$30 off During Our Annual Pro Sale. View Details »

超絶技巧CSRF / Shibuya.XSS techtalk #7

mala
March 28, 2016
Programming
40
14k

超絶技巧CSRF / Shibuya.XSS techtalk #7

CSRF, HTML Form Protocol Attack, Cross-protocol scripting attackについて

mala

March 28, 2016
Tweet

More Decks by mala

See All by mala
The Evolution of Alert & Notification System / Becks Japan #1
mala
11
8.3k
TBD/Shibuya.XSS techtalk #8
mala
5
2.3k
実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss
mala
25
8.9k
How to hack metacpan.org
mala
7
1.2k
SECCON2013 slide
mala
14
2.7k

Other Decks in Programming

See All in Programming
コンピュータグラフィクスの空
fadis
5
1.3k
Hono v3 and v4
yusukebe
4
2.6k
DMMプラットフォームにおけるコード品質を改善する取り組みの理想と現実
pospome
3
1.8k
LLMを使ったアプリケーション開発の基本とLangChain超入門
os1ma
16
6.5k
Postman CLI で Integration Test
codemountains
1
300
Open Source - A Journey of Contribution and Collaboration
ivargrimstad
0
730
Scala Left Fold Parallelisation - Three Approaches
philipschwarz
PRO
0
270
ユーザー登録とログインフォームにautocomplete属性を使いましょう
ivanova1991
2
1.7k
ちょうぜつ本の紹介 (クリーンアーキテクチャとパッケージ原則)
suzukimar
0
270
Expert Tech Talk!〜ニフティスペシャリスト対談〜 - NIFTY Tech Day 2023
niftycorp
0
120
GoにおけるCall Graphを用いた 大規模コードベースの影響調査
ffjlabo
0
110
ChatGPTをソフトウェア開発に活用する
fbei_ot
0
130

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
323
20k
Embracing the Ebb and Flow
colly
77
3.9k
Why Our Code Smells
bkeepers
PRO
329
56k
Being A Developer After 40
akosma
52
580k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
318
20k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
500
140k
Documentation Writing (for coders)
carmenintech
55
3.5k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
215
12k
4 Signs Your Business is Dying
shpigford
172
21k
Done Done
chrislema
178
15k
What's in a price? How to price your products and services
michaelherold
236
10k

Transcript

  1. $43'
    NBMB
    ௒ઈٕ޼

    View Slide

  2. ࠓ೔ͷςʔϚ
    w $43'ʹ͍ͭͯ
    w Έͳ͞Μ͝ଘ஌Ͱ͢ΑͶ
    w ͋·Γ೉͍͜͠ͱ͸࿩͠·ͤΜ

    View Slide

  3. $43'PS943'
    w DSPTTTJUFSFRVFTUGPSHFSZ
    w ΫϩεαΠτͰϦΫΤετΛڧ੍͢Δ߈ܸख๏
    w 944ͱฒΜͰྑ͘ݟ͔ͭΔ8FCΞϓϦέʔγϣ
    ϯͷ୅දతͳ੬ऑੑͷҰͭ

    View Slide

  4. Կ͕ग़དྷΔ͔ʁ
    w ةݥ౓௿উखʹॻ͖ࠐΈ ͜Μʹͪ͸͜Μʹͪ͸

    w ةݥ౓ߴύεϫʔυΛউखʹมߋ
    w $43'ͰՄೳͳΞΫγϣϯʹΑ༷ͬͯʑ
    w ୯ͳΔΠλζϥ͔ΒΞΧ΢ϯτ৐ͬऔΓ·Ͱ

    View Slide

  5. ະͩʹଟ͋͘Δ
    w 944͸ਖ਼͍͠ίʔυΛॻ͍͍ͯΕ͹ݩʑى͖ͳ
    ͍
    w $43'ରࡦ͸ηΩϡϦςΟͷͨΊͷ௥Ճͷࢪࡦ
    w ϑϨʔϜϫʔΫͳͲͰࣗಈԽ͞Εͯͳ͍ͱ࿙ΕΔ
    w อޢ͢΂͖͔Ͳ͏͔ͷ൑அ͕೉͍͠

    View Slide

  6. $43'͸ࣄޙରॲʹͳΓ͕ͪ
    w ·͋ɺͿͬͪΌ͚ܝࣔ൘ͱ͔౤ථͱ͔ίϝϯτ
    ػೳͱ͔͸ࣄޙରॲͰྑ͍ͱࢥ͍·͢
    w ॏཁػೳ͕ಉ͡ײ֮ͰࣄޙରॲͩͱϠόΠʂ
    w ˠϦεΫͷߴ͍$43'ʹ͍ͭͯ঺հ͠·͢

