Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Gitlab.comで見つけたXSSの話
Search
ooooooo_q
February 21, 2020
Technology
0
340
Gitlab.comで見つけたXSSの話
ooooooo_q
February 21, 2020
Tweet
Share
More Decks by ooooooo_q
See All by ooooooo_q
JSONをパースする.pdf
ooooooo_q
0
130
xlsx出力を Live reloadで(仮)
ooooooo_q
0
400
A-Frameを使って Mobile VRを公開する
ooooooo_q
1
380
nds_8_reftest.pdf
ooooooo_q
0
350
Other Decks in Technology
See All in Technology
いつの間にか入れ替わってる!?新しいAWS Security Hubとは?
cmusudakeisuke
0
140
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
10
130k
AI エージェントと考え直すデータ基盤
na0
16
5.4k
インフラ寄りSREの生存戦略
sansantech
PRO
6
2.5k
United airlines®️ USA Contact Numbers: Complete 2025 Support Guide
unitedflyhelp
0
330
改めてAWS WAFを振り返る~業務で使うためのポイント~
masakiokuda
2
300
IPA&AWSダブル全冠が明かす、人生を変えた勉強法のすべて
iwamot
PRO
2
190
Rethinking Incident Response: Context-Aware AI in Practice
rrreeeyyy
1
130
SEQUENCE object comparison - db tech showcase 2025 LT2
nori_shinoda
0
160
マーケットプレイス版Oracle WebCenter Content For OCI
oracle4engineer
PRO
3
970
Delta airlines Customer®️ USA Contact Numbers: Complete 2025 Support Guide
deltahelp
0
930
敢えて生成AIを使わないマネジメント業務
kzkmaeda
2
470
Featured
See All Featured
A Tale of Four Properties
chriscoyier
160
23k
Bash Introduction
62gerente
613
210k
Facilitating Awesome Meetings
lara
54
6.4k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
Building Applications with DynamoDB
mza
95
6.5k
Visualization
eitanlees
146
16k
Rails Girls Zürich Keynote
gr2m
95
14k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
231
53k
Code Review Best Practice
trishagee
69
19k
Transcript
GITLAB.COMͰ ݟ͚ͭͨXSSͷ AgriNote Salad Bar #1 @ooooooo_q 1
ࠓऔΓͷΛ͠·͢ (ը૾: ͍Β͢ͱ: ՆٳΈͷΠϥετʮऔΓʯ) 2
औΓ? 3
BUG HUNTING? 4
#6(#06/5: όά㲈੬ऑੑͷใࠂͷड੍ ϒϥβɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ͕ۚΒ͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5
ຊͰ .JYJ αΠϘζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6
#6()6/5*/(࣌ͷҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎ʹͳΔ͜ͱେېࢭ %P4ͱ͔ 044खΛ͚͍͢ खݩͰಈ࡞ͤ͞ΕଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨͷमਖ਼͕Θ͔Δ 7
#6()6/5&3 ੬ऑੑใࠂΛߦ͏ۚՔ͗ ྑ͍ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔଞͱൺͯগͳΊ ࣮ࡍʹηΩϡϦςΟͷษڧతͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍ΔਓՔ͍Ͱ͍Δ͕ʜʣ 8
ͪͳΈʹ ࣮ࡍͷͷۚՔ͗ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕࡖࢢ 9
GITLAB 10
(*5-"# 11
(*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN ΫϥυαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12
(*5-"#4&$63*5: ௨ৗͷϦϦʔεͱผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱͳ͍Α͏ ͚ͩͲίϛοτେମݕ౼ͭ͘ ੬ऑੑʹ$7&͕ൃߦ͞Ε͍ͯͯαϚϦॻ͔Ε͍ͯΔ 13
GITLAB BUG BOUNTY 14
(*5-"##6(#06/5: ݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ळʹใۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε࠷ߴ 944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15
(*5-"##6(#06/5: ɹɹ 16
← ͜͜·Ͱલఏͷઆ໌ 17
GITLAB.COMͰݟ͚ͭͨXSSͷ → 18
͋Δ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19
63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMFQBDLBHFKTPOͷύοέʔδ໊ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20
%06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β͖ͳλά͕ॻ͚Δ 21
XSS CSP 22
944 $SPTT4JUF4DSJQUJOH ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑ɺϒϥβͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧϯτͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱେͰ͖Δ (JUMBCͰ944͕͋Δͷةݥ 23
944 24
$41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍ͣ 25
੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26
3&7&35͠ͳ͍߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͔ͳΓ໘ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳͭΛ͙ શ෦Ծ%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27
(ը૾: ͍Β͢ͱ: ͱ༡ͿࢠڙͷΠϥετ) 28
29
͔͜͜Β͕࣌ؒ ༨ͬͨ࣌༻ 30
$41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰBMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ߹ͷΈ (JUMBCͰKRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ
BλάͷEBUBYYY%PNQVSJGZͰ͔Εͳ͍ 31