Web Application Hardening (Boot Camp 2019) Day 2 環境編

8FC"QQMJDBUJPO)BSEFOJOH #PPU$BNQ %BZ؀ڥฤ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ ϓϩμΫςΟϏςΟΤϯδχΞϦϯά෦ ϓϥοτϑΥʔϜηΩϡϦςΟάϧʔϓ ฏদ ߞี ੢ଜ फߊ

ԋशͷ؀ڥ

1SPKFDUSUDCPPUDBNQTFDVSJUZB νʔϜ" νʔϜ# νʔϜ$ νʔϜ% 1SPKFDUSUDCPPUDBNQTFDVSJUZC 1SPKFDUSUDCPPUDBNQTFDVSJUZD 1SPKFDUSUDCPPUDBNQTFDVSJUZE $MPVE4PVSDF
3FQPTJUPSJFT $MPVE#VJME $POUBJOFS 3FHJTUSZ $PNQVUF &OHJOF σϓϩΠ ߨࢣ ࣗಈ Ϗϧυ ίϯςφ ֨ೲ HJUQVTI 5$1ʹ߈ܸ

1SPKFDUSUDCPPUDBNQTFDVSJUZB νʔϜ" νʔϜ# νʔϜ$ νʔϜ% 1SPKFDUSUDCPPUDBNQTFDVSJUZC 1SPKFDUSUDCPPUDBNQTFDVSJUZD 1SPKFDUSUDCPPUDBNQTFDVSJUZE $MPVE4PVSDF
3FQPTJUPSJFT $MPVE#VJME $POUBJOFS 3FHJTUSZ $PNQVUF &OHJOF σϓϩΠ 5$1ʹ߈ܸ ߨࢣ ࣗಈ Ϗϧυ ίϯςφ ֨ೲ HJUQVTI ʜࣗಈతʹΠϝʔδ͕Ϗϧυ ͞Εɺ($&Πϯελϯε΁ ίϯςφ͕σϓϩΠ͞ΕΔʂ HJUͰϦϙδτϦͷ NBTUFSϒϥϯν΁ ίϛοτΛQVTI͢Δͱʜ

σϓϩΠ·Ͱͷखॱ

- $ - - -- ͜Ε͸"νʔϜͷ৔߹ खॱ($1ϓϩδΣΫτͷ੾Γସ͑ • HDMPVEίϚϯυΛ࢖༻ͯ͠σϑΥϧτϓϩδΣΫτΛࣗνʔϜͷϓϩ
δΣΫτʹมߋ͠·͢ • ϓϩδΣΫτ໊຤ඌͷΞϧϑΝϕοτΛࣗ෼ͷνʔϜͷ΋ͷʹมߋͯͩ͘͠ ͍͞ • ͜ͷखॱ͸࠷ॳʹ౓͚ͩߦ͑͹0,Ͱ͢

खॱ$MPVE4PVSDF3FQPTJUPSZ͔ΒιʔείʔυΛऔಘ 2 0 2 0 01 • $43্ͷϦϙδτϦҰཡΛ֬ೝ͠·͢ •
CBETOT͕ຊԋश༻ϦϙδτϦ • ϦϙδτϦΛΫϩʔϯ͠·͢ • ιʔείʔυͷฤू • ͓޷ΈͷΤσΟλͰฤू͍ͯͩ͘͠͞ • (JUίϚϯυͰιʔείʔυΛ؅ཧͰ͖·͢ • $43͸(JU)VCͷ($1൛ͷΑ͏ͳ΋ͷͰ͢ɻࣗ༝ʹϒϥϯν੾ͬͨΓͯ͠0,Ͱ͢ 2 0 2 0 $ 0 0

