Slide 1

Slide 1 text

libinjection: from SQLi to XSS. Nick Galbreath, @ngalbreath, Signal Sciences Corp, [email protected]. Code Blue, Tokyo, 2014-02-18

Slide 2

Slide 2 text

This is also in English! Japanese version here →
https://speakerdeck.com/ngalbreath/codeblue2014-en-libinjection-from-sqli-to-xss
https://speakerdeck.com/ngalbreath/codeblue2014-jp-libinjection-from-sqli-to-xss

Slide 3

Slide 3 text

Nick Galbreath
@ngalbreath
• Founder/CTO of Signal Sciences Corp
• Previously: IponWeb (Moscow, Tokyo)
• Before that: Etsy.com (New York City)

Slide 4

Slide 4 text

What is "libinjection"?
• A small library for detecting SQLi attacks
• Written in C
• APIs for Python, lua and php
• First presented at Black Hat USA 2012
• Open source, BSD licensed
• https://github.com/client9/libinjection

Slide 5

Slide 5 text

Why libinjection?
• Almost all existing detection is done with regular expressions
• No unit tests
• No performance (speed) tests
• No source-code coverage tests
• No accuracy tests
• No false-positive tests

Slide 6

Slide 6 text

libinjection SQLi today
• Version 3.9.1
• 8000 SQLi fingerprints
• 400+ unit tests
• 85,000+ SQLi samples

Slide 7

Slide 7 text

Who uses it today
• mod_security WAF http://www.modsecurity.org/
• ironbee WAF https://www.ironbee.com/
• glastopf honeypot http://glastopf.org/
• private WAFs
• inside various companies
• third-party Java implementation https://github.com/Kanatoko/libinjection-Java
• third-party .NET implementation https://github.com/kochetkov/Libinjection.Net

Slide 8

Slide 8 text

XSS

Slide 9

Slide 9 text

Similarities with SQLi
• No standard library
• Where one exists, it has only limited tests
• Detection is regex-based
• Can we do better?

Slide 10

Slide 10 text

Two kinds of XSS
• HTML injection attacks
• JavaScript injection attacks

Slide 11

Slide 11 text

XSS: JavaScript injection
• DOM-style attacks
• Attacks against existing JavaScript code
• Real detection is only possible on the client
• A very hard problem

Slide 12

Slide 12 text

HTML injection
• HTML injection is an attack on the HTML tokenization algorithm (text "foo" turned into tags)
• The goal is to switch the HTML context into JavaScript and add new JavaScript
• These attacks should be detectable

Slide 13

Slide 13 text

HTML injection samples, one per context: raw HTML, a tag attribute name, a tag attribute value, inside quotes, inside quotes, and one that works in IE only!

Slide 14

Slide 14 text

HTML tokenization in web browsers
• Until recently, every browser tokenized HTML in its own way
• That produced all kinds of attacks built on broken HTML tags and unexpected characters and encodings
• Today almost every browser uses the algorithm specified by HTML5
• The HTML5 algorithm is very precise

Slide 15

Slide 15 text

All the steps: http://www.w3.org/html/wg/drafts/html/CR/syntax.html#tokenization

Slide 16

Slide 16 text

The steps are spelled out very precisely.

Slide 17

Slide 17 text

Over 60% of desktop browsers are HTML5 (http://tnw.co/1cqFueo)
IE 9      9%
IE 10    11%
IE 11    10%
Firefox  14%
Chrome   13%
Safari    5%
------------
HTML5    62%

Slide 18

Slide 18 text

90% of mobile browsers are HTML5 http://bit.ly/JQSZxb

Slide 19

Slide 19 text

The rest: IE6, IE7, IE8
• IE6 going away is only a matter of time
• IE7 has just 2% market share
• IE8 has 20% market share
• mostly on Windows XP
• Their share will not grow any further

Slide 20

Slide 20 text

libinjection XSS

Slide 21

Slide 21 text

HTML injection attacks on HTML5 web browsers
• Not: XML / XSLT injection
• Not: IE6, IE7, Opera, or old versions of FF and Chrome
• Not: DOM-style attacks

Slide 22

Slide 22 text

libinjection HTML5
• Complete HTML5 tokenization
• Builds no tree and no DOM
• Copies no data at all

Slide 23

Slide 23 text

Tokenization sample
TAG_NAME_OPEN   img
ATTR_NAME       src
ATTR_VALUE      junk
ATTR_NAME       onerror
ATTR_VALUE      alert(1);
TAG_NAME_CLOSE  >

Slide 24

Slide 24 text

Checking in different HTML contexts
Each input is checked in 6 different HTML contexts: raw HTML, a tag attribute name, a tag attribute value, inside quotes (two forms), and one case that only IE honours (IE only!).

Slide 25

Slide 25 text

Blacklisting problematic tokens
• Problematic tags, attributes and values are flagged
• Tags: …, and anything related to XML or SVG
• Attribute names: on* and so on
• Attribute values: javascript URLs
• etc.

Slide 26

Slide 26 text

Training data

Slide 27

Slide 27 text

XSS cheat sheets
• Most are out of date (Firefox 3!)
• Old attacks get dropped

Slide 28

Slide 28 text

HTML5SEC.org
• An excellent resource
• Some entries are old attacks that are no longer current

Slide 29

Slide 29 text

@soaj1664ashar
• Regularly develops new attacks
• If you like XSS, follow him
• http://bit.ly/1bwXTgn
• http://pastebin.com/u6FY1xDA
• http://bit.ly/1iXODkW

Slide 30

Slide 30 text

Attacks / scanners
• Use the output of XSS scanners
• The Shazzer fuzz database http://shazzer.co.uk/ (thanks to the ModSecurity team)

Slide 31

Slide 31 text

Current status

Slide 32

Slide 32 text

Available today
• github: https://github.com/client9/libinjection
• website: https://libinjection.client9.com/
• still alpha

Slide 33

Slide 33 text

    $ make test-xss
    ./reader -t -i -x -m 10 ../data/xss*
    ../data/xss-html5secorg.txt 149 False test 62_1
    ../data/xss-html5secorg.txt 151 False test 62_2
    ../data/xss-html5secorg.txt 153 False test 62_3
    ../data/xss-html5secorg.txt 352 False test 102
    ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--` --!>
    ../data/xss-soaj1664ashar.txt 21 False
    ../data/xss-xenotix.txt 17 False "'`>
    ../data/xss-xenotix.txt 19 False '`">javascript:alert(1)
    ../data/xss-xenotix.txt 610 False `"'>
    ../data/xss-xenotix.txt 613 False `"'>
    ../data/xss-xenotix.txt 615 False `"'>
    XSS   : 1628
    SAFE  : 11
    TOTAL : 1639
    Threshold is 10, got 11, failing.
1639 samples in total; 1628 correctly detected as XSS; 11 missed.

Slide 34

Slide 34 text

IE: quoting issues
• IE 8 behaves strangely with what are called "unbalanced quotes" in English (quotes that are not closed properly, and the like)
• Work on this issue is in progress

Slide 35

Slide 35 text

Performance: over … samples checked in … seconds

Slide 36

Slide 36 text

TO DO as of 2014-02-18
• Still alpha: there may well be some spectacular bugs hiding in it at this point
• QA for missed detections is not finished
• Some IE injections are not handled yet
• No test bed for experimentation (maybe later this week)
• Needs more QA and better code coverage
• No scripting-language bindings yet (coming soon)

Slide 37

Slide 37 text

[email protected] Thank you.