Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OWT2017JP - OWASP BWA
Search
OWASP Japan
September 30, 2017
Technology
9
3.5k
OWT2017JP - OWASP BWA
#OWT2017JP
Training Course using OWASP BWA
by 松浦知史, 東京工業大学
OWASP Japan
September 30, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
320
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
940
20190107_AbuseCaseCheatSheet
owaspjapan
0
160
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
900
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.2k
Shifting Left Like a Boss
owaspjapan
2
270
OWASP Top 10 and Your Web Apps
owaspjapan
2
360
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
230
elegance_of_OWASP_Top10_2017
owaspjapan
2
500
Other Decks in Technology
See All in Technology
事業貢献を考えるための技術改善の目標設計と改善実績 / Targeted design of technical improvements to consider business contribution and improvement performance
oomatomo
0
100
TSKaigi 2024 の登壇から広がったコミュニティ活動について
tsukuha
0
160
PHP ユーザのための OpenTelemetry 入門 / phpcon2024-opentelemetry
shin1x1
2
730
2024年にチャレンジしたことを振り返るぞ
mitchan
0
140
LINEスキマニにおけるフロントエンド開発
lycorptech_jp
PRO
0
330
複雑性の高いオブジェクト編集に向き合う: プラガブルなReactフォーム設計
righttouch
PRO
0
120
第3回Snowflake女子会_LT登壇資料(合成データ)_Taro_CCCMK
tarotaro0129
0
200
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
360
5分でわかるDuckDB
chanyou0311
10
3.2k
DUSt3R, MASt3R, MASt3R-SfM にみる3D基盤モデル
spatial_ai_network
2
190
Storage Browser for Amazon S3
miu_crescent
1
240
NilAway による静的解析で「10 億ドル」を節約する #kyotogo / Kyoto Go 56th
ytaka23
3
380
Featured
See All Featured
Building Your Own Lightsaber
phodgson
103
6.1k
GraphQLとの向き合い方2022年版
quramy
44
13k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.2k
Code Reviewing Like a Champion
maltzj
520
39k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Embracing the Ebb and Flow
colly
84
4.5k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
247
1.3M
How to Think Like a Performance Engineer
csswizardry
22
1.2k
What's in a price? How to price your products and services
michaelherold
243
12k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
170
Transcript
08"41#8"Λ༻ֶ͍ͨੜ ͓Αͼ৬һ͚τϨʔχϯά ౦ژۀେֶɹֶज़ࠃࡍใηϯλʔɹ দӜ࢙ (
[email protected]
)
2 দӜ ࢙ (MATSUURA Satoshi) ౦ژۀେֶ ֶज़ࠃࡍใηϯλʔ ।ڭत ౦େCERT ౷ׅऀ
http://cert.titech.ac.jp ▪ ηΩϡϦςΟڭҭ • αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜ (౦େɾम࢜ର) • IT-Keys / SecCap (ෳͷ࢈ֶ৫ɾम࢜ର) ▪ ݚڀ׆ಈ • geographical overlay network, େنηϯαωοτϫʔΫ, ࢄPub/ Sub, DTN, ηΩϡϦςΟϩάੳͱػցֶश
ίʔεΛ௨ͯ͠Կֶ͕Δ͔ • OWASP BWA(Broken Web Application)ͱԿ͔ • ԋश࣮ࢪऀ͓Αͼडߨऀʹର͢ΔڭҭޮՌ • OWASP
BWAΛར༻ͨ͠ԋशڥͷߏஙํ๏ • ۩ମతͳ߈ܸγφϦΦͷ࡞खॱ • ۩ମతͳԋश࣮ࢪखॱ(ͷग़͠ํ) – डߨऀ͕ཧղ͍͢͠ͷཻͱॱ൪Λߟྀ • ۩ମతͳԋश࣮ࢪྫͱTips – OWASP TOP10Ճֶ͑ͨੜ/৬һ͚ͷԋश࣮ࢪྫ 3
OWASP BWA(Broken Web Application) 4 ɾηΩϡϦςΟֶश༻ͷ੬ऑͳΞϓϦΛؚΉLinux͕ϕʔεͱͳͬͨVMΠϝʔδ ) ઈରʹάϩʔόϧͳڥʹଓͤͣɺִ͞ΕͨNATڥͰར༻ͯ͠Լ͞ ͍ OWASP
BWAτοϓϖʔδ ଟछଟ༷ͳΞϓϦ͕༻ҙ͞Ε͍ͯΔ τϨʔχϯάΞϓϦ ੬ऑੑΛ๊͑ͨΞϓϦͳͲ
BWAͷରऀ • WEBΞϓϦέʔγϣϯͷηΩϡϦςΟΛֶͼ͍ͨํ • ϦεΫධՁٕज़(ϖωτϨɺ੬ऑੑஅͳͲ)ΛखಈͰࢼ͍ͨ͠ํ • ࣗಈԽπʔϧΛςετ͍ͨ͠ํ • ιʔείʔυ͕ηΩϡΞ͔Ͳ͏͔ੳ͍ͨ͠ํ •
WEBʹର͢Δ߈ܸΛࢹ͍ͨ͠ํ • WAFͷٕज़Λςετ͍ͨ͠ํ 5 ใηΩϡϦςΟͷॳֶऀ͔ΒΞϓϦέʔγϣϯ։ൃऀɺηΩϡϦςΟػثͷӡ༻୲ ऀ·Ͱɺతʹ߹Θͤͯ෯͍ٕज़ऀ͕ར༻Ͱ͖Δɻ໊લͷ௨ΓWEB͕த৺ɻ!
