Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
超絶技巧CSRF / Shibuya.XSS techtalk #7
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
mala
March 28, 2016
Programming
15k
41
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
超絶技巧CSRF / Shibuya.XSS techtalk #7
CSRF, HTML Form Protocol Attack, Cross-protocol scripting attackについて
mala
March 28, 2016
More Decks by mala
See All by mala
The Evolution of Alert & Notification System / Becks Japan #1
mala
11
9k
TBD/Shibuya.XSS techtalk #8
mala
5
2.8k
実例に学ぶXSS脆弱性の発見と修正方法/line_dm 16 20160916 how to find and fix xss
mala
25
9.6k
How to hack metacpan.org
mala
7
1.4k
SECCON2013 slide
mala
14
3k
Other Decks in Programming
See All in Programming
エンジニア向け会社紹介/Findy Company Profile
findyinc
6
360k
Vite+ Unified Toolchain for the Web
naokihaba
0
410
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
rkaga
4
5.6k
20260623_Loop Engineeringで自分の分身の問い合わせBotを作る
ryugen04
0
110
正しくソフトウェアを作る、前提を疑うための認知の視点 / doubt-premise
minodriven
21
7.2k
Dataformのリポジトリを立ち上げるときにまずやること / dataform-day0-2026
snhryt
0
200
キャリア迷子上等 ─ "ない道"は自分で作ればいい
16bitidol
3
2.7k
技術記事、 専門家としてのプログラマ、 言語化
mizchi
14
7.2k
The ROI of Quarkus for Spring Boot Applications
hollycummins
0
150
The NotImplementedError Problem in Ruby
koic
1
1.1k
任せる範囲はこう広がった / How the Scope of AI Delegation Has Expanded
nrslib
1
220
ローカルLLMを使ってB2Bサービスを作っていての学び
yaotti
0
230
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
