Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Gitlab.comで見つけたXSSの話

489c8b0a930ed88ad275345d7476b945?s=47 ooooooo_q
February 21, 2020
Technology
0
300

 Gitlab.comで見つけたXSSの話

489c8b0a930ed88ad275345d7476b945?s=128

ooooooo_q

February 21, 2020
Tweet

More Decks by ooooooo_q

See All by ooooooo_q
JSONをパースする.pdf
489c8b0a930ed88ad275345d7476b945?s=48 ooooooo_q
0
68
xlsx出力を Live reloadで(仮)
489c8b0a930ed88ad275345d7476b945?s=48 ooooooo_q
0
280
A-Frameを使って Mobile VRを公開する
489c8b0a930ed88ad275345d7476b945?s=48 ooooooo_q
1
310
nds_8_reftest.pdf
489c8b0a930ed88ad275345d7476b945?s=48 ooooooo_q
0
240

Other Decks in Technology

See All in Technology
失敗を経験したあなたへ〜建設的なインシデントの振り返りを行うために実践するべきこと〜
8989dfee7c4a1360817fccb657d695bc?s=48 nobuakikikuchi
0
170
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
0b238801605070def81a98cfe8061aee?s=48 shonansurvivors
0
170
GitHub 엔터프라이즈 어카운트 소개 및 엔터프라이즈 서버 구축 경험
330c5e37fb238d6b319ae6e18770f44b?s=48 posquit0
1
140
Scrum Fest Niigata 2022 開発エンジニアに聞いてみよう!
478bd912a17b65fa0ab8c1d81912b9b1?s=48 moritamasami
1
200
技術広報の役割を定義してみた 2022年春
E2b467a18ec383cfa0068207e43df7fa?s=48 afroscript
3
2.4k
Puny to Powerful PostgreSQL Rails Apps
65e84915478a95a22dd40da712f304df?s=48 andyatkinson
PRO
0
280
5分で完全理解するGoのiota
9c23bec5e8b0aa1d9458d40800987347?s=48 uji
3
2.1k
ドキュメントの翻訳に必要なこと
0d0586f83b68c623c4f04c752c4b515b?s=48 mayukosawai
0
160
ニフティでSRE推進活動を始めて取り組んできたこと
374e82d9428869942bed1de094a7ca95?s=48 niftycorp
2
410
srenext2022-skaru
B16717ef4b7aab0b253d933c3934f280?s=48 mixi_engineers
1
640
YAMLを書くだけで構築できる分散ストレージ
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
PRO
0
190
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
E12b5afe5b4e6552019c09d6ac4128c3?s=48 tocyuki
3
480

Featured

See All Featured
Building Better People: How to give real-time feedback that sticks.
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
343
17k
Reflections from 52 weeks, 52 projects
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
337
17k
Building Flexible Design Systems
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
310
33k
It's Worth the Effort
Ba530e786553390f3fb271848485681c?s=48 3n
172
25k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
E425fe9f170efa0dfaf8ab69d7107418?s=48 aki_i
21
14k
Embracing the Ebb and Flow
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
73
3.3k
Navigating Team Friction
245cee81a9c424266e5e401d844ea881?s=48 lara
175
11k
Thoughts on Productivity
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
43
2.2k
How New CSS Is Changing Everything About Graphic Design on the Web
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
212
11k
Keith and Marios Guide to Fast Websites
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
404
21k
Fontdeck: Realign not Redesign
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
4.1k
The Brand Is Dead. Long Live the Brand.
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
45
2.7k

Transcript

  1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

  2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

  3. ஬औΓ? 3

  4. BUG HUNTING? 4

  5. #6(#06/5: όά㲈੬ऑੑͷใࠂͷड෇੍౓ ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ঑͕ۚ΋Β͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5

  6. ೔ຊͰ΋ .JYJ αΠϘ΢ζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6

  7. #6()6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ %P4ͱ͔ 044͸खΛ෇͚΍͍͢ खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

  8. #6()6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗ ྑ͍఺ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

  9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕ෎ࡖࢢ 9

  10. GITLAB 10

  11. (*5-"# 11

  12. (*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN Ϋϥ΢υαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12

  13. (*5-"#4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ఍݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘ ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

  14. GITLAB BUG BOUNTY 14

  15. (*5-"##6(#06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε͹࠷ߴ  944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15

  16. (*5-"##6(#06/5: ɹɹ 16

  17. ← ͜͜·Ͱલఏͷઆ໌ 17

  18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

  19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

  20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

  21. %06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

  22. XSS CSP 22

  23. 944 $SPTT4JUF4DSJQUJOH ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧ΢ϯτ৐ͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ (JUMBCͰ944͕͋Δͷ͸ةݥ 23

  24. 944 24

  25. $41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ๷͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

  26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใ঑ۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

  27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙ શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27

  28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

  29. 29

  30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

  31. $41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰ͸BMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31