$30 off During Our Annual Pro Sale. View Details »

Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q ooooooo_q
February 21, 2020
Technology
0
360

 Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q

ooooooo_q

February 21, 2020
Tweet

More Decks by ooooooo_q

See All by ooooooo_q
JSONをパースする.pdf
Avatar for ooooooo_q ooooooo_q
0
150
xlsx出力を Live reloadで(仮)
Avatar for ooooooo_q ooooooo_q
0
410
A-Frameを使って Mobile VRを公開する
Avatar for ooooooo_q ooooooo_q
1
390
nds_8_reftest.pdf
Avatar for ooooooo_q ooooooo_q
0
370

Other Decks in Technology

See All in Technology
Oracle Technology Night #95 GoldenGate 26ai の実装に迫る1
Avatar for oracle4engineer oracle4engineer
PRO
0
150
法人支出管理領域におけるソフトウェアアーキテクチャに基づいたテスト戦略の実践
Avatar for ogugu ogugu9
1
210
大企業でもできる!ボトムアップで拡大させるプラットフォームの作り方
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
1
570
[JAWS-UG 横浜支部 #91]DevOps Agent vs CloudWatch Investigations -比較と実践-
Avatar for sh_fk2 sh_fk2
1
240
最近のLinux普段づかいWaylandデスクトップ元年
Avatar for Takuma Nakajima penguin2716
1
670
GitLab Duo Agent Platformで実現する“AI駆動・継続的サービス開発”と最新情報のアップデート
Avatar for Taisuke Inoue jeffi7
0
210
AI駆動開発における設計思想 認知負荷を下げるフロントエンドアーキテクチャ/ 20251211 Teppei Hanai
Avatar for SHIFT EVOLVE shift_evolve
PRO
2
190
regrowth_tokyo_2025_securityagent
Avatar for h-ashisan hiashisan
0
170
世界最速級 memcached 互換サーバー作った
Avatar for yasukata yasukata
0
330
Sansanが実践する Platform EngineeringとSREの協創
Avatar for SansanTech sansantech
PRO
2
670
グレートファイアウォールを自宅に建てよう
Avatar for 綿糸てせ ctes091x
0
140
「Managed Instances」と「durable functions」で広がるAWS Lambdaのユースケース
Avatar for Lamaglama39 lamaglama39
0
280

Featured

See All Featured
Balancing Empowerment & Direction
Avatar for Lara Hogan lara
5
790
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
273
21k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.6k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
Avatar for Sam Stephenson sstephenson
162
15k
It's Worth the Effort
Avatar for 3n 3n
187
29k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
76
5.2k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Practical Tips for Bootstrapping Information Extraction Pipelines
Avatar for Matthew Honnibal honnibal
25
1.6k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.8k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
128
54k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k

Transcript

  1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

  2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

  3. ஬औΓ? 3

  4. BUG HUNTING? 4

  5. #6(#06/5: όά㲈੬ऑੑͷใࠂͷड෇੍౓ ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ঑͕ۚ΋Β͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5

  6. ೔ຊͰ΋ .JYJ αΠϘ΢ζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6

  7. #6()6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ %P4ͱ͔ 044͸खΛ෇͚΍͍͢ खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

  8. #6()6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗ ྑ͍఺ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

  9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕ෎ࡖࢢ 9

  10. GITLAB 10

  11. (*5-"# 11

  12. (*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN Ϋϥ΢υαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12

  13. (*5-"#4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ఍݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘ ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

  14. GITLAB BUG BOUNTY 14

  15. (*5-"##6(#06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε͹࠷ߴ  944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15

  16. (*5-"##6(#06/5: ɹɹ 16

  17. ← ͜͜·Ͱલఏͷઆ໌ 17

  18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

  19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

  20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

  21. %06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

  22. XSS CSP 22

  23. 944 $SPTT4JUF4DSJQUJOH ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧ΢ϯτ৐ͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ (JUMBCͰ944͕͋Δͷ͸ةݥ 23

  24. 944 24

  25. $41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ๷͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

  26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใ঑ۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

  27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙ શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27

  28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

  29. 29

  30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

  31. $41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰ͸BMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31