Speaker Deck
Speaker Deck Pro
Sign in
Sign up
for free
OWT2017JP - OWASP BWA
OWASP Japan
September 30, 2017
Technology
9
3k
OWT2017JP - OWASP BWA
#OWT2017JP
Training Course using OWASP BWA
by 松浦知史, 東京工業大学
OWASP Japan
September 30, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
owaspjapan
0
250
owaspjapan
0
340
owaspjapan
0
96
owaspjapan
5
390
owaspjapan
9
2.1k
owaspjapan
2
160
owaspjapan
2
330
owaspjapan
1
150
owaspjapan
2
400
Other Decks in Technology
See All in Technology
sat
1
970
kenya888
1
110
mmarukaw
0
1.4k
kentaro
1
320
shotakashihara
1
1.3k
line_developers
PRO
0
1.8k
toshinoritakai
1
190
satoshirobatofujimoto
0
110
line_developers
PRO
0
140
osonoi
0
160
sylph01
0
160
comucal
PRO
0
410
Featured
See All Featured
rocio
155
11k
holman
288
130k
kneath
294
39k
roundedbygravity
241
21k
lemiorhan
626
42k
bermonpainter
342
26k
productmarketing
5
640
philhawksworth
190
17k
maggiecrowley
8
390
lauravandoore
11
1.2k
jcasabona
7
520
morganepeng
18
1.1k
Transcript
08"41#8"Λ༻ֶ͍ͨੜ ͓Αͼ৬һ͚τϨʔχϯά ౦ژۀେֶɹֶज़ࠃࡍใηϯλʔɹ দӜ࢙ (matsuura@gsic.titech.ac.jp)
2 দӜ ࢙ (MATSUURA Satoshi) ౦ژۀେֶ ֶज़ࠃࡍใηϯλʔ ।ڭत ౦େCERT ౷ׅऀ
http://cert.titech.ac.jp ▪ ηΩϡϦςΟڭҭ • αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜ (౦େɾम࢜ର) • IT-Keys / SecCap (ෳͷ࢈ֶ৫ɾम࢜ର) ▪ ݚڀ׆ಈ • geographical overlay network, େنηϯαωοτϫʔΫ, ࢄPub/ Sub, DTN, ηΩϡϦςΟϩάੳͱػցֶश
ίʔεΛ௨ͯ͠Կֶ͕Δ͔ • OWASP BWA(Broken Web Application)ͱԿ͔ • ԋश࣮ࢪऀ͓Αͼडߨऀʹର͢ΔڭҭޮՌ • OWASP
BWAΛར༻ͨ͠ԋशڥͷߏஙํ๏ • ۩ମతͳ߈ܸγφϦΦͷ࡞खॱ • ۩ମతͳԋश࣮ࢪखॱ(ͷग़͠ํ) – डߨऀ͕ཧղ͍͢͠ͷཻͱॱ൪Λߟྀ • ۩ମతͳԋश࣮ࢪྫͱTips – OWASP TOP10Ճֶ͑ͨੜ/৬һ͚ͷԋश࣮ࢪྫ 3
OWASP BWA(Broken Web Application) 4 ɾηΩϡϦςΟֶश༻ͷ੬ऑͳΞϓϦΛؚΉLinux͕ϕʔεͱͳͬͨVMΠϝʔδ ) ઈରʹάϩʔόϧͳڥʹଓͤͣɺִ͞ΕͨNATڥͰར༻ͯ͠Լ͞ ͍ OWASP
BWAτοϓϖʔδ ଟछଟ༷ͳΞϓϦ͕༻ҙ͞Ε͍ͯΔ τϨʔχϯάΞϓϦ ੬ऑੑΛ๊͑ͨΞϓϦͳͲ
BWAͷରऀ • WEBΞϓϦέʔγϣϯͷηΩϡϦςΟΛֶͼ͍ͨํ • ϦεΫධՁٕज़(ϖωτϨɺ੬ऑੑஅͳͲ)ΛखಈͰࢼ͍ͨ͠ํ • ࣗಈԽπʔϧΛςετ͍ͨ͠ํ • ιʔείʔυ͕ηΩϡΞ͔Ͳ͏͔ੳ͍ͨ͠ํ •
WEBʹର͢Δ߈ܸΛࢹ͍ͨ͠ํ • WAFͷٕज़Λςετ͍ͨ͠ํ 5 ใηΩϡϦςΟͷॳֶऀ͔ΒΞϓϦέʔγϣϯ։ൃऀɺηΩϡϦςΟػثͷӡ༻୲ ऀ·Ͱɺతʹ߹Θͤͯ෯͍ٕज़ऀ͕ར༻Ͱ͖Δɻ໊લͷ௨ΓWEB͕த৺ɻ!
