セキュリティ・ミニキャンプ in 中国2017（広島）Webアプリケーション脆弱性診断入門

8FC،فٔ؛٦ءّٝ 腚䓲䚍鏺倖ⰅꟌ ηΩϡϦςΟɾϛχΩϟϯϓ޿ౡ ৿ాߒฏ !NSUD

੬ऑੑͱ͸Կ͔ w ίϯϐϡʔλͷ04΍ιϑτ΢ΣΞʹ͓͍ͯɺϓϩάϥϜͷෆ۩߹΍ઃܭ্ͷϛε͕ݪ Ҽͱͳͬͯൃੜͨ͠৘ใηΩϡϦςΟ্ͷܽؕ w IUUQXXXTPVNVHPKQNBJO@TPTJLJKPIP@UTVTJOTFDVSJUZCBTJDSJTL IUNM w ཁ͸ѱ༻Մೳͳόά w
8FCαΠτͷ಺༰Λॻ͖׵͑Δ w ൿಗ͢΂͖৘ใͷ࿙Ӯ w νʔτɺ੒Γ͢·͠ͳͲ w ଞਓ΋͘͠͸αʔϏεʹة֐ΛՃ͑Δ͜ͱ͕Ͱ͖Δ w ৴༻ΛࣦͬͨΓɺۚમతଛࣦͷิరͳͲ

എܠ w 8FCશ੝ظ w ͋ΒΏΔ͜ͱ͕8FCͰ΍ΓऔΓ͞Ε͍ͯΔ w ෳࡶԽ͢Δ8FC w ཚཱ͢ΔϑϨʔϜϫʔΫ w
&MFDUSPO΍3FBDU/BUJWFͷొ৔ w Ռͨͯ͠ੈͷதͷ8FCΞϓϦέʔγϣϯ͸҆શ͔ʁ

എܠ w 8FCΞϓϦέʔγϣϯϑϨʔϜϫʔΫ΍ϒϥ΢βɺ8FCͷ࢓༷ͳ ͲʹΑΔอޢ w ࣗ໌ͳ΋ͷ͸๷͍Ͱ͘ΕΔ 944 42-*OKFDUJPO $43'
w શ෦๷͍Ͱ͘ΕΔΘ͚Ͱ͸ͳ͍ w ϨʔϧΛ֎ΕΔͱ੬ऑੑΛ࡞ΓࠐΜͰ͠·͍͕ͪ w ੈͷதͷ8FCΞϓϦέʔγϣϯͷඪ४͸௿͍

ηΩϡΞͳΞϓϦέʔγϣϯΛ࡞ΔͨΊʹ w ੬ऑੑΛ஌Δ w ͜ͷػೳΛ࣮૷͢Δͱ͖͸ɺ͜ͷ੬ऑੑʹؾΛ͚ͭΔ w ߈ܸऀ໨ઢͰ࣮૷΍ςετΛߦ͏ w ͜ͷೖྗ஋ΛೖΕΔͱେৎ෉ͩΖ͏͔ʁ w
ݖݶ͸ద੾ʹઃఆ͞Ε͍ͯΔͩΖ͏͔ʁ

ࠓ೔ͷΰʔϧ w ੬ऑͳ8FCΞϓϦέʔγϣϯͷ਍அΛ௨ͯ͠ ˖ וך歗꬗堣腉דוְֲ׏׋腚䓲䚍ָ欰ׄ׷ַ׾濼׷ ˖ 腚䓲䚍ך⾱椚׾濼׶ծ䕦갟׾罋ִ׷ ˖ 呎劤涸㼎瘻ה⥂ꤹ涸㼎瘻חאְג㷕ע

஫ҙࣄ߲ ˖ 盖鱥㢩ך،فٔ؛٦ءّٝח窫㼎余䷼׃זְ w #VH#PVOUZ੍౓ w IBDLFSPOFɿIUUQTXXXIBDLFSPOFDPN w $ZCP[V੬ऑੑใ঑੍ۚ౓ w
΋͠ݟ͚ͭͨΒ*1"ʹใࠂ͠Α͏ w IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSU

8FC੬ऑੑجૅ

)551 (&5QBUIUPJOEFYIUNM )5510, ϦΫΤετ Ϩεϙϯε

)551௨৴ΛݟΔ w ৭ʑखஈ͸͋Γ·͢ w %FW5PPMTʢ։ൃऀπʔϧʣ͕खܰ w ϩʔΧϧϓϩΩγ w 08"41;"1 'JEEMFS
#VSQ4VJUF w ͜͜Ͱ͸#VSQ4VJUFΛ࢖͍·͢

#VSQ4VJUF ΫϥΠΞϯτϚγϯ ϒϥ΢β #VSQ4VJUF 8FCΞϓϦέʔγϣϯ ɾ௨৴ͷه࿥ ɾϦΫΤετϨεϙϯεͷվม w ੬ऑੑ਍அπʔϧϩʔΧϧϓϩΩγ w
ϩʔΧϧϓϩΩγΛ࢖͏͜ͱͰϦΫΤετͷվมʢ੬ऑੑ਍அʣ ͕༰қʹͳΔ

怴统 #VSQד)551鸐⥋׾鋅״ֲ

)551௨৴ΛݟΑ͏ w #VSQ4VJUFͰ)551௨৴ΛݟͯΈ·͠ΐ͏ w ຊߨٛͰ͸ϒϥ΢β͸'JSFGPYΛલఏʹਐΊ͍͖ͯ·͢ w ࣄલ՝୊ͷ8FCΞϓϦέʔγϣϯΛ୊ࡐͱͯ͠ਐΊ·͢ w IUUQTNJOJDBNQUVUPSJBMIFSPLVBQQDPN

'JSFGPYͷઃఆ ΞυϨεΛ ϙʔτΛʹઃఆ ᶃ ᶄ ᶅ ᶆ ᶇ

#VSQͷઃఆ ᶃ ᶄ ᶅ -JTUFO͢ΔΞυϨεͱϙʔτΛઃఆ #JOEUPQPSU #JOEUPBEESFTT-PPQCBDLPOMZ 1SPYZλϒͷ0QUJPOTλϒͰ֬ೝ 3VOOJOHʹ✅͕ೖ͍ͬͯΔ͔ *OUFSGBDF͕ʹͳ͍ͬͯΔ͔

