Slide 1

Slide 1 text

CEMI 2023/11/27

Slide 2

Slide 2 text

Contents
01 Company overview
02 Self-introduction
03 CEMI

Slide 3

Slide 3 text

Company overview (about Asobica)

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

No content

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

No content

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

Self-introduction (profile)

Slide 11

Slide 11 text

Self-introduction (Profile)
Name: Nishioka
Role: web application development engineer
Home: Hyogo Prefecture
Recent career: developed a support service for nursing-care providers and a babysitter matching service, then joined Asobica in March of this year
Family: wife, eldest son (6) and second son (4)

Slide 12

Slide 12 text

CEMI cemi

Slide 13

Slide 13 text

What is CEMI in the first place?
● It is the vulnerability known as CSV Excel Macro Injection.

Slide 14

Slide 14 text

Searching for "CEMI" on its own turns up nothing.

Slide 15

Slide 15 text

Searching for it together with "CSV" finally gets a hit.

Slide 16

Slide 16 text

How the attack works (1): the attacker inserts data containing Excel macros or functions into a CSV file.

Slide 17

Slide 17 text

How the attack works (2): when that file is opened in, for example, Excel, the inserted macros or functions are executed.

Slide 18

Slide 18 text

Examples of the danger:
- Commands can be executed. On Windows, the calculator can be launched with =cmd|' /C calc'!A0
- A link that sends the user to a malicious server can be generated with =HYPERLINK("https://example.com")

Slide 19

Slide 19 text

Countermeasure (1): generate the CSV as follows.
- Wrap each cell field in double quotes
- Prepend a single quote to each cell field
- Escape every double quote with an additional double quote
Reference article: OWASP | CSV Injection
https://owasp.org/www-community/attacks/CSV_Injection

Slide 20

Slide 20 text

Handling it in Ruby:

```ruby
require 'csv'

def generate_csv(users)
  # force_quotes: true wraps every field in double quotes and doubles any
  # embedded double quotes; the single-quote prefix must be added by hand.
  CSV.generate(headers: true, force_quotes: true) do |csv|
    csv << ["ID", "Name", "Profile"]
    users.each do |user|
      # Only the free-text profile field is prefixed here; id and name are
      # written as-is.
      csv << [user.id, user.name, "'#{user.profile}"]
    end
  end
end
```

- force_quotes: true wraps each cell field in double quotes
- The single quote has to be added by us
- Double quotes inside strings are escaped for us; for example, if the given string is "NISHIOKA", it becomes ""NISHIOKA""
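To show the countermeasure and the Ruby handling above end to end, here is an added example that is not the slide's code: it applies the three OWASP steps to every field (not just one column), adds a check that flags fields beginning with a formula trigger character, and demonstrates the double-quote escaping the slide describes. The names FORMULA_TRIGGERS, formula_injection_risk?, neutralise_field, generate_safe_csv, risky_fields and the SAMPLE_* data are assumptions of this example; the trigger-character list comes from the OWASP CSV Injection page the slide references.

```ruby
require 'csv'

# Leading characters that spreadsheet applications interpret as the start of
# a formula, as listed on the OWASP CSV Injection page.
FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"].freeze

# True when an untrusted field would be evaluated as a formula after the
# exported CSV is opened in a spreadsheet.
def formula_injection_risk?(value)
  str = value.to_s
  !str.empty? && FORMULA_TRIGGERS.include?(str[0])
end

# Step 2 of the countermeasure: the single-quote prefix. With prefix_all: true
# (the slide's advice) every non-empty field gets it; with prefix_all: false
# only fields that start with a trigger character do, so plain numbers stay
# numeric in the spreadsheet.
def neutralise_field(value, prefix_all: true)
  str = value.to_s
  return str if str.empty?
  return "'#{str}" if prefix_all || formula_injection_risk?(str)

  str
end

# Steps 1 and 3 (double-quote wrapping and doubling of embedded double quotes)
# are performed by Ruby's CSV writer once force_quotes: true is set, as in the
# slide's generate_csv. The header row is trusted and left unprefixed.
def generate_safe_csv(header, rows, prefix_all: true)
  CSV.generate(force_quotes: true) do |csv|
    csv << header
    rows.each do |row|
      csv << row.map { |field| neutralise_field(field, prefix_all: prefix_all) }
    end
  end
end

# Audit helper for data already stored: returns [row, column, value] for every
# field that would start a formula if it were exported without protection.
def risky_fields(rows)
  findings = []
  rows.each_with_index do |row, r|
    row.each_with_index do |field, c|
      findings << [r, c, field.to_s] if formula_injection_risk?(field)
    end
  end
  findings
end

# Constructed sample export (not real data): two cells look like formulas and
# one cell carries embedded double quotes to show the escaping.
SAMPLE_HEADER = ['ID', 'Name', 'Profile'].freeze
SAMPLE_ROWS = [
  [1, 'Nishioka', 'Web application engineer'],
  [2, '=1+2', '"quoted" text'],
  [3, '@attacker', '=HYPERLINK("https://example.com")']
].freeze

if $PROGRAM_NAME == __FILE__
  puts "Risky fields: #{risky_fields(SAMPLE_ROWS).inspect}"
  puts generate_safe_csv(SAMPLE_HEADER, SAMPLE_ROWS)
end
```

Running it prints the audit findings and a CSV in which every data field is wrapped in double quotes, starts with a single quote, and has embedded double quotes doubled (the "quoted" cell comes out as "'""quoted"" text"). Parsing that CSV back with CSV.parse returns the prefixed strings, so the formula-like values are carried as text rather than executed when the file is opened in a spreadsheet.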

Slide 21

Slide 21 text

About the development teams

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content