BWAͷத • Training Applications – ੬ऑੑຖʹίʔε͕༻ҙ͞Ε͓ͯΓɺΛղ͖ͳ͕ΒֶΔWEBΞϓϦ • Realistic, Intentionally Vulnerable
Applications – ଟछଟ༷ͳ੬ऑੑ͕ҙਤతʹ࡞Γࠐ·ΕͨWEBΞϓϦ • Old Versions of Real Applications – WordPressͳͲ࣮ࡏ͢ΔΞϓϦ(੬ऑੑͷ͋Δݹ͍όʔδϣϯ) • Applications for Testing Tools • Demonstration Pages / Small Applications • OWASP Demonstration Applications 6 ࠷ॳ͔Β੬ऑੑΛ๊༷͑ͨʑͳΞϓϦؚ͕·Ε͓ͯΓɺԋश࣮ࢪऀԋशڥͷߏங γφϦΦͷ࡞ʹूதग़དྷΔɻ·ͨVMͰ͞Ε͍ͯΔͷͰڥߏங༰қɻ! ֤ʑ10छྨ΄Ͳ! ༻ҙ͞Ε͍ͯΔ!
ࠓճԋशΛߦͬͨର(౦େੜ/౦େ৬һ) • ౦େੜ (ओʹमֶ࢜ੜ) – αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜΛडߨ – CSͷجૅཧدΓͷߨ͕ٛଟ͍(ྑ͍ࣄ) – جૅྗΛԠ༻͢Δ࣮ફతͳ(ߨٛ)Λఏڙ͍ͨ͠!
• ౦େCERT (ओʹࣄһ+ٕज़৬һ) – ৫CSIRTۀΛ୲ – ʑηΩϡϦςΟͷʹ৮ΕΔ͕ৄࡉΛΔػձ͕ແ͍ – ΈΛΓɺۀͰͷஅྗΛ্͍ͤͨ͞! 7
࠲ֶͱԋश 8 ԋशڥ͕Γ͍ͯͳ͍ঢ়گͰ͋ͬͨͷͰɺͰ͖ΔݶΓߏஙίετΛ͑ͳ͕Βԋश Λߦ͏ͨΊʹOWASP BWAΛ࠾༻ͨ͠ɻ! ࣝͷར༻/Ԡ༻! ࣝͷशಘ!
9 ۩ମతͳγφϦΦͷ ࡞खॱΛհ͠·͢
ԋशڥ/γφϦΦͷ࡞ϙϦγʔ • डߨऀ͕ແཧͳ͘४උ͠ࢀՃͰ͖Δԋशڥ • ݱ࣮ͷڥʹஔ͖͑ͯ૾Մೳͳԋशڥ • ग़དྷΔ͚ͩडߨऀ͕ࣗྗͰղ͚Δͷཻ/ • ղ͖ਐΊΔͱࣗવͱ߈ܸγφϦΦ͕ཧղͰ͖Δߏ 10
੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ෳࡶͳXSSΛडߨऀʹͲ͏ཧղͯ͠͏͔ 11
XSSશମͷγφϦΦΛղ • ΫοΩʔใΛ֬ೝ͠ɺมߋ͢Δ (1,6) – ϒϥβΛར༻͠ΫοΩʔͷૢ࡞ΛΔ • ੬ऑੑͷ֬ೝͱނҙͷใ࿙Ӯ (1,4,5) –
ݕࡧϑΥʔϜΛར༻͠ΫοΩʔใΛૹ৴ • ߈ܸίʔυͷ࡞/ઃஔ (2,3,4) – ΫοΩʔใΛૹ৴͢ΔίʔυΛؚΜͩURLͷੜ 12 Λখ͘͞ղ͢Δ͜ͱͰͷқ͕Լ͢ΔɻώϯτΛՃ͑Δ͜ͱͰଟ͘ͷ डߨऀ͕ࣗྗͰղ͢Δࣄ͕Մೳɻ্ه̏ͭΛΈ߹ΘͤΔͱશମͷγφϦΦʹɻ!