#VSQͰ௨৴ΛݟΔ w 'JSFGPYͰIUUQTNJOJDBNQUVUPSJBMIFSPLVBQQDPNʹΞΫ ηε 'PSXBSEͰϦΫΤετΛૹ৴ *OUFSDFQUJTPOʹͳ͍ͬͯΔؒ͸ ϦΫΤετ͕Ωϟϓνϟ͞ΕΔ

#VSQͰ௨৴ΛݟΔ w աڈͷ௨৴ϩά͸IJTUSPZλϒʹ͋Δ

怴统腚䓲䚍鏺倖ثُ٦زٔ،ٕ

8FCΞϓϦέʔγϣϯ਍அͬͯʁ w 8FCΞϓϦέʔγϣϯʹରͯ͠߈ܸऀࢹ఺Ͱ੬ऑੑΛݟ͚ͭΔ w ର৅ͷ೺Ѳɺݟੵ΋Γ ˖ خ٦ٕד鏺倖׃אאծخ٦ٕדכ嗚⳿♶〳腉ז鏺倖׾䩛⹛ד ˖ 䕦갟װⱄ植倯岀זוחאְג㜠デ剅⡲䧭 w
ݟΔ߲໨ w IUUQTJFSBFDPKQTFSWJDFXFCBQQMJDBUJPO w ͜͜ʹهࡌ͕ͳ͍ͷ΋֬ೝ͠·͢

੬ऑੑ਍அνϡʔτϦΞϧ w Ϣʔβʔొ࿥ɺϩάΠϯɺϙετͷ౤ߘɺฤूɺ࡟আͳͲΛ΍ͬͯΈΑ͏ w ֤छૢ࡞Λͨ͠ͱ͖ʹ w ͲΜͳϝιουΛ࢖͍ͬͯΔ͔ʁ w ͲΜͳύϥϝʔλΛૹ৴͍ͯ͠Δ͔ʁύϥϝʔλͷҙຯ͸ʁ w
ͲΜͳϨεϙϯε͕ฦ͍ͬͯΔ͔ʁ w ͳͲʹ஫໨͠Α͏ w &Y ϩάΠϯͰ͸1045ϝιουΛ࢖ͬͯɺೝূΛ͍ͯ͠ΔɻϦμΠϨΫτͰϩάΠϯޙ τοϓʹϦμΠϨΫτ͞ΕΔɻ ˖ 兛媮⢪欽׃גְ׷ػأٙ٦سװꅾ銲ז䞔㜠כ剅ֹ鴥תזְ״ֲח孡׾אֽגֻ׌ְׁ

੬ऑੑ਍அνϡʔτϦΞϧ w ݖݶ֎ૢ࡞ w ηογϣϯΛݟ͍ͯͳ͍ͷͰύϥϝʔλΛมߋ͢Δͱɺ೚ҙͷϢʔβʔͰϙετΛ ࡞੒Ͱ͖Δ w 944 w ѱҙ͋Δ+BWB4DSJQUͷ࣮ߦ΍ِ৘ใͷදࣔ
w $43' w ඃ֐ऀͷݖݶͰ֬ఆॲཧ͕࣮ߦ͞ΕΔ w 42-ΠϯδΣΫγϣϯ w 42-จͷෆਖ਼ͳվมʹΑΔ৘ใ࿙͍͑ͳͲ

੬ऑੑ਍அνϡʔτϦΞϧ ˖ 埄ꣲ㢩乼⡲ ˖ إحءّٝ׾鋅גְזְךדػًٓ٦ة׾㢌刿ׅ׷הծ⟣䠐ךِ٦ؠ٦דهأز׾ ⡲䧭דֹ׷ w 944 w ѱҙ͋Δ+BWB4DSJQUͷ࣮ߦ΍ِ৘ใͷදࣔ

ݖݶ֎ૢ࡞ w ϙετ౤ߘը໘ w τοϓʼOFXQPTUʼDSFBUFQPTU w QPTUTʹ1045ϦΫΤετ w ύϥϝʔλʹ஫໨ ౤ߘϑΥʔϜͷ಺༰͕ͦΕͧΕύϥϝʔλʹؚ·Ε͍ͯΔ

ύϥϝʔλͷҙຯΛߟ͑Α͏ ެ։͠ͳ͍ˠ ެ։͢Δˠ νΣοΫϘοΫε͸P⒎ͷͱ͖ૹ৴͞Εͳ͍ͷͰɺPOͷ࣌͸3BJMTʹΑͬͯ৽ͨʹੜ੒͞Εͯૹ৴͞ΕΔ ϢʔβʔJE

γεςϜͷಈ࡞Λਪଌ͢Δ w Ϣʔβʔ͸ࣗ਎ͷϙετΛ౤ߘͰ͖Δ w ϙετͱϢʔβʔ͸ඥ෇͍͍ͯΔ w ϙετ͸ඞͣਓͷϢʔβʔΛ͍࣋ͬͯΔ w Ϣʔβʔ͸ෳ਺ͷϙετΛ͍࣋ͬͯΔ w
ύϥϝʔλVTFS@JEΛૹ৴͍ͯ͠Δ w ΞϓϦέʔγϣϯଆ͸VTFS@JEͰϙετͷϢʔβʔΛઃఆ͍ͯ͠Δʁ

γεςϜͷಈ࡞Λਪଌ͢Δ VTFS@JE͕ͷϢʔβʔͰ࡞੒ post['title']=...&post['user_id']=1 post['title']=...&post['user_id']=2 VTFS@JE͕ͷϢʔβʔͰ࡞੒ ΋͠VTFS@JEΛʹมߋͯ͠ૹ৴͢Δͱʁ

#VSQͰύϥϝʔλΛվม͢Δ w ຊ౰ʹผͷϢʔβʔͰ࡞ΒΕͯ͠·͏ͷ͔֬ೝͯ͠ΈΑ͏ w *OUFSDFQUΛ0Oʹͯ͠ϙετ࡞੒࣌ͷϦΫΤετΛΩϟϓνϟ QPTU<VTFS@JE>ΛQPTU<VTFS@JE>ʹมߋ ᶃ ᶄ ᶅ