31
3.2k
Navigating Team Friction
lara
192
16k
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
400
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
madoxten
62
55k
Building a Modern Day E-commerce SEO Strategy
aleyda
45
9.1k
Six Lessons from altMBA
skipperchong
29
4.3k
End of SEO as We Know It (SMX Advanced Version)
ipullrank
3
4.2k
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
uxyall
1
1.9k
The Cult of Friendly URLs
andyhume
79
6.9k
Practical Orchestrator
shlominoach
191
11k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
How to Think Like a Performance Engineer
csswizardry
28
2.7k
Transcript
$43' NBMB ઈٕ
ࠓͷςʔϚ w $43'ʹ͍ͭͯ w Έͳ͞Μ͝ଘͰ͢ΑͶ w ͋·Γ͍͜͠ͱ͠·ͤΜ
$43'PS943' w DSPTTTJUFSFRVFTUGPSHFSZ w ΫϩεαΠτͰϦΫΤετΛڧ੍͢Δ߈ܸख๏ w 944ͱฒΜͰྑ͘ݟ͔ͭΔ8FCΞϓϦέʔγϣ ϯͷදతͳ੬ऑੑͷҰͭ
Կ͕ग़དྷΔ͔ʁ w ةݥউखʹॻ͖ࠐΈ ͜Μʹͪ͜Μʹͪ w ةݥߴύεϫʔυΛউखʹมߋ w $43'ͰՄೳͳΞΫγϣϯʹΑ༷ͬͯʑ w
୯ͳΔΠλζϥ͔ΒΞΧϯτͬऔΓ·Ͱ
ະͩʹଟ͋͘Δ w 944ਖ਼͍͠ίʔυΛॻ͍͍ͯΕݩʑى͖ͳ ͍ w $43'ରࡦηΩϡϦςΟͷͨΊͷՃͷࢪࡦ w ϑϨʔϜϫʔΫͳͲͰࣗಈԽ͞Εͯͳ͍ͱ࿙ΕΔ w อޢ͖͔͢Ͳ͏͔ͷஅ͕͍͠
$43'ࣄޙରॲʹͳΓ͕ͪ w ·͋ɺͿͬͪΌ͚ܝࣔ൘ͱ͔ථͱ͔ίϝϯτ ػೳͱ͔ࣄޙରॲͰྑ͍ͱࢥ͍·͢ w ॏཁػೳ͕ಉ͡ײ֮ͰࣄޙରॲͩͱϠόΠʂ w ˠϦεΫͷߴ͍$43'ʹ͍ͭͯհ͠·͢
ΞΧϯτͬऔΓ w ةݥͳ$43'ͷදతͳͷ w ύεϫʔυมߋ͕$43'ͰՄೳ w ϝʔϧΞυϨεมߋ͕$43'ͰՄೳ
࿈ܞΞΧϯτՃ w 0"VUI TUBUFύϥϝʔλͬͯͳ͍ w ෳϓϩόΠμͷJEͰϩάΠϯ͕Մೳ w ׂͱ͋Γ͕ͪ
ωοτϫʔΫػثͷ߈ܸ w +7/ϧʔλʔ$43'ͳͲͰάάοͯΈͯͶ
͍ΖΜͳͷʹ$43'͢Δ w $43'Ͱ+40/9.-ΛૹΔ w GPSNFODUZQFUFYUQMBJOΛ͏ w IUUQJUTFDVSJUZDPODFQUTDPN DTSGPOKTPOSFRVFTUT w IUUQQFOUFTUNPOLFZOFUCMPHDTSGYNM
QPTUSFRVFTU
