Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beginners CTF 2020で学ぶWebセキュリティ(入門編)

Tsubasa
October 18, 2020
11
4.3k

Beginners CTF 2020で学ぶWebセキュリティ(入門編)

2020/10/18 @ SECCON Beginners Live

Tsubasa

October 18, 2020
Tweet

More Decks by Tsubasa

See All by Tsubasa
コンテナとその実行基盤を取り巻くセキュリティの基礎と実践 (セキュリティ・ミニキャンプ オンライン 2021 講義資料) / Fundamentals and Practices of Security around Containers and their Execution Infrastructure
tsubasa_umeuchi
2
2.8k

Featured

See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
502
140k
Pencils Down: Stop Designing & Start Developing
hursman
118
11k
Statistics for Hackers
jakevdp
792
220k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
155
14k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
78
15k
From Idea to $5000 a Month in 5 Months
shpigford
377
46k
Being A Developer After 40
akosma
72
580k
Designing with Data
zakiwarfel
96
5k
4 Signs Your Business is Dying
shpigford
178
21k
Build your cross-platform service in a week with App Engine
jlugia
227
17k
Automating Front-end Workflow
addyosmani
1362
200k
Visualization
eitanlees
139
14k

Transcript

  1.          

    4&$$0/#FHJOOFST 5TVCBTB !4[SOZ #FHJOOFST$5'ͰֶͿ 8FCηΩϡϦςΟ ೖ໳ฤ 4&$$0/#FHJOOFST-JWF

  2. #ctf4b ക಺ཌྷ 6NFVDIJ5TVCBTB   !4[SOZ ॴଐ  4&$$0/#FHJOOFSTӡӦνʔϜ 

    ๺཮ઌ୺Պֶٕज़େֶӃେֶઌ୺Պֶٕज़ݚڀՊ  'MBUU4FDVSJUZ*OD ڵຯྖҬ  ΫϥΠΞϯταΠυͷ8FCηΩϡϦςΟ  N#BB4  Ծ૝Խɾίϯςφٕज़  $MPVE/BUJWF ͸͡Ίʹ ࣗݾ঺հ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 2 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  3. #ctf4b ͸͡Ίʹ ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 3 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  4. #ctf4b Ұൠʹެ։͞Ε͍ͯΔ8FCΞϓϦέʔγϣϯʹରͯ͠ ຊൃදͰઆ໌͢Δ߈ܸख๏Λ࣮ߦ͠ͳ͍Ͱ͍ͩ͘͞  ର৅ͱͳΔαʔό΍8FCΞϓϦέʔγϣϯʹର͢Δ߈ܸ͕ڐՄ͞Ε͍ͯΔ͔Λ ֬ೝ্ͨ͠Ͱࢼ͢Α͏ʹ͍ͯͩ͘͠͞ ిࢠܭࢉػଛյ౳ۀ຿๦֐ࡑ  ۀ຿ʹ࢖༻͢Δిࢠܭࢉػʹڏِͷ৘ใए͘͠͸ෆਖ਼ͳࢦྩΛ༩͑ ਓͷۀ຿Λ๦֐ͨ͠ऀ͸

    ِܭۀ຿๦֐ࡑ  ِܭΛ༻͍ͯͦͷۀ຿Λ๦֐ͨ͠ऀ͸ ి࣓తه࿥ෆਖ਼࡞ग़ٴͼڙ༻ͷࡑ  ࣄ࣮ূ໌ʹؔ͢Δి࣓తه࿥Λෆਖ਼ʹ࡞ͬͨऀ͸ ͸͡Ίʹ ๏తɾྙཧతͳ஫ҙࣄ߲ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 4 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  5. #ctf4b ࣭໰ɾײ૝͸DUGC΁ʂ ͸͡Ίʹ ࣭໰ɾײ૝ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 5 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ

     4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  6. #ctf4b "HFOEB ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 6 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  7. #ctf4b 8FC 8PSME8JEF8FC   Πϯλʔωοτ্ʹల։͞ΕͨϋΠύʔςΩετࢀরγεςϜ  ༷ʑͳϦιʔε͕)551 4 Λ௨ͯ͠΍ΓऔΓ͞ΕΔ

    w )5.-ɺ$44ɺ+BWB4DSJQUɺϚϧνϝσΟΞϑΝΠϧɺ 8FCηΩϡϦςΟ  8FCΞϓϦέʔγϣϯ΍8FCΫϥΠΞϯτ౳ʹର͢Δ߈ܸ͔Βର৅Λอޢ͢Δ͜ͱ  8FCΛߏ੒͢ΔΤίγεςϜʹର͢Δ߈ܸख๏͸ଟذʹ౉Δ w ΞϓϦέʔγϣϯ্Ͱൃੜ͢Δ߈ܸ42-J 04$J %JS5SBW 443' FUD w ΫϥΠΞϯτ্Ͱൃੜ͢Δ߈ܸ944 $43' 944FBSDI 94-FBLT FUD *OUSPEVDUJPO 8FCͱ8FCηΩϡϦςΟ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 7 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  8. #ctf4b $5'ʹ͓͚Δ8FC໰୊  ఏࣔ͞ΕΔ8FCΞϓϦέʔγϣϯʹଘࡏ͢Δ੬ऑੑʹରͯ͠߈ܸΛߦ͍ɺ'MBHΛऔಘ͢Δ 'MBH͕഑ஔ͞Ε͍ͯΔ৔ॴ  8FCαʔό্ʹଘࡏ͢Δຊདྷ͸ΞΫηεͰ͖ͳ͍͸ͣͷϑΝΠϧ  ؅ཧऀݖݶΛ࣋ͭΑ͏ͳϢʔβ͔͠ΞΫηεͰ͖ͳ͍͸ͣͷϖʔδ 

