Web技術の基本 7回目 / Introduction to Web technologies 7th class

Slide 1

Slide 1 text

Webٕज़ͷجຊ ୈ7ճ Keisuke KAMIYA

Slide 2

Slide 2 text

ࠓճͷςʔϚ

Slide 3

Slide 3 text

Chapter 6 WebͷηΩϡϦςΟͱೝূ

Slide 4

Slide 4 text

໨࣍ 1. WebγεςϜͷηΩϡϦςΟ 2. ύεϫʔυΫϥοΩϯά, DOS߈ܸ 3. WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ 4. ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ 5. WebγεςϜͷ੬ऑੑ 6. ϑΝΠΞʔ΢Υʔϧ 7. IDS, IPS 8. WAF 9. ҉߸Խ 10.ެ։伴ূ໌ॻ 11.ೝূ 12.ೝՄ 13.CAPTCHA

Slide 5

Slide 5 text

Slide 6

Slide 6 text

WebγεςϜͷηΩϡϦςΟ • WebγεςϜ͸೔ʑൃୡ͠, ৽ͨͳػೳ͕௥Ճ͞ΕΔ ‣ ৽ػೳΛѱ༻ͯ͠߈ܸΛ࢓ֻ͚Δ͜ͱ͕ଟʑ͋Δ - ݸਓ৘ใΛҾ͖ൈ͘ - ແବʹෛՙΛ͔͚Δ • WebγεςϜΛӡ༻্͍ͯ͘͠Ͱ, ηΩϡϦςΟରࡦ͸ ඞਢࣄ߲ ‣ ৗʹ৽ͨͳ߈ܸख๏ʹ͍ͭͯΞϯςφΛష͓ͬͯ͘ඞ ཁ͕͋Δ

Slide 7

Slide 7 text

WebγεςϜͷηΩϡϦςΟ • ৘ใηΩϡϦςΟ  ҎԼͷ3ͭΛҡ࣋͢Δ͜ͱʢISO/IEC17799ΑΓʣ ‣ ػີੑ(Conﬁdentiality)  ڐՄ͞Εͨਓ͚͕ͩ৘ใʹΞΫηεͰ͖Δ͜ͱ ‣ ׬શੑ(Integrity)  ৘ใ͕ഁյɾվ͟Μɾফڈ͞Ε͍ͯͳ͍͜ͱ ‣ Մ༻ੑ(Availability)  ඞཁͳ࣌ʹ͍ͭͰ΋ΞΫηεͰ͖Δ͜ͱ ৘ใͷCIAͱ΋ݺ͹ΕΔ

Slide 8

Slide 8 text

WebγεςϜͷηΩϡϦςΟ • ηΩϡϦςΟରࡦ͸ҎԼͷ3ͭʹ෼͚ͯߟ͑Δ ‣ ϦεΫ  ৘ใηΩϡϦςΟ͕ҡ࣋Ͱ͖Δ, ԿΒ͔ͷଛࣦ͕ൃੜ ͢ΔՄೳੑ ‣ ڴҖ  ϦεΫΛݱ࣮Խͤ͞ΔཁҼ ‣ ੬ऑੑ  ڴҖʹର͢ΔऑΈ

Slide 9

Slide 9 text

WebγεςϜͷηΩϡϦςΟ ػີ৘ใ ෆਖ਼ΞΫηε ڴҖ ෆਖ਼ΞΫηεΛڐ͢ ηΩϡϦςΟʔϗʔϧ ੬ऑੑ ৘ใγεςϜ ؅ཧऀ ϦεΫ ػີ৘ใΛୣΘΕΔͱ ࣾձత৴༻Λࣦ͏

Slide 10

Slide 10 text

WebγεςϜͷηΩϡϦςΟ • ιϑτ΢ΣΞͷΞοϓσʔτʹ͸, ੬ऑੑରࡦ͕੝Γࠐ ·Ε͍ͯΔ΋ͷ͕ଟ͍ ‣ ୯ʹػೳ௥ՃͰΞοϓσʔτ͍ͯ͠ΔΘ͚Ͱ͸ͳ͍ ‣ WindowsͰ͋Ε͹, Widows UpdateͰఏڙ • اۀ͕੬ऑੑରࡦύονΛ഑෍͢ΔલʹϢʔβʔʹ߈ ܸΛ࢓ֻ͚ΔθϩσΠ߈ܸͱ͍͏ڴҖ΋ଘࡏ͢Δ ‣ Bashͷ੬ऑੑͰ͜Μͳͷ͕͋Γ·ͨ͠Ͷ WebγεςϜͷηΩϡϦςΟ ऴྃ

Slide 11

Slide 11 text

Slide 12

Slide 12 text

ύεϫʔυΫϥοΩϯά DOS߈ܸ

Slide 13

Slide 13 text

ύεϫʔυΫϥοΩϯά • ύεϫʔυΫϥοΩϯά  IDͱύεϫʔυʹΑΔೝূΛߦͳ͏ձһ੍WebαΠτ ͔ΒϢʔβʔͷύεϫʔυΛൈ͖ग़ͦ͏ͱ͢Δ߈ܸ ‣ ༗໊ͳ߈ܸख๏ - Dictionary Attack - Brute-force Attack

Slide 14

Slide 14 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) • Dictionary Attack(ࣙॻ߈ܸ)  Α͘࢖ΘΕΔύεϫʔυʹ࢖ΘΕΔ୯ޠΛ·ͱΊͨ ϑΝΠϧʢࣙॻʣΛ༻ҙ͓͖ͯ͠, ॱ൪ʹࢼ͢ํ๏ %JDUJPOBSZ"UUBDL 123456 abcdef aaaaaa password admin Α͘࢖ΘΕΔ ύεϫʔυͷҰཡΛࢼ͢

Slide 15

Slide 15 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) • ຖ೥SplashData(ηΩϡϦςΟاۀ)͸ʮ࠷ѱͷύεϫʔυʯϥ ϯΩϯάΛൃද͍ͯ͠Δ • ࣍ͷΑ͏ͳ΋ͷ্͕Ґʹೖ͍ͬͯΔ ‣ 123456 ‣ password ‣ welcome ‣ starwars ‣ 123123 • ͦͷଞ͸ҎԼ͔Β  https://www.teamsid.com/worst-passwords-2017-full-list/

Slide 16

Slide 16 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) • OWASPͷSecListsʹ͸, ϋοΫ͞ΕΔՄೳੑͷߴ͍ύε ϫʔυ΍IDͷϦετ͕ࡌ͍ͬͯΔ ‣ OWASP͸, The Open Web Application Security Projectͱ͍͏ηΩϡϦςΟؔ࿈ͷίϛϡχςΟ ‣ GitHub্ʹͰެ։͞Ε͍ͯΔ  https://github.com/danielmiessler/SecLists

Slide 17

Slide 17 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) ༨ஊ • ͋Δ೔, “Remove my password from lists so hackers won’t be able to hack me”ͱ͍͏Pull Request͕… ‣ ͋ΔϢʔβʔ͕ࣗ෼ͷύεϫʔυ͕ࡌ͍ͬͯΔ͜ͱ ʹযͬͯ, ࡟আͨ͠ϑΝΠϧͰPull RequestΛૹͬ ͨͬΆ͍ ‣ ίϝϯτཝ͕େتརձ৔ʹͳͬͯ·ͨ͠  https://github.com/danielmiessler/SecLists/pull/155

Slide 18

Slide 18 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) ༁ɿࠓ͸999ݸͷύεϫʔυͳͷͰ, ϑΝΠϧ໊Λม͑ΔͷΛ๨Εͳ͍Ͱ

