
OWASP_Fukuoka_Meeting_02_Go_SCP_hoka

nwiizo
April 14, 2021
260

 OWASP_Fukuoka_Meeting_02_Go_SCP_hoka

OWASP Fukuoka Meeting #2
https://owasp-kyushu.connpass.com/event/205625/

近年、Go言語でWebアプリケーションを開発する機会が増えてきました。本セッションではOWASP セキュアコーディングプラクティス - クイックリファレンスガイド に準拠している OWASP/Go-SCP についての概要といくつかの例題について紹介しようとおもってたのですが途中で飽きて適当なこと喋る資料になってます。

nwiizo

April 14, 2021

Transcript

  1. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

    ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫
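  // Slide 2: reflected XSS, the insecure "before" example of this deck.

package main

import (
	"io"
	"log"
	"net/http"
)

// handler echoes the "param1" query parameter back to the client unchanged.
//
// INSECURE (kept as the demonstration case): the value is request-controlled
// and is written without any output encoding. The html/template version later
// in this deck is the variant to use.
func handler(w http.ResponseWriter, r *http.Request) {
	// No Content-Type is set, so net/http sniffs one from the first bytes of
	// the body; a value that looks like markup is served as text/html and is
	// rendered by the browser.
	io.WriteString(w, r.URL.Query().Get("param1"))
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}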
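  // Slide 3: reflected XSS, the insecure "before" example of this deck.

package main

import (
	"io"
	"log"
	"net/http"
)

// handler echoes the "param1" query parameter back to the client unchanged.
//
// INSECURE (kept as the demonstration case): the value is request-controlled
// and is written without any output encoding. The html/template version later
// in this deck is the variant to use.
func handler(w http.ResponseWriter, r *http.Request) {
	// No Content-Type is set, so net/http sniffs one from the first bytes of
	// the body; a value that looks like markup is served as text/html and is
	// rendered by the browser.
	io.WriteString(w, r.URL.Query().Get("param1"))
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}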
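  // Slide 4: reflected XSS, the insecure "before" example of this deck.

package main

import (
	"io"
	"log"
	"net/http"
)

// handler echoes the "param1" query parameter back to the client unchanged.
//
// INSECURE (kept as the demonstration case): the value is request-controlled
// and is written without any output encoding. The html/template version later
// in this deck is the variant to use.
func handler(w http.ResponseWriter, r *http.Request) {
	// No Content-Type is set, so net/http sniffs one from the first bytes of
	// the body; a value that looks like markup is served as text/html and is
	// rendered by the browser.
	io.WriteString(w, r.URL.Query().Get("param1"))
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}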
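  // Slide 5: the same handler rendered through html/template (escaped output).

package main

import (
	"html/template"
	"log"
	"net/http"
)

// helloTmpl is parsed once at start-up. template.Must panics on a malformed
// template, so a parse failure cannot hide behind a discarded error.
var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

// handler writes the "param1" query parameter through html/template, which
// escapes it for the HTML context in which {{.}} appears.
//
// The protection covers data passed to the template only: request data must
// never be concatenated into the template text or converted to template.HTML.
func handler(w http.ResponseWriter, r *http.Request) {
	param1 := r.URL.Query().Get("param1")
	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
		// Part of the response may already be written; record the failure.
		log.Printf("render template T: %v", err)
	}
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}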
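  // Slide 6: the same handler rendered through html/template (escaped output).

package main

import (
	"html/template"
	"log"
	"net/http"
)

// helloTmpl is parsed once at start-up. template.Must panics on a malformed
// template, so a parse failure cannot hide behind a discarded error.
var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

// handler writes the "param1" query parameter through html/template, which
// escapes it for the HTML context in which {{.}} appears.
//
// The protection covers data passed to the template only: request data must
// never be concatenated into the template text or converted to template.HTML.
func handler(w http.ResponseWriter, r *http.Request) {
	param1 := r.URL.Query().Get("param1")
	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
		// Part of the response may already be written; record the failure.
		log.Printf("render template T: %v", err)
	}
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}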
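  // Slide 7: the same handler rendered through html/template (escaped output).

package main

import (
	"html/template"
	"log"
	"net/http"
)

// helloTmpl is parsed once at start-up. template.Must panics on a malformed
// template, so a parse failure cannot hide behind a discarded error.
var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

// handler writes the "param1" query parameter through html/template, which
// escapes it for the HTML context in which {{.}} appears.
//
// The protection covers data passed to the template only: request data must
// never be concatenated into the template text or converted to template.HTML.
func handler(w http.ResponseWriter, r *http.Request) {
	param1 := r.URL.Query().Get("param1")
	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
		// Part of the response may already be written; record the failure.
		log.Printf("render template T: %v", err)
	}
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}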
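  // Slide 8: the same handler rendered through html/template (escaped output).

package main

import (
	"html/template"
	"log"
	"net/http"
)

// helloTmpl is parsed once at start-up. template.Must panics on a malformed
// template, so a parse failure cannot hide behind a discarded error.
var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

// handler writes the "param1" query parameter through html/template, which
// escapes it for the HTML context in which {{.}} appears.
//
// The protection covers data passed to the template only: request data must
// never be concatenated into the template text or converted to template.HTML.
func handler(w http.ResponseWriter, r *http.Request) {
	param1 := r.URL.Query().Get("param1")
	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
		// Part of the response may already be written; record the failure.
		log.Printf("render template T: %v", err)
	}
}

// main registers handler on "/" and serves plain HTTP on port 8080.
func main() {
	http.HandleFunc("/", handler)
	// ListenAndServe returns only on failure; report it instead of exiting silently.
	log.Fatal(http.ListenAndServe(":8080", nil))
}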
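  // Slide 9: SQL injection, string concatenation versus a bound parameter.
//
// Statement the database receives when the concatenated form is used and the
// "id" parameter carries extra SQL (as shown on the slide):
//
//	SELECT number, expireDate, cvv FROM creditcards WHERE customerId = 1 OR 1=1
//
// The two snippets below are alternatives, not one function body; db and r
// come from the surrounding handler, which the slide does not show.

ctx := context.Background()
customerId := r.URL.Query().Get("id")

// Vulnerable: the request value becomes part of the SQL text, so it can
// change the structure of the statement, not just the value compared.
unsafeQuery := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = " + customerId
row, _ := db.QueryContext(ctx, unsafeQuery)

// Fixed: the statement text is constant and the value is passed separately as
// a bound argument. The placeholder syntax depends on the driver ("?" here;
// some drivers use "$1" instead).
query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = ?"
rows, err := db.QueryContext(ctx, query, customerId)
if err != nil {
	// rows is not usable on error; stop here and report the failure.
	return
}
// QueryContext returns a result set (*sql.Rows), which holds a connection
// until it is closed.
defer rows.Close()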
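  // Slide 10: math/rand, predictable output (the insecure "before" example).

package main

import (
	"fmt"
	"math/rand"
)

// main prints one value in [0, 1984) from math/rand's global source.
//
// math/rand is a deterministic pseudo-random generator and is not suitable
// for tokens, keys, session IDs or anything else an attacker must not guess.
// The repeated value in the recorded run below comes from the unseeded global
// source; Go 1.20 and later seed it randomly at start-up, which hides the
// repetition but does not make the generator cryptographically secure.
func main() {
	fmt.Println("Random Number: ", rand.Intn(1984))
}

/*
Run recorded on the slide:

	$ for i in (seq 5); go run main.go ; end
	Random Number: 1825
	Random Number: 1825
	Random Number: 1825
	Random Number: 1825
	Random Number: 1825
*/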
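  // Slide 11: crypto/rand, the replacement for security-sensitive values.

package main

import (
	"crypto/rand"
	"fmt"
	"log"
	"math/big"
)

// main prints one uniformly distributed value in [0, 1984) drawn from the
// operating system's cryptographically secure random source.
func main() {
	// The result is named n so that it does not shadow the rand package.
	n, err := rand.Int(rand.Reader, big.NewInt(1984))
	if err != nil {
		// A failing random source must stop the program; continuing would
		// print a nil value instead of a random one.
		log.Fatalf("read random number: %v", err)
	}
	fmt.Printf("Random Number: %d\n", n)
}

/*
Run recorded on the slide:

	$ for i in (seq 2); go run main.go ; end
	Random Number: 688
	Random Number: 1309
*/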