Slide 1
Slide 1 text
ϑϩϯτΤϯυ։ൃͷͨΊͷ
ηΩϡϦςΟೖ
ฏ ণ࢜ (@shisama_)
Slide 2
Slide 2 text
ฏ ণ࢜ / Masashi Hirano
Frontend Developer
@shisama_
shisama
Node.js Core Collaborator
ࣾձਓେֶੜ@UoPeople
Slide 3
Slide 3 text
ʲએʳ2݄13ʹॻ੶Λग़൛͠·͢ʂ
੬ऑੑͷΈͱରࡦΛίʔυ
Λॻ͖ͳ͕ΒֶΔϋϯζΦϯ
ܝࡌ͍ͯ͠·͢ʂ
ࠓॻ੶͔Βൈਮͨ͠༰Λ
ൃද͠·͢ɻ
ϑϩϯτΤϯυ։ൃͷͨΊͷηΩϡϦςΟೖ
Slide 4
Slide 4 text
WebΞϓϦέʔγϣϯʹ
ͲΜͳηΩϡϦςΟϦεΫ͕͋Δͷ͔
Slide 5
Slide 5 text
WebΞϓϦέʔγϣϯͰൃੜ͢ΔηΩϡϦςΟϦεΫ
08"415PQ
" ΞΫηε੍ޚͷෆඋ
" ҉߸Խͷࣦഊ
" ΠϯδΣΫγϣϯ
" ҆શ͕֬ೝ͞Εͳ͍ෆ҆ͳઃܭ
" ηΩϡϦςΟͷઃఆϛε
" ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ
" ࣝผͱೝূͷࣦഊ
" ιϑτΣΞͱσʔλͷ߹ੑͷෆ۩߹
" ηΩϡϦςΟϩάͱϞχλϦϯάͷࣦഊ
" αʔόʔαΠυϦΫΤετϑΥʔδΣϦ
Slide 6
Slide 6 text
• ҉߸Խͷࣦഊ
• ΞΫηε੍ޚͷෆඋ
• ΠϯδΣΫγϣϯ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
Slide 7
Slide 7 text
• ҉߸Խͷࣦഊ ➡ ௨৴σʔλͷ҉߸Խ
• ΞΫηε੍ޚͷෆඋ ➡ CORSΛͬͨΞΫηε੍ޚ
• ΠϯδΣΫγϣϯ ➡ XSSରࡦ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ ➡ ੬ऑͳϥΠϒϥϦͷνΣοΫ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
Slide 8
Slide 8 text
• ҉߸Խͷࣦഊ ➡ ௨৴σʔλͷ҉߸Խ
• ΞΫηε੍ޚͷෆඋ ➡ CORSΛͬͨΞΫηε੍ޚ
• ΠϯδΣΫγϣϯ ➡ XSSରࡦ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ ➡ ੬ऑͳϥΠϒϥϦͷνΣοΫ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
Slide 9
Slide 9 text
Webϖʔδͷදࣔϒϥβͱαʔόͷ௨৴͔Β͡·Δ
HTML
JS
WebαΠτͷαʔό
site.example
ଞͷWebαΠτCDNͷαʔό
JSON
Ϣʔβ͕WebαΠτΞΫηε
HTMLͳͲͷϦιʔεΛૹ৴
WebαΠτͱผͷαʔόϦΫΤετ
ϦιʔεΛૹ৴
Slide 10
Slide 10 text
Webϖʔδͷදࣔϒϥβͱαʔόͷ௨৴͔Β͡·Δ
HTML
JS
WebαΠτͷαʔό
site.example
ଞͷWebαΠτCDNͷαʔό
JSON
Ϣʔβ͕WebαΠτΞΫηε
HTMLͳͲͷϦιʔεΛૹ৴
WebαΠτͱผͷαʔόϦΫΤετ
ϦιʔεΛૹ৴
௨৴ʹ)551ͱ͍͏ϓϩτίϧ
͕ΘΕ͍ͯΔ
௨৴్தͰ߈ܸΛ͞ΕΔͱɺϒϥβ
αʔόͰରࡦ͍͍ͯͯ͠ແҙຯ
Slide 11
Slide 11 text
HTTPͷऑ
• ௨৴σʔλͷ౪ௌ͕Մೳ
• ௨৴૬ख͕ຊ͔Θ͔Βͳ͍
• ௨৴σʔλͷվ͟Μ
Slide 12
Slide 12 text
௨৴σʔλͷ౪ௌ
• HTTPͷσʔλ҉߸Խ͞Ε͍ͯͳ͍ฏจͷ··ૹ৴͞ΕΔ
• ௨৴్தͰ߈ܸऀ͕౪ௌ͢Δͱ
σʔλ͕ݟ͑ͯ͠·͏
Slide 13
Slide 13 text
௨৴૬ख͕ຊ͔Θ͔Βͳ͍
• ௨৴ઌͷαʔό͕ຊ͔Ͳ͏͔ূ໌Ͱ͖ͳ͍
• ِͷαʔό͕ຊʹͳΓ͢·͢͜ͱ͕Ͱ͖Δ
• URLͰͷΈ௨৴૬खΛ
