Upgrade to Pro — share decks privately, control downloads, hide ads and more …

フロントエンドエンジニアのためのセキュリティ対策 ~XSS編~ / #frontkansai 2019

フロントエンドエンジニアのためのセキュリティ対策 ~XSS編~ / #frontkansai 2019

FRONTEND CONFERENCE 2019( https://2019.kfug.jp )でセキュリティ、主にXSSについて話をしました。
demo: https://shisama.dev/xss-test

# Technical Topics
- 3 types of XSS ( Reflected XSS, Stored XSS, DOM based XSS)
- XSS with React
- DOMPurify
- Content Security Policy
- Trusted Types

Masashi Hirano

November 02, 2019
Tweet

More Decks by Masashi Hirano

Other Decks in Programming

Transcript

  1. Frontend Conference 2019 #frontkansai
    Masashi Hirano @shisama_
    ϑϩϯτΤϯυΤϯδχΞͷͨΊͷ
    ηΩϡϦςΟରࡦ~XSSฤ~

    View full-size slide

  2. ฏ໺ ণ࢜ / Masashi Hirano
    @shisama_
    shisama
    Node.js Core Collaborator
    ؔ੢NodeֶԂOrganizer

    View full-size slide

  3. ͜Μͳਓʹௌ͍ͯ΄͍͠
    • ηΩϡϦςΟʹؔ৺͕͋Δํ
    • XSSʹֶ͍ͭͯͼ͍ͨํ(ॳதڃऀ)
    • WebΤϯδχΞ
    ಛʹϑϩϯτΤϯυΤϯδχΞ

    View full-size slide

  4. Agenda
    • WebͷηΩϡϦςΟಈ޲
    • ੬ऑੑ(XSS)ͷ࢓૊Έͱରࡦ
    • XSSͷجૅ
    • ରࡦ: จࣈྻͷΤεέʔϓ
    • ରࡦ: ϒϥ΢βͷػೳ(CSPɺTrusted Types)
    • ηΩϡϦςΟ΁ͷҙࣝ

    View full-size slide

  5. WebͷηΩϡϦςΟಈ޲

    View full-size slide

  6. https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html

    View full-size slide

  7. https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
    ಧग़݅਺ (2019೥7݄ʙ9݄)

    View full-size slide

  8. https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
    ෼ྨ ݄ʙ݄ ಧग़ड෇։͔࢝Βͷྦྷܭ
    ιϑτ΢ΣΞ੡඼ ݅ ݅
    ΢ΣϒαΠτ ݅ ݅
    ߹ܭ ݅ ݅
    ಧग़݅਺ (2019೥7݄ʙ9݄)

    View full-size slide

  9. https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
    ෼ྨ ݄ʙ݄ ಧग़ड෇։͔࢝Βͷྦྷܭ
    ιϑτ΢ΣΞ੡඼ ݅ ݅
    ΢ΣϒαΠτ ݅ ݅
    ߹ܭ ݅ ݅
    8FC͕ιϑτ΢ΣΞʹ
    ൺ΂ͯഒҎ্ͷಧग़਺
    ಧग़݅਺ (2019೥7݄ʙ9݄)

    View full-size slide

  10. https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
    ΢ΣϒαΠτͷ੬ऑੑͷछྨผͷಧग़







    XSS
    (ΫϩεαΠτɾεΫϦϓςΟϯά)
    DNSͷઃఆෆඋ
    SQLΠϯδΣΫγϣϯ
    HTTPͷෆਖ਼ར༻
    σΟϨΫτϦɾτϥόʔαϧ
    ϑΝΠϧͷޡެ։
    ͦͷଞ

    View full-size slide

  11. https://www.youtube.com/watch?v=DDtM9caQ97I&t=633s

    View full-size slide

  12. https://www.hackerone.com/resources/top-10-vulnerabilities
    HackerOne 2018 Total Report