ϢʔβʹΑΔΫοΩʔͷฤू 13 ɾϒϥβͷΞυϨεόʔͰJavaScriptΛ࣮ߦՄೳ ɾΫοΩʔͷදࣔ - javascript:alert(document.cookie); ɾΫοΩʔͷՃɾฤू - javascript:void(document.cookie=”id=abcd1234”); αΠτΛ๚Εͨ࣌Ͱcookieແ͠
ΞυϨεόʔΑΓcookieΛՃ ΞυϨεόʔΑΓcookieΛฤू
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) 14 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻
߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 15 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
BWAΛར༻͠ɺγφϦΦΛ࣮͢Δ 16 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ ChromeXSS੬ऑੑ͕͋ΔϑΥʔϜͰͷεΫϦϓτ࣮ߦ ͕ݫ੍͘͠ݶ͞Ε͍ͯΔɻFirefoxܯࠂͷΈɻWin/Mac
ͱडߨऀڥ͕·ͪ·ͪͰ͋ΔࣄΛߟ͑FirefoxΛ࠾༻ɻ डߨऀPC্ͷ Firefox BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA͕ىಈग़དྷΕɺޙFirefoxΛडߨऀʹΠϯετʔϧ͖ͯͯ͠͏ࣄͱผ్ ApacheͳͲhttpdΛ४උ͠ɺΞΫηεϩά͕ݟΒΕΔ༷ʹ͓͚ͯͩ͘͠Ͱ४උྃɻ!
ʔɺ ·͔ͬ͢͡ʔ ࣮ࡍͷ४උաఔ ͬͺΓ ԋशΛ Γ͍ͨ ʂʂ Ғ͍ਓ ͱʹ͔͘
Δ͔͠ͳ͍ ୲ऀ 2िؒఔͷ४උظؒ • ձٞͰ४උίετͷߴ͔͞Βԋशஅ೦͢Δํʹ͔͏͕ɺͷҰ͕ • 2िؒఔͰۀͷ߹ؒʹԋशڥΛ࡞ΓࠐΉࣄʹ(தʑʹେมɻBWAʹײँ) • ࣮ࡍʹBWAͷΞϓϦΛར༻͠ࢼߦࡨޡ͠ͳ͕ΒγφϦΦΛ࡞ɻ͜͜·Ͱͷ આ໌ͷ༷ʹશͯτοϓμϯͱ͍͏༁ʹதʑ͍͔ͳ͍ɻ • ԋश୲ऀXSSͳͲԋशʹ݁͢Δ͚ࣝͩͰແ͘ɺγφϦΦͷ࡞ೳ ྗɺHTTPͷཧղɺԾڥͷߏஙೳྗͳͲ෯͍ࣝೳྗ͕ʹ͘ɻ 17
18 ࣮ࡍͷΛݟͯɺ γφϦΦΛḷͬͯΈ·͠ΐ͏
੬ऑੑ͕͋ΔݕࡧϑΥʔϜ @ BWA WackoPicko 19 1. ௨ৗͷݕࡧ! 2. HTMLλάΛؚΜͩݕࡧ! 3.