ଞϢʔβʔͱͯ͠౤ߘ͕Ͱ͖ͨ ӨڹɿଞͷϢʔβʔͱͯ͠౤ߘ͢Δ͜ͱ͕Մೳ ݪҼɿηογϣϯͰ͸ͳ͘ɺϢʔβʔ͔ΒͷύϥϝʔλΛ ৴༻͍ͯ͠Δɻ

Ͳ͏࣮૷͢Δ΂͖͔ w $PPLJFͳͲͷηογϣϯ৘ใ͔ΒϢʔβʔΛ൑ผ͢Δ $PPLJFTFTTJPO@JEBCDE QPTU<UJUMF>QPTU<VTFS@JE> TFTTJPO@JE͕BCDEͳͷ͸ Ϣʔβʔͩͳ VTFS@JE͕ͷϢʔβʔͰ࡞੒ w ࣗ෼Ͱ࣮૷͠ͳͯ͘΋ϑϨʔϜϫʔΫʹ͸DVSSFOU@VTFSͳͲͷ
ϝιουɺϔϧύʔ͕ଘࡏ͢ΔͷͰͦΕΛ࢖͏

ηογϣϯ*%ͰؾΛ͚ͭΔ͜ͱ w ηογϣϯ*%͸ୈऀ͕༧ଌෆՄೳͳ΋ͷͰ͋Δ͜ͱ w ηογϣϯ*%Λ63-ʹؚΊͳ͍ w IUUQTFYBNQMFDPNNZQBHF KTFTTJPOJEBCDEFGH w 3FGFSFSʹΑͬͯϦϯΫઌͷ63-΁ૹ৴͞ΕΔ
w ϩάΠϯ੒ޭޙʹ͸ηογϣϯ*%Λ৽͘͠ൃߦ͢Δ w 4FTTJPO'JYBUJPO ηογϣϯݻఆԽ߈ܸʣ w )5514௨৴Ͱར༻͢Δ৔߹͸TFDVSFଐੑΛ͚ͭΔ w )551௨৴Ͱૹ৴͠ͳ͍Α͏ʹ͢Δ͜ͱͰ౪ௌʹΑΔෆਖ਼઄औΛ๷͙

੬ऑੑ਍அνϡʔτϦΞϧ w ݖݶ֎ૢ࡞ w ηογϣϯΛݟ͍ͯͳ͍ͷͰύϥϝʔλΛมߋ͢Δͱɺ೚ҙͷϢʔβʔͰϙετΛ ࡞੒Ͱ͖Δ ˖ 944 ˖ 䝤䠐֮׷+BWB4DSJQUך㹋遤װ⩝䞔㜠ך邌爙

944 w ϙετৄࡉը໘ w τοϓʼ4IPX w QPTUT\QPTU@JE^ w Ϣʔβʔͷ౤ߘ͕)5.-ʹ൓ө͞ΕΔ w
λΠτϧɺຊจ

944 w Ϣʔβʔͷೖྗ಺༰͕)5.-ͱͯ͠൓ө͞ΕΔͱ͖ɺ944ʢΫϩ εαΠτεΫϦϓςΟϯάʣͱݺ͹ΕΔ੬ऑੑͷՄೳੑ͕͋Δ w ։ൃऀͷҙਤ͠ͳ͍ܗͰ)5.-΍+BWB4DSJQUΛ஫ೖ͞ΕΔͨΊɺ ѱҙͷ͋Δ+BWB4DSJQU࣮ߦͳͲʹͭͳ͕Δ ߈ܸ༻+BWB4DSJQUΛ࢓ࠐΉ ѱҙ͋ΔεΫϦϓτ ຒΊࠐ·ΕͨϖʔδΛӾཡ͢Δ͜ͱͰ
ඃ֐ऀͷϒϥ΢ζ্Ͱ+BWB4DSJQU͕࣮ߦ

944 TDSJQUBMFSU EPDVNFOUDPPLJF TDSJQUͱ͍͏಺༰Ͱ࡞੒ ͷεΫϦϓτ͕)5.-ͱͯ͠ ղऍ͞Ε࣮ߦ͞ΕΔ

944ͷӨڹ Өڹɿ+BWB4DSJQUדדֹ׷ֿה͑944דדֹ׷ֿה w ηογϣϯ஋Λ౪·Εͯ੒Γ͢·͠ඃ֐ʹ߹͏ w ෆਖ਼ͳ+BWB4DSJQU͕ಈ࡞͠ɺΞϓϦέʔγϣϯͷػೳΛѱ༻͞ΕΔ w ِͷϑΥʔϜΛ࡞Γग़͢ͳͲͯ͠ɺϑΟογϯάʹ߹͏ w ѱ࣭ͳϖʔδ΁ϦμΠϨΫτ
ൃੜՕॴɿ)5.-΍+BWB4DSJQUΛੜ੒͍ͯ͠Δͱ͜Ζ

944ͷݪཧ w )5.-ੜ੒࣌ʹ஫ೖ͞Εͨʮʼʯ΍ʮʻʯΛΤεέʔϓͤͣʹग़ ྗͨͨ͠Ίʹɺ)5.-λάͱͯ͠ѻΘΕΔɻ // $str = <script>alert(1)</script> <p><?php echo
$str; ?></p> <p><script>alert(1)</script></p> // $str = "><script>alert(1)</script> <input id="name" value="<?php echo $str; ?>" /> <input id="name" value=""><script>alert(1)</script> />

944ͷݕࠪํ๏ w BMFSUΛग़͢ "><script>alert(1)</script> '; alert(1); // <img src="x" onerror="alert(1)"
/> w )5.-͕ૠೖՄೳ͔ "><s>XSS</s> "><h1>XSS</s> w %0.#BTFE944 var el = document.getElementById("item") el.innerHTML = foo; // foo = <script>alert(1)</script>

944ͷجຊతͳରࡦ w جຊతͳରࡦͱͯ͠͸ҎԼͷ)5.-ग़ྗ࣌ʹ)5.-ϝλΩϟϥΫλΛΤεέʔϓ͢Δ ˖ ̔MU ˖ ̔HU ˖ ̔BNQ ˖
̔RVPU ˖ ̔ w ࠷ۙͷϑϨʔϜϫʔΫʢςϯϓϨʔτΤϯδϯʣͰ͸ࣗಈͰΤεέʔϓ͞ΕΔ w Τεέʔϓ͠ͳ͍৔߹͸໌ࣔతʹߦ͏ඞཁ͕͋Δʢٯʹ࡞ΓࠐΈʹ͍͘ʣ # Rails(erb) <% raw @post.body %>