Slide 19

Slide 19 text

ύεϫʔυΫϥοΩϯά(Dictionary Attack) ༁ɿ͜Ε͸ηΩϡϦςΟʔϗʔϧͩ, ૣ͘Ϛʔδ͠ͳ͍ͱ ༁ɿdolphinsͳΒ҆৺ͩͧʢ࡟আ͞ΕͨͷͰʣ

Slide 20

Slide 20 text

ύεϫʔυΫϥοΩϯά(Brute-force Attack) • Brute-force Attack(૯౰Γ߈ܸ)  ύεϫʔυʹ࢖༻Մೳͳจࣈͷ૊Έ߹ΘͤΛશͯࢼ͢ ૯౰Γํࣜͷ߈ܸ #SVUFGPSDF"UUBDL 111111 ͢΂ͯͷύλʔϯΛ ࢼߦ͢Δ 111112 111113 111114 111115

Slide 21

Slide 21 text

ύεϫʔυΫϥοΩϯά(Brute-force Attack) • ύεϫʔυΛઃఆ͢Δ࣌ʹʮจࣈྻͷ௕͕͞୹͍ʯ΍ ʮ࢖༻͢Δจࣈछ͕গͳ͍ʯͱ͜ͷ߈ܸͷඃ֐ʹ߹͏ Մೳੑ͕ߴ͘ͳΔ ‣ ύεϫʔυʹ࢖͏จࣈྻ͸࣍ͷΑ͏ͳ఺ʹ஫ҙ͢Δ - ୹͗͢ΔύεϫʔυΛආ͚Δ  ୹͗͢ΔͱಥഁͰ͖ͯ͠·͏ - ӳ਺ࣈ͚ͩͰͳ͘ه߸΋࢖༻͢Δ  ૊Έ߹ΘͤΛෳࡶʹ͢Δ

Slide 22

Slide 22 text

ύεϫʔυΫϥοΩϯά DOS߈ܸ

Slide 23

Slide 23 text

DOS߈ܸ • DoS(Denial of Service)߈ܸ  ୹࣌ؒʹαʔό͕ॲཧ͖͠Εͳ͍Α͏ͳେྔͷΞΫηε Λߦͳ͏͜ͱͰ, αʔϏεఀࢭʹؕΒͤΔ߈ܸ ‣ ओͳखஈ - SYN Flood߈ܸ - F5 ߈ܸ - ping ﬂood  ICMP echo request(ping)ΛେྔʹૹΓ͚ͭΔ

Slide 24

Slide 24 text

DOS߈ܸ(SYN Flood) • SYN Flood߈ܸ  TCPͷίωΫγϣϯཱ֬ʹ࢖༻͢ΔSYNύέοτΛѱ༻ ͨ͠߈ܸ • ߈ܸํ๏ 1. SYNύέοτΛ߈ܸର৅ʹେྔʹૹΔ 2. SYN ACKύέοτ͕ฦͬͯ͘Δ 3. ͜ͷSYN ACKύέοτʹରͯ͠Ԡ౴Λ͠ͳ͍ - ߈ܸର৅ͷαʔό͸͠͹Β͘Ԡ౴Λ଴ͪଓ͚Δ

Slide 25

Slide 25 text

DOS߈ܸ(SYN Flood) • Ԡ౴Λ଴ͭؒ, αʔό͸ϝϞϦΛফඅ͢Δ ‣ Ұ౓ʹେྔʹϦΫΤετΛૹΓϝϞϦΛେྔফඅ SYNύέοτ SYN ACKύέοτ SYNύέοτ SYN ACKύέοτ SYNύέοτ SYN ACKύέοτ SYNύέοτ 4:/"$,ύέοτΛฦ͢΋ͷͷ ͦΕҎ߱ͷ Ԡ౴͕ͳ͍ͷͰ΢ΣΠϋϯυγΣΠΫͷ్தঢ়ଶ Ͱ଴ͪଓ͚Δ αʔό͕৽͍͠4:/ύέοτʹରԠͰ͖ͳ͘ͳΓ ผͷϢʔβʔ͕ΞΫηεͰ͖ͳ͘ͳΔ 4:/ύέοτΛେྔʹૹΔ

Slide 26

Slide 26 text

DOS߈ܸ(F5 Attack) • F5߈ܸ  ߈ܸର৅ͷαʔόʹ୹࣌ؒʹେྔͷΞΫηεΛߦ͏͜ͱ Ͱ, ෛՙΛߴΊॲཧΛෆՄೳʹ͢Δ߈ܸ ‣ F5Ωʔʹϒϥ΢βͷWebϖʔδͷ࠶ಡࠐػೳׂ͕Γ ౰ͯΒΕ͍ͯΔ͜ͱ͔Β໋໊ ϖʔδͷ࠶ಡࠐ ϖʔδͷ࠶ಡࠐ ϖʔδͷ࠶ಡࠐ ϖʔδͷ࠶ಡࠐ ϖʔδͷཁٻ େྔͷϦΫΤετ͕དྷΔͨΊߴෛՙʹ

Slide 27

Slide 27 text

DDoS߈ܸ • DDoS(Distributed Denial of Service)߈ܸ  DoS߈ܸͱ͸ҟͳΓ, ෳ਺ͷίϯϐϡʔλ͔Βಉ࣌ʹ߈ ܸΛ࢓ֻ͚Δํ๏ ‣ ओͳखஈ - Smurf  ICMP echo request(ping)Λ  ϒϩʔυΩϟετ͢Δ

Slide 28

Slide 28 text

DDoS߈ܸ(Smurf) • Smurf߈ܸ  ICMP echo request(ping)ͷੑ࣭Λར༻ͨ͠߈ܸ ‣ ѼઌΛ౿Έ୆ͷωοτϫʔΫΞυϨεʹ͢Δ 10.0.22.0/24 ѼઌΛ౿Έ୆ͷωοτϫʔΫ ͷϒϩʔυΩϟετΞυϨεʹ ૹ৴ݩΛ߈ܸର৅ͷΞυϨεʹ͢Δ͜ͱͰ, ICMP echo reply͕େྔʹૹΒΕΔ

Slide 29

Slide 29 text

ICMPͱ͸ • ICMP(Internet Control Message Protocol)  IPωοτϫʔΫͰ༻͍ΒΕΔϓϩτίϧͰ͋Γ, Τϥʔ ͷ௨஌΍ωοτϫʔΫͷ৘ใΛরձ͢ΔͨΊʹ࢖༻ ‣ RFC792Ͱنఆ ‣ ICMP͸શͯͷIPϞδϡʔϧ(ιϑτ΢ΣΞ)ʹ࣮૷͞Ε ͍ͯͳ͚Ε͹ͳΒͳ͍͙Β͍ॏཁ

Slide 30

Slide 30 text

ICMPͱ͸ • ICMPͷ༻్͸ओʹ2ͭ 1. Τϥʔ௨஌  ܦ࿏ͷ్தͰΤϥʔ͕ൃੜͨ͜͠ͱΛૹ৴ݩʹ௨஌ 2. ৘ใরձ  ૹ৴ݩͷϗετ͕ଞͷػثʹ৘ใΛ໰͍߹ΘͤΔ ‣ ໨తIPϗετͷଘࡏ֬ೝ, ωοτϚεΫ, ࣌ࠁͳͲ • ͜ΕΒͷ৘ใ͸λΠϓͱίʔυͷ૊Έ߹ΘͤͰදݱ ‣ Ұ෦Λ঺հ