javascriptΛؚΜͩݕࡧ! ɾݕࡧจࣈྻ ɹ1.ɿhouse ɹ2.ɿ<s>house</s> ɹ3.ɿ<script>alert('hello');</script>
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ߈ܸίʔυΛؚΜͩΞΫηε
(߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ) 20
ԋश՝̍ 21 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛ֎෦αʔό(192.168.7.100)ʹ ɹɹૹ৴͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛΞΫηεϩάΑΓ֬ೝ͠ͳ͍͞ άάΔ KBWBTDSJQUΛར༻͢Δ JNHTSDz63-zΛར༻ͯ͠ɺ֎෦αʔόʹϝοηʔδΛૹΔ 'JSFGPYͷ։ൃπʔϧΛ׆༻͢Δ πʔϧˠ8&#։ൃˠ։ൃπʔϧΛදࣔ
ώϯτ
FirefoxͷWEB։ൃπʔϧ 22 ཁૉͷௐࠪ (HTMLͷதΛ͏)! ௨৴ͷௐࠪ (HTTPͷதΛ͏)! - WEB։ൃʹ͔ܽͤͳ͍πʔϧɻChrome / Safariʹඪ४Ͱଐ
- πʔϧ→WEB։ൃ→։ൃπʔϧͷදࣔͱḷΔ (Mac: Cmd + Opt + i)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 23 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
ԋश՝̎ 24 ̍ɽcookieͷதΛදࣔͯ͠͠·͏ϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠Լਤͷ༷ͳuser/passͷೖྗΛٻΊΔϑΥʔϜΛ࡞͠ͳ͍͞ ̏ɽϘλϯ͕ԡ͞Εͨ࣌ʹೖྗ͞ΕͨใΛ(ෆਖ਼ͳ)֎෦αʔόʹૹ৴͢ΔΑ͏ʹ͠ͳ͍͞ ̐ɽ্ه̎ͭͷػೳΛ࣋ͬͨϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̑ɽܝࣔ൘ʹ্ه(4.)ͷURLʹ༠ಋ͢ΔϦϯΫΛॻ͖ࠐΈͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A
#8"8BDLP1JDLP 'JSFGPY #8":B[E "QBDIF ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε
੬ऑͳαΠτͷϦϯΫPOST (߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ԋशΛ௨ͯ͠શମͷγφϦΦΛཧղͯ͠͏ 25 ܝࣔ൘αΠτΛ๚Εෆ༻ҙʹURLΛΫϦοΫͨ͠ॴɺଞͰϩάΠϯ͍ͯͨ͠ը૾ڞ༗αΠτ ʹෆਖ਼ʹ৵ೖ͞Εͯ͠·͍ɺϓϥΠϕʔτͳࣸਅΛݟΒΕΔͷةݥੑ͕͋ΔࣄΛ࣮ײͯ͠ ͏ɻଞͷαʔϏεؚΊͯͲΜͳඃ͕ൃੜ͢Δ͔डߨऀʹߟ͑ͯ͏ɻ!
26 ͋ͬ͞Γͱղ͚ͨडߨੜ͚ʹ Ճͨ͠(͓·͚)
GETةݥɺPOST҆શʁʁ 27 ɾGETͰͳ͘POSTΛ͏͖(ͱ͍͏ਓ͕͍Δ) URLʹ߈ܸίʔυΛຒΊΒΕͳ͍ͷͰɺ҆શͩͱצҧ͍͍ͯ͠Δ ݕࡧϑΥʔϜɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site Scripting(XSS)→Phishing with XSS ͜͜ͷݕࡧϑΥʔϜPOSTΛར༻͍ͯ͠Δɻຊʹ҆શͰ͠ΐ͏͔ʁ
ԋश՝̏ 28 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛෆਖ਼ͳWEBαʔόʹૹ৴͠ͳ͍͞ ̏ɽԼهͷ༷ͳೝূใΛೖྗ͢ΔϑΥʔϜΛ࡞Γͳ͍͞ ̐ɽೝূใΛೖྗ͠ɺͦͷ༰Λෆਖ਼WEBαʔόʹૹ৴͠ͳ͍͞