944ରࡦ͸େม KBWBTDSJQUBMFSU BISFGKBWBTDSJQUBMFSU IUUQͱIUUQTʹͷΈ ݶఆ͢ΔͳͲͷରࡦ͕ඞཁ w Α͘୊ࡐʹ͋͛ΒΕΔͷ͕63-ग़ྗ
w ͜ͷ͋ͨΓ͸ϑϨʔϜϫʔΫʹΑͬͯରࡦ͞Εͳ͍͜ͱ͕ଟ͍ͷ Ͱɺ։ൃऀ͕ؾΛ͚ͭΔඞཁ͕͋Δɻ

3BJMTͩͱ w ҆௚ʹग़ྗͯ͠͸μϝɻIUUQͱIUUQTͳͲͷΈʹ੍ݶΛ͔͚Δɻ w KBWBTDSJQU΍EBUBͳͲΛڐՄ͠ͳ͍Α͏ʹϗϫΠτϦετͰ੍ݶ // Bad <%= link_to link,
link %> <a href="<%= link %>"><%= link %></a> // Good <%= sanitize link_to link, link %> w Τεέʔϓͷ࣮૷ w IUUQTHJUIVCDPNSBJMTSBJMTCMPCNBTUFSBDUJWFTVQQPSUMJC BDUJWF@TVQQPSUDPSF@FYUTUSJOHPVUQVU@TBGFUZSC w IUUQBQJSVCZPOSBJMTPSHDMBTTFT"DUJPO7JFX)FMQFST4BOJUJ[F)FMQFSIUNM

944ରࡦ͸େม w έʔεόΠέʔεʹͳΓ͕ͪ w ಛఆͷ)5.-λά΍Ϣʔβʔೖྗ$44ΛڐՄ͍ͨ͠ w TWHPOMPBEBMFSU w
QTUZMFYFYQSFTTJPO BMFSU w .BSLEPXO΍ͦͷଞͷϚʔΫΞοϓݴޠΛ)5.-ϨϯμϦϯά͍ͨ͠ w <FYBNQMFDPN> KBWBTDSJQUBMFSU w IUUQTIBDLFSPOFDPNSFQPSUT w ҆શͳ΢ΣϒαΠτͷ࡞ΓํΫϩεαΠτεΫϦϓςΟϯά w IUUQTXXXJQBHPKQpMFTQEGQBHF w %0.ϕʔε944ରࡦνʔτγʔτ w IUUQTKQDFSUDDHJUIVCJP08"41EPDVNFOUT$IFBU4IFFUT%0.CBTFE9441SFWFOUJPOIUNM "><svg/onload=alert(1) <p style="x:expression(alert(1))"> [example.com](javascript:alert(1))

؇࿨తରࡦ w ੬ऑੑ͸ଘࡏ͢Δ͚Ͳɺѱ༻͕೉͍͠Ϩϕϧʹམͱ͠ࠐΉ ˖ $PPLJFךIUUQPOMZ㾩䚍 w +BWB4DSJQU͔Β$PPLJF஋Λ৮Εͳͯ͘͠ɺηογϣϯϋΠδϟοΫ͔ΒकΔ ˖ 99441SPUFDUJPOقحت٦ w
ϒϥ΢βͷ944ݕ஌ɾ๷ࢭػೳ ˖ $41$POUFOU4FDVSJUZ1PMJDZ w 944Λܰݮ͢ΔͨΊʹઃܭ͞Εͨ࢓૊Έ w ࢦఆ͞ΕͨεΫϦϓτҎ֎͸࣮ߦͤ͞ͳ͍

੬ऑੑ਍அνϡʔτϦΞϧ w ݖݶ֎ૢ࡞ w ηογϣϯΛݟ͍ͯͳ͍ͷͰύϥϝʔλΛมߋ͢Δͱɺ೚ҙͷϢʔβʔͰϙετΛ ࡞੒Ͱ͖Δ w 944 w ѱҙ͋Δ+BWB4DSJQUͷ࣮ߦ΍ِ৘ใͷදࣔ
˖ $43' ˖ 鄃㹱罏ך埄ꣲד然㹀Ⳣ椚ָ㹋遤ׁ׸׷ w 42-ΠϯδΣΫγϣϯ w 42-จͷෆਖ਼ͳվมʹΑΔ৘ใ࿙͍͑ͳͲ

$43' w ίϝϯτ౤ߘը໘ w τοϓʼTIPXʼ$SFBUF$PNNFOU w QPTUT\QPTU@JE^ w DPNNFOUTʹ1045ϦΫΤετ w
Ϣʔβʔʹඥ෇͍ͨίϝϯτͷ౤ߘ͕͞ΕΔ

$43' w ඃ֐ऀͷݖݶͰɺҙਤ͠ͳ͍ܗͰॲཧ͕࣮ߦ͞ΕΔ $43'੬ऑੑΛಥ͘᠘αΠτ $43'੬ऑੑ͕͋ΔαΠτ ᶄ1045ϦΫΤετ ηογϣϯ*%෇͖ͰϦΫΤετ ϩάΠϯࡁΈϢʔβʔ ᶃӾཡ
ᶅίϝϯτ͕ॻ͖ࠐ·ΕΔ ɾύεϫʔυมߋ ɾܝࣔ൘΁ͷॻ͖ࠐΈ ɾ঎඼ͷߪೖ 䕦갟

ίϝϯτػೳͷ$43' ίϝϯτ࡞੒63-ʹ1045ϦΫΤετΛૹ৴͢Δ)5.-Λॻ͘ɻ DPNNFOU<DPNNFOU>͸ίϝϯτͷ಺༰ DPNNFOU<QPTU@JE>͸ίϝϯτ͢ΔϙετͷJE ϩάΠϯঢ়ଶͰ࡞੒ͨ͠)5.-Λ։͍ͯ 4VCNJU͢Δͱίϝϯτ͞ΕΔ

