Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OWASP ZAPで 脆弱性診断士気分を味わってみた話

石川 博
March 07, 2019
Technology
0
410

OWASP ZAPで 脆弱性診断士気分を味わってみた話

石川 博

March 07, 2019
Tweet

More Decks by 石川 博

See All by 石川 博
RAMユーザのパスワード誤入力をSlackに通知させてみた / Tried to notify Slack the wrong password of the RAM user
pirox07_dora
0
300
Since no time to construct an infrastructure, I tried using Serverless Framework. / インフラつくる時間がなかったから Serverless Framework を 使ってみた話
pirox07_dora
0
120
NetskopeにみるWebサービスの信頼性評価 / Reliability evaluation of Web service by Netskope
pirox07_dora
0
150
bantoで今すぐOKRを始めるためにStripeを選んだ理由 / Reason for choosing Stripe to start OKR right now with banto
pirox07_dora
2
880

Other Decks in Technology

See All in Technology
Por que testes de unidade não são suficientes para seus microsserviços
rponte
1
1.1k
CloudWatch複合アラームでELBの5XXをいい感じに検知しようとしたらうまくいかなかった話 / cloudwatch alarm elb 5xx
gotok365
0
570
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
高さ比べじゃない、キャリアは歩んできた道
dzeyelid
0
220
ブロックテーマでどう変わる?新しいWordPressのWebサイト制作
tbshiki
0
140
Head toward Java 20 and Java 21
line_developers
PRO
0
130
モノリスからの脱却に向けた 物流システムリプレイスの概要紹介 / Towards Decentralized Logistics System Replacement from Monolithic Structure
yumayabe
0
270
IaCのCI/CDを考えよう / JAWS-UG_Okayama_IaC_CICD
taishin
0
140
NestJS をかじってみた / MIERUNE BBQ #01 / #mierune
tacck
0
200
ChatGPTをどう使うか?(JJUGナイトセミナー5/23)
shin_higuchi
0
750
Data-Centric AIのためのベンチマーク
x_ttyszk
0
510
株式会社オプティム_採用会社紹介資料 / optim-recruit
optim
0
9.5k

Featured

See All Featured
How to train your dragon (web standard)
notwaldorf
69
4.4k
GraphQLの誤解/rethinking-graphql
sonatard
41
8.2k
[RailsConf 2023] Rails as a piece of cake
palkan
6
1.5k
In The Pink: A Labor of Love
frogandcode
133
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
346
18k
Building Applications with DynamoDB
mza
86
5.1k
Designing Experiences People Love
moore
130
22k
Facilitating Awesome Meetings
lara
35
4.8k
Building Adaptive Systems
keathley
29
1.5k
Building Your Own Lightsaber
phodgson
96
5k
Optimizing for Happiness
mojombo
366
66k
Git: the NoSQL Database
bkeepers
PRO
420
60k

Transcript

  1. 08"41;"1Ͱ
    ੬ऑੑ਍அ࢜ؾ෼ΛຯΘͬͯΈͨ࿩

    08"41&WFOJOH0LJOBXB-5
    ੴ઒ത

    View Slide

  2. ࣗݾ঺հ
    ੴ઒തʢ͍͔͠ΘͻΖ͠ʣ
    w ࣾ಺৘γεΠϯϑϥ୲౰
    w ɹɹɹ[email protected]

    View Slide

  3. 08"41;"1ͱ͸ʁ
    w 08"41;FE"UUBDL1SPYZ
    w 08"41ൃɺແྉͷηΩϡϦςΟπʔϧ
    w 8FCΞϓϦͷ੬ऑੑݕग़Λαϙʔτ
    w εύΠμʔػೳʢࣗಈΫϩʔϦϯάʣɺ

    "DUJWF4DBOʢ੬ऑੑ਍அ༻ͷݕࠪจࣈྻͰεΩϟϯʣɺ
    ϩʔΧϧϓϩΩγػೳʢखಈͰͷ੬ऑੑ਍அʣɺFUD
    w "1*Λୟ͍ͯ֎෦͔Βͷૢ࡞΋Մೳ
    ͱΓ͋͑ͣɺ๭Πϕϯτ༻ʹͭͬͨ͘

