CodeBlue2014 -JP- libinjection-from sqli to xss

Transcript

1. libinjection SQLi͔ΒXSS·Ͱ Nick Galbreath @ngalbreath! Signal Sciences Corp! [email protected] Code

   Blue ∙ ౦ژ ∙ 2014-02-18 ϦϒΠϯδΣΫγϣϯ

2. This is also in English! ೔ຊޠ͸ͪ͜Βˣ https://speakerdeck.com/ngalbreath/
 codeblue2014-en-libinjection-from-sqli-to-xss https://speakerdeck.com/ngalbreath/
 codeblue2014-jp-libinjection-from-sqli-to-xss

3. χοΫɾΨϧϒϨε
 Nick Galbreath
 @ngalbreath • ϑΝ΢ϯμʔ/CTO of Signal Sciences Corp

   • લ৬: IponWeb (Ϟείϫ, ౦ژ) • ͦͷલ: Etsy.com (χϡʔϤʔΫࢢ)

4. ʮlibinjectionʯͱ͸ʁ • SQLi߈ܸΛݕग़͢ΔͨΊͷখ͞ͳϥΠϒϥϦʔ • Cݴޠ • PythonɺluaɺphpͷAPI • Black Hat

   USA 2012Ͱॳొ৔ • ΦʔϓϯιʔεͱBSDϥΠηϯε • https://github.com/client9/libinjection

5. ͳΜͰlibinjectionͳͷ? • طଘͷݕग़ͷ΄ͱΜͲ͕ਖ਼نදݱͰߦΘΕΔ • Ϣχοτςετ͕ͳ͍ • ύϑΥʔϚϯεʢ଎౓ʣςετ͕ͳ͍ • ιʔείʔυͷΧόʔྖҬςετ͕ͳ͍ •

   ਖ਼֬ੑͷςετ͕ͳ͍ • ޡݕग़ͷςετ͕ͳ͍

6. libinjection SQLiͷݱࡏ • Version 3.9.1 • 8000 SQLi ಛ௃ •

   400+ Ϣχοτςετ • 85,000+ SQLi αϯϓϧ

7. ݱࡏͷ࢖ΘΕํ • mod_security WAF http://www.modsecurity.org/ • ironbee WAF https://www.ironbee.com/ •

   glastopf honeypot http://glastopf.org/ • ϓϥΠϕʔτͳWAFs • ͞·͟·ͳاۀ಺Ͱ • αʔυύʔςΟͷJava࣮૷
 https://github.com/Kanatoko/libinjection-Java • αʔυύʔςΟͷ.NET࣮૷
 https://github.com/kochetkov/ Libinjection.NetLibinjection.Net

8. XSS

9. SQLiͱͷྨࣅੑ • ඪ४తͳϥΠϒϥϦʔ͕ͳ͍ • ͋Δͱͯ͠΋ݶΒΕͨςετ͔͠ଘࡏ͠ͳ͍ • ਖ਼نදݱʹج͍ͮͨݕग़ • ΋ͬͱྑ͘Ͱ͖ͳ͍͔ʁ

10. 2छྨͷXSS • HTML ΠϯδΣΫγϣϯ߈ܸ • Javascript ΠϯδΣΫγϣϯ߈ܸ

11. XSS Javascript 
 ΠϯδΣΫγϣϯ • DOMελΠϧͷ߈ܸ • طଘͷjavascriptίʔυ΁ͷ߈ܸ • ຊ౰ͷݕग़͸ΫϥΠΞϯτͰ͔͠Ͱ͖ͳ͍

    • ͔ͳΓͷ೉୊

12. HTML ΠϯδΣΫγϣϯ • HTML ΠϯδΣΫγϣϯͱ͸ɺHTMLͷτʔΫϯԽ ΞϧΰϦζϜʹର͢Δ߈ܸ 
 (text “<b>foo</b>” to

    tags <b>, foo, </b>) • HTMLͷίϯςΩετΛjavascriptʹมߋ͠ɺ৽͍͠ javascriptΛ௥Ճ͢Δ͜ͱ͕໨త • ͜ΕΒͷ߈ܸ͸ݕग़Ͱ͖Δ΂͖

13. HTML ΠϯδΣΫγϣϯ
 αϯϓϧ <b>XSS</b> (HTML) <foo XSS> (tag attribute name)

    <foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)

14. HTML τʔΫϯԽ΢Σϒϒϥ΢β • ͜Ε·Ͱɺ͢΂ͯͷϒϥ΢βʔ͸HTMLΛҟͳΔํ๏Ͱ τʔΫϯԽ͍ͯͨ͠ • յΕͨHTMLλάɺ૝ఆ֎ͷจࣈ΍ΤϯίʔυΛ࢖ͬͨ ͋ΒΏΔ߈ܸ͕ൃੜͯ͠͠·͍ͬͯͨ • ݱࡏͰ͸ɺ΄΅͢΂ͯͷϒϥ΢βʔ͕HTML5Ͱنఆ͞