BWAͷத • Training Applications – ੬ऑੑຖʹίʔε͕༻ҙ͞Ε͓ͯΓɺΛղ͖ͳ͕ΒֶΔWEBΞϓϦ • Realistic, Intentionally Vulnerable
Applications – ଟछଟ༷ͳ੬ऑੑ͕ҙਤతʹ࡞Γࠐ·ΕͨWEBΞϓϦ • Old Versions of Real Applications – WordPressͳͲ࣮ࡏ͢ΔΞϓϦ(੬ऑੑͷ͋Δݹ͍όʔδϣϯ) • Applications for Testing Tools • Demonstration Pages / Small Applications • OWASP Demonstration Applications 6 ࠷ॳ͔Β੬ऑੑΛ๊༷͑ͨʑͳΞϓϦؚ͕·Ε͓ͯΓɺԋश࣮ࢪऀԋशڥͷߏங γφϦΦͷ࡞ʹूதग़དྷΔɻ·ͨVMͰ͞Ε͍ͯΔͷͰڥߏங༰қɻ! ֤ʑ10छྨ΄Ͳ! ༻ҙ͞Ε͍ͯΔ!
ࠓճԋशΛߦͬͨର(౦େੜ/౦େ৬һ) • ౦େੜ (ओʹमֶ࢜ੜ) – αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜΛडߨ – CSͷجૅཧدΓͷߨ͕ٛଟ͍(ྑ͍ࣄ) – جૅྗΛԠ༻͢Δ࣮ફతͳ(ߨٛ)Λఏڙ͍ͨ͠!
• ౦େCERT (ओʹࣄһ+ٕज़৬һ) – ৫CSIRTۀΛ୲ – ʑηΩϡϦςΟͷʹ৮ΕΔ͕ৄࡉΛΔػձ͕ແ͍ – ΈΛΓɺۀͰͷஅྗΛ্͍ͤͨ͞! 7
࠲ֶͱԋश 8 ԋशڥ͕Γ͍ͯͳ͍ঢ়گͰ͋ͬͨͷͰɺͰ͖ΔݶΓߏஙίετΛ͑ͳ͕Βԋश Λߦ͏ͨΊʹOWASP BWAΛ࠾༻ͨ͠ɻ! ࣝͷར༻/Ԡ༻! ࣝͷशಘ!
9 ۩ମతͳγφϦΦͷ ࡞खॱΛհ͠·͢
ԋशڥ/γφϦΦͷ࡞ϙϦγʔ • डߨऀ͕ແཧͳ͘४උ͠ࢀՃͰ͖Δԋशڥ • ݱ࣮ͷڥʹஔ͖͑ͯ૾Մೳͳԋशڥ • ग़དྷΔ͚ͩडߨऀ͕ࣗྗͰղ͚Δͷཻ/ • ղ͖ਐΊΔͱࣗવͱ߈ܸγφϦΦ͕ཧղͰ͖Δߏ 10
੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ෳࡶͳXSSΛडߨऀʹͲ͏ཧղͯ͠͏͔ 11
XSSશମͷγφϦΦΛղ • ΫοΩʔใΛ֬ೝ͠ɺมߋ͢Δ (1,6) – ϒϥβΛར༻͠ΫοΩʔͷૢ࡞ΛΔ • ੬ऑੑͷ֬ೝͱނҙͷใ࿙Ӯ (1,4,5) –
ݕࡧϑΥʔϜΛར༻͠ΫοΩʔใΛૹ৴ • ߈ܸίʔυͷ࡞/ઃஔ (2,3,4) – ΫοΩʔใΛૹ৴͢ΔίʔυΛؚΜͩURLͷੜ 12 Λখ͘͞ղ͢Δ͜ͱͰͷқ͕Լ͢ΔɻώϯτΛՃ͑Δ͜ͱͰଟ͘ͷ डߨऀ͕ࣗྗͰղ͢Δࣄ͕Մೳɻ্ه̏ͭΛΈ߹ΘͤΔͱશମͷγφϦΦʹɻ!
