Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OWT2017JP - OWASP BWA
Search
OWASP Japan
September 30, 2017
Technology
9
3.5k
OWT2017JP - OWASP BWA
#OWT2017JP
Training Course using OWASP BWA
by 松浦知史, 東京工業大学
OWASP Japan
September 30, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
320
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
970
20190107_AbuseCaseCheatSheet
owaspjapan
0
160
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
940
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.2k
Shifting Left Like a Boss
owaspjapan
2
280
OWASP Top 10 and Your Web Apps
owaspjapan
2
370
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
230
elegance_of_OWASP_Top10_2017
owaspjapan
2
510
Other Decks in Technology
See All in Technology
EMConf JP 2025 懇親会LT / EMConf JP 2025 social gathering
sugamasao
2
200
php-conference-nagoya-2025
fuwasegu
0
150
アジャイルな開発チームでテスト戦略の話は誰がする? / Who Talks About Test Strategy?
ak1210
1
610
ウォンテッドリーのデータパイプラインを支える ETL のための analytics, rds-exporter / analytics, rds-exporter for ETL to support Wantedly's data pipeline
unblee
0
130
株式会社Awarefy(アウェアファイ)会社説明資料 / Awarefy-Company-Deck
awarefy
3
11k
役員・マネージャー・著者・エンジニアそれぞれの立場から見たAWS認定資格
nrinetcom
PRO
4
6.2k
AIエージェント入門
minorun365
PRO
32
18k
遷移の高速化 ヤフートップの試行錯誤
narirou
6
1.2k
Amazon Q Developerの無料利用枠を使い倒してHello worldを表示させよう!
nrinetcom
PRO
2
120
Visualize, Visualize, Visualize and rclone
tomoaki0705
9
83k
RayでPHPのデバッグをちょっと快適にする
muno92
PRO
0
190
わたしがEMとして入社した「最初の100日」の過ごし方 / EMConfJp2025
daiksy
14
5.1k
Featured
See All Featured
The Cost Of JavaScript in 2023
addyosmani
47
7.4k
We Have a Design System, Now What?
morganepeng
51
7.4k
How to Ace a Technical Interview
jacobian
276
23k
How to Think Like a Performance Engineer
csswizardry
22
1.4k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
4
380
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
YesSQL, Process and Tooling at Scale
rocio
172
14k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
4
430
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
640
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
Transcript
08"41#8"Λ༻ֶ͍ͨੜ ͓Αͼ৬һ͚τϨʔχϯά ౦ژۀେֶɹֶज़ࠃࡍใηϯλʔɹ দӜ࢙ (
[email protected]
)
2 দӜ ࢙ (MATSUURA Satoshi) ౦ژۀେֶ ֶज़ࠃࡍใηϯλʔ ।ڭत ౦େCERT ౷ׅऀ
http://cert.titech.ac.jp ▪ ηΩϡϦςΟڭҭ • αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜ (౦େɾम࢜ର) • IT-Keys / SecCap (ෳͷ࢈ֶ৫ɾम࢜ର) ▪ ݚڀ׆ಈ • geographical overlay network, େنηϯαωοτϫʔΫ, ࢄPub/ Sub, DTN, ηΩϡϦςΟϩάੳͱػցֶश
ίʔεΛ௨ͯ͠Կֶ͕Δ͔ • OWASP BWA(Broken Web Application)ͱԿ͔ • ԋश࣮ࢪऀ͓Αͼडߨऀʹର͢ΔڭҭޮՌ • OWASP
BWAΛར༻ͨ͠ԋशڥͷߏஙํ๏ • ۩ମతͳ߈ܸγφϦΦͷ࡞खॱ • ۩ମతͳԋश࣮ࢪखॱ(ͷग़͠ํ) – डߨऀ͕ཧղ͍͢͠ͷཻͱॱ൪Λߟྀ • ۩ମతͳԋश࣮ࢪྫͱTips – OWASP TOP10Ճֶ͑ͨੜ/৬һ͚ͷԋश࣮ࢪྫ 3
OWASP BWA(Broken Web Application) 4 ɾηΩϡϦςΟֶश༻ͷ੬ऑͳΞϓϦΛؚΉLinux͕ϕʔεͱͳͬͨVMΠϝʔδ ) ઈରʹάϩʔόϧͳڥʹଓͤͣɺִ͞ΕͨNATڥͰར༻ͯ͠Լ͞ ͍ OWASP
BWAτοϓϖʔδ ଟछଟ༷ͳΞϓϦ͕༻ҙ͞Ε͍ͯΔ τϨʔχϯάΞϓϦ ੬ऑੑΛ๊͑ͨΞϓϦͳͲ
BWAͷରऀ • WEBΞϓϦέʔγϣϯͷηΩϡϦςΟΛֶͼ͍ͨํ • ϦεΫධՁٕज़(ϖωτϨɺ੬ऑੑஅͳͲ)ΛखಈͰࢼ͍ͨ͠ํ • ࣗಈԽπʔϧΛςετ͍ͨ͠ํ • ιʔείʔυ͕ηΩϡΞ͔Ͳ͏͔ੳ͍ͨ͠ํ •
WEBʹର͢Δ߈ܸΛࢹ͍ͨ͠ํ • WAFͷٕज़Λςετ͍ͨ͠ํ 5 ใηΩϡϦςΟͷॳֶऀ͔ΒΞϓϦέʔγϣϯ։ൃऀɺηΩϡϦςΟػثͷӡ༻୲ ऀ·Ͱɺతʹ߹Θͤͯ෯͍ٕज़ऀ͕ར༻Ͱ͖Δɻ໊લͷ௨ΓWEB͕த৺ɻ!