    ΕͨΞϧΰϦζϜΛ࢖༻͍ͯ͠Δ • HTML5ͷΞϧΰϦζϜ͸ͱͯ΋ਖ਼֬

15. ͢΂ͯͷεςοϓ http://www.w3.org/html/wg/drafts/html/CR/syntax.html#tokenization

16. εςοϓ͕͔ͳΓ໌֬

17. σεΫτοϓϒϥ΢βͷ60ˋҎ্͸ɺ HTML5Ͱ͋Δ http://tnw.co/1cqFueo IE 9 9% IE 10 11% IE

    11 10% Firefox 14% Chrome 13% Safari 5% ------------ HTML5 62%

18. ϞόΠϧϒϥ΢βͷ90ˋ͕
 HTML5Ͱ͋Δ http://bit.ly/JQSZxb

19. ࢒Γ͕ɺIE6ɺIE7ɺIE8 • IE6 ͕ফ͑Δͷ͸࣌ؒͷ໰୊ • IE7 ͷࢢ৔γΣΞ͸ͨͬͨ2% • IE8 ͷࢢ৔γΣΞ͸20%

    • ΄ͱΜͲ͕Windows XP • ͜ΕΒͷࢢ৔γΣΞ͕͜ΕҎ্૿͑Δ͜ͱ͸ͳ͍

20. libinjection XSS

21. HTML̑΢Σϒϒϥ΢β ʹ͓͚ΔHTML ΠϯδΣΫ γϣϯ߈ܸ • No: XML / XSLT ΠϯδΣΫγϣϯ

    • No: IE6ɺIE7ɺOpera • FFɺChromeͷݹ͍όʔδϣϯ • No: DOMελΠϧͷ߈ܸ

22. libinjection HTML5 • ׬શͳHTML5τʔΫϯԽ • πϦʔ΍DOMΛߏங͠ͳ͍ • ͍͔ͳΔσʔλ΋ίϐʔ͠ͳ͍

23. τʔΫϯԽͷαϯϓϧ TAG_NAME_OPEN img ATTR_NAME src ATTR_VALUE junk ATTR_NAME onerror ATTR_VALUE

    alert(1); TAG_NAME_CLOSE > <img src=“junk” onerror=alert(1);>

24. ҟͳΔHTMLίϯςΩετͰ νΣοΫ ֤Πϯϓοτ͸ɺ6ͭͷҟͳΔHTMLίϯςΩετͰνΣοΫ͞Ε Δɻ <b>XSS</b> (raw HTML) <foo XSS> (tag

    attribute name) <foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)

25. ໰୊ͷ͋ΔτʔΫϯΛআ֎ • ໰୊ͷ͋ΔλάɺΞτϦϏϡʔτɺόϦϡʔ͕আ֎͞ ΕΔɻ • λάɿ<script>ɺXML·ͨ͸SVGʹؔ࿈͢Δ͢΂ͯ • ΞτϦϏϡʔτͷ໊લ: on*ͳͲ •

    ΞτϦϏϡʔτͷόϦϡʔɿjavascriptͷURL • ͳͲͳͲ

26. τϨʔχϯάσʔλ

27. XSS Cheat Sheets • ΄ͱΜͲ͕࣌ޮ(Firefox 3! ) • ݹ͍߈ܸ͕আڈ͞ΕΔ

28. HTML5SEC.org • ૉ੖Β͍͠৘ใࢿݯ • Ұ෦ݹ͍߈ܸͳͲ࠷৽Ͱ͸ͳ͍΋ͷ΋

29. @soaj1664ashar • ৽͍͠߈ܸΛఆظతʹ։ൃͯ͠Δ • XSS͕޷͖ͳΒɺ൴ΛϑΥϩʔ͠Α͏ • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA •

    http://bit.ly/1iXODkW

30. ߈ܸ /εΩϟφʔ • XSSεΩϟφʔͷΞ΢τϓοτΛ׆༻ • Shazzer fuzzͷσʔλϕʔε
 http://shazzer.co.uk/
 (ModSecurityνʔϜͷ͓͔͛)

31. ݱࡏͷঢ়گ

32. طʹ׆༻Ͱ͖·͢ • github
 https://github.com/client9/libinjection • ΢ΣϒαΠτ
 https://libinjection.client9.com/ • ·ͩΞϧϑΝஈ֊

33. $ make test-xss ./reader -t -i -x -m 10 ../data/xss*

    ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'> ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'> ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'> ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `> ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!> ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit> ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)> ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script> ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ! XSS : 1628 SAFE : 11 TOTAL : 1639 ! Threshold is 10, got 11, failing. 1639݅ͷ૯αϯϓϧ਺ 1628͕݅ਖ਼͍͠XSSݕग़਺ 11݅ͷݕग़࿙Ε

34. IEɿҾ༻ූʹؔ͢Δ໰୊ • IE 8͸ɺӳޠͰ͍͏ͱ͜Ζͷ‘unbalanced quotes’ ʢҾ༻ූ͕ਖ਼͘͠ด͍ͯ͡ͳ͍ͳͲʣʹର͢Δಈ࡞ ͕͓͔͍͠ • ͜ͷ໰୊ʹؔͯ͠͸ݱࡏରԠ͕ਐߦத <img

    src="x` `<script>alert(1)</script>"` `>

35. ύϑΥʔϚϯε  ݅Ҏ্Λ
    ඵͰνΣοΫ

36. 2014-02-18ͷTO DO • ·ͩΞϧϑΝஈ֊ — ݱ࣌఺Ͱ͸ૉ੖Β͍͠ϛε͕Ӆ͞Ε͍ͯΔ Մೳੑ͸͋Δ • ݕग़࿙Εʹؔ͢ΔQA͸ະ׬੒ •

    Ұ෦ͷIEΠϯδΣΫγϣϯʹ͸ະରԠ • ࣮ݧͷͨΊͷςετϕου͕ͳ͍ʢࠓिޙ൒ʹͰ΋ʣ • QAͷॆ࣮ɺίʔυͷΧόϨοδͷڧԽ͕ඞཁ • εΫϦϓτݴޠͷରԠ͸·ͩʢ͍ۙ͏ͪʣ

37. [email protected] ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