Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Gitlab.comで見つけたXSSの話
ooooooo_q
February 21, 2020
Technology
0
300
Gitlab.comで見つけたXSSの話
ooooooo_q
February 21, 2020
Tweet
Share
More Decks by ooooooo_q
See All by ooooooo_q
JSONをパースする.pdf
ooooooo_q
0
68
xlsx出力を Live reloadで(仮)
ooooooo_q
0
280
A-Frameを使って Mobile VRを公開する
ooooooo_q
1
310
nds_8_reftest.pdf
ooooooo_q
0
240
Other Decks in Technology
See All in Technology
失敗を経験したあなたへ〜建設的なインシデントの振り返りを行うために実践するべきこと〜
nobuakikikuchi
0
170
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
shonansurvivors
0
170
GitHub 엔터프라이즈 어카운트 소개 및 엔터프라이즈 서버 구축 경험
posquit0
1
140
Scrum Fest Niigata 2022 開発エンジニアに聞いてみよう!
moritamasami
1
200
技術広報の役割を定義してみた 2022年春
afroscript
3
2.4k
Puny to Powerful PostgreSQL Rails Apps
andyatkinson
PRO
0
280
5分で完全理解するGoのiota
uji
3
2.1k
ドキュメントの翻訳に必要なこと
mayukosawai
0
160
ニフティでSRE推進活動を始めて取り組んできたこと
niftycorp
2
410
srenext2022-skaru
mixi_engineers
1
640
YAMLを書くだけで構築できる分散ストレージ
sat
PRO
0
190
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
tocyuki
3
480
Featured
See All Featured
Building Better People: How to give real-time feedback that sticks.
wjessup
343
17k
Reflections from 52 weeks, 52 projects
jeffersonlam
337
17k
Building Flexible Design Systems
yeseniaperezcruz
310
33k
It's Worth the Effort
3n
172
25k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_i
21
14k
Embracing the Ebb and Flow
colly
73
3.3k
Navigating Team Friction
lara
175
11k
Thoughts on Productivity
jonyablonski
43
2.2k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
212
11k
Keith and Marios Guide to Fast Websites
keithpitt
404
21k
Fontdeck: Realign not Redesign
paulrobertlloyd
73
4.1k
The Brand Is Dead. Long Live the Brand.
mthomps
45
2.7k
Transcript
GITLAB.COMͰ ݟ͚ͭͨXSSͷ AgriNote Salad Bar #1 @ooooooo_q 1
ࠓऔΓͷΛ͠·͢ (ը૾: ͍Β͢ͱ: ՆٳΈͷΠϥετʮऔΓʯ) 2
औΓ? 3
BUG HUNTING? 4
#6(#06/5: όά㲈੬ऑੑͷใࠂͷड੍ ϒϥβɺϑϨʔϜϫʔΫɺݴޠɺ҉߸௨՟ɺଞʜ ใ͕ۚΒ͑Δͷ͕༗໊ άοζ͚ͩͱ͔ϙΠϯτ͚ͩͷ͜ͱ ϓϥοτϑΥʔϜ IUUQTIBDLFSPOFDPNEJSFDUPSZQSPHSBNT IUUQTCVHDSPXEDPNQSPHSBNT 5