Slide 31

Slide 31 text

ICMPͱ͸ λΠϓ ίʔυ ಺༰ छྨ ΤίʔԠ౴ ৘ใরձ Ѽઌ౸ୡෆೳ Τϥʔ௨஌ ѼઌωοτϫʔΫʹ౸ୡͰ͖ͳ͍ Ѽઌϗετʹ౸ୡͰ͖ͳ͍ ʜ ૹ৴ݩ཈੍ʢύέοτͷૹग़཈੍௨஌ʣ Τϥʔ௨஌ ϦμΠϨΫτ Τϥʔ௨஌ ࢦఆωοτϫʔΫ΁ͷ࠷దܦ࿏௨஌ ࢦఆϗετ΁ͷ࠷దܦ࿏௨஌ ʜ Τίʔཁٻ ৘ใরձ ʜ

Slide 32

Slide 32 text

DOS߈ܸ(Smurf) • ICMPͱ͍͏ϓϩτίϧ͸ඇৗʹॏཁͰ͸͋Δ͕, ௨ৗ ϧʔλଆͰःஅ͍ͯ͠Δ͜ͱ͕ଟ͍ ‣ ߈ܸʹ࢖ΘΕΔ͜ͱ͕ଟ͍ͨΊ • ةͳ͍ͳΒશͯࢭΊͯ͠·͑͹ྑͦ͞͏ ‣ IP௨৴͕શ͘Ͱ͖ͳ͘ͳΔ͜ͱ͸ͳ͍ ‣ ͕, ϒϥοΫϗʔϧϧʔλͷΑ͏ͳ͜ͱ΋ • ඞཁͳtypeͷΈ௨͢Α͏ͳઃఆΛ͢Δ΂͖ ύεϫʔυΫϥοΩϯά, DoS߈ܸ ऴྃ

Slide 33

Slide 33 text

Slide 34

Slide 34 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • ҎԼͷ2ͭͷ߈ܸʹ͍ͭͯղઆ 1. ηογϣϯϋΠδϟοΫ  ηογϣϯIDΛ౪ΜͰෆਖ਼ʹΞΫηε 2. σΟϨΫτϦτϥόʔαϧ  ./΍../ͱ͍͏จࣈΛ࢖ͬͯ, ௨ৗΞΫηεෆՄೳͳ ϑΝΠϧʹΞΫηε

Slide 35

Slide 35 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • ηογϣϯϋΠδϟοΫ ‣ ηογϣϯIDΛ౪ௌ͢Δ͜ͱͰ, ଞਓʹͳΓ͢·ͯ͠ ௨৴Λߦ͏߈ܸ - ϩάΠϯͯ͠࢖༻͢ΔWebγεςϜͰ͸, Cookie΍ ηογϣϯIDΛ࢖ͬͯϩάΠϯϢʔβʔΛ؅ཧ - ηογϣϯID͕෼͔Ε͹, ଞਓʹͳΓ͢·ͤΔ

Slide 36

Slide 36 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ ϢʔβʔID, ύεϫʔυ ηογϣϯIDͷൃߦ BCD ϦΫΤετ(SID=abc123) ௨ৗͷϩάΠϯ ϢʔβʔID, ύεϫʔυ ηογϣϯIDͷൃߦ BCD ηογϣϯϋΠδϟοΫ ౪ௌ ϦΫΤετ(SID=abc123)

Slide 37

Slide 37 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • σΟϨΫτϦτϥόʔαϧ ‣ ʮ./ʯ΍ʮ../ʯͳͲͷจࣈྻΛ࢖༻͢Δ͜ͱͰ, ௨ৗ ެ։͍ͯ͠ͳ͍৘ใʹΞΫηε͢Δ߈ܸ - index.html͔Β, /etc/passwordʹΞΫηε / etc/ user passwd var/ www/ index.html / etc/ user passwd var/ www/ index.html /index.html ../../etc/passwd

Slide 38

Slide 38 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ GET /index.html JOEFYIUNM ௨ৗͷϦΫΤετ GET ../../etc/password QBTTXPSE σΟϨΫτϦτϥόʔαϧ ͸্̍ͭͷσΟϨΫτϦΛද͢ಛघͳจࣈྻ 8FCެ։σΟϨΫτϦΑΓ্ͷ֊૚΁ḷ͍͖ͬͯ ެ։͞Ε͍ͯͳ͍ϑΝΠϧΛૹ৴ͤͯ͞͠·͏

Slide 39

Slide 39 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • PHPͷ࣮૷ͰݟͯΈΔ(WikiΑΓҾ༻) 1)1ͷϓϩάϥϜ )551ϦΫΤετ GET /vulnerable.php HTTP/1.0 Cookie: TEMPLATE=../../../../../../../../../etc/passwd

Slide 40

Slide 40 text

WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ • αʔόͷԠ౴͸࣍ͷΑ͏ʹͳΔ ‣ /etc/passwdͷத਎͕ݟ͑ͯ͠·͍ͬͯΔ HTTP/1.0 200 OK Content-Type: text/html Server: Apache root:fi3sED95ibqR6:0:1:System Operator:/:/bin/ksh daemon:*:1:1::/tmp: phpguru:f8fk3j1OIf31.:182:100:Developer:/home/users/phpguru/:/bin/csh Ҿ༻ɿhttps://ja.wikipedia.org/wiki/σΟϨΫτϦτϥόʔαϧ • ͜ͷΑ͏ͳจࣈྻΛड͚෇͚ͳ͍Α͏ʹϓϩάϥϜଆ ͰνΣοΫ͢Δඞཁ͕͋Δ WebγεςϜͷಛ௃Λར༻ͨ͠߈ܸ ऴྃ

Slide 41

Slide 41 text

Slide 42

Slide 42 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ • ҎԼͷ3ͭͷख๏ʹ͍ͭͯղઆ 1. ΫϩεαΠτεΫϦϓςΟϯά(XSS)  ೖྗ಺༰Λදࣔ͢ΔWebϖʔδʹର͢Δ߈ܸ 2. ΫϩεαΠτϦΫΤετϑΥʔδΣϦ(CSRF)  ϢʔβΛὃ͠, Ϣʔβ͕ҙਤ͠ͳ͍ϦΫΤετΛαʔόʹૹ ৴͢Δ 3. SQLΠϯδΣΫγϣϯ  ૹ৴͢Δ৘ใʹSQLΛຒΊࠐΉ͜ͱͰ, DBʹҙਤ͠ͳ͍ಈ ࡞ΛߦΘͤΔ

Slide 43

Slide 43 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ • ΫϩεαΠτεΫϦϓςΟϯά(XSS)  ܝࣔ൘αΠτͷΑ͏ͳ, Ϣʔβͷೖྗ಺༰Λදࣔ͢Δλ ΠϓͷWebαΠτͷ੬ऑੑΛಥ͘߈ܸ ‣ ѱҙͷ͋ΔϢʔβʔ͕εΫϦϓτΛೖྗ͢Δ͜ͱͰ, ೚ҙͷϢʔβʔͷը໘ʹεΫϦϓτ͕දࣔ͞ΕΔ - ϑΥʔϜʹJavaScriptͷalertλάΛ࢓ࠐΉ - ϖʔδΛڧ੍సૹͤ͞Δͱ͔ - ηογϣϯϋΠδϟοΫ

Slide 44

Slide 44 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ εΫϦϓτ͕ ຒΊࠐ·Εͨϖʔδ ᶄѱҙͷ͋ΔαΠτͷ ϦϯΫʹΞΫηε ᶅѱҙͷ͋ΔεΫϦϓτΛܝࣔ൘ʹॻ͖ ࠐΉΫϥΠΞϯτεΫϦϓτ͕ૹΒΕΔ ᶃѱҙͷ͋ΔεΫϦϓτΛࣗಈతʹ ܝࣔ൘ʹॻ͖ࠐΜͰ͠·͏ϦϯΫΛ දࣔ ᶆҙਤͤͣѱҙͷ͋ΔεΫ ϦϓτΛॻ͖͜ΜͰ͠·͏ ѱҙͷ͋Δϖʔδ ᶇϖʔδΛදࣔ ᶈܝࣔ൘ʹදࣔ͞Εͨѱҙ ͷ͋ΔεΫϦϓτΛ࣮ߦ

