Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q ooooooo_q
February 21, 2020
Technology
370
0

 Gitlab.comで見つけたXSSの話

Avatar for ooooooo_q

ooooooo_q

February 21, 2020

More Decks by ooooooo_q

See All by ooooooo_q
JSONをパースする.pdf
Avatar for ooooooo_q ooooooo_q
0
160
xlsx出力を Live reloadで(仮)
Avatar for ooooooo_q ooooooo_q
0
420
A-Frameを使って Mobile VRを公開する
Avatar for ooooooo_q ooooooo_q
1
400
nds_8_reftest.pdf
Avatar for ooooooo_q ooooooo_q
0
380

Other Decks in Technology

See All in Technology
AWS Systems Managerのハイブリッドアクティベーションを使用したガバメントクラウド環境の統合管理
Avatar for Toru_Kubota toru_kubota
1
190
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
1.3k
FlutterでPiP再生を実装した話
Avatar for 白井翔大 s9a17
0
240
CloudFrontのHost Header転送設定でパケットの中身はどう変わるのか?
Avatar for nagisa_53 nagisa53
1
230
Kiro Meetup #7 Kiro アップデート (2025/12/15〜2026/3/20)
Avatar for Katz Ueno katzueno
2
270
SaaSに宿る21g
Avatar for Yamakan kanyamaguc
2
180
AI時代のシステム開発者の仕事_20260328
Avatar for 閃利㈱河村 純 sengtor
0
320
ハーネスエンジニアリング×AI適応開発
Avatar for Ryohei Kamiya aictokamiya
1
910
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
3
2k
パワポ作るマンをMCP Apps化してみた
Avatar for iwamot iwamot
PRO
0
260
Databricks Appsで実現する社内向けAIアプリ開発の効率化
Avatar for R-Miura r_miura
0
160
CREがSLOを握ると 何が変わるのか
Avatar for neko maho nekomaho
0
320

Featured

See All Featured
Applied NLP in the Age of Generative AI
Avatar for Ines Montani inesmontani
PRO
4
2.2k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
3.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
The agentic SEO stack - context over prompts
Avatar for schlessera schlessera
0
720
Code Reviewing Like a Champion
Avatar for maltzj maltzj
528
40k
Max Prin - Stacking Signals: How International SEO Comes Together (And Falls Apart)
Avatar for Tech SEO Connect techseoconnect
PRO
0
140
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
950
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
1
330
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
672
58k
Rebuilding a faster, lazier Slack
Avatar for samanthasiow samanthasiow
85
9.4k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3.3k

Transcript

  1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

  2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

  3. ஬औΓ? 3

  4. BUG HUNTING? 4

  5. #6(#06/5: όά㲈੬ऑੑͷใࠂͷड෇੍౓ ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ঑͕ۚ΋Β͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5

  6. ೔ຊͰ΋ .JYJ αΠϘ΢ζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6

  7. #6()6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ %P4ͱ͔ 044͸खΛ෇͚΍͍͢ खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

  8. #6()6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗ ྑ͍఺ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

  9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕ෎ࡖࢢ 9

  10. GITLAB 10

  11. (*5-"# 11

  12. (*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN Ϋϥ΢υαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12

  13. (*5-"#4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ఍݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘ ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

  14. GITLAB BUG BOUNTY 14

  15. (*5-"##6(#06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε͹࠷ߴ  944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15

  16. (*5-"##6(#06/5: ɹɹ 16

  17. ← ͜͜·Ͱલఏͷઆ໌ 17

  18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

  19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

  20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

  21. %06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

  22. XSS CSP 22

  23. 944 $SPTT4JUF4DSJQUJOH ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧ΢ϯτ৐ͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ (JUMBCͰ944͕͋Δͷ͸ةݥ 23

  24. 944 24

  25. $41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ๷͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

  26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใ঑ۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

  27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙ શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27

  28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

  29. 29

  30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

  31. $41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰ͸BMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31