BWAͷத • Training Applications – ੬ऑੑຖʹίʔε͕༻ҙ͞Ε͓ͯΓɺΛղ͖ͳ͕ΒֶΔWEBΞϓϦ • Realistic, Intentionally Vulnerable
Applications – ଟछଟ༷ͳ੬ऑੑ͕ҙਤతʹ࡞Γࠐ·ΕͨWEBΞϓϦ • Old Versions of Real Applications – WordPressͳͲ࣮ࡏ͢ΔΞϓϦ(੬ऑੑͷ͋Δݹ͍όʔδϣϯ) • Applications for Testing Tools • Demonstration Pages / Small Applications • OWASP Demonstration Applications 6 ࠷ॳ͔Β੬ऑੑΛ๊༷͑ͨʑͳΞϓϦؚ͕·Ε͓ͯΓɺԋश࣮ࢪऀԋशڥͷߏங γφϦΦͷ࡞ʹूதग़དྷΔɻ·ͨVMͰ͞Ε͍ͯΔͷͰڥߏங༰қɻ! ֤ʑ10छྨ΄Ͳ! ༻ҙ͞Ε͍ͯΔ!
ࠓճԋशΛߦͬͨର(౦େੜ/౦େ৬һ) • ౦େੜ (ओʹमֶ࢜ੜ) – αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜΛडߨ – CSͷجૅཧدΓͷߨ͕ٛଟ͍(ྑ͍ࣄ) – جૅྗΛԠ༻͢Δ࣮ફతͳ(ߨٛ)Λఏڙ͍ͨ͠!
• ౦େCERT (ओʹࣄһ+ٕज़৬һ) – ৫CSIRTۀΛ୲ – ʑηΩϡϦςΟͷʹ৮ΕΔ͕ৄࡉΛΔػձ͕ແ͍ – ΈΛΓɺۀͰͷஅྗΛ্͍ͤͨ͞! 7
࠲ֶͱԋश 8 ԋशڥ͕Γ͍ͯͳ͍ঢ়گͰ͋ͬͨͷͰɺͰ͖ΔݶΓߏஙίετΛ͑ͳ͕Βԋश Λߦ͏ͨΊʹOWASP BWAΛ࠾༻ͨ͠ɻ! ࣝͷར༻/Ԡ༻! ࣝͷशಘ!
9 ۩ମతͳγφϦΦͷ ࡞खॱΛհ͠·͢
ԋशڥ/γφϦΦͷ࡞ϙϦγʔ • डߨऀ͕ແཧͳ͘४උ͠ࢀՃͰ͖Δԋशڥ • ݱ࣮ͷڥʹஔ͖͑ͯ૾Մೳͳԋशڥ • ग़དྷΔ͚ͩडߨऀ͕ࣗྗͰղ͚Δͷཻ/ • ղ͖ਐΊΔͱࣗવͱ߈ܸγφϦΦ͕ཧղͰ͖Δߏ 10
੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ෳࡶͳXSSΛडߨऀʹͲ͏ཧղͯ͠͏͔ 11
XSSશମͷγφϦΦΛղ • ΫοΩʔใΛ֬ೝ͠ɺมߋ͢Δ (1,6) – ϒϥβΛར༻͠ΫοΩʔͷૢ࡞ΛΔ • ੬ऑੑͷ֬ೝͱނҙͷใ࿙Ӯ (1,4,5) –
ݕࡧϑΥʔϜΛར༻͠ΫοΩʔใΛૹ৴ • ߈ܸίʔυͷ࡞/ઃஔ (2,3,4) – ΫοΩʔใΛૹ৴͢ΔίʔυΛؚΜͩURLͷੜ 12 Λখ͘͞ղ͢Δ͜ͱͰͷқ͕Լ͢ΔɻώϯτΛՃ͑Δ͜ͱͰଟ͘ͷ डߨऀ͕ࣗྗͰղ͢Δࣄ͕Մೳɻ্ه̏ͭΛΈ߹ΘͤΔͱશମͷγφϦΦʹɻ!
