Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
認証・認可の仕組みを理解する上で知っておきたい基礎知識/auth-overview
Search
nishina
May 08, 2020
Programming
1
240
認証・認可の仕組みを理解する上で知っておきたい基礎知識/auth-overview
nishina
May 08, 2020
Tweet
Share
More Decks by nishina
See All by nishina
1週間で終わらせるはじめてのGo言語学習/beginner-study-go
nishina555
1
150
Postmanを利用したAPI開発/postman-tutorial
nishina555
0
98
テキスト校正ツールtextlintの 紹介と導入方法/textlint-overview
nishina555
0
94
REST APIとの比較でざっくり理解するGraphQL/graphql-introduction
nishina555
0
190
ウィンドウ操作に便利な ショートカットとアプリ紹介/mac-window-shortcut
nishina555
0
160
IPアドレス(IPv4)の仕組み/overview-of-ipaddress
nishina555
0
140
図で理解する自然言語処理/nlp_tutorial
nishina555
0
270
ToDoアプリで学ぶReact/Redux入門/vtecx2_lt2
nishina555
2
2.9k
DiveIntoOSSThroughHacktoberfest_SPMKT
nishina555
1
320
Other Decks in Programming
See All in Programming
Namespace and Its Future
tagomoris
6
700
testingを眺める
matumoto
1
140
基礎から学ぶ大画面対応(Learning Large-Screen Support from the Ground Up)
tomoya0x00
0
1.5k
ファインディ株式会社におけるMCP活用とサービス開発
starfish719
0
1.6k
AIでLINEスタンプを作ってみた
eycjur
1
230
Oracle Database Technology Night 92 Database Connection control FAN-AC
oracle4engineer
PRO
1
450
Ruby×iOSアプリ開発 ~共に歩んだエコシステムの物語~
temoki
0
320
アプリの "かわいい" を支えるアニメーションツールRiveについて
uetyo
0
270
モバイルアプリからWebへの横展開を加速した話_Claude_Code_実践術.pdf
kazuyasakamoto
0
330
機能追加とリーダー業務の類似性
rinchoku
2
1.3k
GitHubとGitLabとAWS CodePipelineでCI/CDを組み比べてみた
satoshi256kbyte
4
240
The Past, Present, and Future of Enterprise Java
ivargrimstad
0
380
Featured
See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.4k
Being A Developer After 40
akosma
90
590k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
31
2.2k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
9
810
RailsConf 2023
tenderlove
30
1.2k
Navigating Team Friction
lara
189
