[bpstudy] OWASP ZAP Vulnerable Assesment.

Transcript

1. OWASP ZAPʹֶͿɺ WebΞϓϦέʔγϣϯʹજΉ ੬ऑੑͷௐࠪख๏Λ঺հ 2016/2/26 #bpstudy @YuhoKameda

2. ࣗݾ঺հ ُా ༐า : ykame (@YuhoKameda) ZAP Evangelist ओͳۀ຿಺༰ WebΞϓϦέʔγϣϯ੬ऑੑ਍அ

   ϓϥοτϑΥʔϜ੬ऑੑ਍அ SOC/CSIRTۀ຿ ۓٸҊ݅ରԠཁһ…

3. ZAP Newsletter 2015/12 ZAPϓϩδΣΫτϦʔμ ͔Βͷ঺հͰ౤ߘ http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html

4. Agenda εΩϟφπʔϧൺֱ ੬ऑੑΛݟ͚ͭΔͨΊͷπʔϧΛ༷ʑͳ֯౓ ͔Βൺֱͯ͠঺հ͠·͢ɻ OWASP ZAPΛ࢖ͬͨ੬ऑੑͷௐࠪ ओʹWebΞϓϦέʔγϣϯͷ੬ऑੑΛݟ͚ͭ ΔͨΊͷແྉπʔϧΛ࢖͍ɺௐࠪͷྲྀΕΛ঺ հ͠·͢ɻ

5. ؆୯ͳΞϯέʔτ 1. ੬ऑੑ਍அΛฉ͍ͨ͜ͱ͕͋Δਓ 
 2. ࣗ਎ͷձࣾͰɺ੬ऑੑ਍அͷαʔϏεΛґཔͨ͠Γड ͚͍ͯΔਓ 
 3. Քಇ͍ͯ͠Δαʔό/WebΞϓϦʹରͯ͠੬ऑੑΛݟͭ

   ͚Α͏ͱͨ͜͠ͱ͕͋Δਓ
 4. OWASP ZAPΛ࢖ͬͨ͜ͱ͕͋Δਓ

6. (ຊ୊)ηΩϡϦςΟεΩϟφͱ͸ ༷ʑͳݕࠪख๏Λ༻͍ͯɺݕࠪର৅ʹଘࡏ͢Δ੬ऑੑΛݕग़͢ Δπʔϧ WebΞϓϦέʔγϣϯ੬ऑੑ਍அͷ৔߹… SQLΠϯδΣΫγϣϯ ΫϩεαΠτɾεΫϦϓςΟϯάɹͳͲ ϓϥοτϑΥʔϜ੬ऑੑ਍அͷ৔߹… ϛυϧ΢ΣΞͷόʔδϣϯʹଘࡏ͢Δ੬ऑੑ SSL/TLSͷ҉߸ํࣜɺόʔδϣϯʹґଘ͢Δ੬ऑੑɹͳͲ

7. ηΩϡϦςΟεΩϟφ঺հ

8. WebΞϓϦέʔγϣϯ ηΩϡϦςΟεΩϟφ঺հ WebInspect AppScan Vex OWASP ZAP Nikto w3af ༗ঈ

   ແঈ

9. ༗ঈ ແঈ ϓϥοτϑΥʔϜ ηΩϡϦςΟεΩϟφ঺հ

10. ༗ঈπʔϧͱແঈπʔϧ ͷҧ͍

11. ηΩϡϦςΟεΩϟφͷಛ௃ྫ ߲໨ ༗ঈεΩϟφ ແঈεΩϟφ ݕ߲ࠪ໨ ଟ͍ গͳ͍ αϙʔτମ੍ ॆ࣮ جຊతʹແ͍

    Ϩϙʔτग़ྗ ॆ࣮ ؆қ ޡݕ஌ ൺֱతগͳ͍ ൺֱతଟ͍ ݴޠ ೔ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ྉۚ ඇৗʹߴ͍ ແঈ ެ։৘ใ جຊతʹແ͍ ͱͯ΋ଟ͍ ιʔείʔυ ඇެ։ ެ։΋͋Γ ಈ࡞؀ڥ πʔϧʹґଘ πʔϧʹґଘ ※πʔϧʹΑͬͯ಺༰͸ҧ͏ͨΊɺࢀߟఔ౓ͱ͓ߟ͍͑ͩ͘͞ɻ

12. ༗ঈπʔϧͱແঈπʔϧͱ ZAPͷҧ͍

13. ηΩϡϦςΟεΩϟφͷಛ௃ྫ ߲໨ ༗ঈεΩϟφ ແঈεΩϟφ OWASP ZAP ݕ߲ࠪ໨ ଟ͍ গͳ͍ ଟ͍

    αϙʔτମ੍ ॆ࣮ جຊతʹແ͍ ίϛϡχςΟ͕ॆ࣮ Ϩϙʔτग़ྗ ॆ࣮ ؆қ ॆ࣮(ӳޠ͕ଟ͍) ޡݕ஌ ൺֱతগͳ͍ ൺֱతଟ͍ ൺֱతগͳ͍ ݴޠ ೔ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ೔ຊޠରԠ͋Γ ྉۚ ඇৗʹߴ͍ ແঈ ແঈ ެ։৘ใ جຊతʹແ͍ ͱͯ΋ଟ͍ ଟ͍ ιʔείʔυ ඇެ։ ެ։΋͋Γ ެ։ ಈ࡞؀ڥ πʔϧʹґଘ πʔϧʹґଘ Windows/Linux/Mac ※πʔϧʹΑͬͯ಺༰͸ҧ͏ͨΊɺࢀߟఔ౓ͱ͓ߟ͍͑ͩ͘͞ɻ