ԋश՝̐ 29 ̍ɽܝࣔ൘(Yazd)ʹ᠘Λֻ͚ɺ՝̏ͷೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A ̎ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ ̏ɽܝࣔ൘(WebGoat)ʹ᠘Λֻ͚ɺೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site
Scripting(XSS)→Stored XSS Attacks ̐ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ :B[Eͷܝࣔ൘ຊޠʹରԠ͍ͯ͠ͳ͍ͷͰɺϝοηʔδӳޠͰྑ͍ 'JSFGPYͷ։ൃπʔϧͰ)551௨৴ͷ༰ΛѲ͢Δ 'PSN JOQVUλάͰ1045͕Մೳ )5.-ͷߏΛௐࠪ͠ɺѱҙ͋Δίʔυ͕Ͳͷ෦ʹө͞ΕΔ͔֬ೝ͢Δ ώϯτ
30 ηΩϡϦςΟԋशΛ࣮ࢪͨ͠ ༷ࢠΛ۩ମతʹհ͠·͢
౦େੜ͚ͷηΩϡϦςΟ߹॓ • ରऀɿ౦େੜ(ओʹम࢜) 10໊ఔ • ։࠵/ظؒɿശࠜͷϗςϧ / 2ധ3 • डߨऀͷϨϕϧɿཧܥֶੜͱͯ͠ߴ͍جૅྗΛ࣋ͭɻҰํͰHTML
JSɺHTTPͷWEBٕज़ͷجૅΛΒͳֶ͍ੜҰఆͷׂ߹ଘࡏ͢Δɻη ΩϡϦςΟٕज़ʹڵຯ͕͋ΔఔͰɺCTFࢀՃऀͳͲ͍ͳ͍ঢ়گɻ 31 Λղ༷͘ࢠ ԋशձͷ༷ࢠ
߹॓ʹ͓͚Δԋशڥͷ४උ • ߹॓લʹडߨऀ֤ࣗͷϚγϯʹOWASP BWAΛΠϯετʔϧ͖ͯͯ͠͏ • VMWare Player(Win) / VirtualBox(Win/Mac) /
VMWare fusion(Macɾ༗ঈ)ͰBWA͕ແ͘ىಈ • FirefoxซͤͯΠϯετʔϧͯ͘͠ΔΑ͏ʹࢦࣔ • ߦͷΠϯετʔϧղઆΛࣄલʹૹͬͨͷΈͰɺಛஈͷτϥϒϧແ͠ • ApacheͳͲԋशʹผ్ࢦࣔͯ͠४උͯ͠͏ • VirtualBoxOWASP BWAͰGB͋ΔͷͰUSBϝϞϦೖΕ͓ͯ͘ͱτϥϒϧ࣌ʹཱͭ • ֤ࣗͷPCͰ݁ͯ͠ԋश͕ߦ͑Δঢ়ଶ (ձͷωοτϫʔΫڥ͕ಡΊͳ͍ͨΊ) 32 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko”
߹॓ͷϓϩάϥϜ • 1 (౦େ ߨࢣਞ) – ωοτϫʔΫ/ೝূ/WEB/OSʹؔ͢Δߨٛ – OWASP TOP
10ʹؔ͢Δௐࠪ(άϧʔϓϫʔΫ) • 2 (౦େ ߨࢣਞ) – OWASP TOP 10ʹؔ͢Δൃදͱٞ – OWASP BWAΛ༻͍ͨԋश • 3 (ָఱCERT ߨࢣਞ) – ָఱΛऔΓר͘ϦΞϧͳηΩϡϦςΟͷ – XSS / SQLi / RCEΛத৺ͱͨ͠ԋश – ιʔγϟϧΤϯδχΞϦϯάͷ 33 TOP 10άϧʔϓؒͰͷॏෳΛڐ̎͠ɼ̏ͷςʔϚΛௐ͓ࠪΑͼൃදɻ͕σϞΛ࡞͢ Δͱ͍͏ྗͷೖΕΑ͏Ͱ͋ͬͨɻBWAԋश4࣌ؒͷ༧ఆ͕ϓϩάϥϜ͕ԡͯ͠͠·͍2࣌ؒ ͷΈɻ͕࣌ؒΓͳ͍ͱͷҙݟ͕ଟग़͕ͨɺԋश՝̎·Ͱଟ͘ͷडߨऀ͕ղ͍͍ͯ ͨɻ!
౦େ৬һ͚ηΩϡϦςΟԋश • ରऀɿ౦େCERT(ओʹࣄ৬һʴٕज़৬һ) 5໊ • ։࠵/ظؒɿ౦େͷձٞࣨ / 2ϲ݄(1.5࣌ؒ/ि) • डߨऀͷϨϕϧɿʑηΩϡϦςΟͷʹ৮Ε
Δ͕ٕज़తͳৄࡉΛֶश͢Δػձແ͍ɻCSͷό οΫάϥϯυ͋·Γແ͍ɻ1໊ใܥग़Ͱ2 ճ(3࣌ؒ)΄ͲͰશͯऴྃɻ 34 Ώͬ͘ΓਐΊΔࣄ͕ॏཁɻֶੜʹࣄલߨٛͰWEBʹ͓͚ΔηογϣϯཧಉҰੜݩϙ ϦγʔͳͲʹݴٴ͕ͨ͠ɺ৬һ͚Ͱ͞ΒʹHTMLλά؆୯ͳJSͷ࣮ߦͷํͳͲؚ Ίͯेʹ࣌ؒΛऔͬͯਐΊͨɻ͔͔͕࣌ؒͬͨԋश՝̎·Ͱଟ͕͘ղͰ͖ͨɻ!
