Slide 1
Slide 1 text
L a r a v e l Ͱ ͑ ͯ ࢼ ͢
੬ ऑ ੑ ͷ ͋ Δ ॻ ͖ ํ
ླ ೭
P H P Χ ϯ ϑ Ν Ϩ ϯ ε ւ ಓ
Slide 2
Slide 2 text
ࣗݾհɾձࣾհ
੬ऑੑͱʁ
-BSBWFMͰ੬ऑੑͷ͋ΔίʔυΛॻ͍ͯΈΔ
ɾ944
ɾ$43'
ɾ42-ΠϯδΣΫγϣϯ
ɾ04ίϚϯυΠϯδΣΫγϣϯ
ΞδΣϯμ
Slide 3
Slide 3 text
Copyright Re:Build.inc All Rights Reserved.
ࣗݾհ
1
◆໊લ
ླ ೭(ΧϯϘ@ԭೄ)
◆ࣗݾհ
ɾגࣜձࣾRe:Build ද
ɾΤϯδχΞˠϑϦʔϥϯεˠԭೄͰىۀ
ɾPHPΧϯϑΝϨϯεԭೄ࣮ߦҕһ
ɾϑϩϯτΤϯυΧϯϑΝϨϯεԭೄ࣮ߦҕһ
◆झຯ
ίεϓϨɺԻָϥΠϒɺϚϥιϯେձʹग़Δɺٿ؍ઓ
BDD(Ϗʔνۦಈ։ൃ)
Slide 4
Slide 4 text
No content
Slide 5
Slide 5 text
ԭೄͷϊϦͰαϯμϧͰདྷͨΒɺ
͕ࢮʹ·ͨ͠w
Slide 6
Slide 6 text
ձ໊ࣾ גࣜձࣾRe:Build
දऀ ླ೭
ઃཱ ฏ2911݄28
ࣄۀ༰
ࣗࣾαʔϏε։ൃɾӡӦɺWebγεςϜ։ൃɺΤϯδ
χΞڭҭɺσβΠϯ੍࡞
ࢿຊۚ 2,600ສԁ
ॴࡏ ˟900-0015 ԭೄݝಹࢢٱໜ2-2-2 λΠϜεϏϧ
ి൪߸ 050-5408-4501
ैۀһ ໊̍̎
ձ ࣾ ֓ ཁ
6
Slide 7
Slide 7 text
7
ର ऀ ʹ ͭ ͍ ͯ
ɾ੬ऑੑͷجૅΛཧղ͍ͯ͠Δਓ
ɾLaravelͷॻ͖ํΛ࠷ݶɺཧղ͍ͯ͠Δਓ
Slide 8
Slide 8 text
2 . ੬ ऑ ੑ ͱ ʁ
Slide 9
Slide 9 text
9
੬ ऑ ੑ ͱ ʁ
੬ऑੑʢ͍ͥ͡Ό͍ͤ͘ʣͱɺίϯϐϡʔλͷOSιϑτΣ
Ξʹ͓͍ͯɺϓϩάϥϜͷෆ۩߹ઃܭ্ͷϛε͕ݪҼͱͳͬͯൃ
ੜͨ͠αΠόʔηΩϡϦςΟ্ͷܽؕͷ͜ͱΛݴ͍·͢ɻ੬ऑੑ
ɺηΩϡϦςΟϗʔϧͱݺΕ·͢ɻ੬ऑੑ͕͞Εͨঢ়ଶͰ
ίϯϐϡʔλΛར༻͍ͯ͠Δͱɺෆਖ਼ΞΫηεʹར༻͞ΕͨΓɺ
Πϧεʹײછͨ͠Γ͢Δةݥੑ͕͋Γ·͢ɻ
૯লHPΑΓҾ༻
https://www.soumu.go.jp/main_sosiki/cybersecurity/kokumin/basic/basic_risk_11.html
Slide 10
Slide 10 text
3 . L a r a v e l Ͱ ੬ ऑ ੑ ͷ ͋
Δ ί ʔ υ Λ ॻ ͍ ͯ Έ Δ
Slide 11
Slide 11 text
11
S Q L Π ϯ δ Σ Ϋ γ ϣ ϯ ͱ ʁ
https://www.ipa.go.jp/security/vuln/websecurity/sql.html
IPAใॲཧਪਐػߏ HPΑΓҾ༻
Slide 12
Slide 12 text
12
S Q L Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ྫ
https://chigusa-web.com/blog/laravel-sql-injection/
͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ
͍ΔͰ͠ΐ͏͔ʁ
Slide 13
Slide 13 text
13
S Q L Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ྫ
https://chigusa-web.com/blog/laravel-sql-injection/
͑͜ͷwhereRaw()ͷՕॴʹSQL
ΠϯδΣΫγϣϯʹͳΓಘΔίʔυ
ؚ͕·Ε͍ͯ·͢ɻ
select exists(select * from `accounts` where login_id = 'login-user' and password = '' or 1 = 1 or '') as `exists`
ʮor 1 = 1 orʯ͕ೖྗ͞ΕͨΒɺ
ԼهͷΑ͏ͳ੬ऑੑͷ͋ΔSQLจ͕
ൃߦ͞Εͯ͠·͍·͢ɻ
Slide 14
Slide 14 text
14
S Q L Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ର ࡦ
ରࡦͱͯ͠ɺwhereϝιουΛ
͍·͠ΐ͏ʂ
͠ɺwhereRawϝιουΛ͏ͳ
ΒɺόΠϯυ͠·͠ΐ͏ʂ
Slide 15
Slide 15 text
15
X S S ͱ ʁ
https://www.ipa.go.jp/security/vuln/websecurity/cross-site-scripting.html