    View full-size slide

  13. https://blog.cybozu.io/entry/2019/06/20/160000
    Cybozu BugBounty 2018

    View full-size slide

  14. https://www.owasp.org/index.php/Japan
    " ΠϯδΣΫγϣϯ 42-ΠϯδΣΫγϣϯɺίϚϯυΠϯδΣΫγϣϯͳͲ
    " ೝূͷෆඋ Ϣʔβʔͷೝূ৘ใͷ࿙Ӯ
    " ػඍͳ৘ใͷ࿐ग़ ࡒ຿৘ใ΍ݸਓ৘ใͳͲ઄औɺվ͟Μ
    " 9.-֎෦ΤϯςΟςΟࢀর 99&
    ֎෦ΤϯςΟςΟʹΑΔϦϞʔτίʔυͷ࣮ߦͳͲ
    " ΞΫηε੍ޚͷෆඋ ଞͷϢʔβʔͷσʔλ΍ݖݶͷมߋ
    " ෆద੾ͳηΩϡϦςΟઃఆ ҆શͰͳ͍ઃఆʹΑΔ໰୊
    " ΫϩεαΠτεΫϦϓςΟϯά 944
    ϒϥ΢β্ͰͷεΫϦϓτ࣮ߦʹΑΔ৘ใ࿙͍͑ͳͲ
    " ҆શͰͳ͍σγϦΞϥΠθʔγϣϯ ϦϞʔτ͔Βͷίʔυ࣮ߦ
    " ط஌ͷ੬ऑੑͷ͋Δίϯϙʔωϯτͷ࢖༻ ੬ऑੑͷ͋ΔϥΠϒϥϦͳͲʹΑΔ߈ܸ΍ѱӨڹ
    " ෆे෼ͳϩΪϯάͱϞχλϦϯά ϞχλϦϯάͷෆඋʹΑΔ߈ܸݕ஌࿙Ε
    OWASP Top10 2017

    View full-size slide

  15. ͜͜·Ͱͷ·ͱΊ: WebͷηΩϡϦςΟಈ޲
    • ੬ऑੑͷଟ͕͘WebαΠτ͔Βൃੜ͢Δ΋ͷ
    • WebαΠτͷ੬ऑੑͰ࠷΋ଟ͍ͷ͸XSS
    • ಛʹॏେͳϦεΫ͕10ݸ͋Δ

    View full-size slide

  16. XSSͷڴҖ
    • ίϯςϯπͷվ͟Μ
    • ηογϣϯϋΠδϟοΫ
    • ݸਓ৘ใ࿙Ӯ
    ※ҰྫͰ͢

    View full-size slide

  17. YouTubeͷඃ֐ࣄྫ
    • σϚͷϙοϓΞοϓදࣔɺଞαΠτ΁ͷϦμΠϨΫτͳͲ

    View full-size slide

  18. Twitterͷඃ֐ࣄྫ
    • ԕִϋΠδϟοΫʹΑΔϦπΠʔτ౤ߘ

    View full-size slide

  19. KADOKAWAͷඃ֐ࣄྫ
    • վ͟ΜʹΑΔϚϧ΢ΣΞ૊ΈࠐΈɺݸਓ৘ใ͕౪·ΕΔ

    View full-size slide

  20. 3छྨͷXSS
    • Reflected XSS
    • Stored XSS
    • DOM Based XSS

    View full-size slide

  21. ᶃ ߈ܸऀ͕༻ҙͨ͠ϖʔδʹΞΫηε
    Reflected XSS (൓ࣹܕXSS)
    ᶄ εΫϦϓτΛύϥϝʔλʹ
    ͯ͠ର৅αΠτʹભҠ
    alert("XSS") ?token=“”/>alert(“XSS")ᶅ εΫϦϓτ͕
    ຒΊࠐ·ΕͨHTML

    View full-size slide

  22. Reflected XSS (൓ࣹܕXSS)

    alert("XSS")
    ΫΤϦετϦϯάͷ஋Λͦͷ··HTMLʹ൓ө

    View full-size slide

  23. Reflected XSS (൓ࣹܕXSS)

    alert("XSS")
    ΫΤϦετϦϯάͷ஋Λͦͷ··HTMLʹ൓ө

    View full-size slide

  24. ᶃ ϑΥʔϜ͔ΒPOST
    ᶄ POST͞Εͨ
    ஋Λͦͷ··อଘ
    alert(“xss")
    alert(1)
    ᶅ ଞͷϢʔβʔ͕αΠτʹΞΫηε
    ᶆ DBͷ஋ΛHTMLʹ൓ө
    Stored XSS (஝ੵܕXSS)

