Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Twilio と Web アプリ
連携におけるセキュリティ

Ca17a082a30f4cbfed1d0a6dacbe3af2?s=47 shin1x1
March 09, 2016
Technology
1
540

Twilio と Web アプリ
連携におけるセキュリティ

2016/02/27 TwilioJP-UG大阪&AWScean合同勉強会

Ca17a082a30f4cbfed1d0a6dacbe3af2?s=128

shin1x1

March 09, 2016
Tweet

More Decks by shin1x1

See All by shin1x1
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
0
900
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
3
2.7k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
0
1.8k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
2
3.6k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
1
4.3k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
5
4.7k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
23
4.7k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
4
1.1k
Ca17a082a30f4cbfed1d0a6dacbe3af2?s=48 shin1x1
5
8.9k

Other Decks in Technology

See All in Technology
6500a96a5f0786d7ff0c53429d691ae6?s=48 kazuhiro4949
1
190
7ff130a0c1a4966472a4bdfaaf05e791?s=48 chandi
0
100
462feb0fe0493c40d55650da664e8773?s=48 clustervr
PRO
0
160
1fbd94fe0e6c61f43710f4fbb7e1ecdf?s=48 hashiyaman
0
410
Cdf97a1b1b132c56582773c3ba09a3a6?s=48 rakus_dev
0
320
Cd891a89dfec6ca7bd278b5f5bd87c90?s=48 tzkoba
10
2.8k
F3358acf3b3f8423f2db7718b51b5022?s=48 pei0804
10
2.6k
2c51cbf972b0de2e0696c8a26c7d1f4b?s=48 matsuihidetoshi
2
930
7e20183342a040a32924a41343603286?s=48 konabuta
0
320
Dc20c893cac0daddd607dfc9a5855d27?s=48 amarelo_n24
0
170
462feb0fe0493c40d55650da664e8773?s=48 clustervr
PRO
0
150
646a01801bac1886ddf86aee2de913ed?s=48 miyukki
0
1k

Featured

See All Featured
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
587
210k
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
347
20k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
29
1k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
30
1.5k
Ae14cc4491ac334f9cd23f9f93b4305e?s=48 orderedlist
PRO
331
36k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
101
11k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
30
3.6k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
8
960
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
245cee81a9c424266e5e401d844ea881?s=48 lara
591
61k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
221
15k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
73
1.5k

Transcript

  1. ɹ@shin1x1 2016/02/27 TwilioJP-UG大阪&AWScean合同勉強会 5XJMJPͱ8FCΞϓϦ
 ࿈ܞʹ͓͚ΔηΩϡϦςΟ

  2. https://github.com/shin1x1/twilio-api-security-demo

  3. 5XJMJPͱ8FCΞϓϦͷ࿈ܞ

  4. αϯϓϧΞϓϦέʔγϣϯ D .BTBTIJ4IJOCBSB!TIJOY wձһ޲͚ϙΠϯτ؅ཧγεςϜ wి࿩Λ͔͚ΔͱݱࡏͷϙΠϯτ͕ฉ͚Δ wి࿩൪߸Ͱೝূ

  5. D .BTBTIJ4IJOCBSB!TIJOY ి࿩Λ͔͚Δ 図 図 - twilio 図 図 -

    twilio Twilio Webαʔό ձһ YYYYYYYY

  6. D .BTBTIJ4IJOCBSB!TIJOY ి࿩൪߸͕ૹΒΕΔ 図 図 - twilio 図 図 -

    twilio )551ϦΫΤετ
 'SPNYYYYYYYY ʢൃ৴ݩి࿩൪߸ʣ

  7. D .BTBTIJ4IJOCBSB!TIJOY ձһೝূ 図 図 - twilio 図 図 -

    twilio YYYYYYͰ%#Λࢀরͯ͠ ձһΛಛఆ͢Δ

  8. D .BTBTIJ4IJOCBSB!TIJOY ৘ใΛ9.-Ͱฦ͢ 図 図 - twilio 図 図 -

    twilio 5XJ.-ʢ9.-ʣΛฦ͢

  9. D .BTBTIJ4IJOCBSB!TIJOY ৘ใΛ5XJ.-Ͱฦ͢ 図 図 - twilio 図 図 -

    twilio 5XJ.-ʢ9.-ʣΛฦ͢  YNMWFSTJPOFODPEJOH65'  3FTQPOTF 4BZWPJDFXPNBOMBOHVBHFKB+1
 ླ໦͞ΜͷϙΠϯτ͸ϙΠϯτͰ͢ɻ 4BZ 3FTQPOTF

  10. D .BTBTIJ4IJOCBSB!TIJOY Ի੠Λྲྀ͢ 図 図 - twilio 図 図 -

    twilio Ի੠࠶ੜ

  11. D .BTBTIJ4IJOCBSB!TIJOY σϞ

  12. D .BTBTIJ4IJOCBSB!TIJOY ى͜Γ͏Δ໰୊

  13. D .BTBTIJ4IJOCBSB!TIJOY )551ͷੈք 図 図 - twilio 図 図 -

    twilio Twilio Webαʔό ձһ

  14. D .BTBTIJ4IJOCBSB!TIJOY ِ૷ϦΫΤετ 図 図 - twilio 図 図 -

    twilio ి࿩൪߸Λ 1045

  15. D .BTBTIJ4IJOCBSB!TIJOY ِ૷ϦΫΤετ 図 図 - twilio 図 図 -

    twilio 5XJ.-Λ औಘ

  16. D .BTBTIJ4IJOCBSB!TIJOY ِ૷ϦΫΤετ 図 図 - twilio 図 図 -

    twilio Twilio Webαʔό ձһ DVSME'SPN#
 IUUQTFYBNQMFDPNBQJDBMMJOH  YNMWFSTJPOFODPEJOH65'  3FTQPOTF 4BZWPJDFXPNBOMBOHVBHFKB+1
 ాத͞ΜͷϙΠϯτ͸ϙΠϯτͰ͢ɻ 4BZ 3FTQPOTF