ݪҼ w 8FCͷಛੑΛ׆͔ͨ͠੬ऑੑ w GPSNͷૹ৴ઌ͸ͲͷυϝΠϯͰ΋0, w FWJMDPNͷϖʔδ͚ͩͲFYBNQMFDPNʹૹ৴Ͱ͖Δ w ͦͷࡍɺ$PPLJF͸ର৅ͷαΠτʹࣗಈతʹૹ৴͞ΕΔ w
ਖ਼نʢར༻ऀ͕ҙਤͨ͠ʣϦΫΤετͰ͋Δ͜ͱΛ֬ೝ͢Δ w $43'τʔΫϯͷຒΊࠐΈ w 3FGFSFSͷνΣοΫʢ৔߹ʹΑͬͯ͸ૹ৴͞Εͳ͍ͷͰʣ

$43'τʔΫϯ w ରࡦ͕ඞཁͳϖʔδʹୈऀ͕஌Γಘͳ͍τʔΫϯΛຒΊΔ w ϦΫΤετதʹؚ·ΕΔτʔΫϯ͕ਖ਼͍͔͠ΛνΣοΫ͢Δ w ݕࠪ࣌͸ɺϦΫΤετʹτʔΫϯࣗମ෇͚ͳ͍ɺ஋͚ۭͩʹ͢Δͱ͍ͬͨνΣοΫΛ΍Δ

$43'ରࡦ w 3BJMTͳͲͷ࠷ۙͷϑϨʔϜϫʔΫͰ͸σϑΥϧτͰ༗ޮ w ϑΥʔϜ࡞੒࣌ʹࣗಈͰຒΊࠐ·ΕɺνΣοΫͯ͘͠ΕΔ w IUUQTHJUIVCDPNSBJMTSBJMTCMPCNBTUFSBDUJPOQBDL MJCBDUJPO@DPOUSPMMFSNFUBM SFRVFTU@GPSHFSZ@QSPUFDUJPOSC w
IUUQUBLBHJIJSPNJUTVKQEJBSZIUNM

ͱ͸͍͑ɺ࣌͸೥ w ࣌୅͸"KBY 9)3 w 3BJMTͰ+BWB4DSJQU࢖ͬͯ1045͍ͨ͠ΜͰ͕͢ <% form_for @post,
remote: true do |f| %> w NFUBλάͷ$43'τʔΫϯΛ9$43'5PLFOϔομʹηοτ w IUUQTHJUIVCDPNSBJMTKRVFSZSBJMTCMPCNBTUFSWFOEPS BTTFUTKBWBTDSJQUTKRVFSZ@VKTKT- X-CSRF-Token: KvDjn0XOpeK2dXiJ0sKXMzFYmnfQrkoY... w %KBOHPIUUQTEPDTEKBOHPQSPKFDUDPNFOSFGDTSGBKBY

ͱ͸͍͑ɺ࣌୅͸41" w Ͳ͏΍ͬͯ$43'ରࡦ͢Ε͹͍͍Ͱ͔͢ w ಠࣗϔομΛ্͚ͭͨͰɺ015*0/4ʹ൓Ԡ͠ͳ͍ w ࣮ࡍͷॲཧͷલʹ1SFqJHIU͕ඈͿ w +85Ͱೝূͯ͠ϔομͰεςʔτϨεͳঢ়ଶͰ w
MPDBM4UPSBHFʹอଘ͢Δ͜ͱ͕ଟ͍ ͕ɺ౰વIUUQ0OMZͷΑ͏ͳػೳ͸ແ͍ͷ Ͱؾ߹Ͱ944Λ௵͞ͳ͚Ε͹ͳΒͳ͍ w IUUQEIBUFOBOFKQIBTFHBXBZPTVLFQ w 0SJHJO͕ਖ਼͍͠63-Ͱ͋Γɺ9'SPN͕͋Δ͜ͱ w 0SJHJO͕ਖ਼͍͠9)33FRVFTU8JUI͕͋Δ IUUQTXXXPXBTQPSHJOEFYQIQ$SPTT4JUF@3FRVFTU@'PSHFSZ@ $43' @1SFWFOUJPO@$IFBU@4IFFU1SPUFDUJOH@3&45@4FSWJDFT@6TF@PG@$VTUPN@3FRVFTU@)FBEFST

੬ऑੑ਍அνϡʔτϦΞϧ w ݖݶ֎ૢ࡞ w ηογϣϯΛݟ͍ͯͳ͍ͷͰύϥϝʔλΛมߋ͢Δͱɺ೚ҙͷϢʔβʔͰϙετΛ࡞ ੒Ͱ͖Δ w 944 w ѱҙ͋Δ+BWB4DSJQUͷ࣮ߦ΍ِ৘ใͷදࣔ
w $43' w ඃ֐ऀͷݖݶͰ֬ఆॲཧ͕࣮ߦ͞ΕΔ ˖ 42-؎ٝآؙؑءّٝ ˖ 42-俑ך♶姻ז何㢌ח״׷䞔㜠怩ְִזו

42-ΠϯδΣΫγϣϯ w τοϓʼ4FBSDI w QPTUT VUG&$UJUMF\ݕࡧϫʔυ^ w λΠτϧͰݕࡧ w ʮςετʯʮςʯɺʮεʯͳͲͰڍಈΛ֬ೝ
SELECT * FROM post WHERE title LIKE '%#{title}%'

42-ΠϯδΣΫγϣϯ ൃੜՕॴɿ42-ݺͼग़͠Λߦ͏Օॴ Өڹ w ҙਤ͠ͳ͍ܗͰ42-จ͕վม͞ΕΔ w σʔλϕʔε͕ෆਖ਼ʹૢ࡞͞ΕΔ w σʔλϕʔε͔Β৘ใ઄औɺվ᜵ͳͲ w
3%#4ͷػೳΛར༻ͨ͠೚ҙϑΝΠϧͷಡΈॻ͖ɾ࣮ߦ

42-ΠϯδΣΫγϣϯ SELECT * FROM post WHERE title LIKE '%#{title}%' //
#{title} = "title" SELECT * FROM post WHERE title LIKE 'title' // #{title} = "O'Reilly" SELECT * FROM post WHERE title LIKE 'O'Reilly' // #{title} = "title'; DELETE FROM post;-- " SELECT * FROM post WHERE title LIKE 'title'; DELETE FROM post;-- OBNFVTFS03QBTT 4&-&$5 '30.VTFS 8)&3&OBNFVTFS03"/%QBTTXPSE -PHJO4VDDFTT