Slide 45

Slide 45 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ • ΫϩεαΠτϦΫΤετϑΥʔδΣϦ(CSRF)  ʮϩάΠϯ͕ඞཁͳαΠτʹରͯ͠ૢ࡞Λߦ͏ʯϦϯΫ ʹϢʔβʔ͕ΞΫηε͢Δ͜ͱͰඃ֐Λड͚Δ߈ܸ ‣ ͍ͨͣΒతॻ͖ࠐΈ ‣ ෆਖ਼αΠτ΁ͷ༠ಋ ‣ ෆਖ਼ͳॻ͖ࠐΈΛେྔʹߦͳ͏DoS߈ܸ - CSRF(γʔαʔϑ)ͱΑΈ·͢

Slide 46

Slide 46 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ SNS ᶄѱҙͷ͋ΔαΠτͷ ϦϯΫʹΞΫηε ᶅ4/4ͷૢ࡞Λߦͳ͏ΫϥΠΞϯτεΫ Ϧϓτ͕ૹΒΕΔ ᶃ4/4ͳͲʹରͯ͠ૢ࡞Λߦ͏Α͏ ͳϦϯΫΛදࣔ͢Δ ᶆࣄલʹ4/4ʹϩάΠϯ͍ͯ͠Δͱ ҙਤ͠ ͳ͍ૢ࡞Λߦͬͯ͠·͏ ѱҙͷ͋Δϖʔδ ᶇ4/4ଆ͸ϩάΠϯͨ͠ຊਓ͔Βͷૢ࡞ʹݟ͑ͯ͠·͏

Slide 47

Slide 47 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ • SQLΠϯδΣΫγϣϯ  SQLΛ࢖༻͢ΔλΠϓͷσʔλϕʔεΛ࢖༻͢ΔΞϓϦ έʔγϣϯʹରͯ͠, ຊདྷೖྗͱͯ͠࢖͏͜ͱ͕૝ఆ͞ Ε͍ͯͳ͍SQLจΛૠೖ͠߈ܸ͢Δํ๏ ‣ ࣮ࡍʹSQLจΛݟͯߟ͑ͯΈΔ

Slide 48

Slide 48 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ JE VTFS@JE QBTTXPSE NBJM@BEES :4% :4%!FYBNQMFDPN VTFSTςʔϒϧ RVFSZ 1)1Λ૝ఆ $query = <<

Slide 49

Slide 49 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ RVFSZ 1)1Λ૝ఆ $query = <<

Slide 50

Slide 50 text

ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ ΠϯδΣΫγϣϯରࡦ • จࣈྻ݁߹Λ࢖ͬͯSQLจΛ૊Έཱͯͳ͍ ‣ ΤεέʔϓॲཧΛ͔ͬ͠Γߦͳ͏ - ϓϨʔεϗϧμʔ, ม਺όΠϯυ, ϓϦϖΞʔ౓ε ςʔτϝϯτ ʢࢀߟʣSQLΠϯδΣΫγϣϯରࡦʹ͍ͭͯ  https://www.ipa.go.jp/ﬁles/000024396.pdf ΞϓϦέʔγϣϯͷ੬ऑੑΛૂ͏߈ܸ ऴྃ

Slide 51

Slide 51 text

Slide 52

Slide 52 text

WebγεςϜͷ੬ऑੑ • WebγεςϜͷ੬ऑੑΛ׬શʹແ͘͢͜ͱ͸ࠔ೉ Ҿ༻ɿ1. 2017೥ୈ4࢛൒ظɹιϑτ΢ΣΞ౳ͷ੬ऑੑؔ࿈৘ใʹؔ͢Δಧग़ঢ়گ(2018/1/25ܝࡌ) https://www.ipa.go.jp/security/vuln/report/vuln2017q4.html

Slide 53

Slide 53 text

ηΩϡϦςΟϗʔϧ θϩσΠ߈ܸ

Slide 54

Slide 54 text

WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • ηΩϡϦςΟϗʔϧ  ιϑτ΢ΣΞ੡඼ͷܽؕʹΑΓ, ݖݶ͕ͳ͍ͱຊདྷͰ͖ ͳ͍͸ͣͷૢ࡞͕ݖݶΛ࣋ͨͳ͍ϢʔβʔͰ΋࣮ߦͰ͖ ͯ͠·ͬͨΓ, ݟ͑Δ΂͖Ͱͳ͍৘ใ͕ݟ͑ͯ͠·͏Α ͏ͳෆ۩߹ ‣ Windows΍LinuxͳͲͷOS, Apache΍nginxͳͲͷ WebαʔόͳͲͷιϑτ΢ΣΞ͔Βൃݟ

Slide 55

Slide 55 text

WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • ൃݟ͞ΕͨηΩϡϦςΟϗʔϧ͸, ੬ऑੑରࡦ৘ใσʔ λϕʔεͰ؅ཧ͞Ε͍ͯΔ ‣ ࠃ಺֎ͷ੬ऑੑରࡦ৘ใ͕ܝࡌ͞Ε͍ͯΔ  https://jvndb.jvn.jp/ ‣ ੬ऑੑͷҰͭҰͭʹ൪߸͕ৼΒΕ͍ͯΔ - JVNDB-xxxx-xxxxxx - CVE-xxxx-xxx

Slide 56

Slide 56 text

WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • ੬ऑੑରࡦ৘ใσʔλϕʔεʹ͸ҎԼͷ৘ใ͕ܝࡌ ‣ ֓ཁ ‣ ਂࠁ౓ ‣ ରࡦ ‣ ϕϯμ৘ใʢ੬ऑੑ΁ͷରԠঢ়گʣ ‣ CVEʢڞ௨੬ऑੑࣝผࢠʣ • JVNDBͱCVE͸Կ͕ҧ͏ͷ͔ʁ

Slide 57

Slide 57 text

WebγεςϜͷ੬ऑੑʢηΩϡϦςΟϗʔϧʣ • CVE(Common Vulnerabilities and Exposures)  ڞ௨੬ऑੑࣝผࢠͱݺ͹ΕΔ΋ͷͰ, ΞϝϦΧͷMITRE ͕ࣾ࠾൪͍ͯ͠Δ੬ऑੑࣝผࢠͷ͜ͱ. ‣ ੬ऑੑରࡦ৘ใσʔλϕʔεಉ༷, ੬ऑੑ৘ใ͕ެ։ ͞Ε͍ͯΔ(http://cve.mitre.org/) • JVN͸CVEޓ׵ೝఆΛड͚͍ͯΔ ‣ ੬ऑੑϖʔδͷԼͷํʹCVE΋ॻ͍ͯ͋Δ ࢀߟϦϯΫɿhttps://www.ipa.go.jp/security/vuln/CVE.html

Slide 58

Slide 58 text

ηΩϡϦςΟϗʔϧ θϩσΠ߈ܸ

Slide 59

Slide 59 text

θϩσΠ߈ܸ • θϩσΠ߈ܸ  ൃݟ͞ΕͨηΩϡϦςΟϗʔϧʹର͢Δमਖ਼ϓϩάϥϜ ͕։ൃ͞ΕΔલʹ, ηΩϡϦςΟϗʔϧΛར༻ͨ͠߈ܸ Λ࢓ֻ͚Δ͜ͱ ‣ मਖ਼ϓϩάϥϜ͕഑෍͞ΕΔલͳͷͰ, ͸͖ͬΓͱ͠ ͨରԠࡦ͕ͳ͍ ‣ ϕϯμ͕Ұ࣌ճආࡦͳͲΛެද͍ͯ͠Δࣄ͕ଟ͍ͷͰ ৘ใΛऩू͢Δඞཁ͕͋Δ WebγεςϜͷ੬ऑੑ ऴྃ