    σʔλϕʔε಺ͷϨίʔυ  αΠτ؅ཧऀͷΫϥΠΞϯτΛ໛ͨ͠Ϋϩʔϥͷ$PPLJF *OUSPEVDUJPO $5'ʹ͓͚Δ8FC໰୊ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 8 ߈ܸ ᠘ϖʔδʹ༠ಋ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  9. #ctf4b 8FC໰୊ʹର͢ΔΞϓϩʔν  ιʔείʔυ͕഑෍͞Ε͍ͯΔ͔൱͔ʹΑͬͯେ͖͘ҟͳΔ ιʔείʔυ͕഑෍͞Ε͍ͯΔ৔߹  ιʔείʔυΛಡΜͰ੬ऑͳ࣮૷͕ߦΘΕ͍ͯΔՕॴΛ୳͢  ൃݟͨ͠੬ऑੑΛΤΫεϓϩΠτͰ͖ΔΑ͏ͳ߈ܸख๏Λߟ͑ͯ ௐ΂ͯ

    ࣮ߦ͢Δ ιʔείʔυ͕഑෍͞Ε͍ͯͳ͍৔߹  ༷ʑͳϦΫΤετΛૹ৴͢Δ͜ͱͰ৘ใऩूΛߦ͏ w ͲͷΑ͏ͳαʔόͰΞϓϦέʔγϣϯ͕ಈ࡞͍ͯ͠Δͷ͔ w ϑΥʔϜͷσʔλ͸Ͳ͜ʹૹ৴͞ΕɺͲͷΑ͏ʹॲཧ͞ΕΔͷ͔ w ߈ܸ༻ͷσʔλ͕ૹ৴Ͱ͖ͦ͏ͳ৔ॴ͸Ͳ͔͜  ੬ऑͳ࣮૷͕ߦΘΕ͍ͯΔ ͱߟ͑ΒΕΔ ػೳΛΤΫεϓϩΠτͰ͖ΔΑ͏ͳ ߈ܸख๏Λߟ͑ͯ ௐ΂ͯʣ࣮ߦ͢Δ *OUSPEVDUJPO 8FC໰୊ʹର͢ΔΞϓϩʔν 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 9 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  10. #ctf4b )551 4   )ZQFS5FYU5SBOTGFS1SPUPDPM w ओʹόʔδϣϯ )551 

    w DG3'$3'$  8FCʹ͓͚Δίϯςϯπͷ΍ΓऔΓ͸ ΄ͱΜͲ )551্ͰߦΘΕΔ  ϦΫΤετ΍Ϩεϙϯεͷߏ଄ɺϔομʔͷछྨͱҙຯʹ͍ͭͯͷ஌͕ࣝॏཁ ίϯςϯπ  )5.- $44 +BWB4DSJQU FUD  ఏڙ͞ΕΔίϯςϯπ͕ಡղͰ͖Ε͹0, w ಛʹ+BWB4DSJQUʹؔͯ͠͸ɺ࣮૷·ͰͰ͖Δͱͳ͓ྑ͍Ͱ͢ αʔόɾΞϓϦέʔγϣϯɾΠϯϑϥ  ༷ʑͳݴޠ FH1ZUIPO 1)1 (P /PEFKT Ͱ࣮૷͞ΕͨΞϓϦέʔγϣϯίʔυͷಡղ ո͍࣮͠૷ʹؾͮ͘ᄿ֮   42-ʹΑΔΫΤϦͷߏங  8FCαʔό FHOHJOY ΍Πϯϑϥ FH%PDLFS ͷίϯϑΟάϨʔγϣϯͷಡղ πʔϧ  ϩʔΧϧϓϩΩγ FH#VSQ4VJUF ΍3&45ΫϥΠΞϯτɺ%FW5PPMT౳Λ࢖͍͜ͳͤΔͱศརͰ͢ *OUSPEVDUJPO 8FC໰୊Λղͨ͘Ίʹඞཁͳ஌ࣝɾٕज़ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 10 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  11. #ctf4b *OUSPEVDUJPO #FHJOOFST$5'ͷ݁Ռ 8FC 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 11 ໰୊໊ ૝ఆ೉қ౓ ಘ఺

    ղ౴਺ ςʔϚ Spy Beginner 55pts 441solves ೝূ λΠϛϯά߈ܸ Tweetstore Easy 150pts 150solves SQL Injeciton unzip Easy 188pts 118solves Zip Slip DirTrav profiler Medium 301pts 59solves GraphQL Somen Hard 421pts 20solves CSP Bypassing *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  12. #ctf4b *OUSPEVDUJPO #FHJOOFST$5'ͷ݁Ռ 8FC 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 12 ໰୊໊ ૝ఆ೉қ౓ ಘ఺

    ղ౴਺ શνʔϜ ςʔϚ Spy Beginner 55pts 441solves ೝূ λΠϛϯά߈ܸ Tweetstore Easy 150pts 150solves SQL Injeciton unzip Easy 188pts 118solves Zip Slip DirTrav profiler Medium 301pts 59solves GraphQL Somen Hard 421pts 20solves CSP Bypassing *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  13. #ctf4b ͸͡Ίʹ ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 13 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  14. #ctf4b 4QZ  ೉қ౓#FHJOOFS  QUTTPMWFT w 8FMDPNF FNPFNPFODPEFͷ࣍ʹਖ਼౴ͷଟ͔ͬͨ໰୊Ͱͨ͠ ໰୊ͷ֓ཁ