42-ΠϯδΣΫγϣϯ w ҎԼͷจࣈྻͰݕࡧʢҰߦʣ w VTFSςʔϒϧ͔ΒϢʔβʔͷ৘ใΛ઄औͰ͖Δ title%') UNION SELECT id,email,encrypted_password,NULL,NULL,NULL,NULL FROM
users;--

࣮ࡍͷ਍அ w 42-ΠϯδΣΫγϣϯ͸ͦͷੑ্࣭ɺσʔλϕʔεͷফڈͳͲͷՄೳੑ ͕͋ΔͷͰɺ৻ॏʹߦΘͳ͚Ε͹ͳΒͳ͍ w ؾܰʹ8FCαΠτͰࢼ͞ͳ͍ํ͕͍͍ w 42-ΠϯδΣΫγϣϯ͕͋Δͱ෼͔Ε͹ྑ͍ͷͰɺग़དྷΔݶΓ҆શͳํ ๏ͰݕࠪΛߦ͏ w
5SVF'BMTF w ԋࢉɺจࣈྻ࿈݁ w TMFFQͳͲൺֱత҆શͳؔ਺

ʢͰ͖Δ͚ͩʣ҆શͳݕࠪ w ʮ"/% ʯͰݕࡧ w ʮ"/% ʯͰݕࡧ SELECT * FROM
posts WHERE (title = 'hoge' AND 1=1)-- SELECT * FROM posts WHERE (title = 'hoge' AND 1=2)-- ͸5SVFͳͷͰ ಉ͡ݕࡧ݁Ռ͕ฦΔ ͸'BMTFͳͷͰ ࣜશମ͕'BMTFͱͳΓ Կ΋ฦΒͳ͍

w จࣈྻ࿈݁ w IUUQTFYBNQMFDPN TFBSDIUFccTU w ʮUFTUʯͱʮUF]]TUʯͰಉ͡Ϩεϙϯε͕ฦΔ͜ͱΛ͔֬ΊΔ SELECT * FROM
posts WHERE (title = 'te' || 'st') w ΤϥʔͰ֬ೝ͢Δ w IUUQTFYBNQMFDPN TFBSDIˠΤϥʔ w IUUQTFYBNQMFDPN TFBSDIˠ0, SELECT * FROM posts WHERE (title = ''') # Syntax Error SELECT * FROM posts WHERE (title = '''') ʢͰ͖Δ͚ͩʣ҆શͳݕࠪ

SELECT * FROM posts WHERE (id = 2+1) w ਺஋
w IUUQTFYBNQMFDPNQPTU w ʮ ʯʮʯͱ͢Δ͜ͱͰಉ͡Ϩεϙϯε͕ฦΔ͜ͱΛ͔֬ΊΔ w TMFFQ w IUUQTFYNBQMFDPN TFBSDIUFTU w UFTU"/% 4&-&$5 '30. 4&-&$5 4-&&1 B w ϦΫΤετΛૹ৴ͯ͠໿ඵޙʹϨεϙϯε͕ฦΔ͜ͱΛ͔֬ΊΔ SELECT * FROM posts WHERE (title = 'test' AND (SELECT * FROM (SELECT (SLEEP(10)))a))-- ʢͰ͖Δ͚ͩʣ҆શͳݕࠪ

ରࡦ w 42-จͷ૊Έཱͯ͸੩తϓϨʔεϗϧμͰ࣮૷͢Δ w ʮʁʯʹՄมͷύϥϝʔλʢม਺ͳͲʣ͕ຒΊࠐ·ΕΔ w %#Ͱ42-จͷίϯύΠϧ͕ߦΘΕɺ஋͕όΠϯυ͞ΕΔ SELECT * FROM
posts WHERE (title = ?) w 03.ͷػೳΛద੾ʹ࢖͍ɺจࣈྻ݁߹ͳͲ͠ͳ͍ͷ͕మଇ w 3BJMTͳͲͷϑϨʔϜϫʔΫ ͱ͍͏ΑΓ03.ʣ͕ϝιουΛఏڙ͍ͯ͠Δ w ࣗ෼Ͱ42-Λจࣈྻ࿈݁͢Δඞཁ͸ͳ͍ w ٯʹෳࡶͳΫΤϦͰ΋ͳ͍ͷʹจࣈྻ࿈݁͢Δͱ͖͸͓͔͍͠ͱࢥͬͨํ͕͍͍ Post.where(title: title) # SELECT * FROM posts WHERE (title = 'title');

3BJMTͰͷϓϨʔεϗϧμ # Good Post.where("title = ?", title) w จࣈྻ݁߹ʢల։ʣͳͲͰΫΤϦΛ૊Έཱͯͯ͸ͳΒͳ͍ #
Bad Post.where("title = '#{title}'") Post.find_by_sql("SELECT * FROM posts WHERE title = '#{title}'") w "DUJWF3FDPSEͰ΋Ҿ਺ΛαχλΠζ͠ͳ͍ϝιου͕͋ΔͷͰɺ ஫ҙͯ͠42-Λॻ͘ w IUUQTSBJMTTRMJPSH

ͦͷଞͷ੬ऑੑ w ڧ੍ϒϥ΢ζ w ௚઀63-ʹΞΫηε͢Δ͜ͱͰඇެ։ϙετΛݟΕΔ w JEʹΑΔ࿈൪ QPTUTͷΑ͏ͳ ͳͷͰɺਪଌ͕༰қ w
ྫ͑͹ɺ೚ҙͷϑΝΠϧڞ༗Λߦ͏৔߹ͳͲ͸ʮڞ༗ͨ͠Ϣʔβʔ͔֬ೝ͢Δʯʮे ෼ʹෳࡶͰ௕͍JEʢQPTUT,X%XC#QHO"K"-"%ͷΑ͏ͳ Λൃߦ͢ΔʯͳͲ͢Δ w ੬ऑੑͱ͍͏ΑΓվળͨ͠ํ͕ྑ͍఺ w $PPLJFʹ)UUQ0OMZଐੑ TFDVSFଐੑ͕෇༩͞Ε͍ͯͳ͍ w )551ͰͷϩάΠϯ͕Մೳ w ΞΧ΢ϯτϩοΫͳ͠ w ੬ऑͳύεϫʔυʢQBTTXPSE΍ʣ͕࢖༻Մೳ