ಛఆ͢ΔͨΊɺِ͔
Ͳ͏͔Θ͔Βͳ͍
Slide 14
Slide 14 text
௨৴σʔλͷվ͟Μ
• ௨৴σʔλͷ༰͕ਖ਼͍͔͠ݕূ͢ΔΈ͕ͳ͍
• ͨͱ͑ɺϒϥβ͕ૹ৴ͨ͠σʔλͱαʔό͕ड৴ͨ͠σʔλ͕Ұ
க͢Δ͔ݕূͰ͖ͳ͍
• ௨৴్தͰվ͟Μʢॻ͖͑ʣ
͕͋ͬͯݕͰ͖ͳ͍
Slide 15
Slide 15 text
HTTPSԽͰHTTPͷऑͷࠀ
• ௨৴σʔλͷ҉߸Խ
• ௨৴૬खͷݕূ
• վ͟ΜνΣοΫ
Slide 16
Slide 16 text
HTTP௨৴ͷલʹ҉߸Խ௨৴Λ
ཱ֬͢Δ
Slide 17
Slide 17 text
௨৴σʔλͷ҉߸Խ
• TLSͱ͍͏ϓϩτίϧΛར༻ͯ͠௨৴Λ҉߸Խ͢Δ
• ҉߸Խʹʮެ։伴҉߸ํࣜʯͱʮڞ௨伴҉߸ํࣜʯΛ༻͍Δ
ެ։伴҉߸ํࣜɿ҉߸伴ͷड͚͠؆୯͕ͩॲཧ͕͍
ڞ௨伴҉߸ํࣜɿ҉߸伴ͷड͚͍͕͠͠ॲཧ͍
Slide 18
Slide 18 text
௨৴૬खͷݕূ
• ిࢠূ໌ॻΛͬͯ௨৴૬ख͕ຊ͔ݕূ͢Δ
• ిࢠূ໌ॻೝূہʢCAʣ͕ൃߦͨ͠ͷΛ͏
• ϒϥβʹ͋Β͔͡Ίϧʔτূ໌ॻͱݺΕΔిࢠূ໌ॻ͕Έࠐ
·Ε͓ͯΓɺαʔό͔Βड͚औͬͨిࢠূ໌ॻͱরΒ͠߹Θͤͯূ໌
ॻ͕ຊ͔ݕূ͢Δ
• ূ໌ॻِ͕ͩͬͨ߹ɺϒϥβܯࠂը໘Λදࣔ͢Δ
Slide 19
Slide 19 text
վ͟ΜνΣοΫ
• ҉߸௨৴ͷͨΊʹૹ৴ͨ͠҉߸伴ిࢠূ໌ॻʹվ͟Μ͕ͳ͍͔
νΣοΫ͢Δ
• ͠҉߸伴ిࢠূ໌ॻʹվ͟Μ͕͋ΕɺͦͷޙͷHTTP௨৴҆
શͰͳ͍ͨΊ௨৴Λऴྃ͢Δ
Slide 20
Slide 20 text
WebαΠτશମͷHTTPSԽʢৗ࣌SSLԽʣ͕ඞਢʹͳ͖͍ͬͯͯΔ
• IABʢΠϯλʔωοτΞʔΩςΫνϟҕһձʣ͕ʮ৽͘͠ϓϩτίϧ
Λઃܭ͢Δͱ͖҉߸ػೳΛඞਢʹ͖͢ʯͱओு
• HTTPଓͷ߹ɺϒϥβͷURLόʔʹܯࠂ͕
දࣔ͞ΕΔ
• HTTPSଓͷϖʔδͰ͔͑͠ͳ͍API͋Δ
ྫɿPayment Request API
Slide 21
Slide 21 text
WebαΠτΛHTTPSԽͷͨΊʹ͢Δ͜ͱ
• Mixed ContentΛमਖ਼͢Δ
• HTTP→HTTPSͷϦμΠϨΫτઃఆ
• HSTSΛઃఆ͢Δ
Slide 22
Slide 22 text
Mixed Contentͷةݥੑ
• 1ͭͷϖʔδ্ͰHTTPSͰ৴͞ΕͨϦιʔεͱHTTPͰ৴͞ΕͨϦ
ιʔε͕ࠞࡏ͢Δ͜ͱΛMixed ContentͱݺͿ
• HTML͕HTTPSʹ৴͞Ε͍ͯͯαϒϦιʔεͷJavaScriptͳͲ͕
HTTPͰ৴͞Ε͍ͯΔͱɺ͔ͦ͜Β߈ܸ͞ΕΔՄೳੑ͕͋Δ
• Chrome DevToolsͳͲΛ͍ͳ͕ΒMixed ContentΛमਖ਼͠ͳ͚Ε
ͳΒͳ͍
Slide 23
Slide 23 text
No content
Slide 24
Slide 24 text
HTTP→HTTPSͷϦμΠϨΫτઃఆ
• http://͔Β͡·ΔURLͷϦϯΫ͕ଞͷWebαΠτʹషΒΕ͍ͯΔͳ
Ͳͷࣄ͔ΒHTTP৴ΛΊΔ͜ͱ͕Ͱ͖ͳ͍͜ͱ͋Δ
• HTMLʹαϒϦιʔεͷURLΛϕλॻ͖͍ͯ͠ΔͳͲͷ߹ɺҰʹ
मਖ਼͍͠ͷͰHTTP৴Λ͓ͯ͘͠έʔε͋Δ
• αʔόଆͰHTTPͷϦΫΤετΛͯ͢HTTPSϦμΠϨΫτ͢Δઃ
ఆΛೖΕΔ
Slide 25
Slide 25 text
HSTSΛઃఆ͢Δ
• HSTSʢHTTP Strict Transport Securityʣϒϥβ͔Βૹ৴͢ΔϦΫ
ΤετΛHTTPSʹڧ੍͢Δ͜ͱ͕Ͱ͖Δػೳ
• Strict-Transport-SecurityϔομΛड͚औͬͨϒϥβͦͷWebαΠ
τͷ࣍ճҎ߱ͷϦΫΤετHTTPSͰߦ͏
• HSTSͷظݶΛઃఆ͢Δ
max-age͕ඞਢ
Slide 26
Slide 26 text
αϒυϝΠϯʹHSTSΛઃఆ͢Δ
• Strict-Transport-Security:
includeSubdomainsͰ
αϒυϝΠϯʹHSTSΛ
