Gitlab.comで見つけたXSSの話

Transcript

1. GITLAB.COMͰ ݟ͚ͭͨXSSͷ࿩ AgriNote Salad Bar #1 @ooooooo_q 1

2. ࠓ೔͸஬औΓͷ࿩Λ͠·͢ (ը૾: ͍Β͢ͱ΍: ՆٳΈͷΠϥετʮ஬औΓʯ) 2

3. ஬औΓ? 3

4. BUG HUNTING? 4

5. #6(
   #06/5: όά
   㲈
   ੬ऑੑͷใࠂͷड෇੍౓
   ϒϥ΢βɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ
   ใ঑͕ۚ΋Β͑Δͷ͕༗໊
   άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ΋
   ϓϥοτϑΥʔϜ
   IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT
   IUUQTCVHDSPXEDPNQSPHSBNT 5

6. ೔ຊͰ΋ .JYJ
   αΠϘ΢ζ
   1JYJW
   -JOF
   $IBUXPSL
   ;BJN
   ଞ৭ʑ 6

7. #6(
   )6/5*/(࣌ͷ஫ҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏
   ଞͷϢʔβͷ໎࿭ʹͳΔ͜ͱ͸େ఍ېࢭ
   %P4ͱ͔
   044͸खΛ෇͚΍͍͢
   खݩͰಈ࡞ͤ͞Ε͹ଞʹӨڹ͕ग़ʹ͍͘
   ͦΕ·Ͱݟ͔ͭͬͨ໰୊ͷमਖ਼͕Θ͔Δ 7

8. #6(
   )6/5&3 ੬ऑੑใࠂΛߦ͏৆ۚՔ͗
   ྑ͍఺
   ࣗ༝ʹ͕࣌ؒऔΕΔ
   ඞཁͳίϛϡχέʔγϣϯྔ͸ଞͱൺ΂ͯগͳΊ
   ࣮ࡍʹ͸ηΩϡϦςΟͷษڧ໨తͷਓ͕ଟ͍Β͍͠
   ʢՔ͍Ͱ͍Δਓ͸Ք͍Ͱ͍Δ͕ʜʣ 8

9. ͪͳΈʹ ࣮ࡍͷ஬ͷ৆ۚՔ͗΋ͨ·ʹ͋Δ
   ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ
   IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB
   େࡕ෎ࡖࢢ
   9

10. GITLAB 10

11. (*5-"# 11

12. (*5-"#$0.ͱ(*5-"#
    $&&& HJUMBCDPN
    Ϋϥ΢υαʔϏε
    ਵ࣌ߋ৽͞ΕΔ
    (JUMBC
    $&&&
    ΦϯϓϨϛε൛
    ݄ͷϦϦʔε
    ͦΕҎ֎ʹQBUDI
    TFDVSJUZ
    SFMFBTF 12

13. (*5-"#
    4&$63*5: ௨ৗͷϦϦʔεͱ͸ผʹηΩϡϦςΟ୯ಠͰϦϦʔε
    େ఍݄ ճ͋Δ
    ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ
    ೔ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ
    ରԠ಺༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱ΋ͳ͍Α͏ ͚ͩͲίϛοτ͸େମݕ౼ͭ͘
    ੬ऑੑʹ͸$7&͕ൃߦ͞Ε͍ͯͯαϚϦ΋ॻ͔Ε͍ͯΔ 13

14. GITLAB BUG BOUNTY 14

15. (*5-"#
    #6(
    #06/5: ೥݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ
    ೥ळʹใ঑ۚͷֹ͕ഒʹ্͕ͬͨ
    3$&ͳͲͰ͋Ε͹࠷ߴ 
    
    944Ͱ
    㲈
    ສԁҎ্
    
    IUUQTIBDLFSPOFDPNHJUMBCɹ 15

16. (*5-"#
    #6(
    #06/5: ɹ
    ɹ 16

17. ← ͜͜·Ͱલఏͷઆ໌ 17

18. GITLAB.COMͰݟ͚ͭͨXSSͷ࿩ → 18

19. ͋Δ೔ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19

20. 63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ
    ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ
    ΫϥΠΞϯτଆͰͷϦϯΫԽ
    K2VFSZ
    
    7VFKT
    (FNpMF΍QBDLBHFKTPOͷύοέʔδ໊͸
    αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ
    
    Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20

21. %06#-&
    -*/, Bͷଐੑʹผͷλά͕ೖΔ
    lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β޷͖ͳλά͕ॻ͚Δ 21

22. XSS CSP 22

23. 944 $SPTT
    4JUF
    4DSJQUJOH
    ૝ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ
    ྫ͑͹ɺϒϥ΢βͰϩάΠϯ͍ͯ͠Δͱ͖
    ಉ͡υϝΠϯͷ৘ใΛऔಘͯ͠Ͳ͔͜ʹૹ৴
    ΞΧ΢ϯτ৐ͬऔΓ
    +BWBTDSJQUͰՄೳͳ͜ͱ͸େ఍Ͱ͖Δ
    (JUMBCͰ944͕͋Δͷ͸ةݥ 23

24. 944
     24

25. $41 $POUFOU
    4FDVSJUZ
    1PMJDZ
    944ͳͲΛ๷͙ػߏ
    આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ
    HJUMBCDPNͰ͸਺ϲ݄લʹ$41͕ద༻͞Εͨ
    944͕ϒϩοΫ͞Εͨ
    ͔͠͠ɺ(JUMBC
    $&&&Ͱ͸·ͩద༻͞Ε͍ͯͳ͍
    
    ϦϦʔε͞ΕͨΒةͳ͍͸ͣ 25

26. ੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ৚݅Λଗ͑ͯIBDLFSPOFʹใࠂ
    IUUQTIBDLFSPOFDPNSFQPSUT
    τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍଴ͭ
    ʜ
    ͦͷؒʹ
    ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ
    ˠ
    ใ঑ۚͳ͠
    ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26

27. 3&7&35͠ͳ͍৔߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͸͔ͳΓ໘౗
    
    ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳ΍ͭΛ๷͙
    શ෦Ծ૝%0.ʹ͢Δͱ͔ʜ
    %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔
    %PNQVSJGZΛೖΕΔ
    ʢ͔͠͠ɺCZQBTTՄೳʣ 27

28. (ը૾: ͍Β͢ͱ΍: ௏ͱ༡ͿࢠڙͷΠϥετ) 28

29. 29

30. ͔͜͜Β͸͕࣌ؒ ༨ͬͨ࣌༻ 30

31. $41
    #:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ
    IUUQTIBDLFSPOFDPNSFQPSUT
    KRVFSZVKTͰ͸B
    MJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ
    EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ৔߹ͷΈ
    (JUMBCͰ͸KRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦෼͕͋Δ
    ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ
    BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ৔߹
    ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ
    IUNM
    JOKFDUJPO
    
    944͢Δͱ͕Ͱ͖ͯɺDTQ
    CZQBTTͰ͖Δ
    

    BλάͷEBUBYYY͸%PNQVSJGZͰ΋஄͔Εͳ͍ 31