ϢʔβʹΑΔΫοΩʔͷฤू 13 ɾϒϥβͷΞυϨεόʔͰJavaScriptΛ࣮ߦՄೳ ɾΫοΩʔͷදࣔ - javascript:alert(document.cookie); ɾΫοΩʔͷՃɾฤू - javascript:void(document.cookie=”id=abcd1234”); αΠτΛ๚Εͨ࣌Ͱcookieແ͠
ΞυϨεόʔΑΓcookieΛՃ ΞυϨεόʔΑΓcookieΛฤू
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) 14 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻
߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 15 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
BWAΛར༻͠ɺγφϦΦΛ࣮͢Δ 16 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ ChromeXSS੬ऑੑ͕͋ΔϑΥʔϜͰͷεΫϦϓτ࣮ߦ ͕ݫ੍͘͠ݶ͞Ε͍ͯΔɻFirefoxܯࠂͷΈɻWin/Mac
ͱडߨऀڥ͕·ͪ·ͪͰ͋ΔࣄΛߟ͑FirefoxΛ࠾༻ɻ डߨऀPC্ͷ Firefox BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA͕ىಈग़དྷΕɺޙFirefoxΛडߨऀʹΠϯετʔϧ͖ͯͯ͠͏ࣄͱผ్ ApacheͳͲhttpdΛ४උ͠ɺΞΫηεϩά͕ݟΒΕΔ༷ʹ͓͚ͯͩ͘͠Ͱ४උྃɻ!
ʔɺ ·͔ͬ͢͡ʔ ࣮ࡍͷ४උաఔ ͬͺΓ ԋशΛ Γ͍ͨ ʂʂ Ғ͍ਓ ͱʹ͔͘
Δ͔͠ͳ͍ ୲ऀ 2िؒఔͷ४උظؒ • ձٞͰ४උίετͷߴ͔͞Βԋशஅ೦͢Δํʹ͔͏͕ɺͷҰ͕ • 2िؒఔͰۀͷ߹ؒʹԋशڥΛ࡞ΓࠐΉࣄʹ(தʑʹେมɻBWAʹײँ) • ࣮ࡍʹBWAͷΞϓϦΛར༻͠ࢼߦࡨޡ͠ͳ͕ΒγφϦΦΛ࡞ɻ͜͜·Ͱͷ આ໌ͷ༷ʹશͯτοϓμϯͱ͍͏༁ʹதʑ͍͔ͳ͍ɻ • ԋश୲ऀXSSͳͲԋशʹ݁͢Δ͚ࣝͩͰແ͘ɺγφϦΦͷ࡞ೳ ྗɺHTTPͷཧղɺԾڥͷߏஙೳྗͳͲ෯͍ࣝೳྗ͕ʹ͘ɻ 17
18 ࣮ࡍͷΛݟͯɺ γφϦΦΛḷͬͯΈ·͠ΐ͏
੬ऑੑ͕͋ΔݕࡧϑΥʔϜ @ BWA WackoPicko 19 1. ௨ৗͷݕࡧ! 2. HTMLλάΛؚΜͩݕࡧ! 3.