ϢʔβʹΑΔΫοΩʔͷฤू 13 ɾϒϥβͷΞυϨεόʔͰJavaScriptΛ࣮ߦՄೳ ɾΫοΩʔͷදࣔ - javascript:alert(document.cookie); ɾΫοΩʔͷՃɾฤू - javascript:void(document.cookie=”id=abcd1234”); αΠτΛ๚Εͨ࣌Ͱcookieແ͠
ΞυϨεόʔΑΓcookieΛՃ ΞυϨεόʔΑΓcookieΛฤू
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) 14 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻
߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 15 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
BWAΛར༻͠ɺγφϦΦΛ࣮͢Δ 16 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ ChromeXSS੬ऑੑ͕͋ΔϑΥʔϜͰͷεΫϦϓτ࣮ߦ ͕ݫ੍͘͠ݶ͞Ε͍ͯΔɻFirefoxܯࠂͷΈɻWin/Mac
ͱडߨऀڥ͕·ͪ·ͪͰ͋ΔࣄΛߟ͑FirefoxΛ࠾༻ɻ डߨऀPC্ͷ Firefox BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA͕ىಈग़དྷΕɺޙFirefoxΛडߨऀʹΠϯετʔϧ͖ͯͯ͠͏ࣄͱผ్ ApacheͳͲhttpdΛ४උ͠ɺΞΫηεϩά͕ݟΒΕΔ༷ʹ͓͚ͯͩ͘͠Ͱ४උྃɻ!
ʔɺ ·͔ͬ͢͡ʔ ࣮ࡍͷ४උաఔ ͬͺΓ ԋशΛ Γ͍ͨ ʂʂ Ғ͍ਓ ͱʹ͔͘
Δ͔͠ͳ͍ ୲ऀ 2िؒఔͷ४උظؒ • ձٞͰ४උίετͷߴ͔͞Βԋशஅ೦͢Δํʹ͔͏͕ɺͷҰ͕ • 2िؒఔͰۀͷ߹ؒʹԋशڥΛ࡞ΓࠐΉࣄʹ(தʑʹେมɻBWAʹײँ) • ࣮ࡍʹBWAͷΞϓϦΛར༻͠ࢼߦࡨޡ͠ͳ͕ΒγφϦΦΛ࡞ɻ͜͜·Ͱͷ આ໌ͷ༷ʹશͯτοϓμϯͱ͍͏༁ʹதʑ͍͔ͳ͍ɻ • ԋश୲ऀXSSͳͲԋशʹ݁͢Δ͚ࣝͩͰແ͘ɺγφϦΦͷ࡞ೳ ྗɺHTTPͷཧղɺԾڥͷߏஙೳྗͳͲ෯͍ࣝೳྗ͕ʹ͘ɻ 17
18 ࣮ࡍͷΛݟͯɺ γφϦΦΛḷͬͯΈ·͠ΐ͏
੬ऑੑ͕͋ΔݕࡧϑΥʔϜ @ BWA WackoPicko 19 1. ௨ৗͷݕࡧ! 2. HTMLλάΛؚΜͩݕࡧ! 3.