     ΞϓϦέʔγϣϯͷιʔείʔυͱैۀһͷ໊લ͕ॻ͔ΕͨςΩετϑΝΠϧ͕഑෍͞ΕΔ  ΞϓϦέʔγϣϯ͸ϩάΠϯϖʔδͱճ౴ϖʔδ͔Βߏ੒͞ΕΔ  ճ౴ϖʔδ͔ΒΞϓϦέʔγϣϯʹొ࿥͞Ε͍ͯΔैۀһΛྻڍͰ͖Ε͹ΫϦΞ ࡞໰ͷഎܠ  8FCΞϓϦέʔγϣϯʹ͓͚Δ҆શͳೝূ৘ใͷอ؅ͷͨΊͷख๏Λཧղ͍ͯ͠Δ͔  ॲཧͷ࣌ؒࠩʹىҼ͢Δ੬ऑੑΛൃݟ͢Δ͜ͱ͕Ͱ͖Δ͔  ϩάΠϯܥͷ໰୊͸ͨ͘͞Μ͋ΔͷͰɺ͋͑ͯϩάΠϯͰ͖ͳͯ͘΋ղ͚Δ໰୊Λ 4QZ ໰୊ͷ֓ཁ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 14 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  15. #ctf4b 4QZ εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 15 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  16. #ctf4b 4QZ εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 16 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  17. #ctf4b 4QZ ໰୊ͷιʔείʔυ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 17 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  18. #ctf4b ೝূ৘ใ  8FCΞϓϦέʔγϣϯ͸ԟʑʹͯ͠ೝূ ͢ͳΘͪϩάΠϯ Λඞཁͱ͢Δ  *%ٴͼύεϫʔυʹΑΔೝূ͕ओྲྀ ΋͠ύεϫʔυΛฏจͰσʔλϕʔεʹอଘ͍ͯ͠Δͱ 

    ύεϫʔυ࿙Ӯͷࡍʹෆਖ਼ͳϩάΠϯ͕ߦΘΕΔةݥੑ  ଞαʔϏεʹύεϫʔυΛ࢖͍·Θ͍ͯ͠Δ৔߹ɺ ύεϫʔυϦετ߈ܸ͕੒ޭͯ͠͠·͏ ରࡦ  ύεϫʔυอଘ࣌ʹϋογϡؔ਺ʹΑΔϋογϡԽΛߦ͏  ϋογϡԽͷࡍʹɺύεϫʔυʹϥϯμϜͳ஋ 4BMU ΛՃ͑Δ w ಉ͡ύεϫʔυͰ΋ϋογϡ஋͕ҟͳΔΑ͏ʹ͢ΔͨΊ  ϋογϡԽΛෳ਺ճߦ͏ 4USFUDIJOH  w ϒϧʔτϑΥʔε߈ܸ΁ͷ଱ੑΛ࣋ͨͤΔͨΊ 4QZ 8FCΞϓϦέʔγϣϯʹ͓͚Δೝূ৘ใͷ؅ཧ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 18 ID Password Alice p455w0rd Bob qwerty ... QXSE :JS)% ύεϫʔυ 4BMU ϋογϡؔ਺ FH4)" CFGDCGCDC ࣮ࡍʹ֨ೲ͢Δ஋ ˞ෳ਺ճ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  19. #ctf4b 4QZ 4USFUDIJOHͱλΠϛϯά߈ܸ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 19 4USFUDIJOHͱॲཧ࣌ؒ  ϋογϡؔ਺Λෳ਺ճ࣮ߦ͢ΔͷͰ͋Δఔ౓͕͔͔࣌ؒΔ 

    FH4)"ͷ৔߹ w ճTFD w ճTFD w ճTFD w ճTFD λΠϛϯά߈ܸ  αΠυνϟωϧ߈ܸͷҰछ  ͋Δॲཧͷಈ࡞͔࣌ؒΒຊདྷղੳͰ͖ͳ͍͸ͣͷ৘ใΛղੳ͢Δ w ༨ஊ944FBSDI΍94-FBLT΋͜ΕͷҰछ DGIUUQTHJUIVCDPNYTMFBLTYTMFBLT *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  20. #ctf4b 4QZ ໰୊ͷιʔείʔυ ࠶ܝ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 20 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ

     4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  21. #ctf4b 4QZ ໰୊ͷιʔείʔυͱ஫໨͢΂͖ϙΠϯτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 21 ΞΧ΢ϯτ͕ ଘࡏ͢Δʁ 4BMU 

    4USFUIJOH ݁Ռ͕Ұக ͍ͯ͠Ε͹ ϩάΠϯ੒ޭ ଘࡏ͠ͳ͚Ε͹ ऴྃ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  22. #ctf4b 4QZ ໰୊ͷιʔείʔυ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 22 auth.calc_password_hash ؔ਺͕ॏΊͷॲཧΛߦ͍ͬͯΔ  ͨͩ͠ɺ͜ͷؔ਺͕࣮ߦ͞ΕΔͷ͸if

    exists ͷ࣌ͷΈ w ͢ͳΘͪɺ8FCΞϓϦέʔγϣϯʹΞΧ΢ϯτ͕ଘࡏ͢Δ࣌ͷΈ  ͜ͷ࣌ͷॲཧͷ࣌ؒࠩΛར༻ͯ͠ଘࡏ͢ΔΞΧ΢ϯτΛྻڍՄೳ w શһͷ໊લͱద౰ͳύεϫʔυͰϩάΠϯΛࢼߦͯ͠ɺ૬ରతʹ͕͔͔࣌ؒΔ͔Ͳ͏͔Λௐ΂Ε͹ྑ͍ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  23. #ctf4b 4QZ ͓ΘΓʹ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 23 ໰୊ͷ·ͱΊ  ΞϓϦέʔγϣϯ͸ϩάΠϯ࣌ʹ4BMU 4USFUDIJOHΛߦ͍ͬͯͨ