खॱΞϓϦͷσϓϩΠ • (JUίϚϯυΛ࢖ͬͯ$43ͷNBTUFSϒϥϯν΁QVTI͢Ε͹ࣗಈతʹ($& Πϯελϯε΁ίϯςφ͕σϓϩΠ͞Ε·͢ • σϓϩΠʹ͔͔Δ࣌ؒ͸Ϗϧυ࣌ʹͲΕ͚ͩΩϟογϡΛޮ͔ͤΒΕΔ ͔ʹΑͬͯҟͳΓ·͢ • ໨҆
• ιʔείʔυͷΈͷมߋʙ෼ఔ౓ • (FNGJMFͷมߋ෼ఔ౓ • BQUHFUपΓͷมߋ෼ఔ౓ • ϕʔεΠϝʔδͷมߋ෼ఔ౓ - $ -

खॱ($&ΠϯελϯεΛ֬ೝ • ($&ΠϯελϯεͷҰཡΛ֬ೝ͠·͢ • CBETOTWN͕ຊԋश༻Πϯελϯε • CBETOTWNͷ&95&3/"-@*1Λ63-ͱͯ͠ϒϥ΢βʹೖྗ͠ɺࣗνʔϜ ͷ#BE4/4΁ΞΫηε͢Ε͹σϓϩΠ͞ΕͨΞϓϦΛ֬ೝͰ͖·͢ •
. • ϒϥ΢βͰ($1ίϯιʔϧ͔ΒΞΫηε͢Ε͹44)Ͱ௚઀தʹೖΔ͜ͱ ΋Ͱ͖·͢ • ./ $ / $ $ $ . / $ / $ $ . / $ / /

5JQT$POUBJOFS3FHJTUSZ͔Β%PDLFSΠϝʔδΛऔಘ - 1 9 9 . /-9 0 •
%PDLFSʹ($1ೝূઃఆΛ௥Ճ͠·͢ • $3্ͷ%PDLFSΠϝʔδҰཡΛ֬ೝ͠·͢ • HDSJPSUDCPPUDBNQTFDVSJUZ CBETOT͕ຊԋशͷΠϝʔδ • %PDLFSΠϝʔδΛQVMM͠·͢ - 1 9 / /2 - 1/ 0 911 - / 2 9 / $

5JQTϩʔΧϧͰͷΠϝʔδϏϧυˍಈ࡞֬ೝ • ιʔείʔυΛมߋͨ͠ΒσϓϩΠ͢ΔલʹϩʔΧϧͰಈ࡞֬ೝΛߦ͏͜ͱ Λڧ͘ਪ঑͠·͢ʂ • ιʔείʔυมߋޙɺEPDLFSίϚϯυͰΠϝʔδΛϏϧυ͠ͳ͓͠ɺίϯς φΛ࡞Γ௚ͤ͹σϓϩΠ͞ΕΔίϯςφͱಉ͡ঢ়ଶͰಈ࡞͕֬ೝͰ͖·͢ • ίϯςφͷىಈ΍ऴྃͳͲ͸ݕࠪͷࡍͱಉ༷Ͱ͢ʢΠϝʔδ໊Ҏ֎ʣ
$ 0- 9/1 8 . / 8 8 2 - 9 /8 $ 0- 9 /:/1-.- 2 $ 2- $ . / 8 8 2 - 9 /8 $

ԋशͷਐΊํ

ԋशʹ͍ͭͯ • νʔϜԋश • νʔϜͰڠྗͯ͠੬ऑੑΛमਖ਼͠ɺΞϓϦέʔγϣϯΛ ($&ΠϯελϯεʹσϓϩΠ͍ͯͩ͘͠͞ • ߨࢣਞ͕ॱ࣍($&Πϯελϯεʹ߈ܸΛ࢓ֻ͚ɺमਖ਼ঢ় گΛνΣοΫ͍͖ͯ͠·͢ •
ٳܜ͸֤νʔϜͰࣗ༝ͳ࣌ؒʹऔͬͯ΋Βͬͯ0,Ͱ͢ • ੬ऑੑɾରࡦͷղઆ • ܭݸͷ੬ऑੑʹ͍ͭͯɺ۩ମతͳ߈ܸํ๏ͱରࡦํ๏ ͷղઆΛߦ͍·͢ 3 1 0 3 1

