Upgrade to Pro — share decks privately, control downloads, hide ads and more …

脆弱性発見者が注目する近年のWeb技術

9b5fecf0cfbd6572bd753a795b7e4b07?s=47 MUNEAKI NISHIMURA
February 03, 2017
Technology
29
12k

 脆弱性発見者が注目する近年のWeb技術

RECRUIT Technologies NIGHT vol.3の発表資料です。

9b5fecf0cfbd6572bd753a795b7e4b07?s=128

MUNEAKI NISHIMURA

February 03, 2017
Tweet

More Decks by MUNEAKI NISHIMURA

See All by MUNEAKI NISHIMURA
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
26
8.7k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
15
2.5k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
640
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
2
6.7k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
740
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
6
4.2k

Other Decks in Technology

See All in Technology
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
530
F89f6a80305746253d4bedb128b2f445?s=48 mats16
0
370
98f8e6125c052c4ac3fcc94f97919371?s=48 evilsmile
0
300
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
170
164fd510e92a1912155b869b2c333c1e?s=48 tutuz
5
3.1k
E53046bb9794560f541fcf2cf0b9d526?s=48 sayokomiura
0
620
525442fc70ca92f82ae503f826956137?s=48 finengine
0
280
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
4
3.2k
D0f5daa7cc3a26140c06ea29e5e235cc?s=48 noriyukitakei
12
6.9k
8fa31051503b09846584c49cd53d2f80?s=48 asei
12
2.6k
E8ac626646da35420ffba5da02f4787d?s=48 ohsawa0515
0
270
Fc099d9851ad91908e0c16a70aa2ddc1?s=48 tikson
0
230

Featured

See All Featured
B47b288784fda77a94aeb234ca743c24?s=48 keavy
108
14k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
402
20k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
26
2.3k
4262b9cfacfb6b2c77f23e1d0310cd3e?s=48 myddelton
109
11k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
12
910
11c84dff30266b907714802088852677?s=48 jasonvnalue
82
8.2k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
498
130k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
222
47k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
17
900
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
587
200k
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
8
830

Transcript

  1. ੬ऑੑൃݟऀ͕஫໨͢Δۙ೥ͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ೥݄೔

  2. ੢ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃ಺ܞଳి࿩ϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦͯ೥݄ΑΓݱ৬ɻϦΫϧʔτͷ*%؅ཧج ൫ͷηΩϡϦςΟอक΍ϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯ͸ϒϥ΢βͷ੬ऑੑΛ୳͢͜ ͱɻ೥ʹใࠂͨ͠੬ऑੑ͸݅Λ௒͑Δɻஶॻʹ

    ϒϥ΢βϋοΫʢ؂༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻ೥ΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ

  3. ੬ऑੑΛൃݟ͢Δਓͷࢹ఺Ͱ ஫໨͍ͯ͠Δ8FCٕज़Λ঺հ͠·͢

  4. Server Push

  5. • ௕೥ʹ౉Γٞ࿦ͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ͸4FSWFS4FOU&WFOUT΍8FC4PDLFU • *&5'Ͱ͸)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹ΋ɺϒϥ΢βͰ1VTI௨஌Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ΍1VTI"1*ͷ࢓༷ࡦఆ͕ߦͳΘΕ͍ͯΔ

    • ͦΜͳதɺݸਓతʹ஫໨͍ͯ͠Δͷ͸ʜ 4FSWFS1VTI

  6. multipart / x-mixed-replace

  7. http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html

  8. • ೥ɺ/FUTDBQFʹ౥ࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ഑৴खஈͱͯ͠΋࢖༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻཰͸ • ݱࡏͰ͸ɺ'JSFGPY͘Β͍͔͠·ͱ΋ʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜Ͱ࢖ΘΕ͍ͯΔͷ͔

    NVMUJQBSUYNJYFESFQMBDF

  9. #VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea

  10. 3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html

  11. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY

    Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδ໨ͷσʔλ ϖʔδ໨ͷσʔλ

  12. Կނ஫໨͍ͯ͠Δ͔ͱ͍͏ͱ

  13. ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ

  14. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ

  15. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  16. https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/

  17. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ

  18. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  19. ·ͩ௚ͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471

  20. https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮૷͕ෆ׬શͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕஌Δ͜ͱͷํ͕େ੾ͩͱ൑அ͠ɺ .P[JMMB͸ະमਖ਼ͷ੬ऑੑ৘ใΛ։ࣔ

  21. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a

    href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ

  22. https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ

  23. ৽͍͠ϔομ͕ొ৔͢Δͨͼָ͠ΊΔ

  24. HTTP/2

  25. • ೔࿨ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹ઀ଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱ঺հͨ͠ +YDL͞Μͱͷग़ձ͍͸ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/

  26. ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏

  27. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification

  28. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ೔࿨ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠

  29. • )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Ε͹ɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -

    ಉ͡ϦιʔεΛఏڙ͢Δ୅ସαʔόͷ࢖༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯ؅ཧ͸ͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";

  30. flickr.com ෳ਺υϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection

  31. flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠๨Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ

  32. flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)

    Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀ͸ҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘΋ ࣮࣭తͳڴҖ͸͋·Γͳ͍ͷͰ͸ʁ

  33. ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱ͸ݶΒͳ͍ • ྫ͑͹ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏

  34. ͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ

  35. )551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:

    h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate

  36. "MU4WDͷਖ਼͍࣮͠૷͸͜͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ

  37. ࣮૷ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ෇͚Δ͜ͱ͕Ͱ͖Δ

  38. ͜ͷ࣮૷ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ΋ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight

    (OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ

  39. https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲ͸ڻ͍͍ͯΔɻ͜Ε͸"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ

  40. ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙ΋ग़͖ͯͦ͏

  41. FlyWeb

  42. https://flyweb.github.io/#showcase

  43. • .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱ෺ཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ͸·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰ౥ࡌ - BCPVUDPOGJH

    Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC

  44. • ෳ਺ͷεϚϗΛ઀ଓ͠ɺϒϥ΢β্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4

  45. 'MZ8FCͷ࢓૊Έ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞ಺ͷ୺຤͕ͦͷαʔόʹΞΫηε

  46. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });

  47. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ୺຤͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢

  48. αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ୒͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ

  49. ϩʔΧϧΤϦΞʹ͋Δผͷ୺຤͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ

  50. #POKPVSରԠΦϑΟεϓϦϯλͷ؅ཧը໘΋։͚Δ • 'JSFGPYͷ'MZ8FC΢Οϯυ΢͸@IUUQUDQʹ΋ରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢Δػثʹ΋ΞΫηεͰ͖Δ

  51. 'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ؅ཧը໘ʹͳΓ͢·͢ ؅ཧը໘ʹΞΫηεͨ͠୺຤ʹ Ϛϧ΢ΣΞ഑෍ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ

  52. navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var

    h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠୺຤ʹ TFUVQCBU Λ഑෍

  53. ͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ

  54. (PPHMF຋༁ܦ༝Ͱ։͚͹ͦΕͬΆ͍υϝΠϯʹ

  55. ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ

  56. None

  57. ͜ͷ··ͷ࢓༷ͩͱຊ౰ʹѱ༻͞Εͦ͏

  58. • 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ஫໨͍ͯ͠Δ8FCٕज़Λͭ঺հ͠·ͨ͠