Slide 60

Slide 60 text

Slide 61

Slide 61 text

ϑΝΠΞʔ΢Υʔϧ • ϑΝΠΞʔ΢Υʔϧ  Πϯλʔωοτͱ಺෦ωοτϫʔΫͷؒʹઃஔ͠, ૹड ৴͞ΕΔσʔλΛ؂ࢹͯ͠௨৴ͷڐՄɾڋ൱Λߦͳ͏ ΋ͷ Πϯλʔωοτ ϑΝΠΞʔ΢Υʔϧ Webαʔό ߈ܸऀ ڐՄ͞Εͨ௨৴Ҏ֎͸௨աͤ͞ͳ͍ ಺෦ωοτϫʔΫ

Slide 62

Slide 62 text

ϑΝΠΞʔ΢Υʔϧ • ύέοτϑΟϧλܕϑΝΠΞʔ΢Υʔϧ  ૹड৴͞ΕΔύέοτͷIPΞυϨεͱϙʔτ൪߸ΛνΣο Ϋ͢Δ͜ͱͰ, ௨৴ͷڐՄ/ڋ൱Λߦͳ͏΋ͷ ‣ ࣾ಺Ϣʔβʔ޲͚ͷWebγεςϜΛྫʹߟ͑Δ ϑΝΠΞʔ΢Υʔϧ Webαʔό ߈ܸऀ

Slide 63

Slide 63 text

ϑΝΠΞʔ΢Υʔϧʢࣾ಺޲͚ʣ ϑΝΠΞʔ΢Υʔϧ Webαʔό ߈ܸऀ ϑΟϧλ৚݅ ʲڐՄʳ ํ޲ɿΠϯλʔωοτˠ಺෦ ૹ৴ݩ*1ΞυϨεɿຊࣾɾࢧࣾͷ*1ΞυϨε ૹ৴ݩϙʔτ൪߸ɿશͯ Ѽઌ*1ΞυϨεɿ8FCαʔόͷ*1ΞυϨε Ѽઌϙʔτ൪߸ɿ ʲڋ൱ʳ ্هҎ֎͢΂ͯ ͦ΋ͦ΋ΞΫηεͰ͖ͳ͍

Slide 64

Slide 64 text

ϑΝΠΞʔ΢Υʔϧʢෆಛఆଟ਺޲͚ʣ • ͨͩ͠ෆಛఆଟ਺޲͚ͷαʔϏεͰ͸, ࣾ಺޲͚ͷΑ͏ ʹૹ৴ݩIPΞυϨεͰϑΟϧλϦϯά͢Δͷ͸೉͍͠ ‣ ϙʔτͷڐՄ͸࠷௿ݶʹͯ͠, ڐՄͨ͠ϙʔτʹର͠ ͯͷ߈ܸ͸͔ͬ͠Γͱରࡦ͢Δඞཁ͕͋Δ ϑΝΠΞʔ΢Υʔϧ Webαʔό ߈ܸऀ

Slide 65

Slide 65 text

ϑΝΠΞʔ΢Υʔϧʢෆಛఆଟ਺޲͚ʣ ϑΝΠΞʔ΢Υʔϧ Webαʔό ϑΟϧλ৚݅ ʲڐՄʳ ํ޲ɿΠϯλʔωοτˠ಺෦ ૹ৴ݩ*1ΞυϨεɿ͢΂ͯ ૹ৴ݩϙʔτ൪߸ɿશͯ Ѽઌ*1ΞυϨεɿ8FCαʔόͷ*1ΞυϨε Ѽઌϙʔτ൪߸ɿ ʲڋ൱ʳ ্هҎ֎͢΂ͯ ڐՄ͞Εͨϙʔτʹ͔͠ΞΫηε Ͱ͖ͳ͍ͷͰ ߈ܸखஈ͕ݶΒΕΔ ߈ܸऀ 80ͱ443͸։͚͍ͯΔͷͰ, ͜͜΁ͷ߈ܸ͸ରࡦ͕ඞཁ ϑΝΠΞʔ΢Υʔϧ ऴྃ

Slide 66

Slide 66 text

Slide 67

Slide 67 text

IDS, IPS • ϑΝΠΞʔ΢ΥʔϧͰ๷͖͗Εͳ͍߈ܸΛ๷͙खஈ ‣ IDS(Intrusion Detection System)  ෆਖ਼ͳΞΫηεΛ؂ࢹ͠, ݕ஌͢Δͱ௨஌͢Δ ‣ IPS(Intrusion Prevention System)  ෆਖ਼ͳΞΫηεΛ؂ࢹ͠, ݕ஌͢Δͱ௨஌͢Δͱͱ΋ ʹ௨৴Λःஅ͢Δ Πϯλʔωοτ ϑΝΠΞʔ΢Υʔϧ Webαʔό ωοτϫʔΫܕIDS/IPS

Slide 68

Slide 68 text

IDS, IPS • ෆਖ਼ͳ௨৴Λःஅ͢ΔIPSͷํ͕ڧݻͳηΩϡϦςΟΛ ࣮ݱՄೳ ‣ ҟৗͳ௨৴ͷݕ஌΋׬શͰ͸ͳ͘, ௨ৗͷ௨৴Λޡݕ ஌ͯ͠͠·͏͜ͱ΋ʢ௨৴ͷःஅʣ ‣ Մ༻ੑͷ௿Լʹͭͳ͕Δ • IDSͱIPS͸ద౰ʹ࢖͍෼͚Δ͜ͱ͕ඞཁ

Slide 69

Slide 69 text

IDS, IPS Webαʔό IDS ߈ܸऀ ҟৗΛݕ஌ Webαʔό IPS ߈ܸऀ ҟৗΛݕ஌ *%4 *14 ௨৴Λ ःஅ͢Δ ௨৴͸ ͦͷ··௨͢

Slide 70

Slide 70 text

IDS, IPSͷݕ஌ํ๏ • ෆਖ਼ΞΫηεͷݕ஌ʹ͸2ͭͷํ๏͕ଘࡏ͢Δ ‣ γάωνϟܕʢෆਖ਼ݕ஌ܕʣ  طଘͷ߈ܸख๏ʹ͓͚Δ௨৴ύλʔϯ͕ొ࿥͞Εͨσʔ λϕʔεʢγάωνϟʣΛ༻ҙ͓͖ͯ͠, ίϨͱরΒ͠ ߹ΘͤΔ͜ͱͰҟৗݕ஌Λߦͳ͏. (SYN Floodͱ͔) ‣ ΞϊϚϦʔܕʢҟৗݕ஌ܕʣ  ਖ਼ৗͰ͋Δঢ়ଶΛఆ͓͖ٛͯ͠, ͦΕ͔Β֎Εͨ৔߹͕ ҟৗͱΈͳ͢ IDS/IPS ऴྃ

Slide 71

Slide 71 text

Slide 72

Slide 72 text

WAF • WAF(Web Application Framework)  WebΞϓϦέʔγϣϯͷલͰ, ѱҙͷ͋Δσʔλؚ͕· Ε͍ͯͳ͍͔νΣοΫ͢ΔϑΝΠΞʔ΢Υʔϧ ‣ IDS/IPSΛ࢖͏͜ͱͰ, DoS߈ܸ౳ʹ͸ର߅Ͱ͖Δ - ͔͠͠, SQLΠϯδΣΫγϣϯ΍XSS, ύϥϝʔλվ ͟ΜͳͲͷ߈ܸ͸๷͙͜ͱ͜ͱ͕Ͱ͖ͳ͍ͨΊ WAFΛ࢖༻͢Δ