ద༻ͤ͞Δ͜ͱ͕Մೳ
Slide 27
Slide 27 text
PreloadΛ͑ॳճ͔ΒHTTPSΛڧ੍Ͱ͖Δ
Slide 28
Slide 28 text
• ҉߸Խͷࣦഊ ➡ ௨৴σʔλͷ҉߸Խ
• ΞΫηε੍ޚͷෆඋ ➡ CORSΛͬͨΞΫηε੍ޚ
• ΠϯδΣΫγϣϯ ➡ XSSରࡦ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ ➡ ੬ऑͳϥΠϒϥϦͷνΣοΫ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
Slide 29
Slide 29 text
֎෦͔ΒͷΞΫηεʹΑΔ
• ෳͷWebαΠτͷίϯςϯπΛ1ͭͷWebϖʔδͰར༻͢Δ͜ͱ͕
Մೳ
• APIͷݺͼग़͠ɺiframeΛͬͨίϯςϯπͷຒΊࠐΈɺը૾ͷऔ
ಘ etc…
• ͋ΒΏΔWebαΠτ͔Β੍ݶͳ͠ʹΞΫηεͰ͖Δঢ়ଶʹͳ͍ͬͯΔ
ͱػີใͷ࿙͍͑վ͟ΜͳͲͷ߈ܸͷՄೳੑ͕͋Δ
Slide 30
Slide 30 text
֎෦͔ΒͷΞΫηεʹΑΔ
Slide 31
Slide 31 text
Originͱ͍͏ڥք
• ϒϥβʹ֎෦ͷΞΫηεΛ੍ݶ͢ΔOriginͱ͍͏ڥքઢ͕ઃ͚
ΒΕ͍ͯΔ
• OriginεΩʔϜ+ϗετ໊+ϙʔτ൪߸ͷΈ߹ΘͤΛࢦ͢
Slide 32
Slide 32 text
Originͱ͍͏ڥք
• 2ͭͷURLͷOrigin͕ಉ͡߹ɺಉҰΦϦδϯʢSame OriginʣͱݺͿ
• 2ͭͷURLͷOrigin͕ҟͳΔ߹ɺΫϩεΦϦδϯʢCross Origin)ͱ
ݺͿ
Slide 33
Slide 33 text
Same Origin Policy(ಉҰΦϦδϯϙϦγʔɺSOP)
• ϒϥβҰ෦ͷσʔλͷΓऔΓΛSame Origin͚ͩʹ੍ݶ͍ͯ͠
Δɻͬ͘͟Γݴ͏ͱ͜Ε͕Same Origin Policy
Slide 34
Slide 34 text
Same Origin PolicyʹΑΔ੍ݶର
• JavaScriptʢfetchɺXHRʣΛͬͨΫϩεΦϦδϯͷϦΫΤετ
• JavaScriptΛͬͨiframeͷΫϩεΦϦδϯͷϖʔδͷΞΫηε
• ΫϩεΦϦδϯͷը૾ΛಡΈࠐΜͩཁૉͷσʔλͷΞΫ
ηε
• Web StorageIndexedDBʹอଘ͞ΕͨΫϩεΦϦδϯͷσʔλͷ
ΞΫηε
Slide 35
Slide 35 text
• ͨͱ͑ɺfetchؔΛͬͯΫϩεΦϦδϯϦΫΤετΛૹ৴͢
Ε͜ͷΑ͏ͳΤϥʔ͕ൃੜ͢Δ
JavaScriptʢfetchɺXHRʣΛͬͨ
ΫϩεΦϦδϯͷϦΫΤετ
Slide 36
Slide 36 text
Cross Origin Resource SharingʢCORSʣ
• CORSΛ͑ɺΫϩεΦϦδϯؒͷϦΫΤετΛڐՄ͢Δ͜ͱͰ͖
Δ
• JavaScriptʢfetchɺXHRʣΛͬͨΫϩεΦϦδϯͱͷσʔλͷΓ
ͱΓ͕ՄೳʹͳΔ
Slide 37
Slide 37 text
CORSͷΈ
• ΫϩεΦϦδϯͷαʔόϦΫΤετࣗମૹ৴͞ΕͯɺϨεϙϯε
ฦͬͯ͘Δ
• ϨεϙϯεͷCORSϔομʹΑͬͯαʔό͕ڐՄͨ͠ϦΫΤετͱ
அͨ͠ΒɺϒϥβϨεϙϯεͷσʔλͷऔΓग़͠ΛڐՄ͢Δ
Slide 38
Slide 38 text
CORSͷΈ
• αʔό͕ڐՄͨ͠Origin͔Ͳ͏͔ఆ͢ΔͨΊʹ
Access-Control-Allow-Originͱ͍͏ϨεϙϯεϔομΛར༻͢Δ
ྫ `Access-Control-Allow-Origin: https://site.example`
Slide 39
Slide 39 text
CORSͷ՝
• σʔλΛऔͬͯ͘Δ͚ͩͳΒ͜͜·Ͱͷઆ໌Ͱͳ͍
• σʔλΛߋ৽ɾআͳͲ෭࡞༻Λى͜͢ϦΫΤετͷ߹ɺϦΫΤ
ετࣗମΛ͙ඞཁ͕͋Δ
• ͨͱ͑σʔλΛআ͢ΔϦΫΤετ͕ૹ৴͞Εͯαʔόಧ͘ͱ
αʔόϨεϙϯεΛฦ͢લʹσʔλΛআͯ͠͠·͏͔͠Εͳ͍