14. ੬ऑੑͷݟ͚ͭํ

15. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ Քಇ͍ͯ͠ΔWebΞϓϦέʔγϣϯʹର͠ ༷ͯʑͳϦΫΤετΛૹ৴͠ɺϨεϙϯε Λ෼ੳͯ͠੬ऑੑͷ༗ແΛ൑ఆ ᶃ௨ৗͷϦΫΤετ ϒϥ΢β౳ͰɺWebϖʔδΛӾཡ ᶅProxyʹΑΓ վ͟Μ͞ΕͨϦΫΤετ ᶆαʔό͔ΒͷϨεϙϯε ᶇϩάͷه࿥

    ඞཁʹΑΓɺϨεϙϯεͷ վ͟ΜΛߦ͏ Proxy ݕࠪର৅ ᶄProxyʹΑΔվ͟Μ GET/POST/Cookieଞɺ ϔομΛෆਖ਼ͳ஋ʹมߋ͢Δ ᶈProxyΛ௨աͨ͠Ϩεϙϯε

16. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php?q=word

17. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ ʙུʙ <p class=“id”> word </p> ʙུʙ

18. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php? q=“><script>alert(document.cookie);</script>word

19. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ ʙུʙ <p class=“id”> “><script>alert(document.cookie);</script>word </p> ʙུʙ

20. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/

21. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ

22. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ αʔό/αʔϏεͷઃఆ΍ɺ όʔδϣϯʹىҼ͢Δ੬ऑੑ͕େଟ਺ ϨεϙϯεΛ෼ੳ

23. ੬ऑੑͷཧղ

24. ੬ऑੑΛମݧ֮ͯ͑͠Α͏ https://www.ipa.go.jp/security/vuln/appgoat/

25. ੬ऑੑΛମݧ֮ͯ͑͠Α͏ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java / ASP

    / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

26. OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

27. ੬ऑੑͷ঺հ

28. None

29. ݕࠪͷྲྀΕ

30. WebΞϓϦέʔγϣϯͷݕࠪ ਍அ͍ͨ͠Webϖʔδͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ

31. ϓϥοτϑΥʔϜͷݕࠪ ਍அ͍ͨ͠IPΞυϨεͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ

32. ZAPΛ࢖ͬͨݕࠪͷྲྀΕ

33. ஫ҙࣄ߲ ຊεϥΠυʹهࡌͷߦҝΛɺࣗ਎ͷ؅ཧԼʹͳ͍ωο τϫʔΫ/ίϯϐϡʔλʹߦͬͨ৔߹ɺ߈ܸߦҝͱ൑ அ͞ΕΔ৔߹͕͋Γ·͢ɻ ࣗ਎ͷ؅ཧԼʹ͋ΔωοτϫʔΫ΍αʔόʹରͯ͠ ͷΈߦ͏Α͏ʹ͍ͯͩ͘͠͞ɻ

34. ؀ڥ४උ OWASP ZAPͷΠϯετʔϧ OWASP ZAP 2.4.3(2015/12/4 released) ਍அπʔϧ OWASP BWAͷΠϯετʔϧ

    OWASP BWA 1.2 (2015/8/3 released) ਍அର৅ͱͳΔΞϓϦέʔγϣϯ ࣮ࡍʹؼ୐͔ͯ͠Βࢼͯ͠Έ͍ͯͩ͘͞ʂ ४උͷৄࡉ͸ɺԼهͰɻ http://zapjp.blogspot.jp/ https://www.owasp.org/index.php/User:Yuho_Kameda

35. OWASP ZAPͱ͸ʁ OWASP ZAP (Zed Attack Proxy) WebΞϓϦέʔγϣϯΛ؆୯ʹʮ੬ऑੑ਍ அʯ͢Δ͜ͱ͕Ͱ͖Δπʔϧ ϩʔΧϧϓϩΩγπʔϧ

    https://code.google.com/p/zaproxy/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