είΞγʔτʹ͍ͭͯ • ֤νʔϜͷਐ௙ঢ়گΛϦΞϧλΠϜ࠾఺͠ ·͢ • ֤੬ऑੑʹ͍ͭͯɺ໰୊ͳ͘मਖ਼͞Ε͍ͯ ͨΒ఺ɺमਖ਼͞Ε͍ͯΔ͕ෆ׬શͳ৔߹͸ ఺ɺ੬ऑͳ··ͷ৔߹͸఺ͱͯ͠Χ΢ϯ τ
• ߨࢣਞ͸$43্ͷιʔείʔυͱ($&Πϯ ελϯεͷಈ࡞Λݩʹɺख࡞ۀͱ໨ࢹͰॱ ࣍࠾఺͍͖ͯ͠·͢ɻ൓ө·Ͱϥά͕͋Γ ·͕͓͢ڐ͍ͩ͘͠͞

मਖ਼࣌ͷ஫ҙ఺ • 8FCΞϓϦͷػೳ͕ݩͷ௨Γਖ਼ৗʹಈ࡞͢ΔΑ͏ʹ͍ͯͩ͘͠͞ • ਖ਼ৗʹಈ࡞͍ͯ͠ͳ͍ػೳ͸੬ऑੑ͕௚͍ͬͯͳ͍΋ͷͱΈͳ͠·͢ • %#ͷॳظσʔλ͸ফ͞ͳ͍Ͱ͍ͩ͘͞ • ࠾఺࣌ʹ͸ݩʑొ࿥͞Ε͍ͯΔϢʔβͱͯ͠ϩάΠϯ͠ɺݕࠪΛߦ͏ͨΊɺϩά
ΠϯͰ͖ͳ͍৔߹ʹ͸είΞͷߋ৽͕ࢭ·Γ·͢ • %#ʹؔ͢ΔมߋΛߦ͏৔߹͸੔߹ੑ͕յΕͳ͍Α͏ʹ஫ҙ͍ͯͩ͘͠͞ • *%OJTIJNVOFB 18ͰϩάΠϯͰ͖ͳ͍৔߹͸Կ͔͕ؒҧ͍ͬͯ·͢

આ໌͸Ҏ্Ͱ͢ ԋशɺؤு͍ͬͯͩ͘͞ʂ

Web Application Hardening (Boot Camp 2019) Day ...

Web Application Hardening (Boot Camp 2019) Day 2 環境編

Recruit Technologies

More Decks by Recruit Technologies

Other Decks in Technology

Featured

Transcript

8FC"QQMJDBUJPO)BSEFOJOH #PPU$BNQ %BZ؀ڥฤ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ ϓϩμΫςΟϏςΟΤϯδχΞϦϯά෦ ϓϥοτϑΥʔϜηΩϡϦςΟάϧʔϓ ฏদ ߞี ੢ଜ फߊ

ԋशͷ؀ڥ

1SPKFDUSUDCPPUDBNQTFDVSJUZB νʔϜ" νʔϜ# νʔϜ$ νʔϜ% 1SPKFDUSUDCPPUDBNQTFDVSJUZC 1SPKFDUSUDCPPUDBNQTFDVSJUZD 1SPKFDUSUDCPPUDBNQTFDVSJUZE $MPVE4PVSDF

1SPKFDUSUDCPPUDBNQTFDVSJUZB νʔϜ" νʔϜ# νʔϜ$ νʔϜ% 1SPKFDUSUDCPPUDBNQTFDVSJUZC 1SPKFDUSUDCPPUDBNQTFDVSJUZD 1SPKFDUSUDCPPUDBNQTFDVSJUZE $MPVE4PVSDF

