Slide 1

Securing Web Apps with Modern Platform Features
@sunecosuri, 2019-06-19
My summary of this session, from the "Google I/O '19 Web recap" meetup

Slide 2

Note: although I called this a summary, some parts are abbreviated, so not everything from the session is covered.
For details, please watch the original session video:
https://www.youtube.com/watch?v=DDtM9caQ97I

Slide 3

GMO Pepabo, engineer, Hosting Division, Hosting Group, Managed Cloud Team
໐ւ ߂ً / @sunecosuri

Slide 4

Overview: about this session
Common vulnerabilities such as XSS and CSRF have plagued the web for a long time and are still frequently reported to Google's Vulnerability Reward Program. Learn the security mechanisms of the modern web platform, protect your service from injection, and isolate it from dangerous sites.
You will also learn a checklist for protecting your application with new browser features that grew out of the experience of Google's security team, which protects some of the most sensitive applications on the web.

Slide 5

The breakdown of last year's reports to the bug bounty program

Slide 6

Cross-site scripting (XSS): injections
1. A logged-in user visits the attacker's page.
2. The attacker leads the user to a vulnerable URL: https://test.example/?query=
3. The script runs, and the attacker gains access to the user's settings.

Slide 7

XSS is turai (painful)
Among these injection attacks, XSS is a major problem across the whole industry.

Slide 8

Let's start with CSP: first, let's begin with Content Security Policy.

Slide 9

Content Security Policy (Level 3)
A mechanism that controls script execution at the granularity of individual resources.
It introduces fine-grained control over the application's script execution in order to defend against XSS.
It can control which scripts execute and which plugins are loaded.
CSP does not replace proper escaping, nor does it fix the bugs that allow XSS.

Slide 10

How to implement: how do we put it in place?

Slide 11

Content Security Policy
CSP is an HTTP response header (captured here from the Network tab of Chrome DevTools).
The browser receives the policy attached to the response, reads it, and decides whether execution is permitted.

Slide 12

Support for reports: CSP also supports a report-only mode.

Slide 13

Support for reports

Slide 14

Content Security Policy: the idea behind nonce-based CSP
With CSP configured like this, scripts without a nonce are blocked by the browser, while script tags carrying a valid nonce are executed.
If the nonce shown above is changed on every request, an attacker cannot predict it.

Slide 15

But won't JavaScript hosted elsewhere, such as on a CDN, stop running…?

Slide 16

Content Security Policy: that is what 'strict-dynamic' is for
With strict-dynamic, trust is extended from scripts that are already trusted: a script created by a nonce-bearing script also becomes executable, and is executed.

Slide 17

Content Security Policy: how to adopt it
1. Remove inline event handlers specified via onclick or href.
2. Set the nonce in your server-side templates.
3. Specify the CSP in the response header.

Slide 18

Trusted Types
A mechanism for putting constraints on DOM updates.
1. The DOM can only be updated with Trusted Types objects produced by Trusted Type policies you define individually.
2. Sanitization logic can be concentrated in the policy objects.
A polyfill that works in every browser is provided at https://github.com/WICG/trusted-types, so you can try it out.

Slide 19

Trusted Types: a mechanism for putting constraints on DOM updates
1. Create a policy that defines the validation rules.
2. Use the policy to create objects of the trusted types.
3. Enable it by adding the created "samplePolicy" to the CSP header.

Slide 20

Trusted Types
The default policy acts as a fallback when a plain String is passed.
1. Create a policy that defines the validation rules.
2. Add it to the CSP header.

Slide 21

Trusted Types: what makes them worthwhile
1. The DOM can only be updated with Trusted Types objects produced by Trusted Type policies you define individually.
2. Sanitization logic can be concentrated in the policy objects.
For details, see https://github.com/WICG/trusted-types

Slide 22

Cross-site request forgeries: CSRF countermeasures

Slide 23

Cross-site request forgeries: the difference between Origin and Site
• same-origin: sites that share the same scheme, host and port
 - https://www.google.com/foo
 - https://www.google.com/bar
• same-site: sites that share the same scheme and domain
 - https://mail.google.com
 - https://photos.google.com
• cross-site: everything else (https://www.youtube.com/, https://www.google.com/)

Slide 24

Sec-Fetch-Site and Sec-Fetch-Mode
In the future, these headers will let the server tell whether a request is same-origin, CORS, and so on.

Slide 25

The end