Lock in $30 Savings on PRO—Offer Ends Soon! ⏳
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
脆弱性発見者が注目する近年のWeb技術
Search
MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k
脆弱性発見者が注目する近年のWeb技術
RECRUIT Technologies NIGHT vol.3の発表資料です。
MUNEAKI NISHIMURA
February 03, 2017
Tweet
Share
More Decks by MUNEAKI NISHIMURA
See All by MUNEAKI NISHIMURA
脆弱星に導かれて
nishimunea
3
1.9k
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
2.4k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.7k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.7k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
750
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.4k
SWIFT Code for Mozilla Bank
nishimunea
1
890
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
5.2k
Other Decks in Technology
See All in Technology
AWS re:Invent 2024 予選落ちのBedrockアプデをまとめて解説!
minorun365
PRO
2
210
LLMアプリケーションの評価と継続的改善
pharma_x_tech
2
150
Engineer Recruting Deck
siva_official
PRO
1
3.1k
RDRAとLLM
kanzaki
4
460
50以上のマイクロサービスを支えるアプリケーションプラットフォームの設計・構築の後悔と進化 #CNDW2024 / regrets and evolution of application platform
toshi0607
5
580
MTDDC Meetup TOKYO 2024 運用フェーズに突入したウェブサイト。年々コスト増えていませんか?
kurashige
1
130
リモートだからこそ 懸念だし1on1
jimpei
1
290
241130紅白ぺぱ合戦LT「編集の技術」
toya524287
3
480
LLMを「速く」「安く」 動かすには / CloudNative Days Winter 2024
pfn
PRO
4
1.1k
JAWS UG 青森(弘前)クラウド・AWS入門
hiragahh
0
170
今はまだ小さい東京ガス内製開発チームが、これからもKubernetesと共に歩み続けるために
yussugi
3
430
140年の歴史あるエンタープライズ企業の内製化×マイクロサービス化への航海
yussugi
0
3.3k
Featured
See All Featured
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Designing for humans not robots
tammielis
250
25k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Being A Developer After 40
akosma
87
590k
Optimizing for Happiness
mojombo
376
70k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
24k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
28
2k
Teambox: Starting and Learning
jrom
133
8.8k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
Automating Front-end Workflow
addyosmani
1366
200k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
400
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
Transcript
੬ऑੑൃݟऀ͕͢Δۙͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ݄
ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃܞଳిϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦ݄ͯΑΓݱ৬ɻϦΫϧʔτͷ*%ཧج ൫ͷηΩϡϦςΟอकϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯϒϥβͷ੬ऑੑΛ୳͢͜ ͱɻʹใࠂͨ͠੬ऑੑ݅Λ͑Δɻஶॻʹ
ϒϥβϋοΫʢ༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ
੬ऑੑΛൃݟ͢ΔਓͷࢹͰ ͍ͯ͠Δ8FCٕज़Λհ͠·͢
Server Push
• ʹΓٞͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ4FSWFS4FOU&WFOUT8FC4PDLFU • *&5'Ͱ)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹɺϒϥβͰ1VTI௨Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ1VTI"1*ͷ༷ࡦఆ͕ߦͳΘΕ͍ͯΔ
• ͦΜͳதɺݸਓతʹ͍ͯ͠Δͷʜ 4FSWFS1VTI
multipart / x-mixed-replace
http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html
• ɺ/FUTDBQFʹࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ৴खஈͱͯ͠༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻ • ݱࡏͰɺ'JSFGPY͘Β͍͔͠·ͱʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜ͰΘΕ͍ͯΔͷ͔
NVMUJQBSUYNJYFESFQMBDF
#VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea
3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY
Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδͷσʔλ ϖʔδͷσʔλ
Կނ͍ͯ͠Δ͔ͱ͍͏ͱ
ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
·ͩͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮͕ෆશͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕Δ͜ͱͷํ͕େͩͱஅ͠ɺ .P[JMMBະमਖ਼ͷ੬ऑੑใΛ։ࣔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a
href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ
৽͍͠ϔομ͕ొ͢Δͨͼָ͠ΊΔ
HTTP/2
• ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱհͨ͠ +YDL͞Μͱͷग़ձ͍ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/
ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠
• )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Εɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -
ಉ͡ϦιʔεΛఏڙ͢Δସαʔόͷ༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯཧͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";
flickr.com ෳυϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection
flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ
flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)
Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘ ࣮࣭తͳڴҖ͋·Γͳ͍ͷͰʁ
ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱݶΒͳ͍ • ྫ͑ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏
͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ
)551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:
h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate
"MU4WDͷਖ਼͍࣮͜͠͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ
࣮ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ͚Δ͜ͱ͕Ͱ͖Δ
͜ͷ࣮ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight
(OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ
https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲڻ͍͍ͯΔɻ͜Ε"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ
ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙग़͖ͯͦ͏
FlyWeb
https://flyweb.github.io/#showcase
• .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰࡌ - BCPVUDPOGJH
Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC
• ෳͷεϚϗΛଓ͠ɺϒϥβ্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4
'MZ8FCͷΈ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞͷ͕ͦͷαʔόʹΞΫηε
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢
αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ
ϩʔΧϧΤϦΞʹ͋Δผͷ͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ
#POKPVSରԠΦϑΟεϓϦϯλͷཧը໘։͚Δ • 'JSFGPYͷ'MZ8FCΟϯυ@IUUQUDQʹରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢ΔػثʹΞΫηεͰ͖Δ
'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ཧը໘ʹͳΓ͢·͢ ཧը໘ʹΞΫηεͨ͠ʹ ϚϧΣΞ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ
navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var
h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠ʹ TFUVQCBU Λ
͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ
(PPHMF༁ܦ༝Ͱ։͚ͦΕͬΆ͍υϝΠϯʹ
ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ
None
͜ͷ··ͷ༷ͩͱຊʹѱ༻͞Εͦ͏
• 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ͍ͯ͠Δ8FCٕज़Λͭհ͠·ͨ͠