     ΞΧ΢ϯτ͕ଘࡏ͢Δͱ͖ʹͷΈ౰֘ॲཧΛ࣮ߦ͍ͯͨͨ͠Ί ΞΧ΢ϯτ͕ଘࡏ͢Δ͔൱͔Ͱॲཧ࣌ؒʹࠩҟ͕ൃੜ͍ͯͨ͠  ॲཧ࣌ؒͷࠩҟΛ؍ଌ͢Δ͜ͱͰɺଘࡏ͢ΔΞΧ΢ϯτΛྻڍͰ͖ͨ ڭ܇  ηΩϡΞʹ͢Δͭ΋ΓͰߦ͍࣮ͬͯͨ૷͕ͱ͖ʹ੬ऑੑΛੜΉ͜ͱ͕͋Δ  ߈ܸऀʹରͯ͠ɺؒ઀తʹώϯτΛ༩͑ΔΑ͏ͳ࣮૷ΛߦΘͳ͍ ࢀߟࢿྉ  0ODFVQPOBUJNFBOBDDPVOUFOVNFSBUJPO w IUUQTTJEFDIBOOFMUFNQFTUTJDPNPODFVQPOBUJNFUIFSFXBTBOBDDPVOUFOVNFSBUJPODGDBDED  94-FBLT w IUUQTHJUIVCDPNYTMFBLTYTMFBLT *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  24. #ctf4b "HFOEB ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 24 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  25. #ctf4b QSPpMFS  ೉қ౓NFEJVN  QUTTPMWFT ໰୊ͷ֓ཁ  ΞϓϦέʔγϣϯͷ63-͕ఏࣔ͞ΕΔ ιʔείʔυ഑෍ͳ͠

      ΞϓϦέʔγϣϯ͸ҎԼͷϖʔδ͔Βߏ੒͞ΕΔ w ΞΧ΢ϯτొ࿥ɾϩάΠϯϖʔδ w ϓϩϑΝΠϧߋ৽ϖʔδ  Ϣʔβ͸ΞΧ΢ϯτొ࿥࣌ʹ഑෍͞ΕΔϢʔβݻ༗ͷτʔΫϯΛ༻͍ͯϓϩϑΝΠϧΛߋ৽Ͱ͖Δ ࡞໰ͷഎܠ  (SBQI2-"1*ʹର͢Δ߈ܸख๏Λ஌͍ͬͯΔ͔ɺ·ͨɺΫΤϦΛ࢖͍͜ͳͤΔ͔  ͋·Γ(SBQI2-ͷ໰୊Λݟ͔͚ͨ͜ͱ͕ͳ͍ͷͰ QSPpMFS ໰୊ͷ֓ཁ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 25 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  26. #ctf4b QSPpMFS εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 26 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  27. #ctf4b QSPpMFS εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 27 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  28. #ctf4b QSPpMFS εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 28 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  29. #ctf4b QSPpMFS εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 29 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  30. #ctf4b QSPpMFS εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 30 ໰୊ͷղ๏  'MBHΛऔಘ͢ΔͨΊʹ͸BENJOͷUPLFO͕ࣗΞΧ΢ϯτʹઃఆ͞Ε͍ͯΔඞཁ͕͋Δ 

    ͦͷͨΊʹ͸ w BENJOͷUPLFOΛ஌Δඞཁ͕͋Δ w औಘͨ͠BENJOͷUPLFOΛࣗΞΧ΢ϯτͷUPLFOʹઃఆ͢Δඞཁ͕͋Δ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  31. #ctf4b %FW5PPMTͰΞϓϦέʔγϣϯͷ௨৴Λ؍ଌͯ͠ΈΔͱ  "1*ʹ+40/ܗࣜͷϦΫΤετΛසൟʹૹ৴͍ͯ͠Δ  ಛ௃తͳΩʔϫʔυ͕ϦΫΤετͷϖΠϩʔυʹ༻͍ΒΕ͍ͯΔ w RVFSZ NVUBUJPO ʮRVFSZNVUBUJPOBQJʯ౳Ͱݕࡧͯ͠ΈΔͱ

     (SBQI2- QSPpMFS ໰୊ͷ͖͔͚ͬͷݟ͚ͭํ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 31 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  32. #ctf4b (SBQI2-  'BDFCPPL͕։ൃͨ͠"1*ͷن֨ͷҰछ  ैདྷͷ8FC"1* ͢ͳΘͪ3&45"1* ͱ͸ҟͳΓɺ ୯ҰͷΤϯυϙΠϯτʹରͯ͠ΫΤϦΛૹ৴͢Δ͜ͱͰσʔλΛૢ࡞͢Δ QSPpMFS

    (SBQI2-ͷ֓ཁ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 32 VTFST OPUFT (&5 1045 3&45 ૢ࡞ର৅ͷϦιʔε͸63-Ͱࣝผ͢Δ ૢ࡞ͷํ๏͸)551ϝιουͰࣔ͢ (SBQI2- ΤϯυϙΠϯτ͸Ұ͚ͭͩ ૢ࡞ର৅΍ͦͷํ๏͸ΫΤϦͰදݱ͢Δ query { user { ... } } mutation { note { ... } } *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  33. #ctf4b (SBQI2-  'BDFCPPL͕։ൃͨ͠"1*ͷاըͷҰछ  ैདྷͷ8FC"1* ͢ͳΘͪ3&45"1* ͱ͸ҟͳΓɺ ୯ҰͷΤϯυϙΠϯτʹରͯ͠ΫΤϦΛૹ৴͢Δ͜ͱͰσʔλΛૢ࡞͢Δ "1*ͷ࣮૷

     "1*͕ѻ͏σʔλͷܕ΍ΫΤϦͷεΩʔϚΛࣄલʹఆ͓ٛͯ͘͠  ֤ΫΤϦ͝ͱʹ࣮ࡍͷॲཧΛߦ͏3FTPMWFSΛ࣮૷͢Δ (SBQI2-ͷΫΤϦ  RVFSZσʔλΛऔಘ͢ΔͨΊͷΦϖϨʔγϣϯ w JOUSPTQFDUJPO"1*ͷεΩʔϚ৘ใΛऔಘ͢ΔRVFSZ  NVUBUJPOσʔλΛॻ͖ࠐΉࡍʹ༻͍ΒΕΔΦϖϨʔγϣϯ  TVCTDSJQUJPOσʔλΛϦΞϧλΠϜʹ؍ଌ͢ΔͨΊʹ༻͍ΒΕΔΦϖϨʔγϣϯ w ಺෦తʹ͸8FC4PDLFUʹΑΔ௨৴͕༻͍ΒΕΔ QSPpMFS (SBQI2-ͷ֓ཁ ߋʹৄ͘͠ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 33 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  34. #ctf4b QSPpMFS εΩʔϚఆٛͷྫ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 34 εΩʔϚఆٛ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ

     4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  35. #ctf4b QSPpMFS 3FTPMWFS࣮૷ͷྫ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 35 RVFSZͷ࣮૷ NVUBUJPOͷ࣮૷ DG"SJBEOFu1ZUIPO(SBQI2-4DIFNBpSTU 

    IUUQTBSJBEOFHSBQIRMPSH *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  36. #ctf4b *OUSPTQFDUJPO2VFSZʹΑΔεΩʔϚ৘ใͷऔಘ  ຊདྷ͸ศརͳ࢓༷ w ΫϥΠΞϯταΠυ͔Βݺͼग़ͤΔΫΤϦ΍औಘՄೳͳσʔλͷܕΛϦΞϧλΠϜʹ֬ೝͰ͖Δ  ҎԼͷΑ͏ͳ৔߹ʹɺεΩʔϚ৘ใΛऔಘ͞ΕΔͱ߈ܸʹ׆༻͞ΕΔڪΕ͕͋Δ w σʔλܕͷఆٛʹෆཁͳϑΟʔϧυؚ͕·Ε͍ͯΔ

    FHϢʔβͷύεϫʔυ  w ݺͼग़ͤΔ΂͖Ͱ͸ͳ͍ΫΤϦ͕ެ։͞Ε͍ͯΔ *%03  *OTFDVSF%JSFDU0CKFDU3FGFSFODF  FHΫΤϦͷҾ਺ʹෆਖ਼ͳ஋Λࢦఆ͢Δ͜ͱͰɺຊདྷऔಘͰ͖ͳ͍͸ͣͷσʔλ͕औಘͰ͖Δ %P4  ॲཧྔ͕ലେʹͳΔΑ͏ͳΫΤϦΛૹ৴͠ɺ"1*ଆͷϦιʔεΛރׇͤ͞Δ /P 42-*OKFDUJPO  എޙʹσʔλϕʔε͕ଘࡏ͍ͯ͠Δ৔߹ɺೖྗ஋͕ద੾ʹॲཧ͞Ε͍ͯͳ͍ͱ ΫΤϦʹಛघจࣈ౳Λૠೖ͢Δ͜ͱͰ /P 42-*OKFDUJPO͕Մೳͳ৔߹͕͋Δ QSPpMFS (SBQI2-ʹର͢Δ߈ܸख๏ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 36 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  37. #ctf4b *OUSPTQFDUJPO2VFSZͷྫ  DG(SBQI2-Š$PNNPOWVMOFSBCJMJUJFTIPXUPFYQMPJUUIFN w IUUQTNFEJVNDPN!UIFCJMBMSJ[XBOHSBQIRMDPNNPOWVMOFSBCJMJUJFTIPXUPFYQMPJU UIFNGGEDF  "1*ʹ͓͍ͯ*OUSPTQFDUJPO2VFSZͷ࣮ߦ͕ڋ൱͞Ε͍ͯͳ͍৔߹ɺ εΩʔϚ৘ใ͕֨ೲ͞Εͨ+40/͕Ϩεϙϯε͞ΕΔ

     ͜ͷ+40/͸ɺHSBQIRMWPZBHFS౳ͰՄࢹԽ͢Δ͜ͱ͕Ͱ͖Δ w DGIUUQTHJUIVCDPN"1*THVSVHSBQIRMWPZBHFS QSPpMFS *OUSPTQFDUJPO2VFSZ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 37 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  38. #ctf4b εΩʔϚ৘ใͷՄࢹԽ  HSBQIRMWPZBHFSͷ݁Ռ 2VFSZ  εΩʔϚ৘ใͷղੳ  ҎԼͷΑ͏ͳRVFSZͱNVUBUJPO͕ఆٛ͞Ε͍ͯΔ͜ͱ͕෼͔Δ QSPpMFS

    εΩʔϚ৘ใͷՄࢹԽͱղੳ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 38 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  39. #ctf4b ໰୊ͷղ๏ ࠶ܝ   'MBHΛऔಘ͢ΔͨΊʹ͸BENJOͷUPLFO͕ࣗΞΧ΢ϯτʹઃఆ͞Ε͍ͯΔඞཁ͕͋Δ  ͦͷͨΊʹ͸ w BENJOͷUPLFOΛ஌Δඞཁ͕͋Δ

    w औಘͨ͠BENJOͷUPLFOΛࣗΞΧ΢ϯτͷUPLFOʹઃఆ͢Δඞཁ͕͋Δ  ΞϓϦέʔγϣϯ্͔Β͸ͦͷΑ͏ͳػೳ͸؍ଌͰ͖ͳ͍ TPNFPOF VJE*% 6TFS  VJEΛҾ਺ͱͯ͠6TFSͷσʔλΛऔಘ͢ΔΫΤϦ  6TFSͷεΩʔϚʹ͸UPLFOؚ͕·Ε͍ͯΔ    BENJOͷVJE͸BENJOͰ͋Δ͜ͱ͕(FU'MBHͷϖʔδʹࣔ͞Ε͍ͯΔ   VQEBUF5PLFO UPLFO4USJOH #PPMFBO  ࣗΞΧ΢ϯτͷUPLFOΛߋ৽͢Δϛϡʔςʔγϣϯ  BENJOͷUPLFO͕෼͔͍ͬͯΕ͹ɺࣗΞΧ΢ϯτͷUPLFOΛBENJOͷUPLFOͰ্ॻ͖Ͱ͖Δ  QSPpMFS ໰୊ͷΞϓϩʔν 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 39 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  40. #ctf4b  someoneΫΤϦͰBENJOͷUPLFOΛऔಘ͢Δ     updateTokenϛϡʔςʔγϣϯͰࣗΞΧ΢ϯτͷUPLFOΛ্ॻ͖  

     qBHΫΤϦͰ'MBHΛऔಘ QSPpMFS ղ๏ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 40 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  41. #ctf4b QSPpMFS ͓ΘΓʹ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 41 ໰୊ͷ·ͱΊ  ΞϓϦέʔγϣϯʹ͸(SBQI2-"1*͕࣮૷͞Ε͍ͯͨ 