Slide 73

Slide 73 text

WAF ΠϯϑϥωοτϫʔΫ ʢར༻͞ΕΔιϑτ΢ΣΞʣ ιϑτ΢ΣΞ04  ར༻͞ΕΔιϑτ΢ΣΞ 8FCΞϓϦέʔγϣϯ  αΠτຖʹ։ൃ͞Εͨ෦෼ '8 कΔ෦෼ ੬ऑੑΛແ֐Խ *%4 *14 8"' F/WɿϑΝΠΞʔ΢Υʔϧ

Slide 74

Slide 74 text

WAF • ෆਖ਼ΞΫηεͷݕ஌ʹ͸2ͭͷํ๏͕ଘࡏ͢Δ ‣ ϒϥοΫϦετܕ  ಛఆͷύλʔϯʢϒϥοΫϦετʣͱরΒ͠߹Θͤͯѱҙͷ͋ Δ௨৴Λःஅ͢Δํ๏ - ৽ͨͳڴҖ͕ൃݟ͞Εͨ৔߹, Ϧετͷߋ৽͕͋Δ·Ͱରࡦ ෆՄೳ ‣ ϗϫΠτϦετܕ  ਖ਼ৗͳύλʔϯʢϗϫΠτϦετʣͱরΒ͠߹ΘͤͯͦΕʹద ߹͢Δ௨৴ͷΈ௨͢ - ਖ਼ৗͳ௨৴Λ௨͢ઃఆΛਖ਼͘͠ઃఆ͢Δඞཁ͋Γ

Slide 75

Slide 75 text

WAF F/W IDS/IPS WAF F/W IDS/IPS WAF ϒϥοΫϦετܕ ϗϫΠτϦετܕ ߈ܸऀ ߈ܸऀ 8"'ͷ։ൃݩ͔Βͷ ѱҙͷ͋ΔύλʔϯΛجʹর߹ ਖ਼ৗͳ௨৴ΛࣗΒͰఆٛͯ͠  νΣοΫ WAF ऴྃ

Slide 76

Slide 76 text

Slide 77

Slide 77 text

҉߸Խ • ҉߸Խ(Encryption)  ݩͷσʔλʢฏจʣΛ҉߸ԽΞϧΰϦζϜͰୈࡾऀ͕ಡ ΈऔΕͳ͍σʔλʢ҉߸จʣʹม׵͢Δ͜ͱ ‣ ໭͢͜ͱ͸෮߸ͱ͍͏ • ͜͜Ͱ͸҉߸ԽΛ2छྨʹ෼͚͔ͯ౤͛Δ 1. ௨৴ܦ࿏Ͱͷ҉߸Խ 2. อଘσʔλͷ҉߸Խ

Slide 78

Slide 78 text

௨৴ܦ࿏Ͱͷ҉߸Խ อଘσʔλͷ҉߸Խ

Slide 79

Slide 79 text

௨৴ܦ࿏Ͱͷ҉߸Խ • Ϣʔβʔͱͷσʔλͷ΍ΓऔΓʹ͸, ౪ௌ͞ΕΔͱࠔΔ σʔλ΋ଘࡏ͢Δ ‣ ࢯ໊΍ॅॴͳͲͷݸਓ৘ใ ‣ ΫϨδοτΧʔυ৘ใͷΑ͏ͳػີ৘ใ • ͜ͷΑ͏ͳσʔλ͸ฏจͰૹΔ΂͖Ͱ͸ͳ͍ ‣ HTTPͰ͸ͳ͘HTTPSΛ࢖༻͢Δ ‣ HTTPSͰ΋WebαΠτͦͷ΋ͷ͕ѱ࣭ͳ΋ͷͩͱμ ϝͳͷͰ, ࢖͏લʹ1౓͔֬ΊΔʢͦΕ͸ͦ͏ʣ

Slide 80

Slide 80 text

௨৴ܦ࿏Ͱͷ҉߸Խ อଘσʔλͷ҉߸Խ

Slide 81

Slide 81 text

อଘσʔλͷ҉߸Խ • αʔό΁ෆਖ਼৵ೖ͞Εͨ৔߹, ߈ܸऀ͸αʔό಺ͷσʔ λΛ؆୯ʹ౪Έग़͢͜ͱ͕ग़དྷͯ͠·͏ • ʢ࿦֎͚ͩͲʣύεϫʔυΛฏจͷ··σʔλϕʔε಺ ʹอଘ͢Δͷ͸ةݥ ‣ ສ͕Ұͷ͜ͱΛߟ͑ͯ, αʔό಺ͷσʔλΛ҉߸Խ

Slide 82

Slide 82 text

อଘσʔλͷ҉߸Խ • ࣌୅ͱڞʹ৭ʑߟҊ͞Εͨ ‣ ϓϨʔϯςΩετʢͦͷ··ʣ ‣ HashԽ  จࣈྻΛmd5ͱ͔ͰϋογϡԽ͢Δ ‣ SALT(MD5→SHA2)  ݩͷจࣈྻ+SALTͰϋογϡԽ ‣ ετϨονϯά ‣ bcrypt

Slide 83

Slide 83 text

อଘσʔλͷ҉߸Խ • ετϨονϯά  σʔλʹରͯ͠ϋογϡؔ਺Λෳ਺ճద༻ͯ͠อଘ͢Δ σʔλΛੜ੒͢Δํ๏ • BCrypt  Blowﬁsh҉߸ͷ࣮૷. ҎԼͷΑ͏ͳจࣈྻ͕ੜ੒͞ΕΔ $2a$10$vI8aWBnW3fID.ZQ4/zo1G.q1lRps.9cGLcZEiGDMVr5yUP1KUOYTa ҉߸Խ ऴྃ

Slide 84

Slide 84 text

Slide 85

Slide 85 text

ެ։伴ূ໌ॻ • ެ։伴ূ໌ॻ  ΍ΓऔΓ͢Δ૬ख͕ຊ෺Ͱ͋Δ͜ͱΛূ໌͢Δ΋ͷ ‣ ެ։伴҉߸ʹ࢖༻͢Δެ։伴ͷਖ਼౰ੑΛূ໌͢Δͨ Ίʹ࢖ΘΕΔ͜ͱ͕ଟ͍ͨΊ,SSLূ໌ॻͱ΋ݺ͹ΕΔ • ެ։伴ূ໌ॻͷ໾ׂ ‣ HTTPSʹ࢖͏ͨΊͷެ։伴ͷ࣋ͪओͷূ໌ ‣ ެ։伴ͷ࣋ͪओ͕ଘࡏ͢Δ͜ͱͷূ໌ʢ࣮ࡏূ໌ʣ

Slide 86

Slide 86 text

ެ։伴ূ໌ॻ • ެ։伴ূ໌ॻ͸, ೝূہ(CA:Certiﬁcate Authority)ͱݺ ͹ΕΔୈࡾऀػ͕ؔൃߦ͍ͯ͠Δ ‣ ঎༻͸༗ྉ͕ଟ͍͕, Let’s Encryptͱ͔ແྉͰ͢Ͷ • ূ໌ॻʹ͸༗ޮظݶ͕͋ΔͨΊ, ߋ৽࡞ۀ͕ඞཁ ‣ ߋ৽๨Ε͍ͯΔαΠτʹೖΔͱܯࠂ͕ग़Δϒϥ΢βͱ ͔͋Γ·͢ΑͶ • ࣗݾূ໌ॻʢΦϨΦϨূ໌ॻʣͬͯͷ΋͋Γ·͢ ‣ ͏ͪͷେֶͰ͢ ެ։伴ূ໌ॻ ऴྃ