ͦͷଞͷΑ͘ݟΔ੬ऑੑ

ΦʔϓϯϦμΠϨΫτ w ࢦఆ͞Εͨϖʔδ΁ϦμΠϨΫτ͢Δࡍʹɺ߈ܸऀ͕ࢦఆͨ͠೚ҙͷ63-΁ϦμΠ ϨΫτ ˖ IUUQTFYNBQMFDPNMPHJO SFEJSFDUIUUQFWJMDPN w ͦͷυϝΠϯΛ৴པͯ͠ΞΫηεͨ͠ʹ΋ؔΘΒͣɺѱҙ͋ΔαΠτʹϦμΠϨ Ϋτ͞ΕΔͷͰ৴པΛଛͳ͏
w ϦμΠϨΫτઌʹِͷϑΥʔϜΛදࣔͤ͞ΔͳͲͯ͠ϑΟογϯά w ϦμΠϨΫτઌΛϢʔβʔͷೖྗ͔ΒߦΘͳ͍ɻϗϫΠτϦετԽ͢Δɻ w IUUQTXXXPXBTQPSHJOEFYQIQ 6OWBMJEBUFE@3FEJSFDUT@BOE@'PSXBSET@$IFBU@4IFFU w IUUQHJIZPKQEFWTFSJBMKBWBTDSJQUTFDVSJUZ

ύεϫʔυ࿙Ӯରࡦ ˖ ػأٙ٦سכ窫㼎ח䎂俑ד⥂㶷׃זְ农〾⻉׮تً ˖ إز عحءُ أزٖحثؚٝ w ύεϫʔυϦϚΠϯμͰ͸ͳ͘ɺύεϫʔυϦηοτͰ w
0"VUIͳͲͰࣗલͰύεϫʔυΛ࣋ͨͳ͍ํ਑΋ w ࠷ۙͷϑϨʔϜϫʔΫͰ͸҆શੑͷߴ͍ΞϧΰϦζϜ͕࠾༻͞Ε͍ͯΔ w 3BJMTˠCDSZQU IBT@TFDVSF@QBTTXPSEΛϞσϧʹ௥Ճ͢Δ͚ͩ w %KBOHPˠ1#,%' w IUUQXXXBUNBSLJUDPKQBJUBSUJDMFTOFXT@IUNM w IUUQTXXXPXBTQPSHJOEFYQIQ1BTTXPSE@4UPSBHF@$IFBU@4IFFU

.BTT"TTJHONFOU w 3BJMTͰऔΓ্͛ΒΕΔ͜ͱ͕ଟ͍͕ɺͲͷϑϨʔϜϫʔΫͰ΋ى͜Δ w 3BJMTͰ͸4USPOH1BSBNFUFSͰݕূΛߦ͏ w )551ϦΫΤετͷ஋Λݕࠪͯ͠ϩδοΫ΁౉͢ # Controller class
Users < ApplicationController def create # params[:user] = {:name => mrtc0, :passwrod => pass} @user = User.create params[:user] end end # HTTP Request Body user[name]=mrtc0&user[password]=pass&user[is_admin]=true

ϑΝΠϧΞοϓϩʔυ w %P4ରࡦ w ڊେͳϑΝΠϧͷૹ৴Λ๷͙ͨΊʹϑΝΠϧαΠζͷ্ݶΛઃఆ͢Δ͜ͱ w ΋͘͠͸ඇಉظͰ࣮ߦΛߦ͏ w ϑΝΠϧͷछྨͷ੍ݶ w
֦ுࢠͰ͸ͳ͘ɺ.*.&5ZQFɺϚδοΫφϯόʔͳͲͰϑΝΠϧͷछྨΛ൑ผ͢Δ w ֦ுࢠΛِ૷͠ѱҙ͋Δ3VCZ΍1)1εΫϦϓτΛΞοϓϩʔυ͞Εͳ͍Α͏ʹ w อଘ͢Δࡍ͸ϑΝΠϧ໊ʹϥϯμϜͳ஋Λ w Ͱ͖ͳ͍৔߹͸ڐՄՄೳͳจࣈྻΛϗϫΠτϦετԽ w QBTTXEͳͲΛࢦఆ͞ΕɺσΟϨΫτϦτϥόʔαϧ͞Εͳ͍Α͏ʹ

ϑΝΠϧΞοϓϩʔυ w ѹॖϑΝΠϧΛΞοϓϩʔυ͠ల։͢Δࡍ͸ɺల։લʹϑΝΠϧͷछྨ΍ల։࣌ ͷαΠζΛ֬ೝ͢Δ w γϯϘϦοΫϦϯΫΛ࢖ͬͨ߈ܸ΍[JQCPNCͳͲΛ๷͙ w IUUQTIBDLFSPOFDPNSFQPSUT w ΞΫηε੍ݶɺݖݶΛద੾ʹઃఆ͢Δ
w Ӿཡݖݶͷͳ͍Ϣʔβʔ͕Ӿཡɺμ΢ϯϩʔυͰ͖ͳ͍Α͏ʹ w อଘઌ͸4ͳͲͷΫϥ΢υετϨʔδαʔϏε΁Ξοϓϩʔυ͢Δ͜ͱΛݕ౼͢ Δ w อݥతରࡦ͕ͩɺΞϓϦέʔγϣϯͱ੾Γ཭͢͜ͱͰηΩϡϦςΟ໰୊Λ؇࿨

FWBM w จࣈྻΛίʔυͱͯ͠ධՁ͢Δؔ਺ w FWBM BMFSU w
೚ҙͷίʔυ࣮ߦ͕ՄೳͳͷͰɺҾ਺ʹ֎෦͔ΒͷೖྗΛ༩͑ ͳ͍ͳͲͷରࡦΛߦ͏͜ͱ w FWBMͱ͍͏໊લͰͳͯ͘΋ಉ౳ͷػೳΛ࣋ͭؔ਺͕ଘࡏ͢ΔͷͰ ஫ҙ eval('alert(1)')