• Access-Control-Allow-OriginϔομͰɺϦΫΤετΛड͚औͬͨ
αʔόͷಈ࡞·Ͱ੍ޚͰ͖ͳ͍
Slide 40
Slide 40 text
CORSͷ՝
ᶃ σʔλΛআ͢ΔϦΫΤετΛૹ৴
ᶅ Access-Control-Allow-OriginΛؚΉ
ϨεϙϯεΛૹ৴
ᶄ σʔλͷআॲཧΛ࣮ߦ
ᶆ ϨεϙϯεΛഁغ
ϨεϙϯεσʔλഁغͰ͖ͯɺ
σʔλͷআࢭΊΕ͍ͯͳ͍
Slide 41
Slide 41 text
CORSͷΈʢϓϦϑϥΠτϦΫΤετʣ
• ෭࡞༻Λى͜͢Α͏ͳϦΫΤετࣄલʹͳ͍͔֬ೝ͢Δ
ϓϦϑϥΠτϦΫΤετͱݺΕΔϦΫΤετ͕ૹ৴͞ΕΔ
• ϓϦϑϥΠτϦΫΤετʹOPTIONSͱ͍͏HTTPϝιου͕ར༻͞
Εɺ࣮ࡍͷσʔλͷߋ৽ɾআॲཧ͠ͳ͍
• ϨεϙϯεຊจʹσʔλΛؚΊͳ͍
Slide 42
Slide 42 text
CORSͷΈʢϓϦϑϥΠτϦΫΤετʣ
Slide 43
Slide 43 text
ϓϦϑϥΠτϦΫΤετ͕ૹ৴͞ΕΔ݅
• GETɺHEADɺPOSTҎ֎ͷHTTPϝιου͕ར༻͞ΕΔͱ͖
• AcceptɺAccept-LanguageɺContent-LanguageɺContent-TypeҎ֎
ͷHTTPϔομ͕ૹ৴͞ΕΔͱ͖
Slide 44
Slide 44 text
ϓϦϑϥΠτϦΫΤετͰૹ৴͞ΕΔϔομ
Slide 45
Slide 45 text
No content
Slide 46
Slide 46 text
• ҉߸Խͷࣦഊ ➡ ௨৴σʔλͷ҉߸Խ
• ΞΫηε੍ޚͷෆඋ ➡ CORSΛͬͨΞΫηε੍ޚ
• ΠϯδΣΫγϣϯ ➡ XSSରࡦ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ ➡ ੬ऑͳϥΠϒϥϦͷνΣοΫ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
ଞʹ42-ΠϯδΣΫγϣϯͳͲ͕
͋Δ͕ࠓ944͚ͩઆ໌͠·͢
Slide 47
Slide 47 text
XSSͱ
• ΫϩεαΠτεΫϦϓςΟϯάʢCross-Site Scriptingʣ
• Webϖʔδ্ͷJavaScriptͷܽؕΛૂ͏߈ܸख๏
• ෆਖ਼ͳεΫϦϓτΛૠೖʢΠϯδΣΫγϣϯʣ࣮ͯ͠ߦ͢Δ͜ͱͰػ
ີใͷ౪ΜͩΓɺϖʔδͷվ͟ΜΛߦͬͨΓ͢Δ
• ଞͷ੬ऑੑʹൺͯใࠂ͕݅ଟ͍
Slide 48
Slide 48 text
XSSͷڴҖ
• ػີใͷ࿙͍͑
• ِใͷදࣔ
• ҙਤ͠ͳ͍ૢ࡞ͷ࣮ߦ
• ηογϣϯใୣऔʹΑΔɺͳΓ͢·͠
• ِͷೖྗϑΥʔϜදࣔʹΑΔϑΟογϯά
Slide 49
Slide 49 text
XSSͷڴҖ
• YouTubeTwitterͳͲେ͖ͳαʔϏεඃΛड͚ͨ͜ͱ͕͋Δ
Slide 50
Slide 50 text
3छྨͷXSS
• ࣹܕXSSʢRe
fl
ected XSS)
• ੵܕXSSʢStored XSSʣ
• DOM-based XSS
Slide 51
Slide 51 text
ࣹܕXSS (Re
fl
ected XSS)
ᶃ ߈ܸऀ͕༻ҙͨ͠ϖʔδʹΞΫηε
ᶄ εΫϦϓτΛύϥϝʔλʹ
ͯ͠ରαΠτʹભҠ
alert("XSS") ?token=“”/>alert(“XSS")
Slide 52
Slide 52 text
ࣹܕXSSͷಛ
• αʔόͰϨεϙϯεͷHTMLΛΈཱͯΔͱ͖ʹϦΫΤετʹؚ·
ΕͨXSSͷίʔυΛͦͷ··HTMLөͯ͠͠·͏
• ϦΫΤετʹෆਖ਼εΫϦϓτؚ͕·Ε͍ͯΔͱ͖ͷΈʹൃੜ͢Δ
• ෆਖ਼ͳεΫϦϓτΛؚΉϦΫΤετΛૹ৴ͨ͠Ϣʔβʔ͚͕ͩඃΛ
ड͚Δ
Slide 53
Slide 53 text
ੵܕXSS (Stored XSS)
ᶃ ϑΥʔϜ͔ΒPOST
ᶄ POST͞Εͨ
Λͦͷ··อଘ
alert(“xss")
alert(1)
ᶅ ଞͷϢʔβʔ͕αΠτʹΞΫηε
ᶆ DBͷΛHTMLʹө