36. OWASP BWAͱ͸ʁ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java /

    ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

37. WebΞϓϦͷ੬ऑੑΛ୳͢ BWAͷதʹ͋Δɺݹ͍WordpressΛର৅ Wordpress 2.0.0 ࠷৽͸4.4.2 (2016/2/2)

38. WebΞϓϦͷ੬ऑੑΛ୳͢ ϓϩΩγπʔϧ࢖༻࣌ͷϒϥ΢βઃఆ(IEྫ)

39. WebΞϓϦͷ੬ऑੑΛ୳͢ ਍அର৅ൣғΛܾఆ Include In Context ಛఆσΟϨΫτϦ഑Լ͚ͩ਍அ͕Մೳ

40. WebΞϓϦͷ੬ऑੑΛ୳͢ ର৅ΛΫϩʔϦϯά(εύΠμʔ) ։͍࢝ͨ͠ϖʔδΛબ୒ εΩϟϯ։࢝ʂ

41. WebΞϓϦͷ੬ऑੑΛ୳͢ ݁Ռ… େྔʹநग़Ͱ͖ͨʂ

42. WebΞϓϦͷ੬ऑੑΛ୳͢ ಈతεΩϟϯ(֤ύϥϝʔλ΁ݕࠪ஋Λૹ৴) ։͍࢝ͨ͠ϖʔδΛબ୒ εΩϟϯ։࢝ʂ

43. ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ϙʔτεΩϟϯͰΦʔϓϯϙʔτΛಛఆ

44. WebΞϓϦͷ੬ऑੑΛ୳͢ ݹ͗ͯ͢ŗŽŖŪେྔ

45. ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ݕ஌ͨ͠৘ใΛΞϥʔτͰ֬ೝ ૹ৴࣌ͷϦΫΤετ΋ ࠶ݱՄೳʂ

46. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ όʔδϣϯ͕ݹ͍… ࠷৽όʔδϣϯΛ֬ೝ όʔδϣϯΞοϓ΍ύονΛద༻͠Α͏ʂ ίʔυ͕ϘϩϘϩ… ίʔυΛमਖ਼͠Α͏ʂ ઃఆ͕σϑΥϧτͷ··… ద੾ʹઃఆ͠Α͏ʂ

47. ZAPίϛϡχςΟͷ঺հ

48. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • OWASP ZAP Developer Group – ϝϯόʔ਺ɿ434ਓ – ։࢝೔ɿ2010/08/17

    – ओͳ಺༰ • ZAP։ൃʹؔ͢Δ͜ͱ • Extensionͷ։ൃ • όάमਖ਼ • OWASP ZAP User Group – ϝϯόʔ਺ɿ431ਓ – ։࢝೔ɿ2012/05/22 – ओͳ಺༰ • ࢖͍ํͷ࣭໰ • ࣮૷ͯ͠΄͍͠ϦΫΤε τ

49. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • ZAP຋༁ϓϩδΣΫτ • ೔ຊޠ຋༁౓͸30% (2015/2/10ݱࡏ) • ͩΕͰ΋ࢀՃՄೳ • http://crowdin.com/owasp-zap/

50. ·ͱΊ ·ͣ͸։ൃ؀ڥͷαʔό΍WebΞϓϦʹݕࠪΛߦͬͯΈ·͠ΐ ͏ ςετ޻ఔஈ֊ͰɺηΩϡϦςΟεΩϟφΛ࢖ͬͨ؆қ਍அΛߦ ͍ɺ੬ऑੑ͕͋Δঢ়ଶͰϦϦʔε͠ͳ͍ମ੍࡞ΓΛݕ౼͠·͠ΐ ͏ ࣄલʹ؅ཧ͢ΔαʔόɾWebΞϓϦͷ੬ऑੑΛ೺Ѳ͠ɺରࡦΛ ݕ౼͠·͠ΐ͏ ࣗલͰWebΞϓϦΛ਍அ ਍அαʔϏεΛ׆༻

51. ηΩϡϦςΟνΣοΫ ແྉͷπʔϧͰηΩϡϦςΟΛҙ͍ࣝͨ͠ʂ http://www.slideshare.net/zaki4649/free-securitycheck

52. ηΩϡϦςΟνΣοΫ ੬ऑੑ਍அͷجຊख๏ ແྉͰख͕͔͔ؒΒͳ͍ʂ Πϯϑϥฤ ϙʔτεΩϟϯ ੬ऑੑεΩϟϯ WebΞϓϦέʔγϣϯฤ ࣗಈ਍அ ZAPͷػೳ঺հ ࣮ࡍʹݕग़͢Δ੬ऑੑͷࣄྫ

53. ੬ऑੑΛݟ͚ͭΔ࢓ࣄ΁ ੬ऑੑ਍அ࢜ʢWeb ΞϓϦέʔγϣϯʣεΩϧϚοϓ ϓϩδΣΫτ 2014 OWASP Japan / JNSAͷISOG-J ʹΑΔڞಉWG

    ੬ऑੑ਍அ࢜ʹඞཁͳೳྗͷϚοϐϯά ϓϩάϥϚ͔ΒωοτϫʔΫ஌ࣝɺྙཧ؍·Ͱ 2014/12/24 ʮ੬ऑੑ਍அ࢜(WebΞϓϦέʔγϣϯ)εΩϧϚοϓʯެ։ https://www.owasp.org/index.php/Japan http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf

54. Social Account Twitter : @YuhoKameda URL https://www.owasp.org/index.php/ User:Yuho_Kameda E-mail yuho.kameda@owasp.org