
OWASP_Fukuoka_Meeting_02_Go_SCP_hoka

April 14, 2021

 OWASP_Fukuoka_Meeting_02_Go_SCP_hoka

OWASP Fukuoka Meeting #2
https://owasp-kyushu.connpass.com/event/205625/

近年、Go言語でWebアプリケーションを開発する機会が増えてきました。本セッションではOWASP セキュアコーディングプラクティス - クイックリファレンスガイド に準拠している OWASP/Go-SCP についての概要といくつかの例題について紹介しようとおもってたのですが途中で飽きて適当なこと喋る資料になってます。


nwiizo

April 14, 2021

Transcript

  1. None
  2. ⚫ ⚫ ⚫ ⚫ ⚫

  3. None
  4. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  5. None
  6. None
  7. None
  8. None
  9. https://owasp.org/www-project-go-secure-coding-practices-guide/ より

  10. None
  11. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

    ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫
  12. None
  13. https://owasp.org/www-project-top-ten/

  // Slide 14: the deliberately unsafe example. The "param1" query
  // parameter is copied into the response body verbatim, with no
  // escaping, so a value containing markup reaches the browser as HTML:
  // a reflected XSS. Slides 17–20 show the html/template version that
  // escapes it.
  package main

  import (
  	"io"
  	"net/http"
  )

  // handler writes the raw "param1" query value to the response.
  func handler(w http.ResponseWriter, r *http.Request) {
  	values := r.URL.Query()
  	param := values.Get("param1")
  	io.WriteString(w, param)
  }

  func main() {
  	mux := http.DefaultServeMux
  	mux.HandleFunc("/", handler)
  	http.ListenAndServe(":8080", nil)
  }
  // Slide 15: same unsafe example as slide 14. Whatever arrives in
  // "param1" is written straight into the response without escaping,
  // so attacker-controlled markup is rendered by the browser (reflected
  // XSS). The escaped variant appears on slides 17–20.
  package main

  import (
  	"io"
  	"net/http"
  )

  // handler echoes the "param1" query value unmodified.
  func handler(w http.ResponseWriter, r *http.Request) {
  	values := r.URL.Query()
  	param := values.Get("param1")
  	io.WriteString(w, param)
  }

  func main() {
  	mux := http.DefaultServeMux
  	mux.HandleFunc("/", handler)
  	http.ListenAndServe(":8080", nil)
  }
  // Slide 16: same unsafe example as slides 14 and 15. Untrusted input
  // from the query string is reflected into the response body without
  // any output encoding (reflected XSS). Slides 17–20 fix this with
  // html/template.
  package main

  import (
  	"io"
  	"net/http"
  )

  // handler echoes the "param1" query value unmodified.
  func handler(w http.ResponseWriter, r *http.Request) {
  	values := r.URL.Query()
  	param := values.Get("param1")
  	io.WriteString(w, param)
  }

  func main() {
  	mux := http.DefaultServeMux
  	mux.HandleFunc("/", handler)
  	http.ListenAndServe(":8080", nil)
  }
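  // Slide 17: the html/template fix for the reflected-XSS example of
  // slides 14–16. Rendering the untrusted query parameter through
  // html/template applies contextual escaping, so the browser receives
  // it as text rather than markup.
  package main

  import (
  	"html/template"
  	"log"
  	"net/http"
  )

  // helloTmpl is parsed once at startup. The template text is a constant,
  // so a parse failure is a programming error; template.Must reports it
  // immediately instead of the error being discarded on every request.
  var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

  // handler echoes the "param1" query parameter back to the client
  // through the escaping template.
  func handler(w http.ResponseWriter, r *http.Request) {
  	param1 := r.URL.Query().Get("param1")
  	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
  		// Part of the response may already be written, so only log here.
  		log.Printf("executing template: %v", err)
  	}
  }

  func main() {
  	http.HandleFunc("/", handler)
  	// ListenAndServe only returns on failure; surface it instead of exiting 0.
  	log.Fatal(http.ListenAndServe(":8080", nil))
  }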
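  // Slide 18: the html/template fix (same code as slide 17). The
  // untrusted "param1" value is rendered through html/template, whose
  // contextual escaping neutralises markup in the input.
  package main

  import (
  	"html/template"
  	"log"
  	"net/http"
  )

  // helloTmpl is parsed once at startup. The template text is a constant,
  // so a parse failure is a programming error; template.Must reports it
  // immediately instead of the error being discarded on every request.
  var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

  // handler echoes the "param1" query parameter back to the client
  // through the escaping template.
  func handler(w http.ResponseWriter, r *http.Request) {
  	param1 := r.URL.Query().Get("param1")
  	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
  		// Part of the response may already be written, so only log here.
  		log.Printf("executing template: %v", err)
  	}
  }

  func main() {
  	http.HandleFunc("/", handler)
  	// ListenAndServe only returns on failure; surface it instead of exiting 0.
  	log.Fatal(http.ListenAndServe(":8080", nil))
  }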
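  // Slide 19: the html/template fix (same code as slide 17). The
  // untrusted "param1" value is rendered through html/template, whose
  // contextual escaping neutralises markup in the input.
  package main

  import (
  	"html/template"
  	"log"
  	"net/http"
  )

  // helloTmpl is parsed once at startup. The template text is a constant,
  // so a parse failure is a programming error; template.Must reports it
  // immediately instead of the error being discarded on every request.
  var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

  // handler echoes the "param1" query parameter back to the client
  // through the escaping template.
  func handler(w http.ResponseWriter, r *http.Request) {
  	param1 := r.URL.Query().Get("param1")
  	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
  		// Part of the response may already be written, so only log here.
  		log.Printf("executing template: %v", err)
  	}
  }

  func main() {
  	http.HandleFunc("/", handler)
  	// ListenAndServe only returns on failure; surface it instead of exiting 0.
  	log.Fatal(http.ListenAndServe(":8080", nil))
  }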
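  // Slide 20: the html/template fix (same code as slide 17). The
  // untrusted "param1" value is rendered through html/template, whose
  // contextual escaping neutralises markup in the input.
  package main

  import (
  	"html/template"
  	"log"
  	"net/http"
  )

  // helloTmpl is parsed once at startup. The template text is a constant,
  // so a parse failure is a programming error; template.Must reports it
  // immediately instead of the error being discarded on every request.
  var helloTmpl = template.Must(template.New("hello").Parse(`{{define "T"}}{{.}}{{end}}`))

  // handler echoes the "param1" query parameter back to the client
  // through the escaping template.
  func handler(w http.ResponseWriter, r *http.Request) {
  	param1 := r.URL.Query().Get("param1")
  	if err := helloTmpl.ExecuteTemplate(w, "T", param1); err != nil {
  		// Part of the response may already be written, so only log here.
  		log.Printf("executing template: %v", err)
  	}
  }

  func main() {
  	http.HandleFunc("/", handler)
  	// ListenAndServe only returns on failure; surface it instead of exiting 0.
  	log.Fatal(http.ListenAndServe(":8080", nil))
  }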
  21. https://owasp.org/www-project-top-ten/

  // Slide 22: SQL injection. The statement below is what the string
  // concatenation further down produces when the "id" parameter is
  // "1 OR 1=1": the WHERE clause no longer restricts the result to a
  // single customer, so every row of the card table is returned.
  SELECT number, expireDate, cvv FROM creditcards WHERE customerId = 1 OR 1=1

  // Fragment: r (*http.Request) and db (*sql.DB) are assumed to be in
  // scope on the slide; they are not declared here.
  ctx := context.Background()
  customerId := r.URL.Query().Get("id")

  // Unsafe: untrusted query-string input is spliced into the SQL text, so
  // the input can change the statement's structure.
  query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = " + customerId
  row, _ := db.QueryContext(ctx, query)

  // Safe: the SQL text is fixed and the value travels as a bound
  // parameter, which the driver can never interpret as SQL.
  query := "SELECT number, expireDate, cvv FROM creditcards WHERE customerId = ?"
  stmt, _ := db.QueryContext(ctx, query, customerId)
  // Slide 23: math/rand without a seed. As the captured runs show, every
  // invocation printed the same value (1825), because the default source
  // was not seeded in the Go release used for the talk (newer releases
  // seed it automatically). Independently of seeding, math/rand is not a
  // cryptographic generator and must not be used for tokens, session IDs
  // or keys; slide 24 shows crypto/rand.
  package main

  import (
  	"fmt"
  	"math/rand"
  )

  func main() {
  	n := rand.Intn(1984)
  	fmt.Println("Random Number: ", n)
  }

  // Captured output (fish shell):
  //   $ for i in (seq 5); go run main.go ; end
  //   Random Number: 1825
  //   Random Number: 1825
  //   Random Number: 1825
  //   Random Number: 1825
  //   Random Number: 1825
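  // Slide 24: crypto/rand. rand.Int draws from the OS-backed secure
  // source, so repeated runs differ (688 and 1309 in the captured output).
  // The slide's `%d¥n` is the Japanese-font rendering of `%d\n`.
  package main

  import (
  	"crypto/rand"
  	"fmt"
  	"log"
  	"math/big"
  )

  func main() {
  	// Named n rather than rand so the result does not shadow the package.
  	n, err := rand.Int(rand.Reader, big.NewInt(1984))
  	if err != nil {
  		// A failing secure source must not be silently ignored: stop here
  		// rather than continue with a nil value.
  		log.Fatalf("reading from crypto/rand: %v", err)
  	}
  	fmt.Printf("Random Number: %d\n", n)
  }

  // Captured output (fish shell):
  //   $ for i in (seq 2); go run main.go ; end
  //   Random Number: 688
  //   Random Number: 1309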
  25. ⚫ ⚫ ⚫ ⚫

  26. None
  27. None
  28. ⚫ ⚫ ⚫

  29. None
  30. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  31. ⚫ ⚫ ⚫ ⚫ ⚫

  32. ⚫ ⚫ ⚫ ⚫

  33. ⚫ ⚫ ⚫ ⚫ ⚫ pass False

  34. ⚫ ⚫ pass False

  35. • • • • •

  36. None
  37. None
  38. None
  39. None
  40. https://docs.docker.com/docker-hub/builds/automated-testing/

  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫

  48. ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫ ⚫