    View full-size slide

  25. ᶃ ϑΥʔϜ͔ΒPOST
    ᶄ POST͞Εͨ
    ஋Λͦͷ··อଘ
    alert("XSS")
    alert(1)
    ᶅ ଞͷϢʔβʔ͕αΠτʹΞΫηε
    ᶆ DBͷ஋ΛHTMLʹ൓ө
    Stored XSS (஝ੵܕXSS)

    View full-size slide

  26. DOM Based XSS
    const hash = decodeURIComponent(location.hash.slice(1));
    document.querySelector('#result').innerHTML = hash;

    ϩέʔγϣϯϋογϡͷ஋Λ
    JavaScriptͰૠೖ

    View full-size slide

  27. DOM Based XSS
    const hash = decodeURIComponent(location.hash.slice(1));
    document.querySelector('#result').innerHTML = hash;

    ϩέʔγϣϯϋογϡͷ஋Λ
    JavaScriptͰૠೖ

    View full-size slide

  28. DOM Based XSS
    const hash = decodeURIComponent(location.hash.slice(1));
    document.querySelector('#result').innerHTML = hash;
    ιʔε (Source)
    γϯΫ (Sink)
    ୅දతͳSink
    - innerHTML
    - location.href
    - document.write
    - jQuery() ͳͲ
    ୅දతͳSource
    - location.hash
    - location.href
    - document.referrer
    - IndexedDB ͳͲ

    View full-size slide

  29. 3छྨͷXSS
    • Reflected XSS
    • Stored XSS
    • DOM Based XSS
    ࠷ऴతʹ͸ඃ֐ऀͷϒϥ΢β্Ͱ
    JavaScript͕࣮ߦ͞ΕΔ

    View full-size slide

  30. ओͳXSSͷରࡦ
    • ةݥͳจࣈྻͷΤεέʔϓɾ࡟আ
    • ϒϥ΢βͷػೳΛ࢖͏

    View full-size slide

  31. ओͳXSSͷରࡦ
    • ةݥͳจࣈྻͷΤεέʔϓɾ࡟আ
    • ϒϥ΢βͷػೳΛ࢖͏

    View full-size slide

  32. HTMLಛघจࣈͷΤεέʔϓॲཧ
    <br/>cookieHijack()<br/>
    <script>
    cookieHijack()
    </script>
    &
    <
    ม׵લ ม׵ޙ
    >


    &
    <
    >
    "
    '
    Τεέʔϓॲཧ

    View full-size slide

  33. ةݥͳจࣈྻͷ࡟আॲཧ

    ࡟আॲཧ

    View full-size slide

  34. จࣈྻͷΤεέʔϓɾ࡟আॲཧͷ࣮૷
    function sanitizer(str) {
    return str
    .replace(/&/g, "&")
    .replace(/.replace(/>/g, ">")
    .replace(/"/g, """)
    .replace(/'/g, "'")
    ...
    }

    View full-size slide

  35. จࣈྻͷΤεέʔϓɾ࡟আॲཧͷ࣮૷
    function sanitizer(str) {
    return str
    .replace(/&/g, "&")
    .replace(/.replace(/>/g, ">")
    .replace(/"/g, """)
    .replace(/'/g, "'")
    ...
    }
    ࣮૷͢Δ͕େม ςετ΋େม
    ࢓༷࿙Ε͍ͯͳ͍͔ෆ҆

    View full-size slide

  36. ݴޠػೳ΍OSSΛ࢖͏
    • ϓϩάϥϛϯάݴޠ΍ओཁͳϑϨʔϜϫʔΫʹ͸Τεέʔϓػೳ
    Λඋ͍͑ͯΔ
    • Τεέʔϓ༻ͷϥΠϒϥϦ΋ଟ਺ଘࡏ͠·͢

    View full-size slide

  37. https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

    View full-size slide

  38. const App = props => (

    alert(“xss")

    );
    React DOM escapes any values by default

    View full-size slide

  39. const App = props => (

    alert(“xss")

    );
    React DOM escapes any values by default
    944͸ى͖ͳ͍

    View full-size slide

  40. const App = (props) => (

    click me!

