OWT2017JP - OWASP BWA

OWASP Japan
September 30, 2017

#OWT2017JP
Training Course using OWASP BWA
by MATSUURA Satoshi (松浦知史), Tokyo Institute of Technology

Transcript

  1. Training for Students and Staff Using OWASP BWA
    Tokyo Institute of Technology, Global Scientific Information and Computing Center
    MATSUURA Satoshi ([email protected])

  2. MATSUURA Satoshi (松浦 知史)
    Associate Professor, Global Scientific Information and Computing Center, Tokyo Institute of Technology
    Head of Tokyo Tech CERT
    http://cert.titech.ac.jp
    ■  Security education
    •  Cybersecurity Special Professional Study Program (Tokyo Tech, for master's students)
    •  IT-Keys / SecCap (multiple industry-government-academia organizations, for master's students)
    ■  Research activities
    •  Geographical overlay networks, large-scale sensor networks, distributed Pub/Sub, DTN,
       security log analysis and machine learning

  3. What you can learn from this course
    •  What OWASP BWA (Broken Web Application) is
    •  The educational effect on both the people running the exercise and the participants
    •  How to build an exercise environment using OWASP BWA
    •  Concrete steps for creating an attack scenario
    •  Concrete steps for running the exercise (how to pose the problems)
    –  With attention to a problem granularity and ordering that participants can follow
    •  Concrete examples of exercises that were run, and tips
    –  Exercises for students and staff that also covered the OWASP TOP 10

  4. OWASP BWA (Broken Web Application)
    ・A Linux-based VM image containing vulnerable applications for security learning
    Note: never connect it to a globally reachable network; use it only in an isolated NAT environment or similar.
    [Screenshot: the OWASP BWA top page. A wide variety of applications are provided: training apps, apps
    carrying vulnerabilities, and so on.]

  5. Who BWA is for
    •  Those who want to learn Web application security
    •  Those who want to try risk-assessment techniques (penetration testing, vulnerability assessment, etc.) by hand
    •  Those who want to test automated tools
    •  Those who want to analyze whether source code is secure
    •  Those who want to monitor attacks against the Web
    •  Those who want to test technologies such as WAFs
    From information-security beginners to application developers and operators of security appliances, a
    wide range of engineers can use it according to their purpose. As the name says, the focus is the Web.

  6. What is inside BWA
    •  Training Applications
    –  Web apps with a course per vulnerability class, to learn by solving problems
    •  Realistic, Intentionally Vulnerable Applications
    –  Web apps with a wide variety of vulnerabilities deliberately built in
    •  Old Versions of Real Applications
    –  Real applications such as WordPress (old versions with known vulnerabilities)
    •  Applications for Testing Tools
    •  Demonstration Pages / Small Applications
    •  OWASP Demonstration Applications
    Roughly ten applications of each kind are provided.
    Because a variety of already-vulnerable apps is included, the person running the exercise can
    concentrate on building the environment and writing the scenario. Distribution as a VM also makes
    environment setup easy.

  7. Who the exercises were run for this time (Tokyo Tech students / Tokyo Tech staff)
    •  Tokyo Tech students (mainly master's students)
    –  Enrolled in the Cybersecurity Special Professional Study Program
    –  Most of their lectures lean toward CS fundamental theory (a good thing)
    –  We want to offer a practical setting (a lecture) for applying those fundamentals!
    •  Tokyo Tech CERT (mainly administrative staff + technical staff)
    –  In charge of the organization's internal CSIRT duties
    –  They encounter security topics every day but have no opportunity to learn the details
    –  We want them to understand the mechanisms and improve their judgment at work!

  8. Lectures and exercises
    [Diagram: lectures provide acquisition of knowledge; exercises provide use and application of knowledge.]
    We did not have enough exercise environments, so we adopted OWASP BWA in order to run exercises while
    keeping the build cost as low as possible.

  9. Here are the concrete steps for creating the scenario

  10. Policy for creating the exercise environment and scenario
    •  An exercise environment that participants can prepare and join without strain
    •  An exercise environment they can imagine transposed onto a real-world setting
    •  Problem granularity and difficulty such that participants can solve as much as possible on their own
    •  A problem structure in which working through the problems naturally reveals the attack scenario

  11. How to get participants to understand a complex XSS
    [Diagram: the XSS scenario between the browser, the trap site and the vulnerable Web site. Steps, in
    order: (1) login and continued use of the site; (2) access to the trap site; (3) a link or POST to the
    vulnerable site (containing attack HTML/JavaScript); (4) an access containing attack code (code that sends
    the cookie to the attacker); (5) the cookie information is sent; (6) the session ID is obtained from the
    cookie; (7) access impersonating the user. The vulnerable part of the site is marked.]

  12. Breaking the whole XSS scenario down
    •  Inspect and change cookie information (steps 1, 6)
    –  Learn how to manipulate cookies using the browser
    •  Confirm the vulnerability and deliberately leak information (steps 1, 4, 5)
    –  Send cookie information using the search form
    •  Create and place the attack code (steps 2, 3, 4)
    –  Generate a URL containing code that sends cookie information
    Breaking the problem into small pieces lowers its difficulty. With hints added, most participants can
    answer on their own. Combining the three pieces above gives the whole scenario.

  13. Editing cookies as the user
    ・JavaScript can be executed from the browser's address bar
    ・Display the cookie
    - javascript:alert(document.cookie);
    ・Add or edit a cookie
    - javascript:void(document.cookie="id=abcd1234");
    [Screenshots: no cookie exists when the site is first visited; a cookie is added from the address bar;
    the cookie is edited from the address bar.]
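The slide reads and rewrites cookies through document.cookie, which is exactly the channel the later exfiltration exercises depend on. The following is an added example, not code from the slides: a small model of a browser cookie jar that shows the two views a browser offers (the Cookie request header and document.cookie) and why the HttpOnly attribute is the server-side fix for this class of leak. The cookie name PHPSESSID (PHP's default session cookie) and all values are constructed for the example. One practical caveat: current Firefox and Chrome refuse javascript: URLs entered in the address bar by default, so today the browser console is the place to run the slide's one-liners.

```javascript
// Added example (not from the slides): a minimal model of how a browser exposes
// cookies to script. In the exercise the session cookie is readable through
// document.cookie; a cookie set with the HttpOnly attribute is stored and sent
// to the server but hidden from document.cookie, which is the mitigation.
// Cookie names and sample values below are constructed for this example.

// Parse a Set-Cookie header value (or a document.cookie assignment string)
// into a cookie record with the attributes this model cares about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// A cookie jar for one origin, modelling the two views a browser offers:
// the Cookie request header (all cookies) and document.cookie (script view).
class CookieJar {
  constructor() { this.cookies = new Map(); }

  // Server side: a Set-Cookie response header.
  setFromServer(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // Script side: an assignment to document.cookie, which is what the slide's
  // address-bar one-liner does. A script cannot create or overwrite a cookie
  // that the server marked HttpOnly (RFC 6265 section 5.3).
  setFromScript(assignment) {
    const c = parseSetCookie(assignment);
    const existing = this.cookies.get(c.name);
    if (existing && existing.httpOnly) return false;
    this.cookies.set(c.name, c);
    return true;
  }

  // What document.cookie returns: name=value pairs, HttpOnly ones omitted.
  documentCookie() {
    return [...this.cookies.values()]
      .filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }

  // What the browser sends in the Cookie request header: every cookie.
  requestHeader() {
    return [...this.cookies.values()]
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// The exercise's situation versus the hardened configuration.
function demo() {
  const weak = new CookieJar();
  weak.setFromServer('PHPSESSID=constructed-session-id; Path=/');
  weak.setFromScript('id=abcd1234');               // the slide's example cookie
  const weakLeak = weak.documentCookie();           // session ID visible to any injected script

  const hardened = new CookieJar();
  hardened.setFromServer('PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax');
  hardened.setFromScript('id=abcd1234');
  const hardenedLeak = hardened.documentCookie();   // only the script-set cookie is visible

  return { weakLeak, hardenedLeak, stillSent: hardened.requestHeader() };
}

console.log(demo());
```

The model deliberately ignores Path, Domain and expiry so that the one rule that matters for the exercise stands out: HttpOnly removes the cookie from the script view without affecting what the browser sends to the server.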

  14. Deliberate information leak (the user shooting themselves in the foot)
    [Diagram: the browser, the trap site and the vulnerable Web site. Login and continued use of the site;
    an access containing attack code (code that sends the cookie to the attacker); the cookie information is
    sent. The vulnerable part (search form etc.) is marked.]
    If, while logged in, attack code is entered into the vulnerable search form or similar, the attack code
    executes and information such as the cookie leaks.

  15. Creating and placing a URL containing attack code
    [Diagram: the browser, the trap site and the vulnerable Web site. Access to the trap site; a link or
    POST to the vulnerable site (containing attack HTML/JavaScript); an access containing attack code (code
    that sends the cookie to the attacker).]
    The user is lured to the trap site by a URL in an e-mail body or similar, and ends up making a request
    containing attack code to the vulnerable site.

  16. Implementing the scenario with BWA
    [Diagram: browser = Firefox on the participant's PC; vulnerable Web site = the photo-sharing site
    "WackoPicko" on BWA; trap site = an httpd such as Apache, which is also the site that receives the leaked
    information; the bulletin board "Yazd" on BWA.]
    Chrome strictly restricts script execution in forms with XSS vulnerabilities; Firefox only warns. Given
    that participant environments are a mix of Windows and Mac, Firefox was adopted.
    Once BWA boots, all that remains is to have participants install Firefox and to separately prepare an
    httpd such as Apache with its access log viewable; preparation is then complete.

  17. The actual preparation process
    [Cartoon: the boss: "I want to run the exercise after all!!" The person in charge: "Whoa, seriously?"
    ... "Nothing for it but to do it."]
    About two weeks of preparation time
    •  In the meeting, the high preparation cost was pushing us toward giving up the exercise, until the word
       came down from the top.
    •  We ended up building the exercise environment in about two weeks, in between regular duties (quite
       hard; thanks to BWA).
    •  In practice the scenario was created by trial and error with the BWA apps. It does not really work out
       entirely top-down the way the explanation so far suggests.
    •  The person running the exercise gains not only knowledge directly tied to the exercise problems
       (XSS etc.) but a broad range of knowledge and skills: scenario creation, an understanding of HTTP,
       building virtual environments, and so on.

  18. Let's look at the actual problems and trace the scenario

  19. A vulnerable search form @ BWA WackoPicko
    1. A normal search
    2. A search containing HTML tags
    3. A search containing JavaScript
    ・Search strings (the HTML tags wrapping strings 2 and 3 did not survive extraction)
    　1: house
    　2: house
    　3: alert('hello');

  20. Deliberate information leak (the user shooting themselves in the foot)
    [Diagram, as on slide 14: login and continued use of the site; an access containing attack code (code
    that sends the cookie to the attacker); the cookie information is sent. The vulnerable part (search form
    etc.) is marked.]
    If, while logged in, attack code is entered into the vulnerable search form or similar, the attack code
    executes and information such as the cookie leaks.

  21. Exercise 1
    1. Use the search form to display the contents of the cookie.
    2. Use the search form to send the contents of the cookie to the external server (192.168.7.100), and
       confirm from its access log that the information is leaking.
    Hints
    - Google it
    - Use javascript
    - Use img src="URL" to send a message to the external server
    - Make use of the Firefox developer tools: Tools → Web Developer → Show developer tools
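Task 2 has the participant confirm the leak in the receiving server's access log. Seen from the defender's side, the same logs carry the evidence. The following is an added example, not from the slides: a scanner for Apache combined-format access log lines that flags requests whose decoded query string carries script markup (what the vulnerable site's own log would show) and requests whose query carries a session-cookie name (what the server at 192.168.7.100 in the exercise would see). The log lines, IP addresses, paths and the cookie value are constructed; PHPSESSID and JSESSIONID are the default session cookie names of PHP and of Java servlet containers.

```javascript
// Added example (not from the slides): parse Apache "combined" access log
// lines and flag the two traces the exercise leaves in logs, from the
// defender's side. The log lines below are constructed for this example.

// Fields of the combined log format: client, ident, user, [time], "request", status, bytes, "referer", "agent".
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/;

function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[7], agent: m[8] };
}

// Percent-decode a path/query, tolerating '+' and malformed sequences.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch (e) { return s; }
}

// Coarse indicators of script injection in a decoded query string.
const SCRIPT_MARKERS = [/<script\b/i, /javascript:/i, /\bon\w+\s*=/i, /document\.cookie/i];
// Default session cookie names of PHP and Java servlet containers.
const SESSION_NAMES = ['PHPSESSID', 'JSESSIONID'];

function classify(entry) {
  const decoded = safeDecode(entry.path);
  const findings = [];
  if (SCRIPT_MARKERS.some((re) => re.test(decoded))) findings.push('script-in-query');
  for (const name of SESSION_NAMES) {
    // A session cookie name appearing as a query parameter means a cookie value
    // was carried in a URL, i.e. exfiltrated to this server or leaked into a link.
    if (new RegExp(`[?&=;\\s]${name}=`).test(decoded)) findings.push(`session-cookie:${name}`);
  }
  return findings;
}

// Run every line through the parser and classifier; return only the hits.
function scan(lines) {
  const alerts = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const f = classify(e);
    if (f.length) alerts.push({ ip: e.ip, path: safeDecode(e.path), referer: e.referer, findings: f });
  }
  return alerts;
}

// Constructed sample log (RFC 5737 documentation addresses, invented paths).
const SAMPLE_LOG = [
  // a normal search on the vulnerable site
  '192.0.2.20 - - [30/Sep/2017:13:00:01 +0900] "GET /search.php?q=house HTTP/1.1" 200 2048 "http://198.51.100.5/" "Mozilla/5.0"',
  // a reflected XSS attempt on the vulnerable site (percent-encoded <script> tag)
  '192.0.2.20 - - [30/Sep/2017:13:00:09 +0900] "GET /search.php?q=%3Cscript%3Ealert(%27hello%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 2100 "http://198.51.100.5/" "Mozilla/5.0"',
  // what the receiving server (192.168.7.100 in the exercise) would record
  '192.0.2.20 - - [30/Sep/2017:13:00:10 +0900] "GET /?PHPSESSID=constructedsessionid HTTP/1.1" 404 196 "http://198.51.100.5/search.php" "Mozilla/5.0"',
  // a benign request whose file name contains "onload"; must not trigger
  '192.0.2.21 - - [30/Sep/2017:13:01:00 +0900] "GET /js/onload-helpers.js HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

console.log(scan(SAMPLE_LOG));
```

The markers are intentionally coarse (a parameter literally named "button=" would trip the event-handler pattern); in production they would feed a review queue, not a blocking rule. The session-cookie check is the one that turns the exercise around: the very log entry the participant looks for to confirm the leak is the entry a defender should be alerting on.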

  22. The Firefox Web developer tools
    [Screenshots: Inspector (follow what is inside the HTML); Network (follow what is inside HTTP).]
    - An indispensable tool for Web development; Chrome, Safari and others also ship one as standard.
    - Open it via Tools → Web Developer → Show developer tools (Mac: Cmd + Opt + i).

  23. Creating and placing a URL containing attack code
    [Diagram, as on slide 15: access to the trap site; a link or POST to the vulnerable site (containing
    attack HTML/JavaScript); an access containing attack code (code that sends the cookie to the attacker).]
    The user is lured to the trap site by a URL in an e-mail body or similar, and ends up making a request
    containing attack code to the vulnerable site.

  24. Exercise 2
    1. Create a link (URL) that leads to a page which displays the contents of the cookie.
    2. Using the search form, create a form like the one shown below that asks for user/pass.
    3. Make it send the entered information to the (rogue) external server when the button is pressed.
    4. Create a link (URL) that leads to a page with the two functions above.
    5. Post a link on the bulletin board that leads to the URL from problem 4.
    Bulletin board: BWA top page → Yazd → Test Forum A

  25. [Diagram: the full scenario mapped onto the lab. Firefox (browser); BWA WackoPicko (vulnerable Web
    site); BWA Yazd (bulletin board); Apache (trap site). Steps: login and continued use of the site; access
    to the trap site; a link or POST to the vulnerable site (containing attack HTML/JavaScript); an access
    containing attack code (code that sends the cookie to the attacker); the cookie information is sent; the
    session ID is obtained from the cookie; access impersonating the user. The vulnerable part is marked.]
    Have participants understand the whole scenario through the exercise.
    The point is for them to feel for themselves that carelessly clicking a URL while visiting the bulletin
    board can let an intruder into the photo-sharing site they were logged into elsewhere, with risks such as
    their private photos being viewed. Then have them think about what damage could occur, including to
    other services.

  26. Extra problems (bonus) added for participants who solved the above easily

  27. GET is dangerous, POST is safe??
    ・(Some people say) you should use POST instead of GET.
    They mistakenly believe it is safe because attack code cannot be embedded in the URL.
    Search form: BWA top page → OWASP WebGoat → Cross-Site Scripting (XSS) → Phishing with XSS
    This search form uses POST. Is it really safe?
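The slide asks whether a POST-based search form is safe. The following added example (not from the slides, WackoPicko or WebGoat) answers it in code: the same search term arrives through a GET query string or a POST body, and the outcome is decided entirely by whether the page escapes it on output. It also covers the reflected search of slide 19, using that slide's alert('hello') string as the payload; the request shapes, paths and parameter name are constructed.

```javascript
// Added example (not from the slides, WackoPicko or WebGoat): a tiny model of a
// search endpoint that reads the term from either the URL (GET) or a
// urlencoded body (POST) and renders it two ways. The defect is in how the
// value is written into the HTML, not in the HTTP method. Request shapes,
// paths and the parameter name below are constructed for this example.

// Decode an application/x-www-form-urlencoded string ("a=1&b=2"); a GET
// query string and a POST form body use the same encoding.
function parseForm(encoded) {
  const params = {};
  for (const part of encoded.split('&')) {
    if (!part) continue;
    const eq = part.indexOf('=');
    const k = eq < 0 ? part : part.slice(0, eq);
    const v = eq < 0 ? '' : part.slice(eq + 1);
    params[decodeURIComponent(k.replace(/\+/g, ' '))] =
      decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// Extract the search term from a simplified request object, whichever
// method the form used.
function searchTerm(req) {
  if (req.method === 'GET') return parseForm(req.url.split('?')[1] || '').q || '';
  if (req.method === 'POST') return parseForm(req.body || '').q || '';
  return '';
}

// Vulnerable rendering: the raw term is concatenated into the page. This is
// the behaviour the exercise relies on.
function renderVulnerable(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened rendering: every character with meaning in HTML text is
// entity-encoded before it reaches the page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}
function renderSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Coarse check used below: does the HTML contain a script element or an
// inline event-handler attribute?
function hasActiveContent(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// The third search string from the WackoPicko slide, wrapped in a script tag.
const PAYLOAD = "<script>alert('hello');</script>";

// The same term submitted with GET (in the URL) and with POST (in the body).
const getRequest = { method: 'GET', url: '/search?q=' + encodeURIComponent(PAYLOAD) };
const postRequest = { method: 'POST', url: '/search', body: 'q=' + encodeURIComponent(PAYLOAD) };

function demo() {
  const fromGet = searchTerm(getRequest);
  const fromPost = searchTerm(postRequest);
  return {
    sameTermBothMethods: fromGet === fromPost,       // the method changes nothing about the value
    vulnerableIsActive: hasActiveContent(renderVulnerable(fromPost)),
    safeIsActive: hasActiveContent(renderSafe(fromPost)),
    safeHtml: renderSafe(fromPost),
  };
}

console.log(demo());
```

Switching the form to POST only moves the payload from the URL into a body that a page on the trap site can submit automatically, as exercise 3 goes on to show; output encoding (and, for a defence in depth, a Content Security Policy) is what actually removes the vulnerability.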

  28. Exercise 3
    1. Use the search form to display the contents of the cookie.
    2. Use the search form to send the contents of the cookie to the rogue Web server.
    3. Create a form, like the one below, for entering credentials.
    4. Enter credentials and send them to the rogue Web server.

  29. Exercise 4
    1. Plant a trap on the bulletin board (Yazd) that displays the credential-entry form from exercise 3.
    Bulletin board: BWA top page → Yazd → Test Forum A
    2. Enter user/pass into that form and confirm that the information is leaking.
    3. Plant a trap on the bulletin board (WebGoat) that displays a credential-entry form.
    Bulletin board: BWA top page → OWASP WebGoat → Cross-Site Scripting (XSS) → Stored XSS Attacks
    4. Enter user/pass into that form and confirm that the information is leaking.
    Hints
    - The Yazd bulletin board does not support Japanese, so the message can be in English.
    - Use the Firefox developer tools to understand the contents of the HTTP traffic.
    - A form input tag can issue a POST.
    - Examine the HTML structure and check where the malicious code is reflected.

  30. Here is a concrete account of how the security exercises went

  31. Security camp for Tokyo Tech students
    •  Participants: Tokyo Tech students (mainly master's), about 10
    •  Venue/duration: a hotel in Hakone / 3 days, 2 nights
    •  Participant level: strong fundamentals, as science students. On the other hand, a certain share of
       them do not know the basics of Web technologies such as HTML, JS and HTTP. They are interested in
       security technology, but none is a CTF player.
    [Photos: students solving the problems; the exercise venue.]

  32. Preparing the exercise environment for the camp
    •  Participants install OWASP BWA on their own machines before the camp
    •  BWA booted without problems on VMWare Player (Win) / VirtualBox (Win/Mac) / VMWare Fusion (Mac, paid)
    •  They were also instructed to install Firefox
    •  Only a few lines of installation instructions were sent in advance; no particular trouble
    •  Apache and the like are prepared on the day of the exercise, with separate instructions
    •  VirtualBox and OWASP BWA are several GB, so keeping them on a USB stick or similar helps when trouble hits
    •  The exercise can be run entirely within each participant's own PC (because the venue's network
       situation could not be known in advance)
    [Diagram, as on slide 16: Firefox on the participant's PC; the photo-sharing site "WackoPicko" on BWA
    as the vulnerable Web site; an httpd such as Apache as the trap site and the site that receives the
    leaked information; the bulletin board "Yazd" on BWA.]

  33. The camp program
    •  Day 1 (Tokyo Tech lecturers)
    –  Lectures on networks / authentication / Web / OS
    –  Research on the OWASP TOP 10 (group work)
    •  Day 2 (Tokyo Tech lecturers)
    –  Presentations and discussion on the OWASP TOP 10
    –  Exercise using OWASP BWA
    •  Day 3 (Rakuten CERT lecturers)
    –  Real-world security topics surrounding Rakuten
    –  Exercises centred on XSS / SQLi / RCE
    –  Social engineering topics
    For the TOP 10, each group researched and presented two or three themes, with overlap between groups
    allowed. Half of the groups went so far as to build demos. The BWA exercise was planned for 4 hours, but
    the program ran over and only 2 hours were left. Many said there was not enough time, but most
    participants had solved up to exercise 2.

  34. Security exercise for Tokyo Tech staff
    •  Participants: Tokyo Tech CERT (mainly administrative staff + technical staff), 5 people
    •  Venue/duration: a meeting room on campus / 2 months (1.5 hours per week)
    •  Participant level: they encounter security topics every day but have no opportunity to learn the
       technical details, and have little CS background. One participant, with an information-science
       background, finished everything in about two sessions (3 hours).
    Going slowly is important. The preparatory lecture for the students had already touched on session
    management on the Web, the same-origin policy and so on; for the staff we took ample time and also
    covered HTML tags and how to run simple JS. It took time, but most of them could answer up to exercise 2.

  35. Building the exercise environment
    [Diagram: the vulnerable Web site (photo-sharing site "WackoPicko" on BWA), the bulletin board "Yazd"
    on BWA, and an httpd such as Apache as the trap site that receives the leaked information.]
    •  BWA was prepared on a VMWare vSphere (ESXi) environment
    •  The .vmx file obtained from the official site was converted to .ova with VMWare OVFTool and used
    •  The official BWA OVA (ver 1.2 / 1.1.1) did not boot; the same issue is reported on the Web
    •  The OVFTool command is available for Win/Mac/Linux (on Mac, convert as follows)
    •  /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova
    •  Deploying the .ova generated above from the vSphere client makes BWA available
    •  This was done on an experimental virtualization platform, but for safety BWA was powered off except
       during exercises (taking a snapshot and resetting to it is also effective)
    •  Participants only bring a PC with Firefox installed
    vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSD x2)

  36. Impressions from the student and staff exercises
    •  Whatever the differences in fundamentals, given time everyone can work through the steps to an answer
    •  Solving a problem hands-on looks like fun regardless of age
    •  Especially for staff, there were many cases where they could, for the first time, concretely imagine
       the danger
    •  For students the content needs to be richer (we want them to learn a lot)
    •  Even if some students race ahead, BWA has plenty of material to solve, so they can be left to it
    •  For staff, it is effective to have a wide range of people such as ICT administrators participate, to
       raise awareness
    •  Building the environment is quite easy thanks to BWA's packaging and the VM (one can focus on
       scenario creation)
    •  The person running the exercise learns broadly. For a group of developers who want to learn security,
       having each member pick a theme and take turns running a roughly one-hour exercise might be an
       efficient way to raise everyone's level
    When it was decided we would do it I felt anxious about the preparation, but BWA's rich set of apps made
    it easy to prepare. Participants' reactions were positive and their understanding seemed to deepen, so I
    am glad we did it.

  37. Summary
    •  An introduction to OWASP BWA (Broken Web Application)
    •  Policy and steps for creating a scenario
    •  Concrete problem granularity and ordering for XSS
    •  XSS exercises 1-4
    •  The student and staff exercises (background, environment setup)
    Security exercises are easier to start than you might think. If you have not yet, do give it a try!