Ԡ༻ <form method="POST" enctype="text/plain" action="http://127.0.0.1:11211"> <textarea name="val"> set hoge 0
1000000 8 hogehoge </textarea> <input type="submit"> </form>
$43'ͰNFNDBDIFEʹॻ͖ࠐΉ <form method="POST" enctype="text/plain" action="http://127.0.0.1:11211"> <textarea name="val"> set hoge 0
1000000 8 hogehoge </textarea> <input type="submit"> </form>
͑ͬʁ w ͍͖ͳΓIUUQͷนΛӽ͑ͯߦ͖·ͨ͠Ͷ w ରԠ͍ͯ͠ͳ͍ίϚϯυແࢹ͞ΕΔ POST / HTTP/1.1 ERROR w
NFNDBDIFEQSPUPDPMͱͯ͠ղऍՄೳͳ෦ͩ ͚ධՁ͞ΕΔɻ
͍ΖΜͳͷʹ$43'͢Δ w $SPTTQSPUPDPMͳSFRVFTUGPSHFSZ w ରԠ͍ͯ͠ͳ͍ίϚϯυΛదٓແࢹͯ͘͠Εͯί ωΫγϣϯΛஅ͠ͳ͍5$1αʔόʔ w ˢ͜͏͍͏ੑ࣭ͷαʔόʔʹ$43'ͰίϚϯυ ൃߦՄೳ
࣮ݹ͔͘Β͋Δ߈ܸख๏ w )5.-'PSN1SPUPDPM"UUBDL w IUUQTXXXKPDIFOUPQGDPNIGQB w 5IJTDBOCFVTFEUPTFOEDPNNBOETUP TFSWFSTVTJOH"4$**CBTFEQSPUPDPMTMJLF
4.51 //51 101 *."1 *3$ BOEPUIFSTz w )5.-ϑΥʔϜ͔Β4.51ʹίϚϯυૹ৴
ৄ͘͠ ͜ͷຊͷষʹॻ͍ͯ͋Δ
ϒϥβଆͰͷରࡦ w $SPTT1SPUPDPMTDSJQUJOHBUUBDL w IUUQXXXBSDIJWFNP[JMMBPSHQSPKFDUTOFUMJC 1PSU#BOOJOHIUNM w Α͘ΒΕ͍ͯΔαʔϏε͕ϒϩοΫ͞Εͨ w XFMMLOPXOͰͳ͍QPSUೖͬͯͳ͍
w ϙʔτมߋͯ͠ͷӡ༻࠷ۙͷ/P42-αʔόʔͳΜ͔ อޢ͞Ε͍ͯͳ͍
αʔόʔଆͰͷରࡦ w ରԠ͍ͯ͠ͳ͍ίϚϯυ͕ૹΒΕͨΒஅ w )551͕ૹΒΕ͖ͯͨΒஅ͢Δ w ͱ͍͏࣮ͷαʔόʔ͋ΔΒ͍͠
8IBU`TOFX w ͱݱͰঢ়گ͕ҟͳ͍ͬͯΔ w ϒϥβ͔ΒϢʔβʔΞΫγϣϯແ͠ͰͷόΠφ Ϧσʔλૹ৴͕Մೳʹͳ͍ͬͯΔ w ੲϑΝΠϧΞοϓϩʔυϓϥάΠϯܦ༝͠ͳ ͚Εແཧͩͬͨ w
ࠓYISTFOE CMPC ͰՄೳ
ࡉ͔͍ w ϑΝΠϧΞοϓϩʔυ͢Δ$43' w 'MBTIͰېࢭ͞Ε͕ͨ9)3MFWFMͰΉ͠Ζॊೈʹͳ͍ͬͯΔ w 'MBTI͔Β'JMF6QMPBE૬ͷ1045ϦΫΤετ DSPTTEPNBJOYNM͕ඞཁ IUUQXXXBEPCFDPNKQEFWOFU qBTIQMBZFSBSUJDMFTGQMBZFS@TFDVSJUZ@DIBOHFTIUNM
w ϩʔΧϧϑΝΠϧΛউखʹΞοϓϩʔυˠવແཧ w NVMUJQBSUGPSNEBUBΛ$43'ˠՄೳ w $034ͷϓϦϑϥΠτର֎