Slide 54
Slide 54 text
ੵܕXSSͷಛ
• αʔόૹ৴͞Εͨෆਖ਼εΫϦϓτΛσʔλϕʔεͳͲʹอଘͯ͠͠
·͍ӬଓతʹXSSͷةݥ͕͋Δ
• σʔλϕʔεͷ༰͕ө͞ΕΔશͯͷϢʔβʔ͕ඃΛड͚Δ
• σʔλϕʔε͔Βෆਖ਼εΫϦϓτΛؚΉσʔλΛআ͢ΔͳͲରॲ͠
ͳ͍ݶΓɺඃࢭ·Βͳ͍
Slide 55
Slide 55 text
DOM-based XSS
const hash = decodeURIComponent(location.hash.slice(1));
document.querySelector('#result').innerHTML = hash;
ϩέʔγϣϯϋογϡͷΛ
JavaScriptͰૠೖ
Slide 56
Slide 56 text
DOM-based XSSͷಛ
• ϒϥβ্ͷJavaScriptΛͬͨDOMૢ࡞͕ݪҼͰൃੜ͢Δ
• ଞͷ2ͭͱҧ͍ϑϩϯτΤϯυͷίʔυͷෆඋʹΑͬͯൃੜ͢Δ
• αʔόΛհͣ͞ʹ߈ཱܸ͕͢ΔͨΊɺ߈ܸͷݕϩάऔಘ͕͠
͍
• ϑϩϯτΤϯυͷJavaScriptDevTools͔ΒݟΔ͜ͱ͕ग़དྷΔͨΊɺ
߈ܸऀ੬ऑੑΛൃݟ͍͢͠
Slide 57
Slide 57 text
DOM-based XSSͷݪҼ
const hash = decodeURIComponent(location.hash.slice(1));
document.querySelector('#result').innerHTML = hash;
ιʔε (Source)
γϯΫ (Sink)
දతͳSink
- innerHTML
- location.href
- document.write
- jQuery() ͳͲ
දతͳSource
- location.hash
- location.href
- document.referrer
- IndexedDB ͳͲ
Slide 58
Slide 58 text
දతͳXSSରࡦ
• จࣈྻͷΤεέʔϓ
• ReactɺVueɺAngularͳͲͷϑϨʔϜϫʔΫΛ͏
• javascript:εΩʔϜͷURLΛຒΊࠐ·ͳ͍
• DOMPurifyͳͲͷϥΠϒϥϦSanitizer APIΛͬͯةݥͳจࣈྻΛ
আڈ͢Δ
• Content Security Policy
Slide 59
Slide 59 text
จࣈྻͷΤεέʔϓ
cookieHijack()
<script>
cookieHijack()
</script>
&
<
มલ มޙ
>
“
‘
&
<
>
"
'
Τεέʔϓॲཧ
Slide 60
Slide 60 text
ReactͳͲͷϑϨʔϜϫʔΫΛ͏
• ReactɺVueɺAngularɺSvelteͳͲͷ༗໊ͳϥΠϒϥϦ/ϑϨʔϜϫʔΫΤεέʔϓॲཧΛ
ࣗಈͰͬͯ͘ΕΔ
• ։ൃऀΤεέʔϓॲཧΛ͢Δඞཁͳ͍
• ͨͩ͠ɺҰ෦ͷAPIΛ͏͜ͱͰXSSൃੜ͢Δ͜ͱ͕͋Γ·͢
• dangerouslySetInnerHTMLinnerHTMLͱಉ͘͡จࣈྻΛͦͷ··HTMLͱͯ͠ೝࣝ͢Δ
ʢReactʣ
• ޙड़ͷjavascript:εΩʔϜʹΑΔXSSʹରԠ͍ͯ͠ͳ͍ʢReactʣ
• ίϯιʔϧʹܯࠂग़Δ
Slide 61
Slide 61 text
javascript:εΩʔϜͷURLΛຒΊࠐ·ͳ͍
• ͨͱ͑ɺϦϯΫͷURLΛೖྗͰ͖ΔϑΥʔϜ͕͋ͬͨͱ͢Δ
• ϑΥʔϜʹhttps://example.comͱೖྗͨ͠Βhttps://example.com
ͷϦϯΫ͕ੜ͞ΕΔͱ͢Δ
ҙͷ63-ΛઃఆՄೳͱ͢Δ
Slide 62
Slide 62 text
javascript:εΩʔϜͷURLΛຒΊࠐ·ͳ͍
• ϑΥʔϜʹjavascript:alert(“xss”)ͱೖྗ͞ΕΔͱɺΫϦοΫͨ͠ͱ͖
ʹalert(“xss”)͕࣮ߦ͞ΕΔϦϯΫ͕Ͱ͖ͯ͠·͏
const App = (props) => (
click me!