Slide 87

Slide 87 text

Slide 88

Slide 88 text

ೝূ • ೝূ  ձһ੍αΠτͳͲͰ, IDͱύεϫʔυΛ࢖༻͠ຊਓ֬ೝ Λߦ͏ॲཧͷ͜ͱ ‣ ͔ͭͯೝূͱ͍͑͹, ֤αΠτ͝ͱʹIDͱύεϫʔυ ͕ඞཁͩͬͨ - ݱࡏͰ͸, Google΍Twitter, FacebookͳͲͷଞαʔ ϏεͷΞΧ΢ϯτΛ࢖༻͢Δ͜ͱͰೝূΛߦ͏αΠ τ͕૿Ճ

Slide 89

Slide 89 text

ೝূ DBαʔό Webαʔό ར༻ऀʢϒϥ΢βʣ ID:ozisan password:kfAD2% ID:ozisan password:kfAD2% ϩάΠϯڐՄ ϩάΠϯ੒ޭ ར༻αΠτ͕૿Ճ͢Δͱʜ Webαʔό ར༻ऀʢϒϥ΢βʣ ೝূ ೝূ ೝূ

Slide 90

Slide 90 text

ೝূ • ଞͷαʔϏεͷೝূγεςϜΛ࢖༻Մೳ ‣ Ϣʔβ  ࣗ਎͕؅ཧ͢ΔΞΧ΢ϯτͷ਺͕গͳ͘ͳΔ ‣ αΠτӡӦࣾ  ଞࣾͷγεςϜΛར༻͢ΔΑ͏ʹࣗ਎ͷWebαΠτ Λ࣮૷͢Δ͜ͱͰ, ݸผʹར༻ऀ৘ใΛ؅ཧ͢Δඞཁ ͕ແ͍

Slide 91

Slide 91 text

ೝূ Webαʔό ར༻ऀʢϒϥ΢βʣ ར༻ ར༻ ར༻ ೝূ Google (PPHMFͷΞΧ΢ϯτͰ ೝূΛߦ͏ WebαΠτ͝ͱͷೝূ͕ෆཁͳ͚ͩͰͳ͘, ϩάΠϯ৘ใΛѻ͏ඞཁ͕ͳ͍

Slide 92

Slide 92 text

ೝূʢೝূAPIʣ • ೝূAPI  ೝূΛߦ͏ॲཧͷAPI. ‣ ೝূΛߦͳ͏WebΞϓϦέʔγϣϯ͕ϢʔβʔΛೝ ূAPIʹ༠ಋ͠, ೝূAPI͔Βೝূ݁Ռͷ௨஌Λ΋Β͏ ͜ͱʹΑͬͯϩάΠϯ͢Δ.

Slide 93

Slide 93 text

ೝূʢೝূAPIʣ ར༻ऀʢϒϥ΢βʣ ᶃϩάΠϯͷཁٻ ೝূαΠτ ᶄೝূAPI΁ͷϩάΠϯࢦࣔ ᶇϩάΠϯ੒ޭ௨஌ ᶅϩάΠϯ ᶆೝূ׬ྃͷ௨஌ ೝূ"1*Λఏڙ͢ΔαΠτʹ ΞΧ΢ϯτ͕ଘࡏ͢Δඞཁ͕͋Δ ձһ੍αΠτ ʢཁϩάΠϯʣ

Slide 94

Slide 94 text

ೝূʢೝূAPIʣ • ೝূAPIͷܽ఺ ‣ Ϣʔβʔ͕, ೝূAPIఏڙଆͷΞΧ΢ϯτΛ͍࣋ͬͯ ͳ͍ͱೝূ͢Δ͜ͱ͕Ͱ͖ͳ͍ ‣ ֤ࣾ͝ͱʹAPIͷ࢓༷͕ҟͳ͍ͬͯΔͷͰ, ͦΕͧΕ ʹผͷίʔυͰରԠ͠ͳ͍ͱ͍͚ͳ͍ • ͜ΕΛղܾ͢ΔͨΊʹOpenID͕͋Δ

Slide 95

Slide 95 text

ೝূʢOpenIDʣ • OpenID  ೝূAPIͷʮ֤αʔϏε͝ͱʹAPIͷ࢓༷͕ҟͳΔʯͱ ͍͏໰୊఺Λղܾ͢ΔͨΊʹ, ೝূॲཧΛඪ४Խͨ͠ϓ ϩτίϧ ‣ OpenIDΛ༻͍ͨγεςϜͷ৔߹, 1ͭͷIDͱύεϫʔ υ͕͋Ε͹ෳ਺ͷαΠτʹϩάΠϯ͕Մೳʢಛఆͷ αʔϏεͷΞΧ΢ϯτʹґଘ͠ͳ͍ʣ

Slide 96

Slide 96 text

ೝূʢOpenIDʣ ձһ੍αΠτ ʢཁϩάΠϯʣ ར༻ऀʢϒϥ΢βʣ ᶃOpenIDΞΧ΢ϯτ ೝূαΠτ ᶅOpenID΁ͷϩάΠϯࢦࣔ ᶈϩάΠϯ੒ޭ௨஌ ᶆϩάΠϯ ᶇೝূ׬ྃͷ௨஌ 0QFO*%αΠτͷ͍ͣΕ͔ʹ ΞΧ΢ϯτ͕͋Ε͹Α͍ ᶄΞΧ΢ϯτΛ࣋ͭαΠτΛ ݕࡧ͠, ҉߸Խ伴Λަ׵ ೝূ ऴྃ

Slide 97

Slide 97 text

Slide 98

Slide 98 text

ೝՄ • ೝূͱೝՄͷҧ͍ ‣ ೝূ  ௨৴ͷ૬ख͕୭Ͱ͋Δ͔֬ೝ͠, ਖ਼نͷར༻ऀʢຊ ਓʣͰ͋Δ͜ͱΛ֬ೝ͢Δ͜ͱ ‣ ೝՄ  ೝূʹΑͬͯ֬ೝ͞Εͨར༻ऀʹରͯ͠, αʔϏεͷ ڐՄΛߦͳ͏͜ͱ - ࠓճ͸ͬͪ͜ͷ࿩

Slide 99

Slide 99 text

ೝՄ • ͨͱ͑͹TwitterͰߟ͑ͯΈΔͱ… ‣ ೝূ  user_Aͱ͍͏ΞΧ΢ϯτͰϩάΠϯ ‣ ೝՄ  user_A໊ٛͷ౤ߘʹ͍ͭͯ͸ฤूandӾཡΛڐՄ͠, ͦͷଞͷΞΧ΢ϯτͷ౤ߘʹ͍ͭͯ͸ӾཡͷΈڐՄ ͢Δ • ͜ͷྫͩͱೝূͱೝՄ͕ີ݁߹

Slide 100

Slide 100 text

ೝՄ • ͔͠͠, ೝূͱೝՄΛผʹߟ͑Δ͜ͱ͕ଟ͘ͳͬͨ ‣ TwitterͰ͍͑͹, ୈࡾऀ͕ఏڙ͍ͯ͠ΔΫϥΠΞϯτ ͔ΒαʔϏεΛར༻ͨ͠Γ, ΞϓϦ͔ΒTwitterʹγΣ ΞΛߦͳ͏ػೳͳͲ - ೝՄͷҕৡΛߦͳ͏ඞཁ͕͋Δ • ͜ΕΛ࣮ݱ͢Δํ๏ ‣ OAuth ‣ OpenID Connect