javascriptΛؚΜͩݕࡧ! ɾݕࡧจࣈྻ ɹ1.ɿhouse ɹ2.ɿ<s>house</s> ɹ3.ɿ<script>alert('hello');</script>
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ߈ܸίʔυΛؚΜͩΞΫηε
(߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ) 20
ԋश՝̍ 21 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛ֎෦αʔό(192.168.7.100)ʹ ɹɹૹ৴͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛΞΫηεϩάΑΓ֬ೝ͠ͳ͍͞ άάΔ KBWBTDSJQUΛར༻͢Δ JNHTSDz63-zΛར༻ͯ͠ɺ֎෦αʔόʹϝοηʔδΛૹΔ 'JSFGPYͷ։ൃπʔϧΛ׆༻͢Δ πʔϧˠ8&#։ൃˠ։ൃπʔϧΛදࣔ
ώϯτ
FirefoxͷWEB։ൃπʔϧ 22 ཁૉͷௐࠪ (HTMLͷதΛ͏)! ௨৴ͷௐࠪ (HTTPͷதΛ͏)! - WEB։ൃʹ͔ܽͤͳ͍πʔϧɻChrome / Safariʹඪ४Ͱଐ
- πʔϧ→WEB։ൃ→։ൃπʔϧͷදࣔͱḷΔ (Mac: Cmd + Opt + i)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 23 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
ԋश՝̎ 24 ̍ɽcookieͷதΛදࣔͯ͠͠·͏ϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠Լਤͷ༷ͳuser/passͷೖྗΛٻΊΔϑΥʔϜΛ࡞͠ͳ͍͞ ̏ɽϘλϯ͕ԡ͞Εͨ࣌ʹೖྗ͞ΕͨใΛ(ෆਖ਼ͳ)֎෦αʔόʹૹ৴͢ΔΑ͏ʹ͠ͳ͍͞ ̐ɽ্ه̎ͭͷػೳΛ࣋ͬͨϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̑ɽܝࣔ൘ʹ্ه(4.)ͷURLʹ༠ಋ͢ΔϦϯΫΛॻ͖ࠐΈͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A
#8"8BDLP1JDLP 'JSFGPY #8":B[E "QBDIF ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε
੬ऑͳαΠτͷϦϯΫPOST (߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ԋशΛ௨ͯ͠શମͷγφϦΦΛཧղͯ͠͏ 25 ܝࣔ൘αΠτΛ๚Εෆ༻ҙʹURLΛΫϦοΫͨ͠ॴɺଞͰϩάΠϯ͍ͯͨ͠ը૾ڞ༗αΠτ ʹෆਖ਼ʹ৵ೖ͞Εͯ͠·͍ɺϓϥΠϕʔτͳࣸਅΛݟΒΕΔͷةݥੑ͕͋ΔࣄΛ࣮ײͯ͠ ͏ɻଞͷαʔϏεؚΊͯͲΜͳඃ͕ൃੜ͢Δ͔डߨऀʹߟ͑ͯ͏ɻ!
26 ͋ͬ͞Γͱղ͚ͨडߨੜ͚ʹ Ճͨ͠(͓·͚)
GETةݥɺPOST҆શʁʁ 27 ɾGETͰͳ͘POSTΛ͏͖(ͱ͍͏ਓ͕͍Δ) URLʹ߈ܸίʔυΛຒΊΒΕͳ͍ͷͰɺ҆શͩͱצҧ͍͍ͯ͠Δ ݕࡧϑΥʔϜɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site Scripting(XSS)→Phishing with XSS ͜͜ͷݕࡧϑΥʔϜPOSTΛར༻͍ͯ͠Δɻຊʹ҆શͰ͠ΐ͏͔ʁ
ԋश՝̏ 28 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛෆਖ਼ͳWEBαʔόʹૹ৴͠ͳ͍͞ ̏ɽԼهͷ༷ͳೝূใΛೖྗ͢ΔϑΥʔϜΛ࡞Γͳ͍͞ ̐ɽೝূใΛೖྗ͠ɺͦͷ༰Λෆਖ਼WEBαʔόʹૹ৴͠ͳ͍͞