KBWBTDSJQUεΩʔϜΛ͑ҙͷ
εΫϦϓτΛૠೖͰ͖Δ
Slide 63
Slide 63 text
javascript:εΩʔϜͷURLΛຒΊࠐ·ͳ͍
const Link = props => {
const protocol = new URL(props.url).protocol;
const safeUrl = /^https?:/.test(protocol) ? props.url : "";
return {props.children};
};
const App = (props) => {
return (
{title}
);
};
IUUQ·ͨIUUQT͔Β͡·Δ63-͚ͩΛ
ઃఆ͢ΔΑ͏ʹϑΟϧλϦϯά͢Δ
Slide 64
Slide 64 text
DOMPurifyΛͬͨةݥͳจࣈྻͷআڈ
• DOMPurifyOSSͷϥΠϒϥϦ
• npmCDN͔Βμϯϩʔυͯ͠͏͜ͱ͕Ͱ͖Δ
• จࣈྻ͔ΒXSSΛى͜͢ةݥͳจࣈྻΛআͯ͘͠ΕΔ
const untrustedStr = location.hash;
//
const trustedStr = DOMPurify.sanitize(untrustedStr);
$('#foo').innerHTML = trustedStr;
//
Slide 65
Slide 65 text
Sanitizer APIΛͬͨةݥͳจࣈྻͷআڈ
• ϒϥβʹΈࠐ·Ε͍ͯΔAPI
• Ͱ͖Δ͜ͱDOMPurifyͱࣅ͍ͯͯةݥͳจࣈྻΛআڈ͢Δ
const untrustedStr = location.hash;
//
const sanitizer = new Sanitizer(untrustedStr);
const target = document.getElementById(untrustedStr);
target.setHTML(untrustedStr, { sanitizer });
//
Slide 66
Slide 66 text
Content Security Policy (CSP)
• ڐՄ͞Ε͍ͯͳ͍JavaScriptͷ࣮ߦϦιʔεͷಡΈࠐΈͳͲΛϒ
ϩοΫ͢Δϒϥβͷػೳ
• Content-Security-Policyͱ͍͏ϨεϙϯεϔομʹΑͬͯԿΛͲ͏ϒ
ϩοΫ͢Δͷ͔ઃఆ͢Δ͜ͱ͕Մೳ
Slide 67
Slide 67 text
No content
Slide 68
Slide 68 text
Content Security Policyͷ༻ํ๏
• HTTPϨεϙϯεϔομʔʹՃ͢Δ
• ϦιʔεͷऔಘઌεΫϦϓτͷ࣮ߦΛࢦఆͨ͠ιʔεͷΈʹ੍ݶͰ͖Δ
• script-src ‘self’; img-src *.trusted.comͷ ͷΑ͏ʹෳઃఆՄೳ
▼ Response Headers
content-security-policy: script-src ‘self’ *.trusted.com
σΟϨΫςΟϒ ιʔε
script-src ‘self’; img-src *.trusted.com
Slide 69
Slide 69 text
Content Security Policyͷʹ͍ͭͯ
content-security-policy: script-src ‘self’ *.trusted.com
: εΫϦϓτͷ࣮ߦ੍ݶ
: ڐՄ͢ΔιʔεΛࢦఆ
script-src
‘self’ *.trusted.com
Ωʔϫʔυ ϗετ
Slide 70
Slide 70 text
දతͳσΟϨΫςΟϒ
σΟϨΫςΟϒ
DPOOFDUTSD 9)3ɺ8FC4PDLFUͳͲͷ੍ݶ
EFGBVMUTSD ଞͷϑΣονσΟϨΫςΟϒͷϑΥʔϧόοΫ
JNHTSD ը૾ͷಡΈࠐΈઌΛ੍ݶ
NFEJBTSD BVEJPWJEFPͷಡΈࠐΈઌΛ੍ݶ
TDSJQUTSD εΫϦϓτͷ࣮ߦॴΛ੍ݶ
TUZMFTSD ελΠϧͷద༻ॴΛ੍ݶ
Slide 71
Slide 71 text
͔ΒCSPΛ༗ޮʹͰ͖Δ
• HTMLͷλάͰࢦఆͰ͖ΔͷͰϑϩϯτΤϯυ͚ͩͰ࣮Մೳ
• ΑΓઌʹઃఆ͞Εͨͷ্ॻ͖ෆՄ
• ΑΓઌʹಡΈࠐ·ΕͨϦιʔεεΫϦϓτʹద༻Ͱ͖ͳ͍
• ͰઃఆͰ͖ͳ͍σΟϨΫςΟϒ͕͋Δ e.g. report-only
Slide 72
Slide 72 text
content-security-policy: script-src ‘self’
alert("XSS")
ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ
CSPͷྫ
Slide 73
Slide 73 text
CSPͷྫ
content-security-policy: script-src ‘self’
alert("XSS")
ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ
ࢦఆ͞Εͨϗετͱҧ͏ͷͰېࢭ
❌
Slide 74
Slide 74 text
CSPͷྫ
content-security-policy: script-src ‘self’
alert("XSS")
ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ
❌
❌
ΠϯϥΠϯεΫϦϓτېࢭ
Slide 75
Slide 75 text
CSPͷྫ
content-security-policy: script-src ‘self’
alert("XSS")
ϗετͱϙʔτ͕ಉ͡εΫϦϓτͷΈڐՄ
❌
❌
❌
ΠϕϯτଐੑKBWBTDSJQUͳͲېࢭ
Slide 76
Slide 76 text
CSPͷ՝
• CSP͕ద༻͞Ε͍ͯΔϖʔδͰΠϯϥΠϯεΫϦϓτېࢭ͞ΕΔ
• unsafe-inlineΩʔϫʔυΛ͑ΠϯϥΠϯεΫϦϓτΛڐՄͰ͖Δ
͕ɺXSSʹΑΓຒΊࠐ·ΕͨΠϯϥΠϯεΫϦϓτ·Ͱ࣮ߦͯ͠͠·
͏Մೳੑ͕͋Γ໊લͷͱ͓Γ҆શͰͳ͍ʢunsafe-inlineʣ
• ϗετ໊ͷࢦఆᷖճ͕ՄೳͰ͋Δ※
※ https://research.google/pubs/pub45542/
Slide 77
Slide 77 text
Strict CSP
• ҆શʹΠϯϥΠϯεΫϦϓτΛ࣮ߦͰ͖Δnonce·ͨhashΛϕʔε
ͱͨ͠Strict CSPͱ͍͏ઃఆ͕GoogleʹΑͬͯਪ͞Ε͍ͯΔ
Content-Security-Policy:
script-src 'nonce-tXCHNF14TxHbBvCj3G0WmQ==' 'strict-dynamic'
https: 'unsafe-inline';
object-src 'none';
base-uri 'none';
Slide 78
Slide 78 text
content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
alert("OK")
alert(“NG")
alert("NG")
OPODFCBTFΤϯίʔυ
Slide 79
Slide 79 text
content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
alert("OK")
alert(“NG")
alert("NG")
OPODFͷ͕Ұக͍ͯ͠ΔͷͰ࣮ߦΛڐՄ
OPODFCBTFΤϯίʔυ
Slide 80
Slide 80 text
content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
alert("OK")
alert(“NG")
alert("NG")
OPODF͕ෆҰக·ͨະࢦఆͳͷͰ࣮ߦΛېࢭ
OPODFCBTFΤϯίʔυ
Slide 81
Slide 81 text
nonceͷҙ
• nonceͷαʔόʔଆͰϦΫΤετ͝ͱʹมߋ͢Δ͜ͱ
• ਪଌ͞Εͳ͍ϥϯμϜͳʹ͢Δ͜ͱ
• scriptλάΛಈతʹੜͰ͖ͳ͍
content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
alert("OK")
Slide 82
Slide 82 text
strict-dynamic
content-security-policy: script-src ‘nonce-EDNnf03nceIOfn39fn3e9h3sdfa’ ‘strict-dynamic’
const script = document.createElement('script');
script.src = ‘/static/js/main.js’;
document.head.appendChild(script);
QBSTFSJOTFSUFEͰͳ͍TDSJQUͷಈతੜ͕Մೳ
JOOFS)5.-ͳͲγϯΫʹͳΔؔېࢭ͞Ε͍ͯΔ
※parser-inserted = HTMLύʔαʔXMLύʔαʔʹΑͬͯૠೖ͞ΕΔ͜ͱ
Slide 83
Slide 83 text
CSPͷReport-OnlyϞʔυ
• ࣮ࡍͷCSPΛద༻ͤͣʹϨϙʔτ͚ͩૹΔ͜ͱ͕Մೳ
• CSPͰڐՄ͞Ε͍ͯͳ͍߹ɺϨϙʔτΛPOST͢Δ
• CSPͷຊ൪ಋೖલʹӨڹΛ֬ೝ͢Δ͜ͱ͕Մೳ
• λάͰͷઃఆෆՄ
▼ Response Headers
content-security-policy-report-only: script-src ‘self’ *.trusted.com
report-uri /csp-report
Slide 84
Slide 84 text
Ϩϙʔτͷྫ
{
"csp-report": {
"document-uri": "http://example.com/index.html",