ԋशڥͷߏங ੬ऑͳ8&#αΠτ ใ࿙ӮઌͷαΠτ ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ
൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” • VMWare vSphere (ESXi)ͷڥʹBWAΛ४උ • ެࣜαΠτ͔Βऔಘͨ͠.vmxϑΝΠϧΛVMWare OVFToolΛར༻ͯ͠.ovaʹมͯ͠ར༻͢Δ • BWAެࣜͷOVA(ver 1.2 / 1.1.1)ىಈͤͣWEB্Ͱಉ༷ͷࢦఠ༗Γ • OVFToolίϚϯυWin/Mac/Linux൛͕༻ҙ͞Ε͍ͯΔʢMacͷ߹Լهͷ༷ʹม͢Δ) • /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova • vSphere client͔Β্هͰੜͨ͠.ovaϑΝΠϧΛσϓϩΠ͢ΕBWA͕ར༻Մೳ • ࣮ݧ༻ͷԾԽج൫্Ͱߦ͕ͬͨ҆શͷͨΊԋश࣌Ҏ֎BWAͷిݯOFFʹ (εφοϓγϣοτΛऔͬͯॳظԽ༗ޮ) • डߨऀFirefoxΛΠϯετʔϧͨ͠PCΛ࣋ࢀ͢Δ͚ͩ 35 vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSDx2)
ֶੜ͚ / ৬һ͚ͷԋशΛ௨ͯ͠ͷࡶײ • جૅྗͷࠩͦ͋͜Εɺ࣌ؒΛֻ͚Εஈ֊Λͬͯղ͕Մೳ • खΛಈ͔͠ͳ͕Β͕ղ͚ͨ࣌ྸʹؔΘΒָͣͦ͠͏Ͱ͋Δ • ಛʹ৬һ۩ମతʹةݥͰ͋ΔͱॳΊͯ૾Ͱ͖Δέʔεଟ͍ •
ֶੜ͚ʹ༰Λॆ࣮͢Δඞཁ͕͋Δ(ଟ͘ΛֶΜͰཉ͍͠) • ಥग़ͯ͠ਐΉֶੜ͕͍ͯɺղ͖͘ࡐBWAʹ૬͋ΔͷͰ์ஔϓϨʔՄೳ • ৬һ͚ʹICTཧऀͳͲ෯͘ࢀՃ͍ͯ͠ɺҙ্ࣝΛਤΔࣄ͕ޮՌత • ڥߏஙBWAͷύοέʔδϯάͱVMͷ͓͔͛Ͱ૬ʹָͰ͋Δ(γφϦΦ࡞ʹूதग़དྷ Δ) • ԋश࣮ࢪऀ෯ֶ͘ΔɻηΩϡϦςΟΛֶͼ͍ͨ։ൃऀूஂͰ͋Εɺ֤ࣗͰςʔϚΛܾ Ίͯ1࣌ؒఔͷԋशΛॱ൪ʹ୲͢ΔͱޮతʹશମͷϨϕϧΞοϓ͕ਤΕΔͷͰͳ͍͔ 36 Δͱܾ·ͬͨ࣌४උʹෆ҆ײ͡·͕ͨ͠ɺBWAͷΞϓϦ͕ॆ࣮͍ͯ͠ΔͷͰ४උ͠ қ͔ͬͨͰ͢ɻडߨऀͷԠϙδςΟϒͰཧղਂ·ͬͨΑ͏Ͱɺͬͯྑ͔ͬͨͰ͢ɻ!
·ͱΊ • OWASP BWA(Broken Web Application)ͷհ • γφϦΦͷ࡞ϙϦγʔ / ࡞खॱ
• XSSʹؔ͢Δ۩ମతͳͷཻ/ॱ൪ • XSSʹؔ͢Δԋश՝1-4 • ֶੜ/৬һ͚ͷԋश༰(എܠ/ڥߏங)ͷհ 37 ηΩϡϦςΟԋशҎ֎ͱ؆୯ʹ࢝ΊΒΕ·͢ɻ·ͩͷํੋඇʂ!