15k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
For a Future-Friendly Web
brad_frost
180
9.9k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
34
3.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
A Tale of Four Properties
chriscoyier
160
23k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
840
Transcript
ਔՊ ढ़ ೝূɾೝՄͷΈΛཧղ͢Δ্Ͱ ͓͖͍ͬͯͨجૅࣝ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূͱೝՄͷҧ͍ʹ͍ͭͯ • ηογϣϯೝূͱτʔΫϯೝূͷҧ͍ʹ͍ͭͯ • ೝূͷηΩϡϦςΟϦεΫXSSɾCSRFʹ͍ͭͯ ೝূɾೝՄʹؔ͢Δ֓ཁͱجૅࣝͷڞ༗ ϞϊϦγοΫͳΞϓϦΛׂ͢Δʹ͋ͨΓɺೝূɾೝՄͷ࣮ํ๏ ͷݕ౼ආ͚ͯ௨Ε·ͤΜɻ
Լ४උͱͯ͠ɺࠓճೝূɾೝՄͷجૅࣝʹ͍ͭͯ·ͱΊ·ͨ͠
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূ࣮ख๏
• ·ͱΊ
• εςʔτϑϧ • ݱࡏͷঢ়ଶΛͭ • ྫ: FTP, TCP, BGP, OSPF,
EIGRP, SMTP, SSH • εςʔτϨε • ݱࡏͷঢ়ଶΛͨͳ͍ • ྫ: HTTP, UDP, IP, DNS εςʔτϑϧͱεςʔτϨεʹ͍ͭͯ σʔλ௨৴ʹεςʔτϑϧͱεςʔτϨεͷ2छྨ͕͋Δ
εςʔτϑϧͳΓͱΓ ͝จʁ ηοτͷυϦϯΫʁ ళͰঌ্͕͠Γ·͔͢ʁ ϋϯόʔΨʔηοτ͍ͩ͘͞ ίʔϥ͍ͩ͘͞ ͍
εςʔτϨεͳΓͱΓ ͝จʁ ηοτͷ߹ɺυϦϯΫจͯ͠Լ͍͞ จͷࡍళͰঌ্͕͠Δ͔͓͑Լ͍͞ ϋϯόʔΨʔηοτ͍ͩ͘͞ ϋϯόʔΨʔηοτͱίʔϥ͍ͩ͘͞ ϋϯόʔΨʔηοτͱίʔϥ͍ͩ͘͞ ళͰ৯·͢
• WebαΠτHTTP௨৴Λར༻͢ΔͷͰεςʔτϨε • ࣮ࡍʹECαΠτͷʮങ͍Χΰʯɺঢ়ଶʹԠͯ͡ αΠτͷڍಈΛม͍͑ͨ ηογϣϯͷඞཁੑ HTTP௨৴ͰεςʔτϑϧΛ࣮ݱ͢ΔͨΊͷׂ͕ηογϣϯ
• Cookie • WebStorage • SessionStorage • LocalStorage ηογϣϯใͷอଘઌ
ΫϥΠΞϯτ(ϒϥβ)ʹCookieͱWebStorageͷ2छྨ͕ଘࡏ
• αʔόʔଆͷηογϣϯΛཧ͢ΔͨΊͷͷ • 4KBͷσʔλαΠζ੍͕͋Δ • ΫϥΠΞϯτ͔ΒαʔόʔͷϦΫΤετ࣌ࣗಈૹ৴ • αʔόʔ͔ΒΫϥΠΞϯτͷϨεϙϯε࣌ Set-Cookieϔομʔʹηοτͯ͠ૹΒΕΔ
ηογϣϯใͷอଘઌ: Cookie
• ΫϥΠΞϯτଆͷηογϣϯΛཧ͢Δͷ • ΫϥΠΞϯτଆͰར༻Ͱ͖ΔσʔλϕʔεͷΑ͏ͳͷ • ϒϥβ͕։͍ͯΔ͚࣌ͩར༻ՄೳͳʮSessionStorageʯ • ӬଓతʹσʔλΛอଘͰ͖ΔʮLocalStorageʯ ηογϣϯใͷอଘઌ:
WebStorage
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূʢAuthenticationʣ • ୭Ͱ͋Δ͔Λ֬ೝ͢Δ͜ͱ • ྫ: ύεϫʔυೝূɺࢦೝূͳͲ • ೝূʹࣦഊͨ͠ͱ͖ͷΤϥʔʮ401 Unauthorizedʯ
• ೝՄʢAuthorizationʣ • ૢ࡞ͷݖݶΛ༩͑Δ͜ͱ • ྫ: Ӿཡ੍ݶͷ͋ΔϖʔδͷΞΫηεͳͲ • ݖݶෆʹΑΔΤϥʔʮ403 Forbiddenʯ ೝূͱೝՄͷҧ͍
ೝূͷख๏ʹ͍ͭͯ ηογϣϯʔεͷೝূ ʢεςʔτϑϧʣ τʔΫϯϕʔεͷೝূ ʢεςʔτϨεʣ
ηογϣϯʔεͷೝূ 1. ΫϨσϯγϟϧΛPOST 2. ೝূޭޙɺηογϣϯใ ͕ฦͬͯ͘Δ 3. ηογϣϯใΛར༻ͯ͠ ೝՄ௨৴Λߦ͏
