Slide 1
Slide 1 text
Securing Web Apps
with Modern
Platform Features
Securing Web Apps
with Modern
Platform Features
@sunecosuri
Date: 2019-06-19
Google I/O’19 ͷWebΛ·ͱΊΔձ
Λ·ͱΊͯΈΔ
Slide 2
Slide 2 text
Securing Web Apps
with Modern
Platform Features
ҙ
·ͱΊͯΈΔɺͱॻ͍ͨͷͷ
Ұ෦Λં͍ͬͯΔՕॴ͕͋ΔͨΊશͯ·ͱΊΒΕ͍ͯ·ͤΜ
ৄࡉݩͷಈըʹͳΔηογϣϯΛ͝ཡ͍ͩ͘͞
https://www.youtube.com/watch?v=DDtM9caQ97I
Slide 3
Slide 3 text
GMOϖύϘ ΤϯδχΞ
ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ
໐ւ ߂ً / @sunecosuri
ϚωʔδυΫϥυνʔϜ
Slide 4
Slide 4 text
Overview
Overview
XSSCSRFͳͲͷ͋Γ͕ͪͳ੬ऑੑ͖ʹͬͯWebΛ·ͤɺ·ͨGoogleͷ
Vulnerability Reward ProgramͰසൟʹใࠂ͞Ε͍ͯ·͢ɻ࠷৽ͷWebϓϥοτϑΥʔϜʹ
͓͚ΔηΩϡϦςΟͷΈΛֶΜͰɺ͋ͳͨͷαʔϏεΛΠϯδΣΫγϣϯ͔Β͍Ͱةݥͳ
αΠτ͔Βִ͠·͠ΐ͏ɻ
·ͨɺWebͰͬͱηϯγςΟϒͳΞϓϦΛक͍ͬͯΔGoogleͷηΩϡϦςΟνʔϜͷܦݧ
ʹΑͬͯಘΒΕͨϒϥβͷ৽ػೳʹΑͬͯɺ͋ͳͨͷΞϓϦέʔγϣϯΛकΔͨΊͷνΣοΫ
ϦετΛΓ·͠ΐ͏ɻ
͜ ͷ η ο γ ϣ ϯ ʹ ͭ ͍ ͯ
Slide 5
Slide 5 text
όάใࠂใ੍ۚͷڈͷׂ߹
Slide 6
Slide 6 text
Cross-site
scripting
Cross-site scripting (XSS)
I n j e c t i o n s
1. ϩάΠϯϢʔβʔ͕߈ܸऀͷϖʔδΛ๚
2. ߈ܸऀ͕ϢʔβʔΛ੬ऑͳURLʹ༠ಋ͢Δ
https://test.example/?query=
3. εΫϦϓτ͕࣮ߦ͞Εɺ߈ܸऀ͕ϢʔβʔͷઃఆʹΞΫηε͢Δ
Slide 7
Slide 7 text
XSS is
turai
͜ΕΒͷΠϯδΣΫγϣϯ߈ܸ
ʹରͯ͠XSSۀքશମͰେ͖
ͳͱͳ͍ͬͯΔ
Slide 8
Slide 8 text
Let’s start
CSP
·ͣɺίϯςϯπηΩϡϦςΟ
ϙϦγʔ͔Β࢝Ί·͠ΐ͏
Slide 9
Slide 9 text
Content
Security
Policy
Content Security Policy Level3
Ϧ ι ʔε ୯ Ґ Ͱ s c r i p t ͷ ࣮ ߦ Λ ੍ ޚ Ͱ ͖ Δ ػ ߏ
ΞϓϦέʔγϣϯͷεΫϦϓτ࣮ߦʹؔ͢Δ͖Ίࡉ͔͘
੍ޚ͢ΔΈΛಋೖͯ͠XSS͔Βޚ͢Δ
scriptͷ࣮ߦϓϥάΠϯͷಡΈࠐΈΛίϯτϩʔϧ͢Δ
͜ͱ͕Ͱ͖Δ
CSPɺదͳΤεέʔϓ·ͨXSSΛڐ༰͢ΔόάΛमਖ਼͢ΔͷͰ͋Γ·ͤΜ
Slide 10
Slide 10 text
How to
implement
Ͳ͏࣮ͬͯ͢Δͷ͔
Slide 11
Slide 11 text
Content
Security
Policy
CSPHTTP Response Header
Chrome dev tools ͷNetworkλϒ͔ΒͷΩϟϓνϟ
ࢦఆͨ͠Ϩεϙϯεʹؔ͢ΔϙϦγʔΛɺϒϥβଆͰ
औಘ͠ɺࢦఆͨ͠ϙϦγʔΛಡΜͰ࣮ߦՄ൱Λ੍ޚ͢Δ
Slide 12
Slide 12 text
support for
reports
CSPϨϙʔτઐ༻Ϟʔυα
ϙʔτ͍ͯ͠·͢
Slide 13
Slide 13 text
support for
reports
Slide 14
Slide 14 text
Content
Security
Policy
Nonce-Based CSP ͷߟ͑ํ
͜ͷΑ͏ʹCSPΛઃఆ͢Δͱ
nonce ͳ͠ͷscriptϒϥβʹΑͬͯϒϩοΫ
༗ޮͳnonceΛ࣋ͭεΫϦϓτλάͰ͋Ε࣮ߦ
্هͷΑ͏ͳnonceΛϦΫΤετ͝ͱʹมߋ͢Ε߈ܸऀ༧ଌͰ͖ͳ͍
Slide 15
Slide 15 text
CDNͱ͔ͷଞͷॴͰ
ϗετ͞Ε͍ͯΔJavaScript࣮ߦ
