Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
脆弱性発見者が注目する近年のWeb技術
Search
MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k
脆弱性発見者が注目する近年のWeb技術
RECRUIT Technologies NIGHT vol.3の発表資料です。
MUNEAKI NISHIMURA
February 03, 2017
Tweet
Share
More Decks by MUNEAKI NISHIMURA
See All by MUNEAKI NISHIMURA
脆弱星に導かれて
nishimunea
3
2.6k
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
2.8k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.9k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.7k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
810
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.8k
SWIFT Code for Mozilla Bank
nishimunea
1
960
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
5.5k
Other Decks in Technology
See All in Technology
【初心者向け】ローカルLLMの色々な動かし方まとめ
aratako
2
1.5k
衝突して強くなる! BLUE GIANTと アジャイルチームの共通点とは ― いきいきと活気に満ちたグルーヴあるチームを作るコツ ― / BLUE GIANT and Agile Teams
naitosatoshi
0
290
トヨタ生産方式(TPS)入門
recruitengineers
PRO
6
1.4k
mruby(PicoRuby)で ファミコン音楽を奏でる
kishima
2
490
Vault meets Kubernetes
mochizuki875
0
150
なぜSaaSがMCPサーバーをサービス提供するのか?
sansantech
PRO
4
890
シークレット管理だけじゃない!HashiCorp Vault でデータ暗号化をしよう / Beyond Secret Management! Let's Encrypt Data with HashiCorp Vault
nnstt1
2
130
Oracle Cloud Infrastructure:2025年8月度サービス・アップデート
oracle4engineer
PRO
0
170
ヒューリスティック評価を用いたゲームQA実践事例
gree_tech
PRO
0
420
おやつは300円まで!の最適化を模索してみた
techtekt
PRO
0
250
AWS環境のリソース調査を Claude Code で効率化 / aws investigate with cc devio2025
masahirokawahara
2
1k
個人CLAUDE.md紹介と設定から学んだこと/introduce-my-claude-md
shibayu36
0
160
Featured
See All Featured
Gamification - CAS2011
davidbonilla
81
5.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
570
Fireside Chat
paigeccino
39
3.6k
Building Adaptive Systems
keathley
43
2.7k
Making Projects Easy
brettharned
117
6.4k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
11
1.1k
Producing Creativity
orderedlist
PRO
347
40k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
[RailsConf 2023] Rails as a piece of cake
palkan
56
5.8k
Agile that works and the tools we love
rasmusluckow
330
21k
Transcript
੬ऑੑൃݟऀ͕͢Δۙͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ݄
ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃܞଳిϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦ݄ͯΑΓݱ৬ɻϦΫϧʔτͷ*%ཧج ൫ͷηΩϡϦςΟอकϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯϒϥβͷ੬ऑੑΛ୳͢͜ ͱɻʹใࠂͨ͠੬ऑੑ݅Λ͑Δɻஶॻʹ
ϒϥβϋοΫʢ༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ
੬ऑੑΛൃݟ͢ΔਓͷࢹͰ ͍ͯ͠Δ8FCٕज़Λհ͠·͢
Server Push
• ʹΓٞͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ4FSWFS4FOU&WFOUT8FC4PDLFU • *&5'Ͱ)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹɺϒϥβͰ1VTI௨Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ1VTI"1*ͷ༷ࡦఆ͕ߦͳΘΕ͍ͯΔ
• ͦΜͳதɺݸਓతʹ͍ͯ͠Δͷʜ 4FSWFS1VTI
multipart / x-mixed-replace
http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html
• ɺ/FUTDBQFʹࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ৴खஈͱͯ͠༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻ • ݱࡏͰɺ'JSFGPY͘Β͍͔͠·ͱʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜ͰΘΕ͍ͯΔͷ͔
NVMUJQBSUYNJYFESFQMBDF
#VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea
3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY
Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδͷσʔλ ϖʔδͷσʔλ
Կނ͍ͯ͠Δ͔ͱ͍͏ͱ
ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
·ͩͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮͕ෆશͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕Δ͜ͱͷํ͕େͩͱஅ͠ɺ .P[JMMBະमਖ਼ͷ੬ऑੑใΛ։ࣔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a
href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ
৽͍͠ϔομ͕ొ͢Δͨͼָ͠ΊΔ
HTTP/2
• ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱհͨ͠ +YDL͞Μͱͷग़ձ͍ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/
ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠
• )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Εɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -
ಉ͡ϦιʔεΛఏڙ͢Δସαʔόͷ༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯཧͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";
flickr.com ෳυϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection
flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ
flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)
Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘ ࣮࣭తͳڴҖ͋·Γͳ͍ͷͰʁ
ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱݶΒͳ͍ • ྫ͑ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏
͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ
)551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:
h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate
"MU4WDͷਖ਼͍࣮͜͠͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ
࣮ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ͚Δ͜ͱ͕Ͱ͖Δ
͜ͷ࣮ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight
(OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ
https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲڻ͍͍ͯΔɻ͜Ε"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ
ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙग़͖ͯͦ͏
FlyWeb
https://flyweb.github.io/#showcase
• .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰࡌ - BCPVUDPOGJH
Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC
• ෳͷεϚϗΛଓ͠ɺϒϥβ্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4
'MZ8FCͷΈ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞͷ͕ͦͷαʔόʹΞΫηε
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢
αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ
ϩʔΧϧΤϦΞʹ͋Δผͷ͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ
#POKPVSରԠΦϑΟεϓϦϯλͷཧը໘։͚Δ • 'JSFGPYͷ'MZ8FCΟϯυ@IUUQUDQʹରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢ΔػثʹΞΫηεͰ͖Δ
'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ཧը໘ʹͳΓ͢·͢ ཧը໘ʹΞΫηεͨ͠ʹ ϚϧΣΞ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ
navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var
h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠ʹ TFUVQCBU Λ
͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ
(PPHMF༁ܦ༝Ͱ։͚ͦΕͬΆ͍υϝΠϯʹ
ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ
None
͜ͷ··ͷ༷ͩͱຊʹѱ༻͞Εͦ͏
• 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ͍ͯ͠Δ8FCٕज़Λͭհ͠·ͨ͠