ԋश՝̐ 29 ̍ɽܝࣔ൘(Yazd)ʹ᠘Λֻ͚ɺ՝̏ͷೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A ̎ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ ̏ɽܝࣔ൘(WebGoat)ʹ᠘Λֻ͚ɺೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site
Scripting(XSS)→Stored XSS Attacks ̐ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ :B[Eͷܝࣔ൘ຊޠʹରԠ͍ͯ͠ͳ͍ͷͰɺϝοηʔδӳޠͰྑ͍ 'JSFGPYͷ։ൃπʔϧͰ)551௨৴ͷ༰ΛѲ͢Δ 'PSN JOQVUλάͰ1045͕Մೳ )5.-ͷߏΛௐࠪ͠ɺѱҙ͋Δίʔυ͕Ͳͷ෦ʹө͞ΕΔ͔֬ೝ͢Δ ώϯτ
30 ηΩϡϦςΟԋशΛ࣮ࢪͨ͠ ༷ࢠΛ۩ମతʹհ͠·͢
౦େੜ͚ͷηΩϡϦςΟ߹॓ • ରऀɿ౦େੜ(ओʹम࢜) 10໊ఔ • ։࠵/ظؒɿശࠜͷϗςϧ / 2ധ3 • डߨऀͷϨϕϧɿཧܥֶੜͱͯ͠ߴ͍جૅྗΛ࣋ͭɻҰํͰHTML
JSɺHTTPͷWEBٕज़ͷجૅΛΒͳֶ͍ੜҰఆͷׂ߹ଘࡏ͢Δɻη ΩϡϦςΟٕज़ʹڵຯ͕͋ΔఔͰɺCTFࢀՃऀͳͲ͍ͳ͍ঢ়گɻ 31 Λղ༷͘ࢠ ԋशձͷ༷ࢠ
߹॓ʹ͓͚Δԋशڥͷ४උ • ߹॓લʹडߨऀ֤ࣗͷϚγϯʹOWASP BWAΛΠϯετʔϧ͖ͯͯ͠͏ • VMWare Player(Win) / VirtualBox(Win/Mac) /
VMWare fusion(Macɾ༗ঈ)ͰBWA͕ແ͘ىಈ • FirefoxซͤͯΠϯετʔϧͯ͘͠ΔΑ͏ʹࢦࣔ • ߦͷΠϯετʔϧղઆΛࣄલʹૹͬͨͷΈͰɺಛஈͷτϥϒϧແ͠ • ApacheͳͲԋशʹผ్ࢦࣔͯ͠४උͯ͠͏ • VirtualBoxOWASP BWAͰGB͋ΔͷͰUSBϝϞϦೖΕ͓ͯ͘ͱτϥϒϧ࣌ʹཱͭ • ֤ࣗͷPCͰ݁ͯ͠ԋश͕ߦ͑Δঢ়ଶ (ձͷωοτϫʔΫڥ͕ಡΊͳ͍ͨΊ) 32 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko”
߹॓ͷϓϩάϥϜ • 1 (౦େ ߨࢣਞ) – ωοτϫʔΫ/ೝূ/WEB/OSʹؔ͢Δߨٛ – OWASP TOP
10ʹؔ͢Δௐࠪ(άϧʔϓϫʔΫ) • 2 (౦େ ߨࢣਞ) – OWASP TOP 10ʹؔ͢Δൃදͱٞ – OWASP BWAΛ༻͍ͨԋश • 3 (ָఱCERT ߨࢣਞ) – ָఱΛऔΓר͘ϦΞϧͳηΩϡϦςΟͷ – XSS / SQLi / RCEΛத৺ͱͨ͠ԋश – ιʔγϟϧΤϯδχΞϦϯάͷ 33 TOP 10άϧʔϓؒͰͷॏෳΛڐ̎͠ɼ̏ͷςʔϚΛௐ͓ࠪΑͼൃදɻ͕σϞΛ࡞͢ Δͱ͍͏ྗͷೖΕΑ͏Ͱ͋ͬͨɻBWAԋश4࣌ؒͷ༧ఆ͕ϓϩάϥϜ͕ԡͯ͠͠·͍2࣌ؒ ͷΈɻ͕࣌ؒΓͳ͍ͱͷҙݟ͕ଟग़͕ͨɺԋश՝̎·Ͱଟ͘ͷडߨऀ͕ղ͍͍ͯ ͨɻ!
౦େ৬һ͚ηΩϡϦςΟԋश • ରऀɿ౦େCERT(ओʹࣄ৬һʴٕज़৬һ) 5໊ • ։࠵/ظؒɿ౦େͷձٞࣨ / 2ϲ݄(1.5࣌ؒ/ि) • डߨऀͷϨϕϧɿʑηΩϡϦςΟͷʹ৮Ε
Δ͕ٕज़తͳৄࡉΛֶश͢Δػձແ͍ɻCSͷό οΫάϥϯυ͋·Γແ͍ɻ1໊ใܥग़Ͱ2 ճ(3࣌ؒ)΄ͲͰશͯऴྃɻ 34 Ώͬ͘ΓਐΊΔࣄ͕ॏཁɻֶੜʹࣄલߨٛͰWEBʹ͓͚ΔηογϣϯཧಉҰੜݩϙ ϦγʔͳͲʹݴٴ͕ͨ͠ɺ৬һ͚Ͱ͞ΒʹHTMLλά؆୯ͳJSͷ࣮ߦͷํͳͲؚ Ίͯेʹ࣌ؒΛऔͬͯਐΊͨɻ͔͔͕࣌ؒͬͨԋश՝̎·Ͱଟ͕͘ղͰ͖ͨɻ!