javascriptΛؚΜͩݕࡧ! ɾݕࡧจࣈྻ ɹ1.ɿhouse ɹ2.ɿ<s>house</s> ɹ3.ɿ<script>alert('hello');</script>
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ߈ܸίʔυΛؚΜͩΞΫηε
(߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ) 20
ԋश՝̍ 21 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛ֎෦αʔό(192.168.7.100)ʹ ɹɹૹ৴͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛΞΫηεϩάΑΓ֬ೝ͠ͳ͍͞ άάΔ KBWBTDSJQUΛར༻͢Δ JNHTSDz63-zΛར༻ͯ͠ɺ֎෦αʔόʹϝοηʔδΛૹΔ 'JSFGPYͷ։ൃπʔϧΛ׆༻͢Δ πʔϧˠ8&#։ൃˠ։ൃπʔϧΛදࣔ
ώϯτ
FirefoxͷWEB։ൃπʔϧ 22 ཁૉͷௐࠪ (HTMLͷதΛ͏)! ௨৴ͷௐࠪ (HTTPͷதΛ͏)! - WEB։ൃʹ͔ܽͤͳ͍πʔϧɻChrome / Safariʹඪ४Ͱଐ
- πʔϧ→WEB։ൃ→։ൃπʔϧͷදࣔͱḷΔ (Mac: Cmd + Opt + i)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 23 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
ԋश՝̎ 24 ̍ɽcookieͷதΛදࣔͯ͠͠·͏ϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠Լਤͷ༷ͳuser/passͷೖྗΛٻΊΔϑΥʔϜΛ࡞͠ͳ͍͞ ̏ɽϘλϯ͕ԡ͞Εͨ࣌ʹೖྗ͞ΕͨใΛ(ෆਖ਼ͳ)֎෦αʔόʹૹ৴͢ΔΑ͏ʹ͠ͳ͍͞ ̐ɽ্ه̎ͭͷػೳΛ࣋ͬͨϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̑ɽܝࣔ൘ʹ্ه(4.)ͷURLʹ༠ಋ͢ΔϦϯΫΛॻ͖ࠐΈͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A
#8"8BDLP1JDLP 'JSFGPY #8":B[E "QBDIF ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε
੬ऑͳαΠτͷϦϯΫPOST (߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ԋशΛ௨ͯ͠શମͷγφϦΦΛཧղͯ͠͏ 25 ܝࣔ൘αΠτΛ๚Εෆ༻ҙʹURLΛΫϦοΫͨ͠ॴɺଞͰϩάΠϯ͍ͯͨ͠ը૾ڞ༗αΠτ ʹෆਖ਼ʹ৵ೖ͞Εͯ͠·͍ɺϓϥΠϕʔτͳࣸਅΛݟΒΕΔͷةݥੑ͕͋ΔࣄΛ࣮ײͯ͠ ͏ɻଞͷαʔϏεؚΊͯͲΜͳඃ͕ൃੜ͢Δ͔डߨऀʹߟ͑ͯ͏ɻ!
26 ͋ͬ͞Γͱղ͚ͨडߨੜ͚ʹ Ճͨ͠(͓·͚)
GETةݥɺPOST҆શʁʁ 27 ɾGETͰͳ͘POSTΛ͏͖(ͱ͍͏ਓ͕͍Δ) URLʹ߈ܸίʔυΛຒΊΒΕͳ͍ͷͰɺ҆શͩͱצҧ͍͍ͯ͠Δ ݕࡧϑΥʔϜɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site Scripting(XSS)→Phishing with XSS ͜͜ͷݕࡧϑΥʔϜPOSTΛར༻͍ͯ͠Δɻຊʹ҆શͰ͠ΐ͏͔ʁ
ԋश՝̏ 28 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛෆਖ਼ͳWEBαʔόʹૹ৴͠ͳ͍͞ ̏ɽԼهͷ༷ͳೝূใΛೖྗ͢ΔϑΥʔϜΛ࡞Γͳ͍͞ ̐ɽೝূใΛೖྗ͠ɺͦͷ༰Λෆਖ਼WEBαʔόʹૹ৴͠ͳ͍͞