Slide 101

Slide 101 text

ೝՄʢOAuthʣ • OAuth  αΠτΛ·͍ͨͩೝՄʢݖݶͷೝՄʣΛ࣮ݱ͢ΔͨΊʹ ඪ४Խ͞Εͨϓϩτίϧ ‣ ݖݶͷೝՄΛߦͳ͏͚ͩͰ, ೝূ͸ߦΘͳ͍ ‣ ୈࡾऀʹIDͱύεϫʔυΛ౉͢͜ͱແ͘֎෦αʔϏεΛ ར༻͢Δ͜ͱ͕Մೳ ‣ τʔΫϯΛൃߦ͢Δ͜ͱͰ, ͦͷτʔΫϯΛ࣋ͬͨΫϥ ΠΞϯτʹݖݶΛҕৡ͢Δ • OAuthͷཧղʹ͸4ͭͷ୯ޠΛ஌͍ͬͯΔඞཁ͕͋Δ

Slide 102

Slide 102 text

ೝՄʢOAuthʣ • ϦιʔεΦʔφʔʢΤϯυϢʔβʔʣ  αʔϏεΛར༻͍ͯ͠ΔϢʔβʔ • ೝՄαʔόʔ  ೝՄΛߦ͍τʔΫϯΛൃߦ͢Δαʔό ‣ ϦιʔεαʔόͱಉҰͷαʔόͰ͋Δ͜ͱ͕͋Δ • Ϧιʔεαʔό  σʔλ͕ஔ͔Ε͍ͯΔαʔό • ΫϥΠΞϯτ  αʔϏεΛར༻͢ΔWebαΠτ΍ΞϓϦ

Slide 103

Slide 103 text

ೝՄʢOAuthʣ • ॲཧͷྲྀΕ 1. ΫϥΠΞϯτ͕ϦιʔεΦʔφʔʹڐՄΛཁٻ 2. ϦιʔεΦʔφʔ͕ڐՄ 3. ೝূαʔόʹτʔΫϯൃߦͷґཔ 4. ڐՄͷਖ਼౰ੑΛ֬ೝ͠τʔΫϯΛൃߦ 5. τʔΫϯΛ༻͍ͯαʔϏεʹ౤ߘ

Slide 104

Slide 104 text

ೝՄʢOAuthʣ ᶃڐՄཁٻ ᶄڐՄ ᶅτʔΫϯͷཁٻ ᶆτʔΫϯΛ ఏࣔ͠౤ߘ ᶇτʔΫϯΛఏࣔ͠౤ߘ 'BDFCPPL  ʢΫϥΠΞϯτʣ 5XJUUFS  ʢϦιʔεαʔόʣ Ϣʔβʔ  ʢϦιʔεΦʔφʔʣ

Slide 105

Slide 105 text

ೝՄʢOpenID Connectʣ • OpenID Connect  OAuth2.0Λϕʔεʹೝূػೳ͕௥Ճ͞Εͨϓϩτίϧ ‣ ೝূػೳ+ೝՄػೳΛಉ࣌ʹ࣮ݱͰ͖ΔͷͰ, OAuth ͷΑ͏ʹผ్ೝূͷํ๏Λ༻ҙ͢Δඞཁ͕ͳ͍ ‣ ͜ͷεϥΠυ͕Θ͔Γ΍ͦ͢͏  https://www.slideshare.net/kura_lab/openid- connect-id ೝՄ ऴྃ

Slide 106

Slide 106 text

Slide 107

Slide 107 text

CAPTCHA • CAPTCHA  ΫϥΠΞϯτ͕ίϯϐϡʔλ͔ਓ͔Λ൑அ͢Δ΋ͷ ‣ Completely Automated Public Turing Test To Tell Computers and Humans Apart(ίϯϐϡʔλͱਓؒ Λ۠ผ͢ΔͨΊͷ׬શʹࣗಈԽ͞Εͨެ։νϡʔϦ ϯάςετʣͷུ

Slide 108

Slide 108 text

CAPTCHA • ਓؒʹ͸༰қʹ(?)࣮ࢪͰ͖Δ͕, ίϯϐϡʔλͰ͸ࠔ೉ ͳॲཧΛߦΘͤΔ͜ͱͰ, ίϯϐϡʔλͰࣗಈԽͨ͠େ ྔ౤ߘεΫϦϓτͳͲΛ๷͙ ‣ ୅දతͳ΋ͷʹʮ࿪ΜͩจࣈͷಡΈऔΓʯ͕͋Δ Ҿ༻ɿhttps://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html ͜Εͨ·ʹਓ΋ಡΈऔΕͳ͍ͷ͋Γ·ͤΜ͔…ʁ

Slide 109

Slide 109 text

CAPTCHA • จࣈͷಡΈऔΓ͚ͩͰ͸ͳ͘, ʮը૾ͷू߹ͷத͔Βࢦ ఆͨ͠छྨͷ΋ͷ͚ͩΛΫϦοΫ͢Δʯ΋ͷ΍, ʮύζ ϧͷϐʔεΛυϥοάͯ͠ਖ਼͍͠Ґஔʹ͸ΊΔʯͱ͍ͬ ͨΑ͏ͳ΋ͷ΋͋Δʢେม໘౗ʣ • Google͕։ൃͨ͠reCAPTCHAͰ͸ͦͷΑ͏ͳૢ࡞͕ ෆཁʹ ‣ ඍົͳ৔߹͸ࠓ·ͰͷΑ͏ͳCAPTCHAͷ൑ఆΛߦ͏ ৔߹΋͋Δ Ҿ༻ɿhttps://www.ipa.go.jp/security/awareness/vendor/programmingv2/contents/103.html CAPTCHA ऴྃ

Slide 110

Slide 110 text

ࢀߟϦϯΫ

Slide 111

Slide 111 text

ࢀߟϦϯΫ • ৘ใηΩϡϦςΟϚωδϝϯτͷن֨΍ඪ४(IPA)  https://www.ipa.go.jp/security/manager/protect/pdca/ risk_ass.html • ηογϣϯϋΠδϟοΫ  https://ja.wikipedia.org/wiki/ηογϣϯϋΠδϟοΫ • σΟϨΫτϦτϥόʔαϧ  https://ja.wikipedia.org/wiki/σΟϨΫτϦτϥόʔαϧ • ඿দ޻ۀߴߍ ωοτϫʔΫٕज़ࢿྉ

Slide 112

Slide 112 text

ࢀߟϦϯΫ • ΫϩεαΠτεΫϦϓςΟϯά(XSS)  https://www.trendmicro.com/ja_jp/security-intelligence/ research-reports/threat-solution/xss.html • ΫϩεαΠτϦΫΤετϑΥʔδΣϦ(CSRF)  https://www.trendmicro.com/ja_jp/security-intelligence/ research-reports/threat-solution/csrf.html • SQLΠϯδΣΫγϣϯରࡦʹ͍ͭͯ  https://www.ipa.go.jp/ﬁles/000024396.pdf • ڞ௨੬ऑੑࣝผࢠCVE֓આ  https://www.ipa.go.jp/security/vuln/CVE.html

Slide 113

Slide 113 text

ࢀߟϦϯΫ • WAFɺIPS/IDSɺF/W(ϑΝΠΞ΢Υʔϧ)ͱͷҧ͍  https://www.websecurity.symantec.com/ja/jp/theme/ waf-ips-ids • ύεϫʔυอଘํ๏ͷաڈͱݱࡏͦͯ͠ະདྷ  http://kengos.jp/2015/09/13/password.html • Α͘Θ͔ΔೝূͱೝՄ  https://dev.classmethod.jp/security/authentication- and-authorization/ • ͍Β͢ͱ΍  https://www.irasutoya.com/