    );
    React DOM escapes any values by default

    View full-size slide

  41. const App = (props) => (

    click me!

    );
    React DOM escapes any values by default

    View full-size slide

  42. ReactͷXSS
    • javascript:εΩʔϜͳͲଐੑ஋͸Τεέʔϓ͞Εͳ͍
    • Ϣʔβʔ͕ೖྗͰ͖Ε͹XSS͸ൃੜ͢Δ





    {title}

    View full-size slide

  43. const Link = props => {
    const protocol = new URL(props.url).protocol;
    const safeUrl = /^https?:/.test(protocol) ? props.url : "";
    return {props.children};
    };
    const App = () => {
    const { url, title, onChangeUrl, onChangeTitle } = useInput();
    return (





    {title}

    );
    };

    View full-size slide

  44. const Link = props => {
    const protocol = new URL(props.url).protocol;
    const safeUrl = /^https?:/.test(protocol) ? props.url : "";
    return {props.children};
    };
    const App = () => {
    const { url, title, onChangeUrl, onChangeTitle } = useInput();
    return (





    {title}

    );
    };
    IUUQ·ͨ͸IUUQTϓϩτίϧͷΈڐՄ͢Δ͜ͱ
    ͰɺzKBWBTDSJQUz͔Β࢝·ΔจࣈྻΛແ֐Խ
    click me!

    View full-size slide

  45. https://github.com/facebook/react/pull/15047

    View full-size slide

  46. https://github.com/cure53/DOMPurify

    View full-size slide

  47. $ npm install dompurify
    npm

    CDN
    DOMPurify

    View full-size slide

  48. DOMPurify
    const untrustedStr = location.hash;
    //
    const trustedStr = DOMPurify.sanitize(untrustedHTML);
    $('#foo').innerHTML = trustedStr;
    //

    View full-size slide

  49. DOMPurify
    const untrustedStr = location.hash;
    //
    const trustedStr = DOMPurify.sanitize(untrustedHTML);
    $('#foo').innerHTML = trustedStr;
    //
    MPDBUJPOIBTIͷ஋͕
    ͦͷ··4JOL͞ΕͨΒ
    εΫϦϓτ͕࣮ߦ͞ΕΔ

    View full-size slide

  50. DOMPurify
    const untrustedStr = location.hash;
    //
    const trustedStr = DOMPurify.sanitize(untrustedHTML);
    $('#foo').innerHTML = trustedStr;
    //
    %0.1VSJGZTBOJUJ[FʹΑΓ
    ةݥͳจࣈྻ͚ͩআڈ͞ΕΔ

    View full-size slide

  51. https://developer.cybozu.io/hc/ja/articles/360001038846-DOMPurifyΛ࢖ͬͯ҆શʹDOMΛදࣔ͠Α͏-

    View full-size slide

  52. ओͳXSSͷରࡦ
    • ةݥͳจࣈྻͷΤεέʔϓɾ࡟আ
    • ϒϥ΢βͷػೳΛ࢖͏

    View full-size slide

  53. ϒϥ΢β͸༷ʑͳ੬ऑੑରࡦͷػೳΛඋ͍͑ͯΔ
    X-XSS-Protection
    HttpOnly
    SameSite
    Content Security Policy
    Referer
    Referrer-Policy
    XSS Auditor
    ※ܝࡌ͸Ұ෦
    Fetch Meta

