Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Gitlab.comで見つけたXSSの話

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for ooooooo_q ooooooo_q
February 21, 2020
Technology
0
360

 Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q

ooooooo_q

February 21, 2020
Tweet

More Decks by ooooooo_q

See All by ooooooo_q
JSONをパースする.pdf
Avatar for ooooooo_q ooooooo_q
0
150
xlsx出力を Live reloadで(仮)
Avatar for ooooooo_q ooooooo_q
0
420
A-Frameを使って Mobile VRを公開する
Avatar for ooooooo_q ooooooo_q
1
390
nds_8_reftest.pdf
Avatar for ooooooo_q ooooooo_q
0
380

Other Decks in Technology

See All in Technology
生成AIを活用した音声文字起こしシステムの2つの構築パターンについて
Avatar for Kazuki Miura miu_crescent
PRO
3
210
SREチームをどう作り、どう育てるか ― Findy横断SREのマネジメント
Avatar for adachi.ryo rvirus0817
0
320
Digitization部 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
6.8k
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
Avatar for SansanTech sansantech
PRO
3
2.5k
Context Engineeringが企業で不可欠になる理由
Avatar for Hirosato Gamo hirosatogamo
PRO
3
620
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
Avatar for Kuniaki Moriya zepprix
0
460
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.7k
こんなところでも(地味に)活躍するImage Modeさんを知ってるかい?- Image Mode for OpenShift -
Avatar for Masataka Tsukamoto tsukaman
1
160
Oracle Cloud Observability and Management Platform - OCI 運用監視サービス概要 -
Avatar for oracle4engineer oracle4engineer
PRO
2
14k
Frontier Agents (Kiro autonomous agent / AWS Security Agent / AWS DevOps Agent) の紹介
Avatar for msysh msysh
3
180
今日から始める Amazon Bedrock AgentCore
Avatar for Har1101 har1101
4
410
Codex 5.3 と Opus 4.6 にコーポレートサイトを作らせてみた / Codex 5.3 vs Opus 4.6
Avatar for ama-ch ama_ch
0
180

Featured

See All Featured
Everyday Curiosity
Avatar for Cassini Nazir cassininazir
0
130
Designing for Timeless Needs
Avatar for Cassini Nazir cassininazir
0
130
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon szymonslowik
1
220
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
830
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
86
Digital Projects Gone Horribly Wrong (And the UX Pros Who Still Save the Day) - Dean Schuster
Avatar for UX Y'all uxyall
0
380
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
57
50k
Agile that works and the tools we love
Avatar for Rasmus Luckow-Nielsen rasmusluckow
331
21k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
110
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
515
110k

Transcript

  1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

  2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

  3. ஬औΓ? 3

  4. BUG HUNTING? 4

  5. #6(#06/5: όά㲈੬ऑੑͷใࠂͷड෇੍౓ ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ঑͕ۚ΋Β͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5

  6. ೔ຊͰ΋ .JYJ αΠϘ΢ζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6

  7. #6()6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ %P4ͱ͔ 044͸खΛ෇͚΍͍͢ खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

  8. #6()6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗ ྑ͍఺ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

  9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕ෎ࡖࢢ 9

  10. GITLAB 10

  11. (*5-"# 11

  12. (*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN Ϋϥ΢υαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12

  13. (*5-"#4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ఍݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘ ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

  14. GITLAB BUG BOUNTY 14

  15. (*5-"##6(#06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε͹࠷ߴ  944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15

  16. (*5-"##6(#06/5: ɹɹ 16

  17. ← ͜͜·Ͱલఏͷઆ໌ 17

  18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

  19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

  20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

  21. %06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

  22. XSS CSP 22

  23. 944 $SPTT4JUF4DSJQUJOH ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧ΢ϯτ৐ͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ (JUMBCͰ944͕͋Δͷ͸ةݥ 23

  24. 944 24

  25. $41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ๷͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

  26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใ঑ۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

  27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙ શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27

  28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

  29. 29

  30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

  31. $41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰ͸BMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31