Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Gitlab.comで見つけたXSSの話

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for ooooooo_q ooooooo_q
February 21, 2020
Technology
0
360

 Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q

ooooooo_q

February 21, 2020
Tweet

More Decks by ooooooo_q

See All by ooooooo_q
JSONをパースする.pdf
Avatar for ooooooo_q ooooooo_q
0
150
xlsx出力を Live reloadで(仮)
Avatar for ooooooo_q ooooooo_q
0
420
A-Frameを使って Mobile VRを公開する
Avatar for ooooooo_q ooooooo_q
1
390
nds_8_reftest.pdf
Avatar for ooooooo_q ooooooo_q
0
380

Other Decks in Technology

See All in Technology
20260204_Midosuji_Tech
Avatar for Takuya Yonezawa takuyay0ne
1
160
コミュニティが変えるキャリアの地平線:コロナ禍新卒入社のエンジニアがAWSコミュニティで見つけた成長の羅針盤
Avatar for Kento Suzuki kentosuzuki
0
120
ファインディの横断SREがTakumi byGMOと取り組む、セキュリティと開発スピードの両立
Avatar for adachi.ryo rvirus0817
1
1.4k
AIエージェントを開発しよう!-AgentCore活用の勘所-
Avatar for YukiOgawa yukiogawa
0
170
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
1k
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
15
400k
Agile Leadership Summit Keynote 2026
Avatar for seki at druby.org m_seki
1
650
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
5
17k
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
Avatar for Konishi tatsuhiro tatsukoni
0
220
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
970
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.6k
Oracle AI Database 移行・アップグレード勉強会 - RAT活用編
Avatar for oracle4engineer oracle4engineer
PRO
0
100

Featured

See All Featured
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1032
470k
Building a A Zero-Code AI SEO Workflow
Avatar for Ian Lurie portentint
PRO
0
320
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
500
How GitHub (no longer) Works
Avatar for Zach Holman holman
316
140k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.6k
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
290
The B2B funnel & how to create a winning content strategy
Avatar for Katarina Dahlin katarinadahlin
PRO
1
280
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
16
1.8k
A Guide to Academic Writing Using Generative AI - A Workshop
Avatar for Kenji Saito ks91
PRO
0
210
30 Presentation Tips
Avatar for Ian Lurie portentint
PRO
1
220
Primal Persuasion: How to Engage the Brain for Learning That Lasts
Avatar for Mike Taylor tmiket
0
250

Transcript

  1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

  2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

  3. ஬औΓ? 3

  4. BUG HUNTING? 4

  5. #6(#06/5: όά㲈੬ऑੑͷใࠂͷड෇੍౓ ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ঑͕ۚ΋Β͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5

  6. ೔ຊͰ΋ .JYJ αΠϘ΢ζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6

  7. #6()6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ %P4ͱ͔ 044͸खΛ෇͚΍͍͢ खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

  8. #6()6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗ ྑ͍఺ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

  9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕ෎ࡖࢢ 9

  10. GITLAB 10

  11. (*5-"# 11

  12. (*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN Ϋϥ΢υαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12

  13. (*5-"#4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ఍݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘ ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

  14. GITLAB BUG BOUNTY 14

  15. (*5-"##6(#06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε͹࠷ߴ  944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15

  16. (*5-"##6(#06/5: ɹɹ 16

  17. ← ͜͜·Ͱલఏͷઆ໌ 17

  18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

  19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

  20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

  21. %06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

  22. XSS CSP 22

  23. 944 $SPTT4JUF4DSJQUJOH ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧ΢ϯτ৐ͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ (JUMBCͰ944͕͋Δͷ͸ةݥ 23

  24. 944 24

  25. $41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ๷͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

  26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใ঑ۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

  27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙ શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27

  28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

  29. 29

  30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

  31. $41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰ͸BMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31