τʔΫϯϕʔεͷೝূʢ1/3ʣ 1. ΫϨσϯγϟϧΛPOST 2. ೝূޭޙɺτʔΫϯ͕ฦͬͯ ͘Δ 3. τʔΫϯΛར༻ͯ͠ೝՄ௨৴Λ ߦ͏
ɾํ๏1: Authorizationϔομʔʹ τʔΫϯΛηοτ ɾํ๏2: CookieʹτʔΫϯΛอଘ
• ࣝผࢠܕ • DBʹτʔΫϯͷใΛอଘ͓ͯ͘͠λΠϓͷτʔΫϯ • แܕ • ΞΫηετʔΫϯʹඥ͘ใΛΞΫηετʔΫϯࣗମͷதʹຒ ΊࠐΉͷɻ •
JWTแܕ τʔΫϯϕʔεͷೝূʢ2/3ʣ τʔΫϯͷछྨʹ͍ͭͯ \ lTDPQFzlYYYz lDMJFOU@JEzlYYYz lFYQzlYYYz lJBUzlYYYz lTVCzlYYYz lJTTzlYYYz lKUJzlYYYz ^ แܕ ࣝผࢠܕ
• OAuth2.0ʹ͍ͭͯ • τʔΫϯͷܗࣜɺτʔΫϯͷཁٻͱͦͷԠͳͲɺ τʔΫϯͷ༷Λඪ४Խͨ͠ͷ • ʮೝՄʯΛඪ४Խͨ͠ͷͰ͋Γʮೝূʯ෦ είʔϓ֎ • OAuth2.0Ͱඪ४Խ͞Ε͍ͯΔϑϩʔ
• ೝՄίʔυϑϩʔ • ΠϯϓϦγοτϑϩʔ • ϦιʔεΦʔφʔɾύεϫʔυɾΫϨσϯγϟϧζϑϩʔ • ΫϥΠΞϯτɾΫϨσϯγϟϧζϑϩʔ • ϦϑϨογϡτʔΫϯϑϩʔ τʔΫϯϕʔεͷೝূʢ3/3ʣ
• XSS • ѱҙͷ͋ΔJavaScript͕ΫϥΠΞϯτଆͰ࣮ߦ͞Εɺ ػີใ͕ൈ͔ΕΔͳͲͷඃ͕ൃੜ͢Δ੬ऑੑ • ΫϥΠΞϯτଆͰൃੜ͢Δ੬ऑੑ • CSRF •
ѱҙͷ͋ΔϦΫΤετΛαʔόʔड͚͚ɺ ҙਤ͠ͳ͍ॲཧ͕ߦΘΕͯ͠·͏੬ऑੑ • αʔόʔଆͰൃੜ͢Δ੬ऑੑ ೝূɾೝՄʹ͓͚ΔηΩϡϦςΟϦεΫ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ηογϣϯϕʔε • τʔΫϯϕʔε • CookieʹอଘɺϦΫΤετ࣌ʹCookieΛࣗಈૹ৴ • CookieʹอଘɺAuthorizationϔομʔʹ༩ͯ͠ϦΫΤετ • LocalStorageʹอଘɺAuthorizationϔομʔʹ༩ͯ͠
ϦΫΤετ ೝূɾೝՄͷख๏·ͱΊ ηογϣϯϕʔε1ͭɺτʔΫϯϕʔε3ͭͷ߹ܭ4छྨΛհ ࢀߟIUUQTRJJUBDPN)JSPNJJUFNTFBGGE
• XSSରࡦ • Cookieʹhttp:onlyΛ͚ͭΔ͜ͱͰJavaScriptͰΞΫηε Ͱ͖ͳ͍Α͏ʹ͢Δ • CSRFରࡦ • CSRFτʔΫϯ •
ύεϫʔυΛ࠶ೖྗ͢Δ༷ʹ͢Δ ηογϣϯϕʔε Cookieࣗಈૹ৴͞ΕΔͷͰɺѱҙͷ͋ΔϦΫΤετ͔ผ ͢ΔͨΊʹCSRFରࡦʹ͍ͭͯߟ͑Δඞཁ͕͋Δ
• XSSରࡦ • Cookieʹhttp:onlyΛ͚ͭΔ͜ͱͰJavaScriptͰΞΫηε Ͱ͖ͳ͍Α͏ʹ͢Δ • CSRFରࡦ • CSRFτʔΫϯ •
ύεϫʔυΛ࠶ೖྗ͢Δ༷ʹ͢Δ τʔΫϯϕʔε: Cookieʹอଘɾૹ৴ ηογϣϯϕʔεͷ࣌ͱಉ͡
• XSSରࡦ • ϑϨʔϜϫʔΫͷػೳΛར༻ͯ͠ϥΠϒϥϦʹ੬ऑੑ͕ ͳ͍͔νΣοΫ • CSRFରࡦ • CookieͷτʔΫϯݕূͰར༻͠ͳ͍ͷͰߟྀෆཁ
τʔΫϯϕʔε: Cookieʹอଘɾϔομʔૹ৴ ϔομʔʹηοτ͢ΔτʔΫϯΛCookie͔ΒऔΓग़ͨ͢Ίʹ http:falseʹ͠ͳ͍ͱ͍͚ͳ͍ͷͰXSS੬ऑੑ͕ൃੜ͢Δ
• XSSରࡦ • ϑϨʔϜϫʔΫͷػೳΛར༻ͯ͠ϥΠϒϥϦʹ੬ऑੑ͕ ͳ͍͔νΣοΫ • CSRFରࡦ • LocalStorageͷσʔλϦΫΤετ࣌ʹࣗಈͰૹΒΕΔ͜ ͱͳ͍ͷͰߟྀෆཁ
τʔΫϯϕʔε: LocalStorageʹอଘɾϔομʔૹ৴ LocalStorageJavaScriptͰΞΫηεͰ͖ΔͷͰXSSͷϦεΫ ͋Γ
࣍ • ࠓճ͢༰ • ηογϣϯʹؔ͢Δجૅࣝ • ೝূɾೝՄʹ͍ͭͯ • ೝূͷ۩ମతͳ࣮ख๏
• ·ͱΊ
• ೝূ୭Ͱ͋Δ͔Λ֬ೝ͢Δ͜ͱɺೝՄૢ࡞ͷݖݶΛ༩͑ Δ͜ͱ • ೝূํ๏ʹηογϣϯํࣜͱτʔΫϯํࣜͷ2͕ͭ͋Δ • ೝূͷΈΛ࣮͢Δ߹XSSͱCSRFͷ੬ऑੑΛҙࣝ ͢Δ ·ͱΊ