    "1*͸*OUSPTQFDUJPO2VFSZΛڋ൱͍ͯ͠ͳ͔ͬͨ  "1*͸ػඍͳσʔλ͕֨ೲ͞ΕͨϑΟʔϧυ JFUPLFO ΛσʔλܕʹؚΊ͍ͯͨ  "1*͸ݺͼग़ͤΔ΂͖Ͱ͸ͳ͍ΫΤϦ JFVQEBUF5PLFO Λެ։͍ͯͨ͠  *OUSPTQFDUJPO2VFSZΛૹ৴͢Δ͜ͱͰ͜ΕΒͷ৘ใ͕ಘΒΕɺ߈ܸ͕Մೳͩͬͨ ڭ܇  ػඍͳσʔλ͕֨ೲ͞ΕͨϑΟʔϧυΛσʔλܕʹؚΊͯެ։͠ͳ͍  ݺͼग़ͤΔ΂͖Ͱ͸ͳ͍ΫΤϦΛެ։͠ͳ͍  ΫϥΠΞϯταΠυʹ"1*ͷεΩʔϚΛެද͢Δҙਤ͕ͳ͍ͱ͖͸*OUSPTQFDUJPO2VFSZΛڋ൱͢Δ ࢀߟࢿྉ  (SBQI2-c"RVFSZMBOHVBHFGPSZPVS"1* w IUUQTHSBQIRMPSH  (SBQI2-Š$PNNPOWVMOFSBCJMJUJFTIPXUPFYQMPJUUIFN w IUUQTNFEJVNDPN!UIFCJMBMSJ[XBOHSBQIRMDPNNPOWVMOFSBCJMJUJFTIPXUPFYQMPJUUIFNGGEDF *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  42. #ctf4b "HFOEB ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 42 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  43. #ctf4b 4PNFO  ೉қ౓)BSE  QUTTPMWFT ໰୊ͷ֓ཁ  ΞϓϦέʔγϣϯ 1)1

    ͱ8PSLFS Ϋϩʔϥ ͷ࣮૷͕഑෍͞ΕΔ  ໊લΛೖྗ͢Δཝͱɺೖྗͨ͠ϖʔδΛ"ENJOͷΫϩʔϥʹ։͔ͤΔػೳ͕ଘࡏ͢Δ  "ENJOͷΫϩʔϥͷ$PPLJFʹ'MBH͕֨ೲ͞Ε͍ͯΔ w 944ͷ༧ײ ճ౴ʹඞཁͳ஌ࣝ  944 3FqFDUFE944%0.CBTFE944   $41ͷجૅ w TDSJQUTSD TUSJDUEZOBNJD  CBTFVSJ  $41#ZQBTTJOH 4PNFO ໰୊ͷ֓ཁ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 43 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  44. #ctf4b 4PNFO εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 44 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  45. #ctf4b 4PNFO εΫϦʔϯγϣοτ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 45 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ 

    4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  46. #ctf4b ΞϓϦέʔγϣϯͷ࣮૷ ॏཁͳͱ͜Ζ͚ͩநग़ 4PNFO ࣮૷ΛݟͯΈΔ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 46 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ

    8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  47. #ctf4b ΞϓϦέʔγϣϯͷ࣮૷ ॏཁͳͱ͜Ζ͚ͩநग़ 4PNFO ࣮૷ΛݟͯΈΔ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 47 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ

    8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  48. #ctf4b $41 $POUFOU4FDVSJUZ1PMJDZ   944΍σʔλΠϯδΣΫγϣϯ߈ܸͷϦεΫΛܰݮͤ͞ΔηΩϡϦςΟϨΠϠʔ  ಛఆͷ8FCϖʔδʹ͓͍ͯɺಡΈࠐΈ΍࣮ߦΛڐՄ͢ΔϦιʔεΛ໌ࣔతʹࢦఆͰ͖Δ w ద༻͍ͨ͠ϙϦγʔͷछผΛࣔ͢σΟϨΫςΟϒͱͦΕʹଓ͘஋Ͱࢦఆ͢Δ

     Content-Security-PolicyϔομʔͰ഑৴͢Δ 4PNFO $41ͷ֓ཁ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 48 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  49. #ctf4b σΟϨΫςΟϒ  ద༻͍ͨ͠ϙϦγʔͷछผΛࣔ͢ ۩ମతͳ஋͸σΟϨΫςΟϒ໊ʹଓ͍ͯࢦఆ͢Δ 4PNFO $41ͷσΟϨΫςΟϒ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 49

    σΟϨΫςΟϒछผ ֓ཁ ྫ Fetch Directives ϦιʔεͷಡΈࠐΈʹؔ͢Δ੍ݶ JavaScript (script-src) Document Directives υΩϡϝϯτͷঢ়ଶʹؔ͢Δ੍ݶ ૬ରURIͷى఺ (base-uri) Navigation Directives φϏήʔγϣϯίϯςΩετʹؔ͢Δ੍ݶ ຒΊࠐΈϑϨʔϜͷ਌ (frame-ancestors) Reporting Directives ϨϙʔτػೳΛఏڙ Ϩϙʔτૹ৴ઌ (report-to) *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  50. #ctf4b FHscript-srcσΟϨΫςΟϒʹઃఆՄೳͳ஋ 4PNFO $41ͷσΟϨΫςΟϒ TDSJQUTSD 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 50 ஋ ҙຯ