    View full-size slide

  54. https://www.w3.org/TR/CSP2/

    View full-size slide

  55. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

    View full-size slide

  56. https://caniuse.com/#feat=mdn-http_headers_csp_content-security-policy

    View full-size slide

  57. ▼ Response Headers
    content-security-policy: script-src ‘self’ *.trusted.com
    σΟϨΫςΟϒ ιʔε
    • HTTPϨεϙϯεϔομʔʹ௥Ճ͢Δ
    • Ϧιʔεͷऔಘઌ΍εΫϦϓτͷ࣮ߦΛࢦఆͨ͠ιʔεͷΈʹ੍ݶͰ͖Δ
    • script-src ‘self’; img-src *.trusted.comͷ ͷΑ͏ʹෳ਺ઃఆ΋Մೳ
    script-src ‘self’; img-src *.trusted.com
    Content Security Policy

    View full-size slide


  58. Content Security Policy
    • HTMLͷλάͰࢦఆͰ͖ΔͷͰϑϩϯτΤϯυ͚ͩͰ΋࣮૷Մೳ
    • ΑΓઌʹઃఆ͞Εͨ஋ͷ্ॻ͖ෆՄ
    • ΑΓઌʹಡΈࠐ·ΕͨϦιʔε΍εΫϦϓτʹ͸ద༻Ͱ͖ͳ͍
    • Ͱ͸ઃఆͰ͖ͳ͍σΟϨΫςΟϒ͕͋Δ e.g. report-only

    View full-size slide

  59. ▼ Response Headers
    content-security-policy-report-only: script-src ‘self’ *.trusted.com
    report-uri /csp-report
    • ࣮ࡍͷCSPΛద༻ͤͣʹϨϙʔτ͚ͩૹΔ͜ͱ͕Մೳ
    • CSPͰڐՄ͞Ε͍ͯͳ͍৔߹ɺϨϙʔτΛPOST͢Δ
    • CSPͷຊ൪ಋೖલʹӨڹΛ֬ೝ͢Δ͜ͱ͕Մೳ
    • λάͰͷઃఆ͸ෆՄ
    Content-Security-Policy-Report-Only

    View full-size slide

  60. {
    "csp-report": {
    "document-uri": "http://example.com/index.html",
    "referrer": "",
    "blocked-uri": "http://invalid-cdn.com/js/react.js",
    "violated-directive": "script-src self *.trusted.com*",
    "original-policy": "script-src 'self' *.trusted.com; report-uri /csp-report/",
    "disposition": "report"
    }
    }
    Ϩϙʔτͷྫ

    View full-size slide

  61. content-security-policy: script-src ‘self’ *.trusted.com
    : εΫϦϓτͷ࣮ߦ੍ݶ
    : ڐՄ͢ΔιʔεΛࢦఆ
    Content Security Policyͷ஋ʹ͍ͭͯ
    script-src
    ‘self’ *.trusted.com
    Ωʔϫʔυ ϗετ

    View full-size slide

  62. σΟϨΫςΟϒ
    DPOOFDUTSD 9)3ɺ8FC4PDLFUͳͲͷ੍ݶ
    EFGBVMUTSD ଞͷϑΣονσΟϨΫςΟϒͷϑΥʔϧόοΫ
    JNHTSD ը૾ͷಡΈࠐΈઌΛ੍ݶ
    NFEJBTSD BVEJPWJEFPͷಡΈࠐΈઌΛ੍ݶ
    TDSJQUTSD εΫϦϓτͷ࣮ߦ৔ॴΛ੍ݶ
    TUZMFTSD ελΠϧͷద༻৔ॴΛ੍ݶ
    ୅දతͳσΟϨΫςΟϒ(ϑΣονͷҰ෦)

    View full-size slide

  63. content-security-policy: script-src ‘self’

    alert("XSS")

    ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ

    View full-size slide

  64. content-security-policy: script-src ‘self’

    alert("XSS")

    ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ
    ࢦఆ͞Εͨϗετͱҧ͏ͷͰېࢭ

    View full-size slide

  65. content-security-policy: script-src ‘self’

    alert("XSS")

    ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ


    ΠϯϥΠϯεΫϦϓτ͸ېࢭ

    View full-size slide

  66. content-security-policy: script-src ‘self’

    alert("XSS")

    ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ



    Πϕϯτଐੑ΍KBWBTDSJQUͳͲ΋ېࢭ

    View full-size slide

  67. content-security-policy: script-src ‘self’ ‘unsafe-inline’
    ΠϯϥΠϯεΫϦϓτͷڐՄ
    • ΠϯϥΠϯεΫϦϓτΛڐՄ͍ͨ͠৔߹
    • ໊લͷ௨Γunsafe(҆શͰ͸ͳ͍)

    View full-size slide

  68. https://www.w3.org/TR/CSP2/#source-list-valid-nonces
    CSP Lv.2 nonce

    View full-size slide

  69. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
    alert("OK")
    alert(“NG")
    alert("NG")
    OPODFCBTFΤϯίʔυ஋

    View full-size slide

  70. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
    alert("OK")
    alert(“NG")
    alert("NG")
    OPODFͷ஋͕Ұக͍ͯ͠ΔͷͰ࣮ߦΛڐՄ
    OPODFCBTFΤϯίʔυ஋

    View full-size slide

  71. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
    alert("OK")
    alert(“NG")
    alert("NG")
    OPODF஋͕ෆҰக·ͨ͸ະࢦఆͳͷͰ࣮ߦΛېࢭ
    OPODFCBTFΤϯίʔυ஋

    View full-size slide

  72. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
    alert("OK")
    • nonceͷ஋͸αʔόʔଆͰϦΫΤετ͝ͱʹมߋ͢Δ͜ͱ
    • ਪଌ͞Εͳ͍ϥϯμϜͳ஋ʹ͢Δ͜ͱ
    • scriptλάΛಈతʹੜ੒Ͱ͖ͳ͍
    nonceͷ஫ҙ఺

    View full-size slide

  73. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
    <br/>const script = document.createElement('script');<br/>script.src = ‘/static/js/main.js’;<br/>document.head.appendChild(script);<br/>
    CSP Lv.3 strict-dynamic
    QBSTFSJOTFSUFEͰͳ͍TDSJQUͷಈతੜ੒͕Մೳ
    ※parser-inserted = HTMLύʔαʔ΍XMLύʔαʔʹΑͬͯૠೖ͞ΕΔ͜ͱ

    View full-size slide

  74. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
    <br/>const script = document.createElement('script');<br/>script.textContent = location.hash.slice(1);<br/>document.head.appendChild(script);<br/>
    location.hashͷ஋ΛऔΔͱʁ

    View full-size slide

  75. content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
    <br/>const script = document.createElement('script');<br/>script.textContent = location.hash.slice(1);<br/>document.head.appendChild(script);<br/>
    location.hashͷ஋ΛऔΔͱʁ

    View full-size slide

  76. https://w3c.github.io/webappsec-trusted-types/dist/spec/

    View full-size slide

  77. Trusted Types
    URL String
    HTML String
    Script String
    Scritp URL
    TrustedURL
    TrustedHTML
    TrustedScript
    TrustedScriptURL
    TrustedTypes
    จࣈྻΛ҆શͳܕʹม׵ͯ͠ݕূ͢Δ

    View full-size slide

  78. content-security-policy: require-trusted-types-for ‘script’; trusted-types;
    script.textContent = location.hash.slice(1);
    document.head.appendChild(script);
    Trusted Types
    ҆શͳܕͰ͸ͳ͍ͷͰεΫϦϓτ͸࣮ߦ͞Εͳ͍

    View full-size slide

  79. content-security-policy: require-trusted-types-for ‘script’; trusted-types *;
    script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
    <br/>const script = document.createElement('script');<br/>script.textContent = location.hash.slice(1);<br/>document.head.appendChild(script);<br/>

    View full-size slide

  80. content-security-policy: require-trusted-types-for ‘script’; trusted-types *;
    script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
    <br/>const script = document.createElement('script');<br/>script.textContent = location.hash.slice(1);<br/>document.head.appendChild(script);<br/>
    944͸ى͖ͳ͍