    ɹɹɹɹɹɹ͓ࢠ༷޲͚8FCΞϓϦΛ਍அͯ͠Έͨɻ

    View Slide

  4. ࢥߟλΠϓ਍அΞϓϦɿ/&0,JET
    w ࣭໰ʹ౴͑ͯࢥߟλΠϓΛ͸͖͡ग़͢ʂʂ

    View Slide

  5. /&0,JETͷߏ੒
    w ͜Μͳײ͡Ͱ͢ɻ
    AWS
    Lambda
    Amazon

    S3
    Amazon

    DynamoDB
    Amazon API
    Gateway
    3&45"1*
    ɾઃ໰ηοτ
    ɾ਍அ݁Ռ
    ɾઃ໰ηοτΛฦ͢
    ɾճ౴݁Ռͷ਍அ
    ɾ੩తWebαΠτ
    ɹɹɹɹ1$ʹ08"41;"1Λಋೖɹɹɹɹɹɹɹɹ

    View Slide

  6. ࠓճ΍ͬͨ͜ͱ
    w 1$ϩʔΧϧʹ08"41;"1Λಋೖͯ͠Έͨɻ
    w "DUJWF4DBOͰࣗಈ਍அΛ૸ΒͤͯΈͨɻ
    w ϓϩΩγػೳͰ௨৴Λվ͟Μͯ͠Έͨɻ
    ɹɹɹɹɹɹɹɹɹɹͷຊͰʔ͢

    View Slide

  7. ʢ̍ʣ08"41;"1ͷಋೖʢίϯςφʣ
    w ϩʔΧϧ1$ʢ.BDʣʹΠϯετʔϧ
    w ίϯςφͰ08"41;"1Λಈ͔ͯ͠Έ·ͨ͠ɻ
    w %PDLFSެࣜͷίϯςφΠϝʔδ͕͋Γ·͢ɻ

    IUUQTIVCEPDLFSDPNSPXBTQ[BQEPDLFSTUBCMF

    View Slide

  8. ʢ̍ʣ08"41;"1ͷಋೖʢίϯςφʣ
    w ଧͭ΂͠ʂʂ
    w 1$ίϯςφؒͰϘϦϡʔϜΛϚ΢ϯτ͓͚ͯ͠͹ɺϨϙʔτͷ
    ϑΝΠϧΛϩʔΧϧ؀ڥͰ΋ѻ͑Δ
    w ᶃʮ08"41;"1઀ଓ༻ʢ(6*ʣʯͱᶄʮϓϩΩγ༻ʯͰ

    ϙʔτϑΥϫʔσΟϯάΛͭઃఆ͢Δ
    w 8FCϒϥ΢β͔Β઀ଓʂʂ

    IUUQMPDBMIPTU BOPOZNUSVFBQQ;"1
    $ docker pull owasp/zap2docker-stable
    $ docker run -u zap -v /tmp/owaspzap:/home/zap
    -p 10001:8080 -p 10002:8090
    -i owasp/zap2docker-stable zap-webswing.sh

    View Slide

  9. ʢ̍ʣ08"41;"1ͷಋೖʢίϯςφʣ
    w ىಈʂʂʂʂʂ

    View Slide

  10. w ͜Μͳײ͡ʂʂʂʂʂ
    ʢ̍ʣ08"41;"1ͷಋೖʢίϯςφʣ

    View Slide

  11. ʢ̎ʣ"DUJWF4DBOͰ੬ऑੑνΣοΫ
    w "DUJWF4DBOػೳͱ͸ʁʁ
    w ର৅63-ʹରͯࣗ͠ಈͰ੬ऑੑεΩϟϯΛ࣮ࢪ
    w 63-ͷ୳ࡧ΋΍ͬͯ͘ΕΔɻ
    w ط஌ͷ੬ऑੑΛݕग़͢ΔͨΊͷจࣈྻͷ௥Ճɻ
    w ਍அ͕ʮ߈ܸʯͱ൑அ͞ΕΔ৔߹͕͋ΔͷͰɺવΔ΂͖ਃ੥Λɻ

    View Slide

  12. ʢ̎ʣ"DUJWF4DBOͰ੬ऑੑνΣοΫ
    w εΩϟϯதͷը໘
    w 63-୳ࡧ
    w 3FRVFTUͷ63-຤ඌʹʮRVFSZYYYʜʯΛ෇༩
    w ౷ܭ
    w ॲཧ࣌ؒʜ
    w ϦΫΤετ਺ʜ
    ฏۉϦΫΤετඵͰͨ͠ɻ
    ʢϐʔΫͰϦΫΤετඵ͙Β͍ʣ