    View Slide

  7. ΞΧ΢ϯτ৐ͬऔΓ
    w ةݥͳ$43'ͷ୅දతͳ΋ͷ
    w ύεϫʔυมߋ͕$43'ͰՄೳ
    w ϝʔϧΞυϨεมߋ͕$43'ͰՄೳ

    View Slide

  8. ࿈ܞΞΧ΢ϯτ௥Ճ
    w 0"VUITUBUFύϥϝʔλ࢖ͬͯͳ͍
    w ෳ਺ϓϩόΠμͷJEͰϩάΠϯ͕Մೳ
    w ׂͱ͋Γ͕ͪ

    View Slide

  9. ωοτϫʔΫػث΁ͷ߈ܸ
    w +7/ϧʔλʔ$43'ͳͲͰάάοͯΈͯͶ

    View Slide

  10. ͍ΖΜͳ΋ͷʹ$43'͢Δ
    w $43'Ͱ+40/΍9.-ΛૹΔ
    w GPSNFODUZQFUFYUQMBJOΛ࢖͏
    w IUUQJUTFDVSJUZDPODFQUTDPN
    DTSGPOKTPOSFRVFTUT
    w IUUQQFOUFTUNPOLFZOFUCMPHDTSGYNM
    QPTUSFRVFTU

    View Slide

  11. Ԡ༻
    action="http://127.0.0.1:11211">

    set hoge 0 1000000 8
    hogehoge



    View Slide

  12. $43'ͰNFNDBDIFEʹॻ͖ࠐΉ
    action="http://127.0.0.1:11211">

    set hoge 0 1000000 8
    hogehoge



    View Slide

  13. ͑ͬʁ
    w ͍͖ͳΓIUUQͷนΛӽ͑ͯߦ͖·ͨ͠Ͷ
    w ରԠ͍ͯ͠ͳ͍ίϚϯυ͸ແࢹ͞ΕΔ
    POST / HTTP/1.1
    ERROR
    w NFNDBDIFEQSPUPDPMͱͯ͠ղऍՄೳͳ෦෼ͩ
    ͚ධՁ͞ΕΔɻ

    View Slide

  14. ͍ΖΜͳ΋ͷʹ$43'͢Δ
    w $SPTTQSPUPDPMͳSFRVFTUGPSHFSZ
    w ରԠ͍ͯ͠ͳ͍ίϚϯυΛదٓແࢹͯ͘͠Εͯί
    ωΫγϣϯΛ੾அ͠ͳ͍5$1αʔόʔ
    w ˢ͜͏͍͏ੑ࣭ͷαʔόʔʹ͸$43'ͰίϚϯυ
    ൃߦՄೳ

    View Slide

  15. ࣮͸ݹ͔͘Β͋Δ߈ܸख๏
    w )5.-'PSN1SPUPDPM"UUBDL ೥

    w IUUQTXXXKPDIFOUPQGDPNIGQB
    w 5IJTDBOCFVTFEUPTFOEDPNNBOETUP
    TFSWFSTVTJOH"4$**CBTFEQSPUPDPMTMJLF
    4.51 //51 101 *."1 *3$ BOEPUIFSTz
    w )5.-ϑΥʔϜ͔Β4.51ʹίϚϯυૹ৴

    View Slide

  16. ৄ͘͠͸
    ͜ͷຊͷষʹॻ͍ͯ͋Δ

    View Slide

  17. ϒϥ΢βଆͰͷରࡦ
    w $SPTT1SPUPDPMTDSJQUJOHBUUBDL
    w IUUQXXXBSDIJWFNP[JMMBPSHQSPKFDUTOFUMJC
    1PSU#BOOJOHIUNM
    w Α͘஌ΒΕ͍ͯΔαʔϏε͕ϒϩοΫ͞Εͨ
    w XFMMLOPXOͰ͸ͳ͍QPSU͸ೖͬͯͳ͍
    w ϙʔτมߋͯ͠ͷӡ༻΍࠷ۙͷ/P42-αʔόʔͳΜ͔
    ͸อޢ͞Ε͍ͯͳ͍

