Slide 1

Learning with OWASP ZAP: an introduction to techniques for investigating the vulnerabilities lurking in web applications. 2016/2/26 #bpstudy @YuhoKameda

Slide 2

About me: Yuho Kameda : ykame (@YuhoKameda), ZAP Evangelist. Main work: web application vulnerability assessment, platform vulnerability assessment, SOC/CSIRT duties, emergency incident response staff...

Slide 3

ZAP Newsletter 2015/12: featured via an introduction from the ZAP project leader. http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html

Slide 4

Agenda
Scanner tool comparison: tools for finding vulnerabilities, compared and introduced from several angles.
Investigating vulnerabilities with OWASP ZAP: using a free tool aimed mainly at finding web application vulnerabilities, walking through the investigation workflow.

Slide 5

A quick poll
1. Who has heard of vulnerability assessment?
2. Whose company has commissioned or received a vulnerability assessment service?
3. Who has tried to find vulnerabilities in a live server or web app?
4. Who has used OWASP ZAP?

Slide 6

(Main topic) What is a security scanner?
A tool that applies a range of inspection techniques to detect vulnerabilities present in the target under test.
For web application vulnerability assessment: SQL injection, cross-site scripting, etc.
For platform vulnerability assessment: vulnerabilities present in particular middleware versions; vulnerabilities that depend on the SSL/TLS cipher suites and protocol versions, etc.

Slide 7

Introduction to security scanners

Slide 8

Web application security scanners
Paid: WebInspect, AppScan, Vex
Free: OWASP ZAP, Nikto, w3af

Slide 9

Platform security scanners (paid / free)

Slide 10

Differences between paid and free tools

Slide 11

Typical characteristics of security scanners
Item: paid scanner / free scanner
Test checks: many / few
Support: full / basically none
Report output: full / simple
False positives: relatively few / relatively many
Language: Japanese supported / mostly English
Price: very expensive / free
Public information: basically none / a great deal
Source code: closed / sometimes open
Operating environment: depends on the tool / depends on the tool
* Details differ from tool to tool; treat this as a rough guide only.

Slide 12

Differences between paid tools, free tools and ZAP

Slide 13

Typical characteristics of security scanners
Item: paid scanner / free scanner / OWASP ZAP
Test checks: many / few / many
Support: full / basically none / active community
Report output: full / simple / full (mostly English)
False positives: relatively few / relatively many / relatively few
Language: Japanese supported / mostly English / Japanese supported
Price: very expensive / free / free
Public information: basically none / a great deal / plenty
Source code: closed / sometimes open / open
Operating environment: depends on the tool / depends on the tool / Windows/Linux/Mac
* Details differ from tool to tool; treat this as a rough guide only.

Slide 14

How to find vulnerabilities

Slide 15

How to find web app vulnerabilities
Send a variety of requests to the running web application and analyze the responses to decide whether a vulnerability is present.
(1) Normal request: browse the web page with a browser or similar client
(2) Tampering by the proxy: change GET/POST/Cookie and other headers to invalid values
(3) Request as tampered with by the proxy
(4) Response from the server
(5) Logging of the exchange
(6) Response after passing through the proxy (the response itself can be tampered with where needed)
Components: browser, proxy, target under test

Slide 16

How to find web app vulnerabilities: send a test request
http://attack.local/search.php?q=word

Slide 17

How to find web app vulnerabilities: analyze the response
~omitted~

word

~omitted~

Slide 18

How to find web app vulnerabilities: send a test request
http://attack.local/search.php?q=">alert(document.cookie);word

Slide 19

How to find web app vulnerabilities: analyze the response
~omitted~

">alert(document.cookie);word

~omitted~
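An added example, not part of the deck, of the response analysis on slides 16-19: a harmless value is sent first to confirm the parameter is reflected, then the probe, and the page is classified by whether it returns the value raw (output encoding missing) or HTML-encoded. The search_page() function is a constructed stand-in for search.php, not code from the slides.

```python
import html

# Constructed to mirror the probe on slides 18-19 (the transcript lost the
# HTML tags around it, so the probe is used here exactly as it appears there).
CONTROL = "word"
PROBE = '">alert(document.cookie);word'


def classify_reflection(body: str, probe: str) -> str:
    """Classify how a submitted value came back in a response body.

    'raw'     : present verbatim, so output encoding is missing and the
                leading '">' would close an attribute value in the HTML
    'encoded' : only the HTML-escaped form is present (what PHP's
                htmlspecialchars() or Python's html.escape() produce)
    'absent'  : the value is not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def assess_parameter(control_body: str, probe_body: str) -> str:
    """Two-step check as on slides 16-19: confirm the parameter is reflected
    at all with a harmless value, then classify how the probe came back."""
    if CONTROL not in control_body:
        return "not-reflected"
    return classify_reflection(probe_body, PROBE)


def search_page(q: str, escape_output: bool) -> str:
    """Constructed stand-in for search.php: the hardened build escapes q,
    the weak build interpolates it straight into the HTML."""
    shown = html.escape(q, quote=True) if escape_output else q
    return f'<html><body><input name="q" value="{shown}"><p>{shown}</p></body></html>'


if __name__ == "__main__":
    for hardened in (False, True):
        verdict = assess_parameter(search_page(CONTROL, hardened),
                                   search_page(PROBE, hardened))
        print("escape_output=%s -> %s" % (hardened, verdict))
```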

Slide 20

How to find platform vulnerabilities: send a test request
http://attack.local/

Slide 21

How to find platform vulnerabilities: analyze the response

Slide 22

How to find platform vulnerabilities: analyze the response
The great majority are vulnerabilities caused by server/service configuration or by the versions in use.

Slide 23

Understanding vulnerabilities

Slide 24

Learn vulnerabilities by experiencing them: https://www.ipa.go.jp/security/vuln/appgoat/

Slide 25

Learn vulnerabilities by experiencing them: OWASP Broken Web Application (BWA), a bundle of vulnerable web applications (Java / ASP / PHP / Ruby on Rails...). https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Slide 26

OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

Slide 27

Introduction to vulnerabilities

Slide 28

No content

Slide 29

Inspection workflow

Slide 30

Inspecting a web application: select the web pages to assess, run the security scanner, then confirm and examine the detected results.

Slide 31

Inspecting a platform: select the IP addresses to assess, run the security scanner, then confirm and examine the detected results.

Slide 32

Inspection workflow using ZAP

Slide 33

Notice: if the actions described in these slides are performed against networks or computers that are not under your own control, they may be judged to be attacks. Perform them only against networks and servers that you control.

Slide 34

Environment setup
Install OWASP ZAP: OWASP ZAP 2.4.3 (released 2015/12/4), the assessment tool.
Install OWASP BWA: OWASP BWA 1.2 (released 2015/8/3), the application to be assessed.
Do try this yourself once you get home! Setup details are at the links below.
http://zapjp.blogspot.jp/
https://www.owasp.org/index.php/User:Yuho_Kameda

Slide 35

What is OWASP ZAP? OWASP ZAP (Zed Attack Proxy) is a tool that makes it easy to run a "vulnerability assessment" of a web application; it is a local proxy tool.
https://code.google.com/p/zaproxy/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Slide 36

What is OWASP BWA? OWASP Broken Web Application (BWA), a bundle of vulnerable web applications (Java / ASP / PHP / Ruby on Rails...). https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Slide 37

Looking for web app vulnerabilities: the target is the old WordPress included in BWA, WordPress 2.0.0; the latest release is 4.4.2 (2016/2/2).

Slide 38

Looking for web app vulnerabilities: browser settings when using a proxy tool (IE example)

Slide 39

Looking for web app vulnerabilities: decide the assessment scope. With "Include In Context" you can restrict the assessment to a specific directory subtree.

Slide 40

Looking for web app vulnerabilities: crawl the target (Spider). Select the page to start from and start the scan!

Slide 41

Looking for web app vulnerabilities: the result... a large number of pages were extracted!

Slide 42

Looking for web app vulnerabilities: active scan (sends test values to each parameter). Select the page to start from and start the scan!

Slide 43

Looking for platform vulnerabilities: identify open ports with a port scan

Slide 44

Looking for web app vulnerabilities: far too old, a huge number of [word illegible in the source]

Slide 45

Looking for platform vulnerabilities: review the detected information in the alerts. The request that was sent can also be replayed!

Slide 46

Confirm the vulnerabilities found!
The version is old... check the latest version and apply a version upgrade or patch!
The code is a mess... fix the code!
The configuration is still the default... configure it properly!

Slide 47

Introducing the ZAP community

Slide 48

Confirm the vulnerabilities found!
• OWASP ZAP Developer Group
– Members: 434
– Started: 2010/08/17
– Main topics
• ZAP development
• Extension development
• Bug fixes
• OWASP ZAP User Group
– Members: 431
– Started: 2012/05/22
– Main topics
• Questions about usage
• Requests for features to be implemented

Slide 49

Confirm the vulnerabilities found!
• ZAP translation project
• Japanese translation is 30% complete (as of 2015/2/10)
• Anyone can take part
• http://crowdin.com/owasp-zap/

Slide 50

Summary
First, try running an inspection against the servers and web apps in your development environment.
Consider a simple assessment with a security scanner during the test phase, and build a process that does not release while vulnerabilities are present.
Understand the vulnerabilities of the servers and web apps you manage ahead of time, and plan countermeasures.
Assess your web apps yourself / make use of assessment services.

Slide 51

Security check: security awareness with free tools! http://www.slideshare.net/zaki4649/free-securitycheck

Slide 52

Security check: basic vulnerability assessment techniques, free and low effort!
Infrastructure: port scanning, vulnerability scanning
Web applications: automated assessment, overview of ZAP's features, examples of vulnerabilities actually detected

Slide 53

Toward a job finding vulnerabilities: the Vulnerability Assessor (Web Application) Skill Map Project 2014, a joint WG of OWASP Japan and JNSA's ISOG-J. It maps the abilities a vulnerability assessor needs, from programming to network knowledge to ethics. The "Vulnerability Assessor (Web Application) Skill Map" was published on 2014/12/24.
https://www.owasp.org/index.php/Japan
http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf

Slide 54

Social Account
Twitter: @YuhoKameda
URL: https://www.owasp.org/index.php/User:Yuho_Kameda
E-mail: [email protected]