    View Slide

  13. ʢ̎ʣ"DUJWF4DBOͰ੬ऑੑνΣοΫ
    w ग़·ͨ͠ɺ਍அ݁Ռɻ
    w ͋Γ·ͨ͠ɺ੬ऑੑɻ

    View Slide

  14. ʢ̎ʣ"DUJWF4DBOͰ੬ऑੑνΣοΫ
    w ਍அ݁Ռʢશͯ)551ϔομؔ࿈ʣ
    λΠϓ ϦεΫ ֓ཁ ରࡦ
    X-Frame-Options
    Header Not Set

    w ΫϦοΫδϟοΩϯά߈ܸͷϦεΫ
    w JGSBNFͰΛຒΊࠐΈɺݟ͑ͳ͍ʢಁ໌ͳʣ8FCϖ
    ʔδͷϘλϯΛΫϦοΫͤ͞Δɺ౳
    ɾ)551ϔομʹ
    ɹʮ9'3".&015*0/ʯΛ

    ɹઃఆ͢΂͠

    Web Browser XSS
    Protection Not
    Enabled

    w 944ʢΫϩεαΠτεΫϦϓςΟϯάʣͷϦεΫ
    w ϒϥ΢βଆͷ944ϑΟϧλ༗ޮԽͷઃఆ͕͞Ε͍ͯ
    ͳ͍ʢσϑΥϧτ͸༗ޮʹͳ͍ͬͯΔʣ
    ɾ)551ϔομʹ
    ɹʮ99441SPUFDUJPOʯΛ
    ɹઃఆ͢΂͠

    X-Content-Type-
    Options Header
    Missing

    w ϒϥ΢βଆͰҙਤ͠ͳ͍ಈ࡞ΛҾ͖ى͜͢ϦεΫ
    w ίϯςϯπλΠϓ͕ࢦఆ͞Ε͍ͯͳ͍ͷͰɺϒϥ΢
    βଆͰͷޡͬͨ൑அॲཧΛͯ͠͠·͏Մೳੑ͋Γ
    ɾ)551ϔομʹ
    ɹʮ9$POUFOU5ZQF0QUJPOTʯΛ

    ɹઃఆ͢΂͠

    View Slide

  15. w 08"41;"1ΛϓϩΩγαʔόͱͯ͠ར༻ɻ

    ௨৴Λશ෦೷͍ͪΌ͏ɺ)5514Ͱ΋೷͍ͪΌ͏ɻ
    ʢ08"41;"1Ͱσίʔυͪ͠Ό͏ɻʣ
    w Πϝʔδ͸͜Μͳײ͡ɻ
    ʢ̏ʣϓϩΩγػೳͰ௨৴ͷվ͟Μ
    w 08"41;"1ΛϓϩΩγαʔόͱͯ͠ࢦఆ
    w 08"41;"1Ͱ࡞੒ͨ͠$"ϧʔτূ໌ॻΛొ࿥

    View Slide

  16. ʢ̏ʣϓϩΩγػೳͰ௨৴ͷվ͟Μ
    w 3FTQPOTFͷσʔλͷ಺༰Λ֬ೝɻ
    ໊લͱ਍அ݁Ռ

    View Slide

  17. ʢ̏ʣϓϩΩγػೳͰ௨৴ͷվ͟Μ
    w ௚઀ॻ͖׵͑Δ͜ͱ͕Ͱ͖Δɻ
    վ͟Μ

    View Slide

  18. w վ͟Μ͞Εͨ਍அ݁Ռ͕දࣔɻ
    ʢ̏ʣϓϩΩγػೳͰ௨৴ͷվ͟Μ
    ઃܭͷ্ݶΛ
    ௒͑ͨ఺਺
    λΠϓͷҰۃԽ΋
    ઃܭ࣌ͷ૝ఆ֎