σϓϩΠ·Ͱͷखॱ

- $ - - -- ͜Ε͸"νʔϜͷ৔߹ खॱ($1ϓϩδΣΫτͷ੾Γସ͑ • HDMPVEίϚϯυΛ࢖༻ͯ͠σϑΥϧτϓϩδΣΫτΛࣗνʔϜͷϓϩ

खॱ$MPVE4PVSDF3FQPTJUPSZ͔ΒιʔείʔυΛऔಘ 2 0 2 0 01 • $43্ͷϦϙδτϦҰཡΛ֬ೝ͠·͢ •

खॱΞϓϦͷσϓϩΠ • (JUίϚϯυΛ࢖ͬͯ$43ͷNBTUFSϒϥϯν΁QVTI͢Ε͹ࣗಈతʹ($& Πϯελϯε΁ίϯςφ͕σϓϩΠ͞Ε·͢ • σϓϩΠʹ͔͔Δ࣌ؒ͸Ϗϧυ࣌ʹͲΕ͚ͩΩϟογϡΛޮ͔ͤΒΕΔ ͔ʹΑͬͯҟͳΓ·͢ • ໨҆

खॱ($&ΠϯελϯεΛ֬ೝ • ($&ΠϯελϯεͷҰཡΛ֬ೝ͠·͢ • CBETOTWN͕ຊԋश༻Πϯελϯε • CBETOTWNͷ&95&3/"-@*1Λ63-ͱͯ͠ϒϥ΢βʹೖྗ͠ɺࣗνʔϜ ͷ#BE4/4΁ΞΫηε͢Ε͹σϓϩΠ͞ΕͨΞϓϦΛ֬ೝͰ͖·͢ •

5JQT$POUBJOFS3FHJTUSZ͔Β%PDLFSΠϝʔδΛऔಘ - 1 9 9 . /-9 0 •

ԋशͷਐΊํ

ԋशʹ͍ͭͯ • νʔϜԋश • νʔϜͰڠྗͯ͠੬ऑੑΛमਖ਼͠ɺΞϓϦέʔγϣϯΛ ($&ΠϯελϯεʹσϓϩΠ͍ͯͩ͘͠͞ • ߨࢣਞ͕ॱ࣍($&Πϯελϯεʹ߈ܸΛ࢓ֻ͚ɺमਖ਼ঢ় گΛνΣοΫ͍͖ͯ͠·͢ •

είΞγʔτʹ͍ͭͯ • ֤νʔϜͷਐ௙ঢ়گΛϦΞϧλΠϜ࠾఺͠ ·͢ • ֤੬ऑੑʹ͍ͭͯɺ໰୊ͳ͘मਖ਼͞Ε͍ͯ ͨΒ఺ɺमਖ਼͞Ε͍ͯΔ͕ෆ׬શͳ৔߹͸ ఺ɺ੬ऑͳ··ͷ৔߹͸఺ͱͯ͠Χ΢ϯ τ

मਖ਼࣌ͷ஫ҙ఺ • 8FCΞϓϦͷػೳ͕ݩͷ௨Γਖ਼ৗʹಈ࡞͢ΔΑ͏ʹ͍ͯͩ͘͠͞ • ਖ਼ৗʹಈ࡞͍ͯ͠ͳ͍ػೳ͸੬ऑੑ͕௚͍ͬͯͳ͍΋ͷͱΈͳ͠·͢ • %#ͷॳظσʔλ͸ফ͞ͳ͍Ͱ͍ͩ͘͞ • ࠾఺࣌ʹ͸ݩʑొ࿥͞Ε͍ͯΔϢʔβͱͯ͠ϩάΠϯ͠ɺݕࠪΛߦ͏ͨΊɺϩά

આ໌͸Ҏ্Ͱ͢ ԋशɺؤு͍ͬͯͩ͘͞ʂ