    'none' JavaScript ͷ࣮ߦΛશͯېࢭ 'self' ࢀরதͷWebϖʔδͱಉҰ Origin Ͱ഑৴͞Ε͍ͯΔ JavaScript ͷ࣮ߦΛڐՄ 'example.com' example.com ͔Β഑৴͞Ε͍ͯΔ JavaScript ͷ࣮ߦΛڐՄ 'nonce-<base64 value>' Nonce (࢖͍ࣺͯͷ஋) ͕Ұக͢Δ JavaScript ͷ࣮ߦΛڐՄ '<hash algo>-<base64 value>' ϋογϡ஋͕Ұக͢Δ JavaScript ͷ࣮ߦΛڐՄ 'strict-dynamic' Nonce ΍ϋογϡ஋Ͱ৴པ͞Εͨ JavaScript ͔Βಈతʹ 
 non-"parser-insrted" ͳํ๏ͰಡΈࠐ·Ε͍ͯΔ΋ͷΛڐՄ 'unsafe-inline' ΠϯϥΠϯεΫϦϓτͷ࣮ߦΛڐՄ (࣮࣭తʹ XSS ΁ͷରࡦʹͳΒͳ͍ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  51. #ctf4b TUSJDUEZOBNJD  /PODF΍ϋογϡ஋Ͱ৴པ͞Εͨ+BWB4DSJQU͔Βಈతʹ OPOQBSTFSJOTFSUFEͳํ๏ͰಡΈࠐ·Ε͍ͯΔ΋ͷΛڐՄ 4PNFO TUSJDUEZOBNJD 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 51

    *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  52. #ctf4b 3FqFDUFE944  ߈ܸऀ͕໨తͱ͢Δ+BWB4DSJQU͕Ϩεϙϯε͞ΕΔΑ͏ͳϦΫΤετΛૹͬͨࡍʹɺ ͦΕ͕൓ࣹͯ͠λʔήοτͷϒϥ΢β্Ͱ࣮ߦ͞ΕΔΑ͏ͳ944 ࠓճͷ৔߹  <title>ʹ$_GET["username"]ͷ಺༰Λͦͷ··μϯϓ͍ͯ͠Δ  FH

    username='</title><script>alert(1)</script>'  ࠓճͷ৔߹͸$41ʹΑΔ੍ݶ͕͋ΔͨΊɺ্هͷ߈ܸϖΠϩʔυͰ͸ൃՐ͠ͳ͍ w script-src: 'unsafe-inline' ͕ࢦఆ͞Ε͍ͯͳ͍ͨΊɺΠϯϥΠϯεΫϦϓτͷ࣮ߦ͸ڐՄ͞Εͳ͍ 4PNFO 3FqFDUFE944 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 52 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  53. #ctf4b %0.CBTFE944  +BWB4DSJQU͔Βಈతʹ)5.-Λߏங͍ͯ͠Δ৔߹ʹൃੜ͢Δ944  ಛఆͷཁૉʹର͢ΔinnerHTML΁ͷ୅ೖ౳Λى఺ͱͯ͠ൃੜ͢Δ ࠓճͷ৔߹  <p id="message"></p>ͷJOOFS)5.-ʹର͢Δ୅ೖ͕ଘࡏ͢Δ

     JF୅ೖ஋ʹϢʔβ͕ೖྗͨ͠஋͕ͦͷ··൓ө͞ΕΔ৔߹ɺ944͕Մೳ w FHusername = '</p><script>alert(1)</script><p>'  ࠓճͷ৔߹͸$41ʹΑΔ੍ݶ͕͋ΔͨΊɺ্هͷ߈ܸϖΠϩʔυͰ͸ൃՐ͠ͳ͍ w script-src: 'unsafe-inline' ͕ࢦఆ͞Ε͍ͯͳ͍ͨΊɺΠϯϥΠϯεΫϦϓτͷ࣮ߦ͸ڐՄ͞Εͳ͍ w <script>ϒϩοΫͷ࡞੒͕parser-insertedͰ͋ΔͨΊɺ'strict-dynamic' ͷ৚݅ʹҾ͔͔ͬΔ 4PNFO %0.CBTFE944 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 53 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  54. #ctf4b TFDVSJUZKT  <head>ϒϩοΫͷ๯಄ͰಡΈࠐ·Ε͍ͯΔ+BWB4DSJQU  usernameΫΤϦʹඇৗʹݫ͍͠৚݅ ^[a-zA-Z0-9]*$ Λ՝͠ɺ ҧ൓ͨ͠৔߹͸error.phpʹڧ੍తʹϦμΠϨΫτͤ͞Δ 4PNFO

    TFDVSJUZKT 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 54 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  55. #ctf4b TFDVSJUZKT͕͋Δͱ͏·͍͔͘ͳ͍  ͋·Γʹ΋ೖྗ஋ͷ৚͕݅ݫ͗͢͠ΔͨΊ  ͜Ε͕͏·࣮͘ߦ͞Εͳ͍Α͏ʹ͍ͨ͠ ΠϯϥΠϯεΫϦϓτͷ࣮ߦ͕ڐՄ͞Εͳ͍  script-src: 'unsafe-inline'

