
[bpstudy] OWASP ZAP Vulnerability Assessment.

Yuho Kameda
February 26, 2016

2016/2/26 #bpstudy: Learning from OWASP ZAP, an introduction to techniques for investigating vulnerabilities lurking in web applications

Transcript

  1. Learning from OWASP ZAP:
    an introduction to techniques for investigating
    vulnerabilities lurking in web applications
    2016/2/26 #bpstudy @YuhoKameda

  2. About me
    Yuho Kameda : ykame (@YuhoKameda)
    ZAP Evangelist
    Main areas of work:
    Web application vulnerability assessment
    Platform vulnerability assessment
    SOC/CSIRT operations
    Emergency incident response staff…

  3. ZAP Newsletter 2015/12
    Contributed to the newsletter on an introduction from the ZAP project leader
    http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html

  4. Agenda
    Scanner tool comparison
    Compares tools for finding vulnerabilities from several angles
    and introduces them.
    Investigating vulnerabilities with OWASP ZAP
    Walks through the investigation workflow using free tools, mainly
    for finding vulnerabilities in web applications.

  5. Quick survey
    1. Who has heard of vulnerability assessment?

    2. Who has commissioned or received a vulnerability assessment service
    at their own company?

    3. Who has tried to find vulnerabilities in a running server or web
    application?

    4. Who has used OWASP ZAP?

  6. (Main topic) What is a security scanner?
    A tool that applies a variety of test techniques to detect the
    vulnerabilities present in the target under test.
    For web application vulnerability assessment…
    SQL injection
    Cross-site scripting, etc.
    For platform vulnerability assessment…
    Vulnerabilities in the version of middleware that is running
    Vulnerabilities depending on the SSL/TLS cipher suites and protocol versions, etc.

  7. Security scanners

  8. Web application security scanners
    Paid: WebInspect, AppScan, Vex
    Free: OWASP ZAP, Nikto, w3af

  9. Platform security scanners
    Paid
    Free

  10. Differences between paid and free tools

  11. Typical characteristics of security scanners
    Item               | Paid scanner        | Free scanner
    Test checks        | Many                | Few
    Support            | Comprehensive       | Basically none
    Report output      | Comprehensive       | Simple
    False positives    | Relatively few      | Relatively many
    Language           | Japanese supported  | Mostly English
    Price              | Very expensive      | Free
    Public information | Basically none      | Very plentiful
    Source code        | Closed              | Sometimes open
    Platform           | Depends on the tool | Depends on the tool
    * Details differ from tool to tool; treat this as a rough guide only.

  12. Differences between paid tools, free tools and ZAP

  13. Typical characteristics of security scanners
    Item               | Paid scanner        | Free scanner        | OWASP ZAP
    Test checks        | Many                | Few                 | Many
    Support            | Comprehensive       | Basically none      | Active community
    Report output      | Comprehensive       | Simple              | Comprehensive (mostly English)
    False positives    | Relatively few      | Relatively many     | Relatively few
    Language           | Japanese supported  | Mostly English      | Japanese supported
    Price              | Very expensive      | Free                | Free
    Public information | Basically none      | Very plentiful      | Plentiful
    Source code        | Closed              | Sometimes open      | Open
    Platform           | Depends on the tool | Depends on the tool | Windows/Linux/Mac
    * Details differ from tool to tool; treat this as a rough guide only.

  14. How to find vulnerabilities

  15. How to find vulnerabilities in a web app
    Send a variety of requests to the running web application and analyse
    the responses to determine whether vulnerabilities are present.
    (Diagram: browser -> Proxy -> target under test)
    ① Normal request: browse the web pages with a browser or similar
    ② Tampering by the proxy: change GET/POST parameters, cookies and
      other headers to invalid values
    ③ Request tampered by the proxy
    ④ Response from the server
    ⑤ Log recorded (the response is tampered with as well, when necessary)
    ⑥ Response passed back through the proxy

  16. How to find vulnerabilities in a web app
    Send a test request
    http://attack.local/search.php?q=word

  17. How to find vulnerabilities in a web app
    Analyse the response
    ~snip~
    word
    ~snip~
    (the submitted value is reflected in the HTML)

  18. How to find vulnerabilities in a web app
    Send a test request
    http://attack.local/search.php?
    q="><script>alert(document.cookie);</script>word

  19. How to find vulnerabilities in a web app
    Analyse the response
    ~snip~

    "><script>alert(document.cookie);</script>word

    ~snip~
    (the probe comes back unescaped: the page has a reflected XSS flaw)
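    The probe-and-analyse loop of slides 15-19, written out as runnable code. This is an added example, not code from the slides or from ZAP itself. The target search.php is simulated in-process: a vulnerable handler that echoes q unescaped and a hardened one that HTML-escapes it. The base URL http://attack.local/search.php is the one from the slides; the second parameter `page` is constructed to show that a parameter which is not reflected produces no alert. Like an active scan, the code replaces one parameter at a time, first confirms the value is reflected at all, then checks whether the `"><script>…` probe survives unescaped, and keeps the exact request so the finding can be replayed.

```python
# Added example, not from the slides: the probe-and-analyse loop a proxy-based
# scanner runs against search.php?q=word. The target is simulated in-process
# so the script runs offline; URL and handlers are constructed stand-ins.
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Same probe as on the slide: break out of the value="..." attribute.
PROBE = '"><script>alert(document.cookie);</script>'


def vulnerable_search(params):
    """Constructed stand-in for the old search.php: echoes q unescaped."""
    q = params.get("q", [""])[0]
    return (f'<input type="text" name="q" value="{q}">\n'
            f"<p>Results for {q}</p>")


def hardened_search(params):
    """Same page after the fix: HTML-escape the value, quotes included."""
    q = html.escape(params.get("q", [""])[0], quote=True)
    return (f'<input type="text" name="q" value="{q}">\n'
            f"<p>Results for {q}</p>")


def send(handler, url):
    """Stand-in for an HTTP GET: route the query string to the handler."""
    return handler(parse_qs(urlsplit(url).query, keep_blank_values=True))


def build_request(base_url, baseline, param, value):
    """Keep every other parameter at its recorded value and replace only
    the one under test, exactly as a per-parameter active scan does."""
    query = dict(baseline)
    query[param] = value
    return f"{base_url}?{urlencode(query)}"


def scan_parameter(handler, base_url, baseline, param):
    """Return an alert dict if `param` is reflected unescaped, else None."""
    canary = f"probe_{param}_word"  # unique per parameter, easy to spot
    # Step 1 (slides 16-17): a harmless value; is it reflected at all?
    body = send(handler, build_request(base_url, baseline, param, canary))
    if canary not in body:
        return None
    # Step 2 (slides 18-19): the tampered value; does the probe survive
    # untouched? An escaped copy (&quot;&gt;&lt;script&gt;) does not match.
    request = build_request(base_url, baseline, param, PROBE + canary)
    body = send(handler, request)
    if PROBE in body:
        return {"alert": "Reflected Cross Site Scripting",
                "param": param, "evidence": PROBE,
                "request": request}  # kept so the finding can be replayed
    return None


def scan(handler, base_url, baseline):
    """Test every parameter of the recorded request."""
    alerts = [scan_parameter(handler, base_url, baseline, p) for p in baseline]
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    target = "http://attack.local/search.php"
    params = {"q": "word", "page": "1"}
    for alert in scan(vulnerable_search, target, params):
        print(alert["alert"], "in", alert["param"], "->", alert["request"])
    print("hardened:", scan(hardened_search, target, params))
```

    Two details matter for low false positives: the canary check stops the scanner from firing on parameters the page never echoes, and matching the probe string itself (rather than just `alert`) means an HTML-escaped reflection is correctly reported as not vulnerable.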

  20. How to find platform vulnerabilities
    Send a test request
    http://attack.local/

  21. How to find platform vulnerabilities
    Analyse the response

  22. How to find platform vulnerabilities
    The great majority of platform vulnerabilities stem from the
    configuration of the server or service, or from its version.
    Analyse the response
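    The platform check of slides 20-22 in code. This is an added example, not from the slides or from ZAP: the two raw HTTP responses and the table of "current" versions are constructed for illustration, and a real scan would look versions up against vendor or vulnerability data rather than a hard-coded dict. It parses the banner headers (Server, X-Powered-By, X-AspNet-Version), reports any version disclosure, and flags a component as outdated when its version is numerically behind the reference.

```python
# Added example, not from the slides: extracting product versions from a
# server's response headers, which is the first thing a platform scan looks
# at. The responses and the "current version" table are constructed.
import re

# Constructed response from an old, chatty web server.
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.14 (Ubuntu) mod_ssl/2.2.14\r\n"
    b"X-Powered-By: PHP/5.3.2-1ubuntu4\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)

# Constructed response after hardening: banner kept, version removed.
RAW_HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)

# Headers that commonly leak product/version banners.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# product/version tokens such as Apache/2.2.14 or PHP/5.3.2-1ubuntu4
VERSION_RE = re.compile(r"([A-Za-z][\w-]*)/(\d+(?:\.\d+)+)")

# Constructed reference table; a real scanner consults vendor/CVE data.
CURRENT = {"apache": "2.4.18", "php": "5.6.18"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers, body).
    Header names are lower-cased; repeated headers keep every value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def extract_components(headers):
    """Return {product: version} for every banner found in the headers."""
    found = {}
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            for product, version in VERSION_RE.findall(value):
                found[product.lower()] = version
    return found


def version_key(version):
    """Numeric tuple for comparison: '2.2.14' -> (2, 2, 14)."""
    return tuple(int(part) for part in version.split("."))


def assess(raw, current=CURRENT):
    """Produce platform findings from one response, as a passive check would."""
    _, headers, _ = parse_response(raw)
    alerts = []
    for product, version in extract_components(headers).items():
        # Any banner is information leakage, whatever the version.
        alerts.append(("Version disclosure", product, version))
        # Only call it outdated when we know what current is.
        latest = current.get(product)
        if latest and version_key(version) < version_key(latest):
            alerts.append(("Outdated component", product, f"{version} < {latest}"))
    return alerts


if __name__ == "__main__":
    for alert in assess(RAW_RESPONSE):
        print(*alert)
    print("hardened:", assess(RAW_HARDENED))
```

    Note that mod_ssl is reported as a disclosure but not as outdated, because the reference table has no entry for it: a banner-based check can only say "old" relative to data it actually has, which is why such findings still need the manual review step from slide 29.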

  23. Understanding vulnerabilities

  24. Learn vulnerabilities by experiencing them
    https://www.ipa.go.jp/security/vuln/appgoat/

  25. Learn vulnerabilities by experiencing them
    OWASP Broken Web Application (BWA)
    A bundle of deliberately vulnerable web applications
    Java / ASP / PHP / Ruby on Rails…
    https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  26. OWASP TOP 10 - 2013
    https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. Introducing vulnerabilities

  28. Testing workflow

  29. Testing a web application
    Select the web pages to assess
    Run the security scanner
    Review and triage the findings

  30. Testing a platform
    Select the IP addresses to assess
    Run the security scanner
    Review and triage the findings

  31. Testing workflow with ZAP

  32. Caution
    Performing the actions described in these slides against networks or
    computers that are not under your own control may be judged to be an
    attack.
    Only do this against networks and servers that you control yourself.

  33. Environment setup
    Install OWASP ZAP
    OWASP ZAP 2.4.3 (released 2015/12/4)
    The assessment tool
    Install OWASP BWA
    OWASP BWA 1.2 (released 2015/8/3)
    The applications to be assessed
    Try it yourself once you get home!
    Setup details are at the links below.
    http://zapjp.blogspot.jp/
    https://www.owasp.org/index.php/User:Yuho_Kameda

  34. What is OWASP ZAP?
    OWASP ZAP (Zed Attack Proxy)
    A tool that makes it easy to run a "vulnerability assessment" of a
    web application
    A local proxy tool
    https://code.google.com/p/zaproxy/
    https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  35. What is OWASP BWA?
    OWASP Broken Web Application (BWA)
    A bundle of deliberately vulnerable web applications
    Java / ASP / PHP / Ruby on Rails…
    https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  36. Finding web app vulnerabilities
    Target: the old WordPress included in BWA
    WordPress 2.0.0
    The latest release is 4.4.2 (2016/2/2)

  37. Finding web app vulnerabilities
    Browser settings for using a proxy tool (IE example)

  38. Finding web app vulnerabilities
    Decide the scope of the assessment
    Include In Context
    Allows testing to be limited to a specific directory subtree

  39. Finding web app vulnerabilities
    Crawl the target (Spider)
    Select the page to start from
    Start the scan!

  40. Finding web app vulnerabilities
    The result…
    A huge number of URLs extracted!

  41. Finding web app vulnerabilities
    Active scan (sends test values to every parameter)
    Select the page to start from
    Start the scan!

  42. Finding platform vulnerabilities
    Identify open ports with a port scan

  43. Finding web app vulnerabilities
    Far too old: a huge number of findings

  44. Finding platform vulnerabilities
    Review what was detected in the Alerts tab
    The request that was sent can be replayed too!

  45. Confirm the vulnerabilities you found!
    The version is old…
    Check the latest version
    Upgrade or apply patches!
    The code is a mess…
    Fix the code!
    The configuration is still at its defaults…
    Configure it properly!

  46. The ZAP community

  47. Confirm the vulnerabilities you found!
    • OWASP ZAP Developer Group
    – Members: 434
    – Started: 2010/08/17
    – Main topics
    • ZAP development
    • Extension development
    • Bug fixes
    • OWASP ZAP User Group
    – Members: 431
    – Started: 2012/05/22
    – Main topics
    • Usage questions
    • Feature requests

  48. Confirm the vulnerabilities you found!
    • ZAP translation project
    • Japanese translation is 30% complete (as of 2015/2/10)
    • Anyone can take part
    • http://crowdin.com/owasp-zap/

  49. Summary
    Start by testing the servers and web apps in your development
    environment.
    Run a quick assessment with a security scanner during the test phase,
    and consider setting up a process so that nothing is released with
    known vulnerabilities.
    Know the vulnerabilities of the servers and web apps you manage ahead
    of time, and plan countermeasures.
    Assess your web apps yourself
    Make use of assessment services

  50. Security check
    Becoming security-aware with free tools!
    http://www.slideshare.net/zaki4649/free-securitycheck

  51. Security check
    The basics of vulnerability assessment
    Free and low effort!
    Infrastructure
    Port scanning
    Vulnerability scanning
    Web applications
    Automated assessment
    ZAP feature overview
    Examples of vulnerabilities actually detected

  52. Towards a job finding vulnerabilities
    Vulnerability Assessor (Web Application) Skill Map Project 2014
    A joint WG of OWASP Japan and JNSA's ISOG-J
    Maps the abilities a vulnerability assessor needs
    From programming to networking knowledge to professional ethics
    2014/12/24: "Vulnerability Assessor (Web Application) Skill Map" published
    https://www.owasp.org/index.php/Japan
    http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf

  53. Social Account
    Twitter : @YuhoKameda
    URL
    https://www.owasp.org/index.php/User:Yuho_Kameda
    E-mail
    [email protected]