    View full-size slide

  81. content-security-policy: require-trusted-types-for ‘script';
    trusted-types my-policy;
    const myPolicy = trustedTypes.createPolicy('my-policy', {
    createHTML: (s) => { return customSanitize(s) },
    createURL: (s) => { /* ΤεέʔϓॲཧͳͲ */ },
    createScript: (s) => { /* εΫϦϓτ಺༰ͷνΣοΫͳͲ */ },
    })
    Trusted Types Policy
    จࣈྻΛ҆શͳܕʹม׵͢ΔϙϦγʔΛੜ੒͢Δ

    View full-size slide

  82. Trusted Types Policy
    ϙϦγʔʹΑͬͯੜ੒͞Εͨܕ͸࣮ߦՄೳʹͳΔ
    const hash = decodeURIComponent(location.hash.slice(1));
    const trustedHtml = myPolicy.createHTML(hash)
    document.body.innerHTML = trustedHtml;
    content-security-policy: require-trusted-types-for ‘script’; trusted-types my-policy;

    View full-size slide

  83. const myPolicy = trustedTypes.createPolicy("my-policy", {
    createHTML: (s) => {
    return DOMPurify.sanitize(s);
    }
    });
    Trusted Types & DOMPurify
    const hash = decodeURIComponent(location.hash.slice(1));
    const trustedHtml = myPolicy.createHTML(hash)
    document.body.innerHTML = trustedHtml;


    View full-size slide

  84. https://github.com/w3c/webappsec-trusted-types/pull/205
    5SVTUFE5ZQFTUSVTUFE5ZQFTʹϦωʔϜ͞Εͨ

    View full-size slide

  85. https://www.chromestatus.com/feature/5650088592408576
    Chrome 83 ͔Β͸σϑΥϧτͰ༗ޮ

    View full-size slide

  86. chrome://flags/#enable-experimental-web-platform-features
    ΋͠$ISPNFҎԼΛ࢖͍ͬͯΔ৔߹

    View full-size slide

  87. src="https://w3c.github.io/webappsec-trusted-types/dist/es5/trustedtypes.build.js"
    data-csp="trusted-types my-policy“>
    <br/>trustedTypes.createPolicy('my-policy', ...);<br/>trustedTypes.createPolicy('unknown', ...); // throws<br/>document.body.innerHTML = 'foo'; // throws<br/>Trusted Types Polyfill<br/>npm<br/>CDN<br/>$ npm install trusted-types<br/>import {tt} from 'trusted-types'<br/>tt.createPolicy('my-policy', ...);<br/>

    View full-size slide

  88. • Demo Page: https://shisama.dev/xss-test/
    • GitHub: https://github.com/shisama/xss-test/
    • DOM Based XSS
    • CSP
    • Trusted Types
    ※devToolsͷconsoleΛ։͖ͳ͕Β֬ೝ͍ͯͩ͘͠͞

    View full-size slide

  89. https://github.com/facebook/react/pull/16157/

    View full-size slide

  90. ͜͜·Ͱͷ·ͱΊ: XSS
    • XSS͸ϒϥ΢βͰεΫϦϓτΛ࣮ߦ͢Δ߈ܸख๏
    • ೖྗ͞ΕͨจࣈྻͷΤεέʔϓͰରࡦՄೳ
    • ϒϥ΢βͷػೳͰରࡦՄೳ
    • CSP΍Trusted TypesͰΑΓ҆શʹXSSΛ๷͙͜ͱ͕Մೳ

    View full-size slide

  91. ηΩϡϦςΟ΁ͷҙࣝ

    View full-size slide

  92. https://www.amazon.co.jp/dp/4797393165

    View full-size slide

  93. https://www.amazon.co.jp/dp/4797393165
    “੬ऑੑͱ͸ɺʮѱ༻Ͱ͖Δόάʯ”
    ʰମܥతʹֶͿ ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํ ୈ̎൛ʱ ಙؙ ߒ (ஶ)

    View full-size slide

  94. ੬ऑੑ͸όάͰ͋Δͱ͍͏ҙࣝΛ࣋ͭ
    • ཁ݅ఆٛ΍࢓༷ࡦఆͰηΩϡϦςΟʹؔͯ͠FIX͢Δ
    • ػೳςετ͚ͩͰͳ͘ηΩϡϦςΟςετΛߦ͏
    • ੬ऑੑ(όά)͕ݟ͔ͭΕ͹؅ཧͯ͠༏ઌ౓Λ͚ͭΔ

