࣮ߦίʔυ͢Βߋ৽Ͱ͖ΔΑ͏ʹͳͬͯ ͍ͨ΄͏͕ ਝ଎ʹόάमਖ਼Ͱ͖Δ͚ΕͲɺ ͦΕ͸ͦΕͰ҆શ͔Ͳ͏͔ͷݕূ΋ෆՄೳͳੈք

  147. εϚϗΞϓϦͷݱঢ় εϚϗΞϓϦͷݱঢ় ݖݶͷڧ͍WebViewʹϦϞʔτͷHTML΍JS͕ಡΈࠐ· ΕΔ ͦͷΞϓϦέʔγϣϯ͕҆શ͔ɺ৴༻Ͱ͖Δ͔ɺ୯ମͰ෼ ͔Βͳ͍ ղੳͯ͠΋ಈతʹड৴͢Διʔεͱηοτ͡Όͳ͍ͱ൑அ Ͱ͖ͳ͍

  148. ୈࡾऀʹΑΔ҆શੑͷ୲อ͕ࠔ೉ Ϣʔβʔ͔Βݟͯ҆શ͔Ͳ͏͔൑அ͕೉͍͠

  149. ҆શͳΞϓϦΛ࡞ΔͨΊʹ ҆શͳΞϓϦΛ࡞ΔͨΊʹ

  150. ͜Ε·Ͱൃݟɺରॲ͖ͯͨ͠ܦݧ͔Β

  151. 1. 1. ࠜຊతͳରࡦΛ ࠜຊతͳରࡦΛ JavaScriptϑΟϧλ͢ΔલʹWebViewͷݖݶམͱͤ

  152. ͜Μͳ;͏ʹߟ͕͑ͪ ͜Μͳ;͏ʹߟ͕͑ͪ JavaScriptΛϑΟϧλ͢Δͷ͕ରࡦ WebViewͷݖݶΛམͱ͢ͷ͕อݥతରࡦɺϑΣΠϧηʔ ϑઃܭ

