Slide 1

Frontend Conference 2019 #frontkansai
Masashi Hirano @shisama_
Security Countermeasures for Frontend Engineers: XSS Edition

Slide 2

Masashi Hirano (平野 昌士) @shisama_ / shisama
Node.js Core Collaborator
Organizer, Kansai Node Gakuen (関西Node学園)

Slide 3

Who this talk is for
• People interested in security
• People who want to learn about XSS (beginner to intermediate)
• Web engineers, especially frontend engineers

Slide 4

Agenda
• Web security trends
• How the vulnerability (XSS) works and how to counter it
  • XSS basics
  • Countermeasure: escaping strings
  • Countermeasure: browser features (CSP, Trusted Types)
• Security awareness

Slide 5

Web security trends

Slide 6

https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html

Slide 7

https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
Number of vulnerability reports (July to September 2019)

Slide 8

https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
Number of vulnerability reports (July to September 2019)
Table: category / reports this quarter / cumulative since reporting began, with rows for software products, websites, and total. The figures did not survive extraction.

Slide 9

(same table as Slide 8)
Websites account for a multiple of the reports for software products (the multiplier did not survive extraction).

Slide 10

https://www.ipa.go.jp/security/vuln/report/vuln2019q3.html
Website vulnerability reports by type:
• XSS (cross-site scripting)
• DNS misconfiguration
• SQL injection
• Improper use of HTTP
• Directory traversal
• Accidental file exposure
• Other

Slide 11

https://www.youtube.com/watch?v=DDtM9caQ97I&t=633s

Slide 12

https://www.hackerone.com/resources/top-10-vulnerabilities
HackerOne 2018 Total Report

Slide 13

https://blog.cybozu.io/entry/2019/06/20/160000
Cybozu BugBounty 2018

Slide 14

https://www.owasp.org/index.php/Japan
OWASP Top 10 2017
• Injection: SQL injection, command injection, etc.
• Broken authentication: leakage of users' credentials
• Sensitive data exposure: theft or tampering of financial and personal data
• XML External Entities (XXE): remote code execution via external entities, etc.
• Broken access control: modifying other users' data or privileges
• Security misconfiguration: problems caused by insecure settings
• Cross-site scripting (XSS): information leakage through script execution in the browser, etc.
• Insecure deserialization: remote code execution
• Using components with known vulnerabilities: attacks and harm via vulnerable libraries, etc.
• Insufficient logging and monitoring: attacks go undetected because monitoring is lacking

Slide 15

Summary so far: web security trends
• Most reported vulnerabilities originate in websites
• The most common website vulnerability is XSS
• There are ten especially serious risks (the OWASP Top 10)

Slide 16

XSS

Slide 17

Threats posed by XSS (examples)
• Content tampering
• Session hijacking
• Leakage of personal information

Slide 18

Example incident: YouTube
• Hoax pop-ups, redirects to other sites, etc.

Slide 19

Example incident: Twitter
• Retweets posted via remote hijacking

Slide 20

Example incident: KADOKAWA
• Malware embedded through tampering; personal information stolen

Slide 21

Three kinds of XSS
• Reflected XSS
• Stored XSS
• DOM Based XSS

Slide 22

Reflected XSS
(1) The victim visits a page prepared by the attacker
(2) That page sends the victim to the target site with the script as a parameter:
    ?token=""/><script>alert("XSS")</script>

Slide 23

Reflected XSS
The query-string value is reflected into the HTML as-is, so the injected <script>alert("XSS")</script> runs.

Slide 24

(same as Slide 23)

Slide 25

Stored XSS
(1) The attacker POSTs a form containing a script, e.g. <script>alert("XSS")</script>
(2) The POSTed value is stored as-is (the mock shows a stored entry reading alert(1))
(3) Another user visits the site
(4) The value from the DB is rendered into the HTML and the script runs in that user's browser

Slide 26

(same as Slide 25)

Slide 27

DOM Based XSS: the value of location.hash is inserted with JavaScript

const hash = decodeURIComponent(location.hash.slice(1));
document.querySelector('#result').innerHTML = hash;

Slide 28

(same as Slide 27)

Slide 29

DOM Based XSS: source and sink

const hash = decodeURIComponent(location.hash.slice(1)); // source
document.querySelector('#result').innerHTML = hash;      // sink

Typical sources: location.hash, location.href, document.referrer, IndexedDB, etc.
Typical sinks: innerHTML, location.href, document.write, jQuery(), etc.

Slide 30

Three kinds of XSS
• Reflected XSS
• Stored XSS
• DOM Based XSS
In every case, JavaScript ends up executing in the victim's browser.

Slide 31

Main XSS countermeasures
• Escape or remove dangerous strings
• Use browser features

Slide 32

(same as Slide 31)

Slide 33

Escaping HTML special characters
Before: <script>cookieHijack()</script>
After:  &lt;script&gt;cookieHijack()&lt;/script&gt;

Character  Escaped as
&          &amp;
<          &lt;
>          &gt;
"          &quot;
'          &#x27;

Slide 34

Removing dangerous strings (sanitizing by deletion)

Slide 35

Implementing escaping/removal of strings

function sanitizer(str) {
  return str
    .replace(/&/g, "&amp;")   // ampersand first, so the entities below are not double-escaped
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
    // ...
}

Slide 36

(same code as Slide 35)
Implementing this yourself is hard, testing it is hard, and you worry about missing part of the spec.

Slide 37

Use language features or OSS
• Programming languages and the major frameworks come with escaping functions
• There are also many escaping libraries

Slide 38

https://reactjs.org/docs/introducing-jsx.html#jsx-prevents-injection-attacks

Slide 39

React DOM escapes any values by default: the component interpolates a user-supplied value, and when that value is <script>alert("xss")</script> it is rendered as text, not executed. (The JSX markup did not survive extraction.)

const App = props => (
  ...
);

Slide 40

(same as Slide 39) XSS does not occur.

Slide 41

const App = (props) => (
  ...
);
React DOM escapes any values by default (the JSX markup did not survive extraction).

Slide 42

(same as Slide 41)

Slide 43

XSS in React
• Attribute values such as a javascript: scheme URL are not escaped
• If the user can supply such input, XSS still occurs

Slide 44

(the <a> element and the <Link> usage are reconstructed from the surviving {props.children} and {title}; the input fields did not survive extraction)

const Link = props => {
  const protocol = new URL(props.url).protocol;
  const safeUrl = /^https?:/.test(protocol) ? props.url : "";
  return <a href={safeUrl}>{props.children}</a>;
};

const App = () => {
  const { url, title, onChangeUrl, onChangeTitle } = useInput();
  return (
    <div>
      {/* inputs bound to onChangeUrl / onChangeTitle */}
      <Link url={url}>{title}</Link>
    </div>
  );
};

Slide 45

(same code as Slide 44)
By allowing only the http or https protocol, strings starting with "javascript:" are neutralized. Rendered link: click me!
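The scheme check above throws on relative URLs and inspects the raw string; as an added example that is not part of the deck, here is a standalone helper that keeps the same http/https allow-list while handling those cases (the base URL is an assumption standing in for the app's own origin):

```javascript
// Added example, not the deck's code: a hardened version of the Link
// component's scheme check.  Assumption: the base URL below stands in for
// the app's own origin; it only matters for resolving relative links.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns `input` when it is an http(s) link, otherwise "" (the slide's
// fallback).  Compared with `new URL(props.url).protocol` alone, this:
//   - does not throw on relative URLs such as "/about" (base supplied),
//   - rejects non-string values instead of coercing them,
//   - sees the scheme as the browser will: the URL parser strips leading
//     whitespace and embedded tab/newline and lowercases the scheme, so
//     " JavaScript:..." and "java\nscript:..." are still caught.
function safeHref(input, base = "https://example.test/") {
  if (typeof input !== "string") return "";
  let url;
  try {
    url = new URL(input, base);
  } catch {
    return "";                 // unparsable input is dropped
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? input : "";
}
```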

Slide 46

https://github.com/facebook/react/pull/15047

Slide 47

https://github.com/cure53/DOMPurify

Slide 48

DOMPurify is available from npm or a CDN:
$ npm install dompurify

Slide 49

DOMPurify

const untrustedStr = location.hash;                   // untrusted input
const trustedStr = DOMPurify.sanitize(untrustedStr);  // sanitized
$('#foo').innerHTML = trustedStr;                     // safe to insert ($ is a querySelector shorthand here)

Slide 50

(same code as Slide 49)
If the value of location.hash reached the sink as-is, the script would execute.

Slide 51

(same code as Slide 49)
DOMPurify.sanitize removes only the dangerous parts of the string.

Slide 52

https://developer.cybozu.io/hc/ja/articles/360001038846-DOMPurifyを使って安全にDOMを表示しよう-

Slide 53

Main XSS countermeasures
• Escape or remove dangerous strings
• Use browser features

Slide 54

Browsers provide many features for mitigating vulnerabilities (partial list): X-XSS-Protection, HttpOnly, SameSite, Content Security Policy, Referer / Referrer-Policy, XSS Auditor, Fetch Metadata

Slide 55

https://www.w3.org/TR/CSP2/

Slide 56

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

Slide 57

https://caniuse.com/#feat=mdn-http_headers_csp_content-security-policy

Slide 58

Content Security Policy

▼ Response Headers
content-security-policy: script-src 'self' *.trusted.com
                         (directive) (sources)

• Added as an HTTP response header
• Restricts where resources may be fetched from and which scripts may execute to the specified sources only
• Multiple directives can be set, e.g. script-src 'self'; img-src *.trusted.com

Slide 59

Content Security Policy
• It can also be specified with an HTML <meta> tag, so it can be implemented on the frontend alone
• A policy set before the <meta> tag cannot be overridden by it
• It does not apply to resources or scripts loaded before the <meta> tag
• Some directives cannot be set via <meta>, e.g. report-only

Slide 60

Content-Security-Policy-Report-Only

▼ Response Headers
content-security-policy-report-only: script-src 'self' *.trusted.com; report-uri /csp-report

• Sends reports without actually enforcing the CSP
• When something is not allowed by the CSP, a report is POSTed to the report-uri
• Lets you check the impact before rolling CSP out to production
• Cannot be set via a <meta> tag

Slide 61

Example report

{
  "csp-report": {
    "document-uri": "http://example.com/index.html",
    "referrer": "",
    "blocked-uri": "http://invalid-cdn.com/js/react.js",
    "violated-directive": "script-src self *.trusted.com*",
    "original-policy": "script-src 'self' *.trusted.com; report-uri /csp-report/",
    "disposition": "report"
  }
}
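As an added example that is not from the deck, a small triage function for the report-uri endpoint that classifies csp-report bodies like the one above; the sample reports are constructed here, and the allow-list suffix assumes the slide's policy (script-src 'self' *.trusted.com).

```javascript
// Added example, not the deck's code: triage of csp-report bodies arriving
// at the report-uri endpoint.  Assumes the slide's policy (script-src
// 'self' *.trusted.com): hosts under .trusted.com are expected, the rest
// deserve an alert.  The sample reports below are constructed.
const TRUSTED_HOST_SUFFIX = ".trusted.com";

// Classifies one report body; ok:false for bodies that are not a csp-report
// (bogus POSTs to the endpoint are common and must not crash the handler).
function triageReport(body) {
  const r = body && body["csp-report"];
  if (!r || typeof r["violated-directive"] !== "string") {
    return { ok: false, reason: "malformed report" };
  }
  const blocked = String(r["blocked-uri"] || "");
  const directive = r["violated-directive"].split(" ")[0];
  let kind;
  if (blocked === "inline" || blocked === "eval") {
    kind = "inline";                       // blocked inline script / eval()
  } else {
    let host = "";
    try { host = new URL(blocked).hostname; } catch { /* "data", "" ... */ }
    kind = host.endsWith(TRUSTED_HOST_SUFFIX) ? "allowed-host" : "untrusted-host";
  }
  return { ok: true, directive, blocked, kind, page: r["document-uri"],
           enforced: r.disposition === "enforce" }; // false under Report-Only
}

// Constructed samples: the slide's report plus an enforced inline block.
const SAMPLE_REPORTS = [
  { "csp-report": { "document-uri": "http://example.com/index.html",
      "blocked-uri": "http://invalid-cdn.com/js/react.js",
      "violated-directive": "script-src 'self' *.trusted.com",
      "disposition": "report" } },
  { "csp-report": { "document-uri": "http://example.com/index.html",
      "blocked-uri": "inline", "violated-directive": "script-src-elem",
      "disposition": "enforce" } },
];

// Counts reports per kind; untrusted-host is the bucket worth alerting on.
function summarize(reports = SAMPLE_REPORTS) {
  const counts = {};
  for (const t of reports.map(triageReport)) {
    const key = t.ok ? t.kind : "malformed";
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}
```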

Slide 62

About the Content Security Policy value

content-security-policy: script-src 'self' *.trusted.com
  script-src: restricts script execution
  'self' *.trusted.com: the sources to allow (a keyword and a host)

Slide 63

Representative directives (a subset of the fetch directives)

Directive     Meaning
connect-src   restricts XHR, WebSocket, etc.
default-src   fallback for the other fetch directives
img-src       restricts where images may be loaded from
media-src     restricts where audio/video may be loaded from
script-src    restricts where scripts may be executed from
style-src     restricts where styles may be applied from

Slide 64

content-security-policy: script-src 'self'
Only scripts from the same host and port are allowed.

Slide 65

content-security-policy: script-src 'self'
❌ A script from a host other than the specified one is blocked.

Slide 66

content-security-policy: script-src 'self'
❌ Inline scripts (such as <script>alert("XSS")</script>) are blocked.

Slide 67

content-security-policy: script-src 'self'
❌ Event handler attributes and javascript: URLs are blocked too.

Slide 68

content-security-policy: script-src 'self' 'unsafe-inline'
Allowing inline scripts
• Use when you want to allow inline scripts
• As the name says, it is unsafe

Slide 69

https://www.w3.org/TR/CSP2/#source-list-valid-nonces
CSP Level 2: nonce

Slide 70

content-security-policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
The nonce is a base64-encoded value. Scripts on the page: alert("OK") with the matching nonce attribute, alert("NG") with a different nonce, alert("NG") with no nonce.

Slide 71

(same as Slide 70)
The first script's nonce matches, so it is allowed to run.

Slide 72

(same as Slide 70)
The other scripts' nonce values are mismatched or missing, so they are blocked.

Slide 73

content-security-policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa'
Notes on nonces
• The nonce value must be changed server-side for every request
• It must be a random value that cannot be guessed
• Script tags cannot be generated dynamically

Slide 74

CSP Level 3: 'strict-dynamic'

content-security-policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'strict-dynamic'

const script = document.createElement('script');
script.src = '/static/js/main.js';
document.head.appendChild(script);

Scripts that are not parser-inserted can be generated dynamically.
※ parser-inserted = inserted by the HTML parser or the XML parser

Slide 75

content-security-policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'strict-dynamic'

const script = document.createElement('script');
script.textContent = location.hash.slice(1);
document.head.appendChild(script);

What if the script takes its content from location.hash?

Slide 76

(same as Slide 75)

Slide 77

https://w3c.github.io/webappsec-trusted-types/dist/spec/

Slide 78

Trusted Types: strings are converted into safe types and validated
URL string     → TrustedURL
HTML string    → TrustedHTML
Script string  → TrustedScript
Script URL     → TrustedScriptURL

Slide 79

Trusted Types

content-security-policy: require-trusted-types-for 'script'; trusted-types;

script.textContent = location.hash.slice(1);
document.head.appendChild(script);

The value is not a trusted type, so the script is not executed.

Slide 80

content-security-policy: require-trusted-types-for 'script'; trusted-types *; script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'strict-dynamic'

const script = document.createElement('script');
script.textContent = location.hash.slice(1);
document.head.appendChild(script);

Slide 81

(same as Slide 80) XSS does not occur.

Slide 82

Trusted Types Policy: create a policy that converts strings into safe types

content-security-policy: require-trusted-types-for 'script'; trusted-types my-policy;

const myPolicy = trustedTypes.createPolicy('my-policy', {
  createHTML: (s) => { return customSanitize(s) },      // customSanitize: the app's own sanitizer
  createURL: (s) => { /* escaping, etc. */ },
  createScript: (s) => { /* check the script contents, etc. */ },
})

Slide 83

Trusted Types Policy: values produced by the policy are allowed to reach the sink

content-security-policy: require-trusted-types-for 'script'; trusted-types my-policy;

const hash = decodeURIComponent(location.hash.slice(1));
const trustedHtml = myPolicy.createHTML(hash);
document.body.innerHTML = trustedHtml;

Slide 84

Trusted Types & DOMPurify

const myPolicy = trustedTypes.createPolicy("my-policy", {
  createHTML: (s) => { return DOMPurify.sanitize(s); }
});

const hash = decodeURIComponent(location.hash.slice(1));
const trustedHtml = myPolicy.createHTML(hash);
document.body.innerHTML = trustedHtml;

Slide 85

https://github.com/w3c/webappsec-trusted-types/pull/205
TrustedTypes was renamed to trustedTypes

Slide 86

https://www.chromestatus.com/feature/5650088592408576
Enabled by default from Chrome 83

Slide 87

chrome://flags/#enable-experimental-web-platform-features
If you are using an older Chrome (the version number did not survive extraction)

Slide 88

(no text)

Slide 89

• Demo Page: https://shisama.dev/xss-test/
• GitHub: https://github.com/shisama/xss-test/
  • DOM Based XSS
  • CSP
  • Trusted Types
※ Check the demo with the DevTools console open

Slide 90

https://github.com/facebook/react/pull/16157/

Slide 91

Summary so far: XSS
• XSS is an attack technique that executes a script in the browser
• It can be countered by escaping input strings
• It can be countered with browser features
• CSP and Trusted Types can prevent XSS more safely

Slide 92

Security awareness

Slide 93

https://www.amazon.co.jp/dp/4797393165

Slide 94

https://www.amazon.co.jp/dp/4797393165
"A vulnerability is a bug that can be exploited."
『体系的に学ぶ 安全なWebアプリケーションの作り方 第2版』 徳丸 浩 (著) (Systematically Learning How to Build Secure Web Applications, 2nd ed., by Hiroshi Tokumaru)

Slide 95

Treat vulnerabilities as bugs
• Settle security matters at the requirements-definition and specification stage
• Run security tests, not just functional tests
• When a vulnerability (bug) is found, track it and prioritize it

Slide 96

Not everyone is a security expert

Slide 97

How should we check for vulnerabilities?

Slide 98

https://www.ipa.go.jp/security/vuln/websecurity.html

Slide 99

Start with the checklist from IPA's "How to Secure Your Website" (安全なウェブサイトの作り方)

Slide 100

• For each vulnerability it lists a "fundamental solution" and a "mitigating solution"

Slide 101

It covers the following vulnerabilities:
1) SQL injection
2) OS command injection
3) Unchecked path name parameters / directory traversal
4) Improper session management
5) Cross-site scripting
6) CSRF (cross-site request forgery)
7) HTTP header injection
8) Mail header injection
9) Clickjacking
10) Buffer overflow
11) Missing access control or authorization control

Slide 102

Some resources for security checks
• Lists
  • ウェブ健康診断仕様 (IPA web health check specification)
  • OWASP Cheat Sheet Series
  • HTML5 Security Cheat Sheet
• Tools
  • OWASP ZAP
  • Vuls
  • VAddy

Slide 103

You can check for and counter the basic vulnerabilities

Slide 104

Prevent bugs before they happen; when you find one, track it and fix it.
"A vulnerability is a bug that can be exploited."

Slide 105

Summary
• The most common vulnerability is XSS
• Counter XSS by escaping strings
• Browsers provide vulnerability countermeasures such as CSP
• Treat vulnerabilities as bugs

Slide 106

References
• そろそろCSP Lv.2 nonceやろう (Time to adopt CSP Level 2 nonces) - teppeis blog
• Masato Kinugawa Security Blog: CVE-2018-5175: FirefoxでCSPのstrict-dynamicバイパス (strict-dynamic bypass in Firefox's CSP)
• 安全な文字列であると型で検証する Trusted Types について (On Trusted Types, verifying safe strings with types) - Jxck
• Avoiding XSS in React is Still Hard - javascript-security - Medium
• Securing Web Apps with Modern Platform Features (Google I/O '19)

Slide 107

Thanks. @shisama_ shisama