͞Εͳ͘ͳͬͯ͠·͏ͷͰ…ʁ
Slide 16
Slide 16 text
Content
Security
Policy
ͦͷͨΊͷ ‘strict-dynamic’
strict-dynamic Λ༻͢Δͱɺ͢Ͱʹ৴པ͞Ε͍ͯΔεΫϦϓτΛڐՄ͢Δ͜ͱͰɺ
nonceͷ͍ͭͨεΫϦϓτ͔Βੜ͞ΕͨεΫϦϓτ࣮ߦՄೳʹͳΔ
࣮ߦ͞ΕΔ
Slide 17
Slide 17 text
Content
Security
Policy
ͲͷΑ͏ʹಋೖ͢Δ͔
1. onclickhrefͰࢦఆ͞ΕΔΠϯϥΠϯΠϕϯτϋϯυϥʔΛͳ͘͢
2.αʔόʔαΠυςϯϓϨʔτʹͯnonceΛࢦఆ͢Δ
3.ϨεϙϯεϔομʔͰCSPΛࢦఆ͢Δ
Slide 18
Slide 18 text
Trusted
Types
Trusted-types
D o m ͷ ߋ ৽ ʹ ੍ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ
1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ͞ΕΔ
Trusted TypesΦϒδΣΫτͰͷΈɺDOMΛߋ৽Ͱ͖Δ
2.αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹूͰ͖Δ
https://github.com/WICG/trusted-types ʹͯɺ
શͯͷϒϥβͰػೳ͢Δ Polyfill ༻ҙ͞Ε͓ͯΓࢼͤΔΑ͏ʹͳ͍ͬͯΔ
Slide 19
Slide 19 text
1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞͢Δ
2. ϙϦγʔΛ༻ͯ͠৴པͰ͖ΔܕͷΦϒδΣΫτΛ࡞͢Δ
͋
3. ࡞ͨ͠ ”samplePolicy” Λ CSPheader ʹՃ͢Δ͜ͱͰར༻Ͱ͖Δ
Trusted
Types
Trusted-types
D o m ͷ ߋ ৽ ʹ ੍ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ
Slide 20
Slide 20 text
Trusted
Types
Default Policy String ͕ೖͬͨ࣌ͷ
fallbackͱͯ͠ػೳ͢Δ
1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞͢Δ
2. CSP headerʹՃ͢Δ
Slide 21
Slide 21 text
Trusted
Types
1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ͞ΕΔTrusted TypesΦϒδΣΫτͰͷΈɺ
DOMΛߋ৽Ͱ͖Δ
2. αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹूͰ͖Δ
ৄ͘͠ https://github.com/WICG/trusted-types
ͳʹ͕خ͍͠ͷ͔
T r u s t e d T y p e s ͷ
Slide 22
Slide 22 text
cross-site
request
forgeries
CSRFରࡦͷ
Slide 23
Slide 23 text
cross-site
request
forgeries
• same-origin: ಉ͡εΩʔϚɺϗετɺϙʔτΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ
- https://www.google.com/foo
- https://www.google.com/bar
• same-site: ಉ͡εΩʔϚͱυϝΠϯΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ
- https://mail.google.com
- https://photos.google.com
• cross-site: ͦͷଞ (https://www.youtube.com/, https://www.google.com/)
Origin ͱ Site ͷҧ͍ʹ͍ͭͯ
Slide 24
Slide 24 text
Sec-Fetch-Site
Sec-Fetch-Modeʹ͍ͭͯ
কདྷతʹheaderͰಉҰorigin͔corsͳͲผͰ͖Δ
Slide 25
Slide 25 text
͓͠·͍