ԋशڥͷߏங ੬ऑͳ8&#αΠτ ใ࿙ӮઌͷαΠτ ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ
൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” • VMWare vSphere (ESXi)ͷڥʹBWAΛ४උ • ެࣜαΠτ͔Βऔಘͨ͠.vmxϑΝΠϧΛVMWare OVFToolΛར༻ͯ͠.ovaʹมͯ͠ར༻͢Δ • BWAެࣜͷOVA(ver 1.2 / 1.1.1)ىಈͤͣWEB্Ͱಉ༷ͷࢦఠ༗Γ • OVFToolίϚϯυWin/Mac/Linux൛͕༻ҙ͞Ε͍ͯΔʢMacͷ߹Լهͷ༷ʹม͢Δ) • /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova • vSphere client͔Β্هͰੜͨ͠.ovaϑΝΠϧΛσϓϩΠ͢ΕBWA͕ར༻Մೳ • ࣮ݧ༻ͷԾԽج൫্Ͱߦ͕ͬͨ҆શͷͨΊԋश࣌Ҏ֎BWAͷిݯOFFʹ (εφοϓγϣοτΛऔͬͯॳظԽ༗ޮ) • डߨऀFirefoxΛΠϯετʔϧͨ͠PCΛ࣋ࢀ͢Δ͚ͩ 35 vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSDx2)
ֶੜ͚ / ৬һ͚ͷԋशΛ௨ͯ͠ͷࡶײ • جૅྗͷࠩͦ͋͜Εɺ࣌ؒΛֻ͚Εஈ֊Λͬͯղ͕Մೳ • खΛಈ͔͠ͳ͕Β͕ղ͚ͨ࣌ྸʹؔΘΒָͣͦ͠͏Ͱ͋Δ • ಛʹ৬һ۩ମతʹةݥͰ͋ΔͱॳΊͯ૾Ͱ͖Δέʔεଟ͍ •
ֶੜ͚ʹ༰Λॆ࣮͢Δඞཁ͕͋Δ(ଟ͘ΛֶΜͰཉ͍͠) • ಥग़ͯ͠ਐΉֶੜ͕͍ͯɺղ͖͘ࡐBWAʹ૬͋ΔͷͰ์ஔϓϨʔՄೳ • ৬һ͚ʹICTཧऀͳͲ෯͘ࢀՃ͍ͯ͠ɺҙ্ࣝΛਤΔࣄ͕ޮՌత • ڥߏஙBWAͷύοέʔδϯάͱVMͷ͓͔͛Ͱ૬ʹָͰ͋Δ(γφϦΦ࡞ʹूதग़དྷ Δ) • ԋश࣮ࢪऀ෯ֶ͘ΔɻηΩϡϦςΟΛֶͼ͍ͨ։ൃऀूஂͰ͋Εɺ֤ࣗͰςʔϚΛܾ Ίͯ1࣌ؒఔͷԋशΛॱ൪ʹ୲͢ΔͱޮతʹશମͷϨϕϧΞοϓ͕ਤΕΔͷͰͳ͍͔ 36 Δͱܾ·ͬͨ࣌४උʹෆ҆ײ͡·͕ͨ͠ɺBWAͷΞϓϦ͕ॆ࣮͍ͯ͠ΔͷͰ४උ͠ қ͔ͬͨͰ͢ɻडߨऀͷԠϙδςΟϒͰཧղਂ·ͬͨΑ͏Ͱɺͬͯྑ͔ͬͨͰ͢ɻ!
·ͱΊ • OWASP BWA(Broken Web Application)ͷհ • γφϦΦͷ࡞ϙϦγʔ / ࡞खॱ
• XSSʹؔ͢Δ۩ମతͳͷཻ/ॱ൪ • XSSʹؔ͢Δԋश՝1-4 • ֶੜ/৬һ͚ͷԋश༰(എܠ/ڥߏங)ͷհ 37 ηΩϡϦςΟԋशҎ֎ͱ؆୯ʹ࢝ΊΒΕ·͢ɻ·ͩͷํੋඇʂ!