    View Slide

  18. αʔόʔଆͰͷରࡦ
    w ରԠ͍ͯ͠ͳ͍ίϚϯυ͕ૹΒΕͨΒ੾அ
    w )551͕ૹΒΕ͖ͯͨΒ੾அ͢Δ
    w ͱ͍͏࣮૷ͷαʔόʔ΋͋ΔΒ͍͠

    View Slide

  19. 8IBU`TOFX
    w ೥ͱݱ୅Ͱ΍΍ঢ়گ͕ҟͳ͍ͬͯΔ
    w ϒϥ΢β͔ΒϢʔβʔΞΫγϣϯແ͠ͰͷόΠφ
    Ϧσʔλૹ৴͕Մೳʹͳ͍ͬͯΔ
    w ੲϑΝΠϧΞοϓϩʔυ΍ϓϥάΠϯܦ༝͠ͳ
    ͚Ε͹ແཧͩͬͨ
    w ࠓYISTFOE CMPC
    ͰՄೳ

    View Slide

  20. ࡉ͔͍࿩
    w ϑΝΠϧΞοϓϩʔυ͢Δ$43'
    w 'MBTIͰېࢭ͞Ε͕ͨ9)3MFWFMͰΉ͠Ζॊೈʹͳ͍ͬͯΔ
    w 'MBTI͔Β'JMF6QMPBE૬౰ͷ1045ϦΫΤετ͸
    DSPTTEPNBJOYNM͕ඞཁ IUUQXXXBEPCFDPNKQEFWOFU
    qBTIQMBZFSBSUJDMFTGQMBZFS@TFDVSJUZ@DIBOHFTIUNM

    w ϩʔΧϧϑΝΠϧΛউखʹΞοϓϩʔυˠ౰વແཧ
    w NVMUJQBSUGPSNEBUBΛ$43'ˠՄೳ
    w $034ͷϓϦϑϥΠτର৅֎

    View Slide

  21. όΠφϦ΋ૹΕΔΑ͏ʹ͢Δ
    w UFYUQMBJOͩͱόΠφϦૹΕͳ͔ͬͨΓ͢Δ

    ˞ૹ৴͢ΔจࣈίʔυͷൣғͰ͔͠ૹΕͳ͍ɺؒҧͬͯͨΒڭ͑ͯ

    w NVMUJQBSUGPSNEBUBͰϑΝΠϧૹΕ͹ॊೈʹόΠφ
    Ϧૹ৴Մೳˠͨͩ͠Ϣʔβʔૢ࡞͕ඞཁͩͬͨ
    w /&8YISTFOE CMPC
    ͰόΠφϦ΋ૹΕΔΑ͏ʹɻ
    w ΤϥʔΛద౓ʹແࢹͯ͘͠ΕΕ͹
    όΠφϦϓϩτί
    ϧͰ΋$43'Ͱ஻ΕΔ

    View Slide

  22. ΋ͬͱѱ༻͢Δ
    w NFNDBDIFEʹόΠφϦσʔλΛॻ͖ࠐΉ
    w SFNPUFDPEFFYFDVUJPOͷFYQMPJU
    w ΦϒδΣΫτσγϦΞϥΠβΛ௨ͨ͡ίʔυ࣮
    ߦ
    w EFNP

    View Slide

  23. View Slide

  24. Կ͕ग़དྷΔ͔
    w σγϦΞϥΠβΛ௨ͨ͠೚ҙίʔυ࣮ߦ

    ˠେ൒ͷݴޠͰಉ༷ͷ߈ܸख๏͕͋Δ
    w NFNDBDIFEͷΞυϨε͕ط஌ͩͬͨΒ೚ҙͷ
    Ωʔʹ೚ҙͷσʔλΛॻ͖ࠐΜͩΓ
    w ߈ܸ༻ͷσʔλΛૹΓࠐΊ͹"QQαʔόʔ্Ͱ
    ೚ҙίʔυ࣮ߦΛҾ͖ى͜͢͜ͱ͕ग़དྷΔ

    View Slide

  25. ύεϫʔυೝূʹΑΔରࡦ
    w NFNDBDIFE͸ೝূػߏ͕ແ͍
    w *1ΞυϨε΍ΠϯλϑΣʔε੍ݶͰೝূػߏΛඋ
    ͍͑ͯͳ͍ϛυϧ΢ΣΞ΋ଟ͍
    w ೝূ͔͚͓͚ͯ͹0, ˠ൒෼ਖ਼ղ൒෼ؒҧ͍

    View Slide

  26. ೝূΛಥഁ͢Δ$43'
    w 3FEJTͩͱύεϫʔυΛ͔͚ΒΕΔ
    w 3FEJTͷύεϫʔυೝূ
    BVUINZTFDSFUQBTTXPSE