  17. D .BTBTIJ4IJOCBSB!TIJOY 5XJMJPΛِͬͨϦΫΤετ wِ૷ͨ͠ϦΫΤετΛ8FCΞϓϦʹૹ৴ w৘ใऔಘɺૢ࡞ͳͲͷෆਖ਼ར༻ͷՄೳੑ

  18. D .BTBTIJ4IJOCBSB!TIJOY ରࡦ

  19. ِ૷ϦΫΤετରࡦ D .BTBTIJ4IJOCBSB!TIJOY  ௨৴ܦ࿏ͷ҉߸Խ  ௨৴ݩΛ੍ݶ  ϦΫΤετΛݕূ

  20. D .BTBTIJ4IJOCBSB!TIJOY ௨৴ܦ࿏ͷ҉߸Խ w)5514Λར༻͢Δ wࣗݾॺ໊ͷূ໌ॻ͸/( w5-4Λར༻ʢ44-W͸ɺഇࢭ༧ఆʣ

  21. D .BTBTIJ4IJOCBSB!TIJOY 8FCΞϓϦέʔγϣϯͷΤϯυϙΠϯτ IUUQTʹ͢Δ

  22. D .BTBTIJ4IJOCBSB!TIJOY ௨৴ݩΛ੍ݶ w)551#BTJDೝূ%JHFTUೝূ wϢʔβɺύεϫʔυΛ63-ʹؚΊΔ wIUUQTVTFSQBTT!FYBNQMFDPN

  23. D .BTBTIJ4IJOCBSB!TIJOY *1ΞυϨεʹΑΔ੍ݶ͸ʁ https://www.twilio.com/help/faq/twilio-basics/which-ip-addresses-will-twilios-requests-come- from w5XJMJPͷૹ৴ݩ*1ΞυϨε͸ඇެ։ w୅ΘΓʹϦΫΤετͷݕূΛߦ͏ wͲ͏ͯ͠΋ඞཁͳΒ૬ஊ

  24. D .BTBTIJ4IJOCBSB!TIJOY ϦΫΤετͷݕূ ɾ5XJMJP͔ΒͷϦΫΤετͰ͋Δ͜ͱΛ֬ೝ wଥ౰Ͱ͋Ε͹ॲཧΛ࣮ߦ wͦ͏Ͱͳ͚Ε͹ॲཧΛதஅʢΤϥʔʣ

  25. D .BTBTIJ4IJOCBSB!TIJOY )."$4)"ॺ໊ʹΑΔݕূ ɾ95XJMJP4JHOBUVSFϔομ wॴఆͷΞϧΰϦζϜͰॺ໊Λࢉग़ w্هɺ̎ͭΛൺֱͯ͠߹க͢Ε͹PL

  26. 95XJMJP4JHOBUVSFϔομ 95XJMJP4JHOBUVSF TOEGBQB2 N11;6MO-L)X

  27. ॺ໊ࢉग़ ɾ63-IUUQTFYBNQMFDPNDBMMJOH ɾ1045ύϥϝʔλʢΩʔͰιʔτʣ
 ,FZWBMVF ,FZWBMVF 'SPN  IUUQTFYBNQMFDPNDBMMJOH
 'SPN ,FZWBMVF,FZWBMVF

  28. ॺ໊ࢉग़ ɾ"VUI5PLFOΛΩʔʹͯ͠ɺ)."$4)"ॺ໊ ɾCBTFͰΤϯίʔυ TOEGBQB2 N11;6MO-L)X IUUQTFYBNQMFDPNDBMMJOH
 ,FZWBMVF,FZWBMVF'SPN 

  29. ॺ໊͕Ұக͢Δ͔ ੜ੒ͨ͠ॺ໊ TOEGBQB2 N11;6MO-L)X 95XJMJP4JHOBUVSF TOEGBQB2 N11;6MO-L)X ߹க͢ΔͷͰɺ5XJMJP͔ΒͷϦΫΤετͱΈͳ͢

  30. UXJMJPTELʹΑΔݕূ $validator = new Services_Twilio_RequestValidator($authToken);
 
 // ϔομ͔Βॺ໊औಘ $signature =

    $request->header('X-Twilio-Signature');
 
 // URL औಘ Request::setTrustedProxies([$request->getClientIp()]);
 $url = $request->getUri();
 
 // POST ύϥϝʔλऔಘ $postParameters = $request->input();
 
 // ॺ໊ݕূ if (!$validator->validate($signature, $url, $postParameters)) {
 // OK
 } else {
 // NG
 }

  31. ·ͱΊ D .BTBTIJ4IJOCBSB!TIJOY w5XJMJPͱ8FCΞϓϦέʔγϣϯ͸
 )551 4 Ͱ࿈ܞ wِ૷ϦΫΤετ͕ૹ৴͞ΕΔ͜ͱΛҙࣝ w5XJMJPެࣜυΩϡϝϯτΛࢀߟʹ https://jp.twilio.com/docs/api/security