  153. ॱ൪ٯʹ͠·ͤΜ͔ʁ ॱ൪ٯʹ͠·ͤΜ͔ʁ όά͕͋ͬͯ΋҆શʹ͢Δͷ͕ϑΣΠϧηʔϑ "ద੾ͳݖݶ"Ͱಈ͍ͯͳ͍ͷ͸ɺͦ΋ͦ΋͓͔͍͠

  154. unix unixͷੈք؍Λࢀߟʹ ͷੈք؍Λࢀߟʹ rootݖݶͰԿ΋͔΋ಈ͍ͯΔΑ͏ͳ΋ͷ ద੾ͳݖݶͰಈ͔͢ͷ͕·ͣେલఏ

  155. ϑΝΠϧύʔϛογϣϯ WebͰ͋Ε͹Same origin policy ݪ࢝తͳอޢػߏ͸ރΕͯͯόά΋গͳ͍͜ͱ͕ظ଴Ͱ͖ Δ

  156. 2. 2. ߈ܸγφϦΦͱอޢࢿ࢈Λҙࣝ͢Δ ߈ܸγφϦΦͱอޢࢿ࢈Λҙࣝ͢Δ

  157. ྫ͑͹ ྫ͑͹ Ϣʔβʔ͕ո͍͠WiFi࢖ͬͨ Ϣʔβʔ͕ܞଳి࿩མͱͨ͠ ʮࣗݾ੹೚Ͱ͠ΐʯͱݴ͍͍ͨͱ͜Ζ

  158. SSL SSL࢖͏ͳΒ ࢖͏ͳΒ ճઢ͕৴༻Ͱ͖ͳͯ͘΋҆શʹ͢Δͷ͕໨త ͦͷલఏʹཱͨͳ͚Ε͹ҙຯ͕ແ͍

  159. ҉߸Խ ҉߸Խ ετϨʔδ্ͷ҉߸Խ ղಡ͞ΕΔ·Ͱͷ࣌ؒՔ͗ ෺ཧతʹ౪·Εͯ΋େৎ෉ͳΑ͏ʹ͢Δͷ͕໨త

  160. ྑ͋͘Δέʔε ྑ͋͘Δέʔε Android + WebViewͷ੬ऑੑ ௨৴͕վ᜵͞ΕͯΔ৔߹ʹΞϓϦͷݖݶͰ೚ҙίʔυ࣮ߦ

  161. ِΞΫηεϙΠϯτ໰୊ ِΞΫηεϙΠϯτ໰୊ ಛఆͷSSIDͰࣗಈ઀ଓ͢ΔΑ͏ͳઃఆͷ୺຤͕ඇৗʹଟ ͍ ᠘࢓ֻ͚Α͏ͱࢥ͑͹؆୯

  162. ௨৴վ᜵͞ΕΔͱΫϦςΟΧϧʹͳΔ ௨৴վ᜵͞ΕΔͱΫϦςΟΧϧʹͳΔ έʔε έʔε έʔεόΠέʔε ൑அͰ͖ͳ͔ͬͨΒͱʹ͔͘HTTPS࢖ͬͨ΄͏͕͍͍

  163. ίετͷؔ܎Ͱ೉͍͠৔߹͸ ίετͷؔ܎Ͱ೉͍͠৔߹͸ ը૾΍ಈըͳΒɻ Mozilla ͷ Active/Passive content ൑அΛࢀߟʹ https://developer.mozilla.org/en-US/docs/Security/MixedContent

  164. ͋Δ͍͸ॺ໊΍ϋογϡ஋ͷݕূͱηοτͰHTTPΛ࢖͏ ΞϓϦέʔγϣϯຊମʹݕূॲཧΛ૊ΈࠐΊ͹͍͍

  165. 3. OS 3. OSͷόάͱద౓ʹ޲͖͋͏ ͷόάͱద౓ʹ޲͖͋͏

  166. iOS5,6: ΞϓϦ಺XSSͰOSͷΞυϨεா͕ಡΊΔ Android: ඪ४WebView࢖ͬͯΔΞϓϦશൠ͕ةݥ

  167. ։ൃऀ͸Ͳ͏͢΂͖ͳͷ͔ʁ ։ൃऀ͸Ͳ͏͢΂͖ͳͷ͔ʁ Ϣʔβʔ͸࣮ࡍʹݹ͍όʔδϣϯͷOSΛ࢖ͬͯΔ Ξοϓσʔτࠔ೉ͳ୺຤͕ଟ਺ࢢ৔ʹ࢒͍ͬͯΔ

  168. Web WebαΠτͱεϚϗΞϓϦͷҧ͍ αΠτͱεϚϗΞϓϦͷҧ͍ Webͷ৔߹ geocitiesͰJavaScriptॻ͚ͯ΋ʮ੬ऑੑͩʯͱ͸ݴΘͳ͍ ຊདྷಈ͍ͪΌ͍͚ͳ͍script͕ಈ͔ͤͨΒXSS

  169. εϚϗͷ৔߹ อޢ͢΂͖ػີ৘ใΛ࣋ͨͳ͍ΞϓϦͰ΋ ΞυϨεா͕ಡΊͯ͠·ͬͨΓOSͷػೳΛୟ͚ͨΓ ௨৴͕վ᜵͞Εͨ৔߹ͷӨڹ͕ແࢹͰ͖ͳ͍΄Ͳେ͖͔ͬ ͨΓ

  170. ࣗ෼ͷߟ͑ ࣗ෼ͷߟ͑ ΞϓϦೖΕͯ΋ೖΕͳͯ͘΋ى͜Δ໰୊ͳΒOSͷ໰୊ ͦͷ͏ͪOSଆͷόʔδϣϯΞοϓͰউखʹ҆શʹʁʁ ͋·Γظ଴͠ͳ͍΄͏͕͍͍ ͦͷΞϓϦݻ༗Ͱ૿Ճ͢ΔϦεΫ͸ରॲͨ͠ํ͕͍͍

  171. Өڹͷେ͖͍໰୊͸ݸʑͷΞϓϦ͕ରࡦͯ͘͠Εͳ͍ͱѱ ॥؀ʹͳΔ ެද͞Εͳ͍ → प஌͞Εͳ͍ → ݸਓͷ։ൃऀ͸શ͘஌Β ͳ͍ WebViewʹىҼ͢Δ໰୊ ηΩϡϦςΟؔ܎ऀ͸஌ͬͯΔ͚Ͳ։ൃऀ͕ຆͲ஌Β ͳ͍ͷͰ͸ɻ

  172. Ҏ্

  173. ࣭ٙԠ౴