    ͕ࢦఆ͞Ε͍ͯͳ͍ͨΊ  /PODFͰ৴པ͞Εͨ<script>ϒϩοΫ͔Β͏·͘+BWB4DSJQUΛྲྀ͠ࠐΜͰ΍Δඞཁ͕͋Δ %0.CBTFE944ΛൃՐ͍ͤͨ͞  id="message"ͳཁૉͷinnerHTML΁ͷ୅ೖΛ͏·͘׆༻͍ͨ͠  parser-insertedͳํ๏Ͱ<script>ϒϩοΫΛ࡞੒ͯ͠΋࣮ߦ͞Εͳ͍ w id="message" ͳཁૉ͕΋ͱ΋ͱ <script> ϒϩοΫͳΒ͹ɺnon-"parser-inserted" ͳͷͰ OK 4PNFO ํ਑ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 55 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  56. #ctf4b CBTFUBHJOKFDUJPO  CBTFλάΛૠೖ͢Δ͜ͱͰ૬ର63*ͷى఺Λແཧ΍Γ্ॻ͖͢Δ͜ͱ͕Ͱ͖Δɻ w FH <base href="http://hoge.example"> Λૠೖ͢Δͱ http://hoge.example/security.js

    ͕࣮ߦ͞ΕΔ w ࠓճͷ৔߹ɺଘࡏ͠ͳ͍υϝΠϯΛద౰ʹࢦఆͯ͠΍Ε͹ɺsecurity.js ͷ࣮ߦΛ્֐͢Δ͜ͱ͕Ͱ͖Δ ղ๏  ࠓճ͸UJUMFλά಺ͳͷͰɺ͜ΕΛҰ୴ดͯ͡΍Δඞཁ͕͋Δ  JF</title><base href="http://hoge.example"> 4PNFO TFDVSJUZKTΛ࣮ߦͤ͞ͳ͍Α͏ʹ͢Δ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 56 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  57. #ctf4b %0.$MPCCFSJOHͷ׆༻  id="message"ͳཁૉͷinnerHTML΁ͷ୅ೖΛ͏·͘׆༻͍ͨ͠ w ͏·͘׆༻Ͱ͖Ε͹ɺOPOQBSTFSJOTFSUFEͷ৚݅ΛΫϦΞͰ͖Δ  <script id="message"></script> Λ<p

    id="message"></p>ΑΓઌʹ͖࣋ͬͯͯ΍Ε͹ document.getElementById("message")͕<script>Λ޲͘Α͏ʹͳΔ ղ๏  <script id="message"></script>Λૠೖ͢Δ 4PNFO %0.CBTFE944Λ࣮ݱͤ͞Δ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 57 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  58. #ctf4b ղ౴ʹඞཁͳཁૉ  CBTFUBHJOKFDUJPOʹΑΔTFDVSJUZKT࣮ߦͷ્֐  %0.$MPCCFSJOHʹΑΔ%0.CBTFE944ͷൃՐ w 944ʹΑͬͯɺ"ENJOͷΫϩʔϥͷ$PPLJFΛ઄औ͢Δ ໰୊ͷ·ͱΊͱڭ܇ 

    $41ʹཔΓ͗͢ͳ͍ w ͋͘·Ͱ௥ՃతͳηΩϡϦςΟϨΠϠʔͰ͋Γɺద੾ͳΤεέʔϓॲཧ͸ෆՄܽͰ͋Δ ୅ସࡦͰ͸ͳ͍   $41ΛͪΌΜͱ࢖͏ w script-src͚ͩͰͳ͘ɺbase-uri΍connect-src౳΋ద੾ʹ૊Έ߹Θͤͯ࢖͏ඞཁ͕͋Δ w DG$41&WBMVBUPS IUUQTDTQFWBMVBUPSXJUIHPPHMFDPN 4PNFO ղ๏ͷ·ͱΊ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 58 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  59. #ctf4b ࠓճͷ໰୊ϖʔδΛ$41&WBMVBUPSͰݟͯΈΔͱ 4PNFO $41&WBMVBUPS 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 59 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ

     4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  60. #ctf4b "HFOEB ൃද಺༰ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 60 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ8FC໰୊ʹؔ͢Δ֓ཁ 4QZ 8FCαʔϏεʹ͓͚Δೝূͱύεϫʔυͷ҆શͳ؅ཧํ๏ٴͼλΠϛϯά߈ܸʹ͍ͭͯ

    QSPpMFS (SBQI2-"1*&YQMPJUBUJPO 4PNFO $POUFOU4FDVSJUZ1PMJDZͱͦͷ#ZQBTTJOHख๏ $PODMVTJPO ຊൃදͷ·ͱΊ *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ

  61. #ctf4b ຊ೔͓࿩ͨ͠಺༰  8FCηΩϡϦςΟͱ$5'ʹ͓͚Δ8FC໰୊ͷ֓ཁ  #FHJOOFST$5'8FCδϟϯϧͷ݁Ռ  ֤໰୊ͷղઆ w 4QZೝূ৘ใͷ؅ཧͱλΠϛϯά߈ܸ

    w QSPpMFS(SBQI2-&YQMPJUBUJPO w 4PNFO$41#ZQBTTJOH 8FC໰୊͸ָ͍͠  ࠓճ঺հͨ͠߈ܸͷςΫχοΫ΍໰୊ʹର͢ΔΞϓϩʔνͷ࢓ํ͸΄ΜͷҰ෦෼  8FCʹ͸ߋʹ໘നͯ͘ߴ౓ͳ߈ܸख๏΍ٕज़͕ͨ͘͞Μଘࡏ͠·͢  ΄΅ ຖि຤։࠵͞ΕΔ$5'ʹࢀઓɺόάό΢ϯςΟͰ࿹Λຏ͘౳ɺಓ͸ͨ͘͞Μ͋Γ·͢ 5SZ)BSEFS $PODMVTJPO ຊൃදͷ·ͱΊ 4&$$0/#FHJOOFST-JWFc5TVCBTB !4[SOZ 61 *OUSPEVDUJPO 8FCηΩϡϦςΟͱ 8FC໰୊ͷ֓ཁ  4QZ ೝূ৘ใͷ؅ཧͱ λΠϛϯά߈ܸ  QSPpMFS (SBQI2-"1* &YQMPJUBUJPO  4PNFO $41#ZQBTTJOH  $PODMVTJPO ຊൃදͷ·ͱΊ