όΠφϦૹΕΔΑ͏ʹ͢Δ w UFYUQMBJOͩͱόΠφϦૹΕͳ͔ͬͨΓ͢Δ ˞ૹ৴͢ΔจࣈίʔυͷൣғͰ͔͠ૹΕͳ͍ɺؒҧͬͯͨΒڭ͑ͯ w NVMUJQBSUGPSNEBUBͰϑΝΠϧૹΕॊೈʹόΠφ Ϧૹ৴Մೳˠͨͩ͠Ϣʔβʔૢ࡞͕ඞཁͩͬͨ w /&8YISTFOE
CMPC ͰόΠφϦૹΕΔΑ͏ʹɻ w ΤϥʔΛదʹແࢹͯ͘͠ΕΕ όΠφϦϓϩτί ϧͰ$43'ͰΕΔ
ͬͱѱ༻͢Δ w NFNDBDIFEʹόΠφϦσʔλΛॻ͖ࠐΉ w SFNPUFDPEFFYFDVUJPOͷFYQMPJU w ΦϒδΣΫτσγϦΞϥΠβΛ௨ͨ͡ίʔυ࣮ ߦ w EFNP
None
Կ͕ग़དྷΔ͔ w σγϦΞϥΠβΛ௨ͨ͠ҙίʔυ࣮ߦ ˠେͷݴޠͰಉ༷ͷ߈ܸख๏͕͋Δ w NFNDBDIFEͷΞυϨε͕طͩͬͨΒҙͷ ΩʔʹҙͷσʔλΛॻ͖ࠐΜͩΓ w ߈ܸ༻ͷσʔλΛૹΓࠐΊ"QQαʔόʔ্Ͱ ҙίʔυ࣮ߦΛҾ͖ى͜͢͜ͱ͕ग़དྷΔ
ύεϫʔυೝূʹΑΔରࡦ w NFNDBDIFEೝূػߏ͕ແ͍ w *1ΞυϨεΠϯλϑΣʔε੍ݶͰೝূػߏΛඋ ͍͑ͯͳ͍ϛυϧΣΞଟ͍ w ೝূ͔͚͓͚ͯ0, ˠਖ਼ղؒҧ͍
ೝূΛಥഁ͢Δ$43' w 3FEJTͩͱύεϫʔυΛ͔͚ΒΕΔ w 3FEJTͷύεϫʔυೝূ BVUINZTFDSFUQBTTXPSE TFULFZWBMVF w ͜ΜͳͷΛૹΕྑ͍͚ͩͳͷͰಥഁՄೳ
ϛυϧΣΞͷύεϫʔυ w ͔͚͓ͯ͘ʹͨ͜͜͠ͱͳ͍͕ w ෦ͷωοτϫʔΫߏͳͲ͕طʹͳΔέʔε ˠιʔείʔυઃఆใ࿙Ӯ͍ͯ͠Δ͜ͱ ఆ͖͢ w ྫ͑ୀ৬ऀ͕෦ใΛώϯτʹݱ৬ࣾһΛ ᠘ʹ͔͚ͯSFNPUFDPEFFYFDVUJPOՄೳ
$43'ͰಥഁͰ͖Δೝূ w ݁ՌͷಡΈऔΓͷඞཁ͕ͳ͍ೝূํࣜͰ͋Εɺ ύεϫʔυΛૹΓ͚ͭΔ͚ͩͳͷͰಥഁՄೳ w νϟϨϯδϨεϙϯεܗࣜͷೝূͰ͋Εಥഁ Ͱ͖ͳ͍ w $43'ͰϦΫΤετͷ݁Ռ͕ಡΊͳ͍ͷͰ
ϛυϧΣΞͷ$43'ରࡦ w "$-͋Δ͔Β҆શͱࢥͬͯ·ͤΜ͔ʁ w ωοτϫʔΫࣗମΛִ͢Δͷ͕ྑ͍ w ִ͢ΔͷͪΌΜͱִɺιʔείʔυ ύεϫʔυ͕طͳΒ߈ܸͰ͖ΔΑ͏ͳͷ ʮୀ৬ऀ͚όοΫυΞʯ
ࠓޙͷͱରࡦ w ϙʔτ੍ݶʹ͍༷͕ͭͯ໌֬Խ͞ΕΔΑ͏ ʹͳͬͨ w IUUQTGFUDITQFDXIBUXHPSHQPSU CMPDLJOH w ͔͠͠XFMMLOPXOͰͳ͍QPSUҾ͖ଓ͖ DSPTTQSPUPDPMBUUBDL͕ՄೳͰ͠ΐ͏
ࠓޙͷͱରࡦ w ෦ωοτϫʔΫ͚ͷ$43'ରࡦ w $034BOE3'$ IUUQTNJLFXFTUHJUIVCJPDPSTSGD w ϒϥβଆͰͷରࡦೖΔ͔
ྨࣅͷ w $SPTTTJUF TDSJQUJOHSFRVFTUGPSHFSZ w TJUFˠQSPUPDPMTJUFˠBQQ w *1$ͷͨΊͷϩʔΧϧαʔόʔΛ࡞ΔΞϓϦ w
ΧελϜεΩʔϜͷϦΫΤετڧ੍ w ϦΫΤετҰํతʹૹΕΔ૬ޓʹೝূ͢Δϓ ϩτίϧʹͳ͍ͬͯΔ͔֬ೝ͠·͠ΐ͏
·ͱΊ w $43'ΛͳΊ͍͚ͯͳ͍ w ʮউखʹॻ͖ࠐΈʯग़དྷΔ͚͕ͩͩ ॻ͖ࠐΈରʹΑͬͯग़དྷΔ͜ͱ͕෯͍ w DSPTTQSPUPDPMͳ$43' YISTFOE
CMPC ͰόΠφϦૹΕΔ w )5.-Ͱػೳ͕૿͑Δˠ߈ܸํ๏ϦεΫ૿Ճ
ऴΘΓ w "OZRVFTUJPOT