ԋश՝̐ 29 ̍ɽܝࣔ൘(Yazd)ʹ᠘Λֻ͚ɺ՝̏ͷೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A ̎ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ ̏ɽܝࣔ൘(WebGoat)ʹ᠘Λֻ͚ɺೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site
Scripting(XSS)→Stored XSS Attacks ̐ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ :B[Eͷܝࣔ൘ຊޠʹରԠ͍ͯ͠ͳ͍ͷͰɺϝοηʔδӳޠͰྑ͍ 'JSFGPYͷ։ൃπʔϧͰ)551௨৴ͷ༰ΛѲ͢Δ 'PSN JOQVUλάͰ1045͕Մೳ )5.-ͷߏΛௐࠪ͠ɺѱҙ͋Δίʔυ͕Ͳͷ෦ʹө͞ΕΔ͔֬ೝ͢Δ ώϯτ
30 ηΩϡϦςΟԋशΛ࣮ࢪͨ͠ ༷ࢠΛ۩ମతʹհ͠·͢
౦େੜ͚ͷηΩϡϦςΟ߹॓ • ରऀɿ౦େੜ(ओʹम࢜) 10໊ఔ • ։࠵/ظؒɿശࠜͷϗςϧ / 2ധ3 • डߨऀͷϨϕϧɿཧܥֶੜͱͯ͠ߴ͍جૅྗΛ࣋ͭɻҰํͰHTML
JSɺHTTPͷWEBٕज़ͷجૅΛΒͳֶ͍ੜҰఆͷׂ߹ଘࡏ͢Δɻη ΩϡϦςΟٕज़ʹڵຯ͕͋ΔఔͰɺCTFࢀՃऀͳͲ͍ͳ͍ঢ়گɻ 31 Λղ༷͘ࢠ ԋशձͷ༷ࢠ
߹॓ʹ͓͚Δԋशڥͷ४උ • ߹॓લʹडߨऀ֤ࣗͷϚγϯʹOWASP BWAΛΠϯετʔϧ͖ͯͯ͠͏ • VMWare Player(Win) / VirtualBox(Win/Mac) /
VMWare fusion(Macɾ༗ঈ)ͰBWA͕ແ͘ىಈ • FirefoxซͤͯΠϯετʔϧͯ͘͠ΔΑ͏ʹࢦࣔ • ߦͷΠϯετʔϧղઆΛࣄલʹૹͬͨͷΈͰɺಛஈͷτϥϒϧແ͠ • ApacheͳͲԋशʹผ్ࢦࣔͯ͠४උͯ͠͏ • VirtualBoxOWASP BWAͰGB͋ΔͷͰUSBϝϞϦೖΕ͓ͯ͘ͱτϥϒϧ࣌ʹཱͭ • ֤ࣗͷPCͰ݁ͯ͠ԋश͕ߦ͑Δঢ়ଶ (ձͷωοτϫʔΫڥ͕ಡΊͳ͍ͨΊ) 32 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko”
߹॓ͷϓϩάϥϜ • 1 (౦େ ߨࢣਞ) – ωοτϫʔΫ/ೝূ/WEB/OSʹؔ͢Δߨٛ – OWASP TOP
10ʹؔ͢Δௐࠪ(άϧʔϓϫʔΫ) • 2 (౦େ ߨࢣਞ) – OWASP TOP 10ʹؔ͢Δൃදͱٞ – OWASP BWAΛ༻͍ͨԋश • 3 (ָఱCERT ߨࢣਞ) – ָఱΛऔΓר͘ϦΞϧͳηΩϡϦςΟͷ – XSS / SQLi / RCEΛத৺ͱͨ͠ԋश – ιʔγϟϧΤϯδχΞϦϯάͷ 33 TOP 10άϧʔϓؒͰͷॏෳΛڐ̎͠ɼ̏ͷςʔϚΛௐ͓ࠪΑͼൃදɻ͕σϞΛ࡞͢ Δͱ͍͏ྗͷೖΕΑ͏Ͱ͋ͬͨɻBWAԋश4࣌ؒͷ༧ఆ͕ϓϩάϥϜ͕ԡͯ͠͠·͍2࣌ؒ ͷΈɻ͕࣌ؒΓͳ͍ͱͷҙݟ͕ଟग़͕ͨɺԋश՝̎·Ͱଟ͘ͷडߨऀ͕ղ͍͍ͯ ͨɻ!
౦େ৬һ͚ηΩϡϦςΟԋश • ରऀɿ౦େCERT(ओʹࣄ৬һʴٕज़৬һ) 5໊ • ։࠵/ظؒɿ౦େͷձٞࣨ / 2ϲ݄(1.5࣌ؒ/ि) • डߨऀͷϨϕϧɿʑηΩϡϦςΟͷʹ৮Ε
Δ͕ٕज़తͳৄࡉΛֶश͢Δػձແ͍ɻCSͷό οΫάϥϯυ͋·Γແ͍ɻ1໊ใܥग़Ͱ2 ճ(3࣌ؒ)΄ͲͰશͯऴྃɻ 34 Ώͬ͘ΓਐΊΔࣄ͕ॏཁɻֶੜʹࣄલߨٛͰWEBʹ͓͚ΔηογϣϯཧಉҰੜݩϙ ϦγʔͳͲʹݴٴ͕ͨ͠ɺ৬һ͚Ͱ͞ΒʹHTMLλά؆୯ͳJSͷ࣮ߦͷํͳͲؚ Ίͯेʹ࣌ؒΛऔͬͯਐΊͨɻ͔͔͕࣌ؒͬͨԋश՝̎·Ͱଟ͕͘ղͰ͖ͨɻ!