ηΩϡϦςΟؔ܎ͷ)551ϔομ w ৭ʑ͋Δ͕ɺͱΓ͚͓͚͋͑ͣͭͯͱ͍͏ϔομ w 99441SPUFDUJPONPEFCMPDL w 944'JMUFS"VEJUPSΛ༗ޮ w 9$POUFOU5ZQF0QUJPOTOPTOJ⒎ w
*&͸$POUFOU5ZQFΛແࢹ͢Δ͜ͱ͕͋ΔͷͰ w 9'SBNF0QUJPOT4".&03*(*/ w ΫϦοΫδϟοΩϯά๷ࢭ w ౰વΞϓϦέʔγϣϯʹΑͬͯઃఆ͢Δ஋͸มΘΔͷͰɺద੾ʹઃఆ͢Δ͜ͱ

-FUT੬ऑੑ਍அ w ౡ͝ͱʹνʔϜʹͳͬͯ਍அΛ͍ͯͩ͘͠͞ w ࠷ޙʹ֤νʔϜʹݟ͚ͭͨ੬ऑੑʹ͍ͭͯൃදͯ͠΋Β͍·͢ w Ͳͷը໘ 63- Ͱ w
Ͳ͏͍ͬͨૢ࡞Λͨ͠Β w Ͳ͏͍ͬͨ੬ऑੑ͕ݟ͔͔ͭͬͨ w ͜ͷΞϓϦέʔγϣϯ಺ͰͲͷΑ͏ͳӨڹ͕͋Δ͔ʢͰ͖Ε͹ରࡦʹ͍ͭͯ΋ʣ w ൃදޙ$ZCP[V-JWFʹ֤νʔϜ͕ݟ͚ͭͨ੬ऑੑͷ؆қใࠂॻΛΞοϓ͍ͯͩ͘͠͞ɻ w ݟ͚ͭͨΒҰਓ͕ใࠂॻ࡞੒ʹճΔͳͲɺޮ཰తͳ਍அΛ͢Δ͜ͱΛΦεεϝ͠· ͢ɻ

஫ҙɾېࢭࣄ߲ w ஫ҙࣄ߲ w ొ࿥͢Δύεϫʔυ͸ීஈ࢖͍ͬͯͳ͍΋ͷʹ͍ͯͩ͘͠͞ w ېࢭࣄ߲ w ଞਓ΁ͷ߈ܸɺεΩϟϯͳͲෛՙΛ͔͚Δ߈ܸɺσʔλϕʔε ࡟আͳͲͷةݥͳ߈ܸ
w ωοτϫʔΫ਍அͰ͸ͳ͍ͷͰ/NBQͳͲ΋ېࢭ

੬ऑੑใࠂλΠϜ w νʔϜͰ୅දऀਓ͕ݟ͚ͭͨ੬ऑੑʹ͍ͭͯͭൃද w Ͳͷը໘ 63- Ͱ w Ͳ͏͍ͬͨૢ࡞Λͨ͠Β w
Ͳ͏͍ͬͨ੬ऑੑ͕ݟ͔͔ͭͬͨ w ͜ͷΞϓϦέʔγϣϯ಺ͰͲͷΑ͏ͳӨڹ͕͋Δ͔ʢͰ͖Ε ͹ରࡦʹ͍ͭͯ΋ʣ w ൃදޙʹ؆қใࠂॻΛ$ZCP[V-JWFʹڞ༗͍ͯͩ͘͠͞

·ͱΊ w 8FCΞϓϦέʔγϣϯ਍அͷίπ w 8FC͸ΤεύʔɻΞϓϦέʔγϣϯͷؾ࣋ͪʹͳΔ w ࢓༷Λ͍ͪૣ͘௫Ή w ڍಈΛཧղ͢Δ w
ͲͷΑ͏ͳॲཧ͕ߦΘΕ͍ͯΔͷ͔ w ΞϓϦέʔγϣϯͷཪଆΛ૝૾͢Δྗ͕ඞཁ

·ͱΊ w ։ൃऀ΋ηΩϡϦςΟΛֶ͹ͳ͚Ε͹ͳΒͳ͍ w Ͳ͏͍͏࣮૷ͰͲ͏͍͏੬ऑੑ͕࡞Γࠐ·ΕΔ͔Λ஌Βͳ͚Ε ͹ͳΒͳ͍ w ։ൃʹۜͷ஄ؙ͸ͳ͍ w ϑϨʔϜϫʔΫͰશͯͷ੬ऑੑΛղܾͯ͘͠Εͳ͍
w ։ൃޙʹ਍அͰ͸ͳ͘ɺ։ൃαΠΫϧʹݕࠪΛೖΕΔ

஫ҙࣄ߲ʢ࠶ܝʣ ˖ 盖鱥㢩ך،فٔ؛٦ءّٝח㼎׃ג窫㼎余䷼׃זְ w #VH#PVOUZ੍౓ w IBDLFSPOFɿIUUQTXXXIBDLFSPOFDPN w $ZCP[V੬ऑੑใ঑੍ۚ౓ w
*1"ʹใࠂ͠Α͏ w IUUQTXXXJQBHPKQTFDVSJUZWVMOSFQPSU w ࠷௿Ͱ΋ࠓճॻ͍ͨ؆қใࠂॻϨϕϧͷ಺༰Ͱಧ͚ग़͠Α͏

਍அ͢Δͱ͖͸ w ͨͱ͑ࣗ෼ͷΞϓϦέʔγϣϯͰ͋ͬͯ΋ɺΫϥ΢υαʔϏεΛ ར༻͢Δࡍ͸ਃ੥͕ඞཁͳ৔߹͕͋Δ w ಛʹ"84 w IUUQUJHFST[LIBUFOBCMPHDPNFOUSZ

ࢀߟ w ମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯͷ࡞Γํ w IUUQTXXXBNB[PODPKQEQ w ΊΜͲ͏͍͘͞8FCηΩϡϦςΟ w IUUQTXXXBNB[PODPKQEQ w
҆શͳ΢ΣϒαΠτͷ࡞Γํ w IUUQTXXXJQBHPKQTFDVSJUZWVMOXFCTFDVSJUZIUNM w 3BJMT42-*OKFDUJPO w IUUQTSBJMTTRMJPSH w 08"41501 w IUUQTXXXPXBTQPSHJOEFYQIQ5PQ@@5PQ@

セキュリティ・ミニキャンプ in 中国2017（広島）Webアプリケーション脆弱性診断入門

セキュリティ・ミニキャンプ in 中国2017（広島）Webアプリケーション脆弱性診断入門

More Decks by mrtc0

Other Decks in Programming

Featured

Transcript