    View Slide

  19. ʢ̏ʣϓϩΩγػೳͰ௨৴ͷվ͟Μ
    w खಈͰΞϓϦΛૢ࡞͍ͯ͠Δ͏ͪʹɺ

    "DUJWF4DBOͰ͸ݕ஌Ͱ͖ͳ͔ͬͨ੬ऑੑ΍ɺ

    ୳ࡧର৅͔Β࿙Ε͍ͯͨ63-Λൃݟɻ
    w 501ϖʔδͰϑΥʔϜͷόϦσʔγϣϯʢະೖྗ͸/(ʣΛ

    ͍͍͔ͯͨͤ͠ɺҎ߱ͷϖʔδ͸νΣοΫͰ͖͍ͯͳ͔ͬͨ໛༷ɻ

    View Slide

  20. ৼΓฦΓ
    w ͓खܰʹ੬ऑੑ਍அ࢜ͬΆ͍ؾ෼͸ຯΘ͑ͨɻ
    w "DUJWF4DBOͰ͸ݟ͔ͭΒͳ͍੬ऑੑ΋͋ͬͨͷͰɺ
    ϚχϡΞϧૢ࡞ˠ஌ࣝɾϊ΢ϋ΢͕ඞཁɻ

    ʢո͍͠ͱ͜Ζʹ౰ͨΓΛ͚ͭͯखಈνΣοΫʣ
    w ֎෦ͷ੬ऑੑ਍அΛड͚Δલʹɺ08"41;"1Ͱ
    ηϧϑνΣοΫΛ͢Δͷ͸༗Γ͔΋ɻ

    ʢ੬ऑੑ૞ࡧπʔϧج൫Λ࡞ͬͯࣾ಺։์ɺͱ͔ʣ

    View Slide

  21. ͓·͚τϐοΫ
    w ॳΊͯ"84΁ͷϖωετϨʔγϣϯਃ੥ͨ͠ɻ
    w ਃ੥ϑΥʔϜ͕ӳޠ0OMZͳͷͰɺ

    Կͱॻ͚͹͍͍ͷ͔೰Έͳ͕Βਃ੥ɻ
    w ͕ɺ࠷ۙϙϦγʔมΘͬͨΑ͏Ͱʮਃ੥ෆཁʯͱճ౴
    ͕͖ͨɻ
    w %P4߈ܸɺେن໛ΠϕϯτҎ֎͸ਃ੥ෆཁʁ
    w /%"ʢൿີอ࣋ܖ໿ʣͷక݁͸ඞཁʁʁ

    ˠ"84͞Μʹ໰͍߹ΘͤதͰ͢

    View Slide

  22. ͓·͚τϐοΫ
    w %PDLFSίϯςφ൛ͷ08"41;"1
    w ίϯςφΠϝʔδʹ೔ຊޠϑΥϯτ͕ೖ͍ͬͯͳ͍ɻ
    w 08"41;"1ͷ΢Οϯυ΢Λ࠷େදࣔʹ͍ͯ͠Δͱɺ
    όοΫάϥ΢ϯυͷผ΢Οϯυ΢ʹؾ͚ͮͳ͍ɻɻ

    ˡ͜͏͍͏ͷɻ
    w ಉ࣌ར༻͸ηογϣϯ·Ͱʁ

    ʢผϒϥ΢β͔Βಉ࣌ʹܨ͍ͩΒΤϥʔʹͳͬͨɻʣ

    View Slide

  23. ͓·͚τϐοΫ
    w %PDLFSίϯςφ൛ͷ08"41;"1
    w ίϯςφىಈ͢Δͨͼʹ/BNF͕มΘΔ༡ͼ৺
    w [email protected]
    w [email protected]
    w [email protected]
    w [email protected]
    w [email protected]
    w [email protected]
    w ʜ
    ˞గਖ਼ʢਃ͠༁͋Γ·ͤΜͰͨ͠ʣ˞
    ͜Ε͸%PDLFSଆͷ࢓༷Ͱͨ͠ɻ
    Φʔϓϯιʔε൛%PDLFSͷίΞ෦෼Λ
    ίϯϙʔωϯτԽ͢Δʮ.PCZ1SPKFDUʯͱ͍͏
    औΓ૊Έ͕͋Γɺͦͷͳ͔ͷʮOBNFTHFOFSBUPSʯ
    Ͱίϯςφ໊Λੜ੒͍ͯ͠ΔΑ͏Ͱ͢ɻ
    ʢʡ@ʡͷࠨӈͷ୯ޠΛϥϯμϜͰ૊Έ߹Θͤʣ
    IUUQTHJUIVCDPNNPCZNPCZUSFFNBTUFS
    QLHOBNFTHFOFSBUPS

    View Slide