ԋशڥͷߏங ੬ऑͳ8&#αΠτ ใ࿙ӮઌͷαΠτ ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ
൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” • VMWare vSphere (ESXi)ͷڥʹBWAΛ४උ • ެࣜαΠτ͔Βऔಘͨ͠.vmxϑΝΠϧΛVMWare OVFToolΛར༻ͯ͠.ovaʹมͯ͠ར༻͢Δ • BWAެࣜͷOVA(ver 1.2 / 1.1.1)ىಈͤͣWEB্Ͱಉ༷ͷࢦఠ༗Γ • OVFToolίϚϯυWin/Mac/Linux൛͕༻ҙ͞Ε͍ͯΔʢMacͷ߹Լهͷ༷ʹม͢Δ) • /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova • vSphere client͔Β্هͰੜͨ͠.ovaϑΝΠϧΛσϓϩΠ͢ΕBWA͕ར༻Մೳ • ࣮ݧ༻ͷԾԽج൫্Ͱߦ͕ͬͨ҆શͷͨΊԋश࣌Ҏ֎BWAͷిݯOFFʹ (εφοϓγϣοτΛऔͬͯॳظԽ༗ޮ) • डߨऀFirefoxΛΠϯετʔϧͨ͠PCΛ࣋ࢀ͢Δ͚ͩ 35 vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSDx2)
ֶੜ͚ / ৬һ͚ͷԋशΛ௨ͯ͠ͷࡶײ • جૅྗͷࠩͦ͋͜Εɺ࣌ؒΛֻ͚Εஈ֊Λͬͯղ͕Մೳ • खΛಈ͔͠ͳ͕Β͕ղ͚ͨ࣌ྸʹؔΘΒָͣͦ͠͏Ͱ͋Δ • ಛʹ৬һ۩ମతʹةݥͰ͋ΔͱॳΊͯ૾Ͱ͖Δέʔεଟ͍ •
ֶੜ͚ʹ༰Λॆ࣮͢Δඞཁ͕͋Δ(ଟ͘ΛֶΜͰཉ͍͠) • ಥग़ͯ͠ਐΉֶੜ͕͍ͯɺղ͖͘ࡐBWAʹ૬͋ΔͷͰ์ஔϓϨʔՄೳ • ৬һ͚ʹICTཧऀͳͲ෯͘ࢀՃ͍ͯ͠ɺҙ্ࣝΛਤΔࣄ͕ޮՌత • ڥߏஙBWAͷύοέʔδϯάͱVMͷ͓͔͛Ͱ૬ʹָͰ͋Δ(γφϦΦ࡞ʹूதग़དྷ Δ) • ԋश࣮ࢪऀ෯ֶ͘ΔɻηΩϡϦςΟΛֶͼ͍ͨ։ൃऀूஂͰ͋Εɺ֤ࣗͰςʔϚΛܾ Ίͯ1࣌ؒఔͷԋशΛॱ൪ʹ୲͢ΔͱޮతʹશମͷϨϕϧΞοϓ͕ਤΕΔͷͰͳ͍͔ 36 Δͱܾ·ͬͨ࣌४උʹෆ҆ײ͡·͕ͨ͠ɺBWAͷΞϓϦ͕ॆ࣮͍ͯ͠ΔͷͰ४උ͠ қ͔ͬͨͰ͢ɻडߨऀͷԠϙδςΟϒͰཧղਂ·ͬͨΑ͏Ͱɺͬͯྑ͔ͬͨͰ͢ɻ!
·ͱΊ • OWASP BWA(Broken Web Application)ͷհ • γφϦΦͷ࡞ϙϦγʔ / ࡞खॱ
• XSSʹؔ͢Δ۩ମతͳͷཻ/ॱ൪ • XSSʹؔ͢Δԋश՝1-4 • ֶੜ/৬һ͚ͷԋश༰(എܠ/ڥߏங)ͷհ 37 ηΩϡϦςΟԋशҎ֎ͱ؆୯ʹ࢝ΊΒΕ·͢ɻ·ͩͷํੋඇʂ!