"referrer": "",
"blocked-uri": "http://invalid-cdn.com/js/react.js",
"violated-directive": "script-src self *.trusted.com*",
"original-policy": "script-src 'self' *.trusted.com; report-uri /csp-report/",
"disposition": "report"
}
}
Slide 85
Slide 85 text
XSSରࡦͰॏཁͳ͜ͱ
• XSSରࡦʹ༗໊ͳϥΠϒϥϦϑϨʔϜϫʔΫΛ͍·͠ΐ͏
• CSPXSSରࡦʹڧྗͳखஈ͚ͩͲɺ్தͰಋೖ͢Δͷ͍͠
• αʔϏεͷϦϦʔεલʹಋೖ͠ɺेʹݕূ͠·͠ΐ͏
• ӡ༻தͷWebΞϓϦέʔγϣϯReport-OnlyϞʔυͰӨڹൣғΛ
ेʹ֬ೝ͔ͯ͠ΒCSPΛ༗ޮʹ͍͖ͯ͠·͠ΐ͏
Slide 86
Slide 86 text
• ҉߸Խͷࣦഊ ➡ ௨৴σʔλͷ҉߸Խ
• ΞΫηε੍ޚͷෆඋ ➡ CORSΛͬͨΞΫηε੍ޚ
• ΠϯδΣΫγϣϯ ➡ XSSରࡦ
• ੬ऑͰݹ͘ͳͬͨίϯϙʔωϯτ ➡ ੬ऑͳϥΠϒϥϦͷνΣοΫ
ࠓճ͓͢ΔηΩϡϦςΟϦεΫ
Slide 87
Slide 87 text
JavaScriptͷϥΠϒϥϦࣄ
• Node.js / npmͷొʹΑΓJavaScriptͷϥΠϒϥϦ͕രൃతʹ
૿͑ͨ
• Node.jsϑϩϯτΤϯυͳͲJSͷ։ൃͰଟ͘ͷϥΠϒϥϦ͕
ΘΕ͍ͯΔ
Slide 88
Slide 88 text
http://www.modulecounts.com/
npmʹొ͞Ε͍ͯΔϥΠϒϥϦ͕
ѹతͳʹͳ͍ͬͯΔ
Slide 89
Slide 89 text
http://www.modulecounts.com/
npmʹొ͞Ε͍ͯΔϥΠϒϥϦ͕
ѹతͳʹͳ͍ͬͯΔ
͕ଟ͍ɺ
੬ऑੑͷ͋ΔϥΠϒϥϦଟ͍
Slide 90
Slide 90 text
JavaScriptϥΠϒϥϦͷ੬ऑੑࣄ
• ਓؾϥΠϒϥϦʹѱҙͷ͋Δίʔυ͕ૠೖ͞ΕΔࣄ݅
• ESLint (JavaScriptͷ࠷ϙϐϡϥʔͳ੩తղੳπʔϧ)ʹѱҙ
ͷ͋Δίʔυ͕ૠೖ͞Ε͍ͯͨ(20187݄)
• 1िؒʹ200ສDLͷϥΠϒϥϦevent-streamʹԾ௨՟Υ
Ϩοτ͔Β҉߸伴Λ౪Έग़͢ػೳ͕ૠೖ͞ΕΔ(201811݄)
Slide 91
Slide 91 text
JavaScriptϥΠϒϥϦͷ੬ऑੑࣄ
• ੈքͷτοϓ75,000ͷWebαΠτ(Alexaௐ)ͷ্Ґ37%͕Կ͔͠
Βͷ੬ऑੑͷ͋ΔJSϥΠϒϥϦΛ༻
• ϊʔεΠʔελϯେֶͷݚڀνʔϜʹΑΔௐࠪ݁Ռ(2017)
• ݹ͍ϥΠϒϥϦΛ༻͍ͯ͠Δ
• ࠂτϥοΩϯάɺιʔγϟϧϝσΟΞͷΟδΣοτʹຒΊ
ࠐ·Ε͍ͯΔ͜ͱ͕ଟ͍
Slide 92
Slide 92 text
੬ऑͳϥΠϒϥϦͷ༻Λ͙ରࡦ
• npm auditίϚϯυΛͬͨ੬ऑੑஅ
• DependabotɺSnykɺyamoryͳͲΛͬͨ੬ऑੑஅ
Slide 93
Slide 93 text
npm auditΛ͏
• npmʹඪ४ͰΈࠐ·Ε͍ͯΔίϚϯυπʔϧ
• ར༻͍ͯ͠Δnpmύοέʔδͷ੬ऑੑΛஅͯ͘͠ΕΔ
• npm installΛ͢Δͱ͖ʹࣗಈͰ࣮ߦ͞ΕΔ
• CIͰ࣮ߦ͢ΕࣗಈͰ੬ऑੑͷ͋ΔϥΠϒϥϦͷར༻Λ͙͜ͱ͕Ͱ͖Δ
• npm audit
fi
xίϚϯυͰ੬ऑͳϥΠϒϥϦͷΞοϓσʔτΛҰׅͰߦ͏͜ͱ
͕Ͱ͖Δ
Slide 94
Slide 94 text
੬ऑੑͷ͋ΔϥΠϒϥϦπʔϧΛݕ͢Δ
• ར༻͍ͯ͠ΔϥΠϒϥϦπʔϧͷ੬ऑੑΛݕ͢ΔΈΛ
͑·͠ΐ͏
• GitHubͷDependabotɺSnykɺyamoryͳͲ༷ʑͳαʔϏε͕ଘ
ࡏ͢Δ
• ͲͷαʔϏεಠࣗͷػೳ੬ऑੑσʔλϕʔεͳͲΛ͍࣋ͬͯ
Δ
Slide 95
Slide 95 text
DependabotΛ͏
• GitHubʹඪ४ͰඋΘ͍ͬͯΔ੬ऑੑஅαʔϏε
• ੬ऑੑͷ͋ΔϥΠϒϥϦΛΞοϓσʔτ͢ΔϓϧϦΫΤετΛࣗ
ಈͰ࡞
• ੬ऑੑͷ͋ΔϥΠϒϥϦπʔϧΛҰཡͰ֬ೝͰ͖Δ
• ϦϙδτϦͷઃఆը໘͔Β؆୯ʹ༗ޮʹͰ͖Δ
Slide 96
Slide 96 text
੬ऑͳϥΠϒϥϦΛݟ͚ͭΔͱɺ
Dependabot͕ڭ͑ͯ͘ΕΔ
Slide 97
Slide 97 text
Dependabot͕ϓϧϦΫΤετΛ࡞
ͯ͘͠ΕΔ
Slide 98
Slide 98 text
·ͱΊ
• ͍·͙͢HTTPSԽ͠Α͏
• CORSΛཧղͯ͠దʹΫϩεΦϦδϯͷΞΫηεΛ੍ޚ͠Α͏
• XSSରࡦϥΠϒϥϦϑϨʔϜϫʔΫɺCSPΛ͓͏
• ϥΠϒϥϦʹ੬ऑੑ͕ͳ͍͔֬ೝ͢ΔͨΊͷΈΛ͑Α͏
Slide 99
Slide 99 text
࠷ޙ·Ͱ͝ࢹௌ͍͖ͨͩ
͋Γ͕ͱ͏͍͟͝·ͨ͠