IPAใॲཧਪਐػߏ HPΑΓҾ༻
Slide 16
Slide 16 text
16
X S S ͷ ྫ
͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ
͍ΔͰ͠ΐ͏͔ʁ
https://readouble.com/laravel/7.x/ja/blade.html
Slide 17
Slide 17 text
17
X S S ͷ ྫ
͑͜͜Ͱ͢ɻ
ѱҙͷ͋ΔεΫϦϓτ
͕ೖΔͱ߈ܸʹͳΔ
σϑΥϧτͰϒϨʔυͷ{{ }}จXSS߈ܸΛ͙ͨΊʹɺPHPͷ
htmlspecialcharsؔΛࣗಈతʹ௨͞Ε·͢ɻ͔͠͠ɺ͜ͷॻ͖ํ
{{!! !!}}Λ͢ΔͱσʔλͷΤεέʔϓ͕͞Ε·ͤΜɻ
Slide 18
Slide 18 text
18
C S R F ͱ ʁ
https://www.ipa.go.jp/security/vuln/websecurity/csrf.html
IPAใॲཧਪਐػߏ HPΑΓҾ༻
Slide 19
Slide 19 text
19
C S R F ͷ ྫ
https://turningp.jp/network_and_security/csrf-laravel
͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ
͍ΔͰ͠ΐ͏͔ʁ
Slide 20
Slide 20 text
20
C S R F ͷ ྫ
https://turningp.jp/network_and_security/csrf-laravel
ɾ͜ͷ@csrfԼهͷinputཁૉΛੜ͍ͯ͠·͢ɻ
ɾ͜Εʹରͯ͠ͷτʔΫϯݕূ
ʮApp\Http\Middleware\Veri
f
icationCsrfTokenʯϛυϧΣΞͰ
ߦΘΕ͓ͯΓɺLaravelͷσϑΥϧτઃఆͰ༗ޮʹͳ͍ͬͯ·͢ɻ
͑͜͜Ͱ͢ɻ
@csrfͷهड़͕͋Γ·ͤΜɻ
Slide 21
Slide 21 text
21
O S ί Ϛ ϯ υ Π ϯ δ Σ Ϋ γ ϣ ϯ ͱ ʁ
https://www.ipa.go.jp/security/vuln/websecurity/os-command.html
IPAใॲཧਪਐػߏ HPΑΓҾ༻
Slide 22
Slide 22 text
22
O S ί Ϛ ϯ υ Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ྫ
͜͜ͰdirίϚϯυʹରͯ͠ΫΤϦ
ใparamͷΛύϥϝʔλͱͯ͠
Ҿ͖ͦ͏ͱ͍ͯ͠·͕͢ɺ੬ऑੑ
ΛؚΜͰ͍·͢ɻ
https://qiita.com/oouaioi/items/98f1572208328ae5710d
Slide 23
Slide 23 text
23
O S ί Ϛ ϯ υ Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ྫ
https://qiita.com/oouaioi/items/98f1572208328ae5710d
ྫ͑ɺԼهͷΑ͏ͳύϥϝʔλΛೖΕΔͱʁ
~shell.php?param=|%20rm%20-rf
$ dir | rm -rf
ࢮͷίϚϯυ͕࣮ߦ͞Εͯ͠·͍
·͢ɺɺɺ
Slide 24
Slide 24 text
24
O S ί Ϛ ϯ υ Π ϯ δ Σ Ϋ γ ϣ ϯ ͷ ର ࡦ
͜͜ʹೖΔҾʹରͯ͠ඞͣόϦ
σʔγϣϯΛ͔͚·͠ΐ͏ʂ
Slide 25
Slide 25 text
25
ࢀ ߟ จ ݙ
ɾ૯লHP
https://www.soumu.go.jp/main_sosiki/cybersecurity/kokumin/basic/basic_risk_11.html
ɾLaravelެࣜυΩϡϝϯτ
https://readouble.com/laravel/10.x/ja/
ɾCSRFͷجຊతͳରࡦͱLaravelʹ͓͚ΔCSRFରࡦͷ࣮ʹ͍ͭͯ
https://turningp.jp/network_and_security/csrf-laravel
ɾPHPͷηΩϡϦςΟରࡦ
https://qiita.com/oouaioi/items/98f1572208328ae5710d
Slide 26
Slide 26 text
26
· ͱ Ί
ɾϑϨʔϜϫʔΫΛ͑ɺେମͷ੬ऑੑճආͰ͖·͕͢ɺ੬ऑੑ͕ى͜ΔݪҼ
Λཧղ͍ͯ͠ͳ͍ͱةݥ͕͋Γ·͢ɻ
ɾͳͷͰɺͦΕͧΕͷ੬ऑੑΛཧղ্ͨ͠ͰίʔυΛॻ͖·͠ΐ͏ʂ
Slide 27
Slide 27 text
27
࣌ ؒ ͕ ༨ ͬ ͨ Β ɺ ͢
ࠓPHPΧϯϑΝϨϯεԭೄΛΔ͔͠Ε·ͤΜʂʂʂ
ΔͳΒɺ9݄͘Β͍Ͱ͢ʂ