    TFULFZWBMVF
    w ͜ΜͳͷΛૹΕ͹ྑ͍͚ͩͳͷͰಥഁՄೳ

    View Slide

  27. ϛυϧ΢ΣΞͷύεϫʔυ
    w ͔͚͓ͯ͘ʹͨ͜͜͠ͱ͸ͳ͍͕
    w ಺෦ͷωοτϫʔΫߏ੒ͳͲ͕ط஌ʹͳΔέʔε

    ˠιʔείʔυ΍ઃఆ৘ใ΋࿙Ӯ͍ͯ͠Δ͜ͱ΋
    ૝ఆ͢΂͖
    w ྫ͑͹ୀ৬ऀ͕಺෦৘ใΛώϯτʹݱ৬ࣾһΛ
    ᠘ʹ͔͚ͯSFNPUFDPEFFYFDVUJPOՄೳ

    View Slide

  28. $43'ͰಥഁͰ͖Δೝূ
    w ݁ՌͷಡΈऔΓͷඞཁ͕ͳ͍ೝূํࣜͰ͋Ε͹ɺ
    ύεϫʔυΛૹΓ͚ͭΔ͚ͩͳͷͰಥഁՄೳ
    w νϟϨϯδϨεϙϯεܗࣜͷೝূͰ͋Ε͹ಥഁ
    Ͱ͖ͳ͍
    w $43'Ͱ͸ϦΫΤετͷ݁Ռ͕ಡΊͳ͍ͷͰ

    View Slide

  29. ϛυϧ΢ΣΞ΁ͷ$43'ରࡦ
    w "$-͋Δ͔Β҆શͱࢥͬͯ·ͤΜ͔ʁ
    w ωοτϫʔΫࣗମΛִ཭͢Δͷ͕ྑ͍
    w ִ཭͢Δ΋ͷ͸ͪΌΜͱִ཭ɺιʔείʔυ΍
    ύεϫʔυ͕ط஌ͳΒ߈ܸͰ͖ΔΑ͏ͳͷ͸

    ʮୀ৬ऀ޲͚όοΫυΞʯ

    View Slide

  30. ࠓޙͷ܏޲ͱରࡦ
    w ϙʔτ੍ݶʹ͍ͭͯ͸࢓༷͕໌֬Խ͞ΕΔΑ͏
    ʹͳͬͨ
    w IUUQTGFUDITQFDXIBUXHPSHQPSU
    CMPDLJOH
    w ͔͠͠XFMMLOPXOͰͳ͍QPSU͸Ҿ͖ଓ͖

    DSPTTQSPUPDPMBUUBDL͕ՄೳͰ͠ΐ͏

    View Slide

  31. ࠓޙͷ܏޲ͱରࡦ
    w ಺෦ωοτϫʔΫ޲͚ͷ$43'ରࡦ
    w $034BOE3'$

    IUUQTNJLFXFTUHJUIVCJPDPSTSGD
    w ϒϥ΢βଆͰͷରࡦ΋ೖΔ͔΋

    View Slide

  32. ྨࣅͷ໰୊
    w $SPTTTJUF TDSJQUJOHSFRVFTUGPSHFSZ

    w TJUFˠQSPUPDPMTJUFˠBQQ
    w *1$ͷͨΊͷϩʔΧϧαʔόʔΛ࡞ΔΞϓϦ
    w ΧελϜεΩʔϜ΁ͷϦΫΤετڧ੍
    w ϦΫΤετ͸ҰํతʹૹΕΔ૬ޓʹೝূ͢Δϓ
    ϩτίϧʹͳ͍ͬͯΔ͔֬ೝ͠·͠ΐ͏

    View Slide

  33. ·ͱΊ
    w $43'ΛͳΊͯ͸͍͚ͳ͍
    w ʮউखʹॻ͖ࠐΈʯग़དྷΔ͚͕ͩͩ

    ॻ͖ࠐΈର৅ʹΑͬͯ͸ग़དྷΔ͜ͱ͕෯޿͍
    w DSPTTQSPUPDPMͳ$43'

    YISTFOE CMPC
    ͰόΠφϦૹΕΔ
    w )5.-Ͱػೳ͕૿͑Δˠ߈ܸํ๏΍ϦεΫ૿Ճ

    View Slide

  34. ऴΘΓ
    w "OZRVFTUJPOT

    View Slide