ຊͰ .JYJ αΠϘζ 1JYJW -JOF $IBUXPSL ;BJN ଞ৭ʑ 6
#6()6/5*/(࣌ͷҙ ېࢭࣄ߲͕େମॻ͍ͯ͋ΔͷͰै͏ ଞͷϢʔβͷ໎ʹͳΔ͜ͱେېࢭ %P4ͱ͔ 044खΛ͚͍͢ खݩͰಈ࡞ͤ͞ΕଞʹӨڹ͕ग़ʹ͍͘ ͦΕ·Ͱݟ͔ͭͬͨͷमਖ਼͕Θ͔Δ 7
#6()6/5&3 ੬ऑੑใࠂΛߦ͏ۚՔ͗ ྑ͍ ࣗ༝ʹ͕࣌ؒऔΕΔ ඞཁͳίϛϡχέʔγϣϯྔଞͱൺͯগͳΊ ࣮ࡍʹηΩϡϦςΟͷษڧతͷਓ͕ଟ͍Β͍͠ ʢՔ͍Ͱ͍ΔਓՔ͍Ͱ͍Δ͕ʜʣ 8
ͪͳΈʹ ࣮ࡍͷͷۚՔ͗ͨ·ʹ͋Δ ϒϥοΫϋϯλʔʢΫϏΞΧπϠΧϛΩϦʣ IUUQXXXTBLBJJLJNPOPKQSFTVMU OFUFWFOUTLVCJBLB େࡕࡖࢢ 9
GITLAB 10
(*5-"# 11
(*5-"#$0.ͱ(*5-"#$&&& HJUMBCDPN ΫϥυαʔϏε ਵ࣌ߋ৽͞ΕΔ (JUMBC$&&& ΦϯϓϨϛε൛ ݄ͷϦϦʔε ͦΕҎ֎ʹQBUDI TFDVSJUZSFMFBTF 12
(*5-"#4&$63*5: ௨ৗͷϦϦʔεͱผʹηΩϡϦςΟ୯ಠͰϦϦʔε େ݄ ճ͋Δ ಁ໌ੑ͕ॏࢹ͞Ε͍ͯΔ ܦͭͱ੬ऑੑͷJTTVF͕ެ։͞ΕΔ ରԠ༰͕ެ։͞Ε͍ͯΔ͔ͱ͍͏ͱͦ͏Ͱͳ͍Α͏ ͚ͩͲίϛοτେମݕ౼ͭ͘ ੬ऑੑʹ$7&͕ൃߦ͞Ε͍ͯͯαϚϦॻ͔Ε͍ͯΔ 13
GITLAB BUG BOUNTY 14
(*5-"##6(#06/5: ݄͔ΒQVCJMDͰ͓͕ۚग़ΔΑ͏ʹͳͬͨ ळʹใۚͷֹ͕ഒʹ্͕ͬͨ 3$&ͳͲͰ͋Ε࠷ߴ 944Ͱ㲈ສԁҎ্ IUUQTIBDLFSPOFDPNHJUMBCɹ 15
(*5-"##6(#06/5: ɹɹ 16
← ͜͜·Ͱલఏͷઆ໌ 17
GITLAB.COMͰݟ͚ͭͨXSSͷ → 18
͋Δ (FNpMFͷද͕͓͔͍ࣔ͠ʜ 19
63-ͷࣗಈϦϯΫ HJUMBCDPNʹೖͬͨػೳ ϑΝΠϧͷதʹ͋Δ63-ͬΆ͍จࣈྻΛϦϯΫʹ͢Δػೳ ΫϥΠΞϯτଆͰͷϦϯΫԽ K2VFSZ 7VFKT (FNpMFQBDLBHFKTPOͷύοέʔδ໊ αʔόଆͰϦϯΫʹ͢Δػೳ͕Ҏલ͔Β͋Δ Bλάͷதͷ63-Λ͞ΒʹϦϯΫʹ͠Α͏ͱͯ͠͠·͏ 20
%06#-&-*/, Bͷଐੑʹผͷλά͕ೖΔ lz͕͔Ϳͬͯ͠·͍ɺ͔ͦ͜Β͖ͳλά͕ॻ͚Δ 21
XSS CSP 22
944 $SPTT4JUF4DSJQUJOH ఆ͍ͯ͠ͳ͍+BWB4DSJQUΛ࣮ߦͤ͞Δ ྫ͑ɺϒϥβͰϩάΠϯ͍ͯ͠Δͱ͖ ಉ͡υϝΠϯͷใΛऔಘͯ͠Ͳ͔͜ʹૹ৴ ΞΧϯτͬऔΓ +BWBTDSJQUͰՄೳͳ͜ͱେͰ͖Δ (JUMBCͰ944͕͋Δͷةݥ 23
944 24
$41 $POUFOU4FDVSJUZ1PMJDZ 944ͳͲΛ͙ػߏ આ໌Λॻ͕࣌ؒ͘ͳ͔ͬͨͷͰઆ໌ུ HJUMBCDPNͰϲ݄લʹ$41͕ద༻͞Εͨ 944͕ϒϩοΫ͞Εͨ ͔͠͠ɺ(JUMBC$&&&Ͱ·ͩద༻͞Ε͍ͯͳ͍ ϦϦʔε͞ΕͨΒةͳ͍ͣ 25
੬ऑੑΛใࠂ HJUMBCDPNͰͷ࠶ݱ݅Λଗ͑ͯIBDLFSPOFʹใࠂ IUUQTIBDLFSPOFDPNSFQPSUT τϦΞʔδ͞ΕΔ·Ͱि͙ؒΒ͍ͭ ʜ ͦͷؒʹ ໌Β͔ʹόάͩͬͨͷͰSFWFSU͞Εͨ ˠใۚͳ͠ ௨͍ͬͯͨΒ͓ͦΒ͘ʜ 26
3&7&35͠ͳ͍߹Ͳ͏ͳ͍͔ͬͯͨ ਖ਼نදݱͰͷରࡦ͔ͳΓ໘ ΫϥΠΞϯτଆͰ944ʹͳΓͦ͏ͳͭΛ͙ શ෦Ծ%0.ʹ͢Δͱ͔ʜ %0.Λશ෦֬ೝ͍ͯ͘͠ͱ͔ %PNQVSJGZΛೖΕΔ ʢ͔͠͠ɺCZQBTTՄೳʣ 27
(ը૾: ͍Β͢ͱ: ͱ༡ͿࢠڙͷΠϥετ) 28
29
͔͜͜Β͕࣌ؒ ༨ͬͨ࣌༻ 30
$41#:1"44 ผͷ(JUMBCͷใࠂͷதʹ͋ͬͨ IUUQTIBDLFSPOFDPNSFQPSUT KRVFSZVKTͰBMJOLλάͷઌΛBKBYͰऔͬͯ͘Δػೳ͕͋Δ EBUBSFNPUFͳͲͷଐੑ͕ॻ͔Ε͍ͯΔ߹ͷΈ (JUMBCͰKRVFSZͷBKBYTFUVQͰͳ͔ͥTDSJQUΛFWBM͢Δ෦͕͋Δ ߈ܸ༻ͷKTϑΝΠϧΛHJUMBCʹΞοϓϩʔυ BλάΛ࡞ͬͯKTϑΝΠϧΛࢦఆ͕Ͱ͖ͨ߹ ͦ͜ΛϢʔβʹΫϦοΫͤ͞ΔͱKTϑΝΠϧ͖࣮࣋ͬͯͯߦ IUNMJOKFDUJPO944͢Δͱ͕Ͱ͖ͯɺDTQCZQBTTͰ͖Δ
BλάͷEBUBYYY%PNQVSJGZͰ͔Εͳ͍ 31