    View full-size slide

  95. ୭͠΋͕
    ηΩϡϦςΟͷΤΩεύʔτͰ͸ͳ͍

    View full-size slide

  96. ͲͷΑ͏ʹ੬ऑੑΛ֬ೝ͢Ε͹Α͍͔

    View full-size slide

  97. https://www.ipa.go.jp/security/vuln/websecurity.html

    View full-size slide

  98. ʰ҆શͳ΢ΣϒαΠτͷ࡞ΓํʱνΣοΫϦετͰ͸͡ΊΔ

    View full-size slide

  99. • ֤੬ऑੑʹର͢Δʮࠜຊతղܾʯʮอݥతղܾʯ͕هࡌ͞Ε͍ͯΔ

    View full-size slide

  100. ҎԼͷ੬ऑੑ͕هࡌ͞Ε͍ͯΔ
    • ̍ʣ SQL ΠϯδΣΫγϣϯ
    • ̎ʣ OS ίϚϯυɾΠϯδΣΫγϣϯ
    • ̏ʣ ύε໊ύϥϝʔλͷະνΣοΫʗ
    σΟϨΫτϦɾτϥόʔαϧ
    • ̐ʣ ηογϣϯ؅ཧͷෆඋ
    • ̑ʣ ΫϩεαΠτɾεΫϦϓςΟϯά
    • ̒ʣ CSRFʢΫϩεαΠτɾϦΫΤετɾ
    ϑΥʔδΣϦʣ
    • ̓ʣ HTTP ϔομɾΠϯδΣΫγϣϯ
    • ̔ʣ ϝʔϧϔομɾΠϯδΣΫγϣ
    ϯ
    • ̕ʣ ΫϦοΫδϟοΩϯά
    • ̍̌ʣόοϑΝΦʔόʔϑϩʔ
    • ̍̍ʣΞΫηε੍ޚ΍ೝՄ੍ޚͷܽ

    View full-size slide

  101. ηΩϡϦςΟνΣοΫʹ࢖͑Δ΋ͷҰྫ
    • Ϧετ
    • ΢Σϒ݈߁਍அ࢓༷
    • OWASP Cheat Sheet Series
    • HTML5 Security Cheat Sheet
    • πʔϧ
    • OWASP ZAP
    • Vuls
    • VAddy

    View full-size slide

  102. جຊతͳ੬ऑੑͷ

    νΣοΫ΍ରࡦ͸Ͱ͖Δ

    View full-size slide

  103. όάΛະવʹ๷͗ɺ
    ൃݟͨ͠Β؅ཧ͠վम͠Α͏
    “੬ऑੑͱ͸ɺʮѱ༻Ͱ͖Δόάʯ”

    View full-size slide

  104. ·ͱΊ
    • ࠷΋ଟ͍੬ऑੑ͸XSS
    • XSSରࡦʹ͸จࣈྻΛΤεέʔϓ͢Δ
    • ϒϥ΢β͸CSPͳͲ੬ऑੑରࡦͷػೳΛඋ͍͑ͯΔ
    • ੬ऑੑ͸όάͱ͍͏ҙࣝΛ࣋ͭ͜ͱ

    View full-size slide

  105. ࢀߟ
    • ͦΖͦΖCSP Lv.2 nonce΍Ζ͏ - teppeis blog
    • Masato Kinugawa Security Blog: CVE-2018-5175: FirefoxͰCSPͷstrict-dynamic
    όΠύε
    • ҆શͳจࣈྻͰ͋ΔͱܕͰݕূ͢Δ Trusted Types ʹ͍ͭͯ - Jxck
    • Avoiding XSS in React is Still Hard - javascript-security - Medium
    • Securing Web Apps with Modern Platform Features (Google I/O ’19)

    View full-size slide

  106. Thanks.
    @shisama_
    shisama

    View full-size slide