
[bpstudy] OWASP ZAP Vulnerable Assesment.

Yuho Kameda
February 26, 2016

2016/2/26 #bpstudy Learning from OWASP ZAP: an introduction to techniques for investigating vulnerabilities lurking in web applications


Transcript

  1. Learning from OWASP ZAP: an introduction to techniques for investigating vulnerabilities lurking in web applications. 2016/2/26 #bpstudy @YuhoKameda

  2. About me: Yuho Kameda (亀田 勇歩) : ykame (@YuhoKameda), ZAP Evangelist. Main work: web application vulnerability assessment,
    platform vulnerability assessment, SOC/CSIRT work, emergency incident response staff…
  3. ZAP Newsletter 2015/12: contributed an article on the recommendation of the ZAP project leader http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html

  4. Agenda. Scanner tool comparison: tools for finding vulnerabilities, compared from various angles. Vulnerability investigation with OWASP ZAP: the investigation workflow, using free tools to find vulnerabilities mainly in web applications.

  5. Quick poll
    1. People who have heard of vulnerability assessment
    2. People whose company has commissioned or receives a vulnerability assessment service
    3. People who have tried to find vulnerabilities in a running server or web app
    4. People who have used OWASP ZAP
  6. (Main topic) What is a security scanner? A tool that uses various test techniques to detect the vulnerabilities present in the target under test. In web application vulnerability assessment: SQL injection, cross-site scripting, etc. In platform vulnerability assessment: vulnerabilities present in the installed middleware versions, vulnerabilities that depend on the SSL/TLS cipher suites and protocol versions, etc.

  7. Security scanners

  8. Web application security scanners: WebInspect, AppScan, Vex (paid); OWASP ZAP, Nikto, w3af (free)

  9. Platform security scanners (paid / free)

  10. Differences between paid and free tools

  11. Example characteristics of security scanners
    | Item                | Paid scanner        | Free scanner        |
    | Test items (checks) | Many                | Few                 |
    | Support             | Comprehensive       | Basically none      |
    | Report output       | Comprehensive       | Simple              |
    | False positives     | Relatively few      | Relatively many     |
    | Language            | Japanese available  | Mostly English      |
    | Price               | Very expensive      | Free                |
    | Public information  | Basically none      | Very much           |
    | Source code         | Closed              | Sometimes open      |
    | Runtime environment | Depends on the tool | Depends on the tool |
    Note: the details differ from tool to tool, so treat this only as a rough guide.
  12. Differences between paid tools, free tools and ZAP

  13. Example characteristics of security scanners
    | Item                | Paid scanner        | Free scanner        | OWASP ZAP                      |
    | Test items (checks) | Many                | Few                 | Many                           |
    | Support             | Comprehensive       | Basically none      | Active community               |
    | Report output       | Comprehensive       | Simple              | Comprehensive (mostly English) |
    | False positives     | Relatively few      | Relatively many     | Relatively few                 |
    | Language            | Japanese available  | Mostly English      | Japanese available             |
    | Price               | Very expensive      | Free                | Free                           |
    | Public information  | Basically none      | Very much           | Much                           |
    | Source code         | Closed              | Sometimes open      | Open                           |
    | Runtime environment | Depends on the tool | Depends on the tool | Windows/Linux/Mac              |
    Note: the details differ from tool to tool, so treat this only as a rough guide.
  14. How to find vulnerabilities

  15. How to find web app vulnerabilities: send a variety of requests to the running web application and analyze the responses to decide whether a vulnerability exists.
    ① Normal request: browse the web page with a browser or similar client
    ② Tampering by the proxy: change GET/POST/Cookie and other headers to invalid values
    ③ The request tampered with by the proxy is sent to the target under test
    ④ Response from the server
    ⑤ The exchange is logged
    ⑥ Response passed back through the proxy (the response is tampered with too when needed)
  16. How to find web app vulnerabilities: send a test request http://attack.local/search.php?q=word

  17. How to find web app vulnerabilities: analyze the response 〜snip〜 <p class="id"> word </p> 〜snip〜

  18. How to find web app vulnerabilities: send a test request http://attack.local/search.php?q="><script>alert(document.cookie);</script>word

  19. How to find web app vulnerabilities: analyze the response 〜snip〜 <p class="id"> "><script>alert(document.cookie);</script>word </p> 〜snip〜
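The probe-and-analyze loop of slides 15 to 19, written out as an added example that is not part of the original deck: a toy `search.php` that reflects `q` into the markup unescaped (the behaviour slides 17 and 19 show), the same page with HTML escaping applied as the fix, and the response check a scanner performs on both. The base URL `http://attack.local/search.php` is the slides' placeholder host; the handler functions and `check_reflection` are assumptions made for this illustration, and nothing is sent over the network.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

# Probe string from slide 18 (constructed test input for this example).
PROBE = '"><script>alert(document.cookie);</script>'
BASE_URL = "http://attack.local/search.php"  # placeholder host, as on the slides


def _query_param(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def search_page_vulnerable(url):
    """Toy search.php that inserts q= into the HTML unescaped (slides 17 and 19)."""
    return f'<html><body>\n<p class="id"> {_query_param(url, "q")} </p>\n</body></html>'


def search_page_fixed(url):
    """Same page with the mitigation: HTML-escape user input before it enters the markup."""
    escaped = html.escape(_query_param(url, "q"), quote=True)
    return f'<html><body>\n<p class="id"> {escaped} </p>\n</body></html>'


def analyze_response(probe, body):
    """The 'analyze the response' step: did the probe come back verbatim, escaped, or not at all?"""
    if probe in body:
        return "reflected-unescaped"
    if html.escape(probe, quote=True) in body:
        return "reflected-escaped"
    return "not-reflected"


def check_reflection(handler, base=BASE_URL):
    """Replay the two requests of slides 16 and 18 against a handler and classify both responses.
    A baseline word that reflects plus a probe that reflects unescaped is the scanner's signal
    for reflected cross-site scripting; 'reflected-escaped' means the output encoding held."""
    baseline = analyze_response("word", handler(base + "?" + urlencode({"q": "word"})))
    probe = analyze_response(PROBE, handler(base + "?" + urlencode({"q": PROBE + "word"})))
    return baseline, probe


if __name__ == "__main__":
    for name, handler in (("vulnerable", search_page_vulnerable), ("fixed", search_page_fixed)):
        print(name, check_reflection(handler))
```

The classification is deliberately three-valued: a scanner that only checks "is the probe string present" would also flag the escaped page, so comparing against the escaped form separates a real finding from a correctly encoded reflection.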

  20. How to find platform vulnerabilities: send a test request http://attack.local/

  21. How to find platform vulnerabilities: analyze the response

  22. How to find platform vulnerabilities: analyze the response. The great majority of platform vulnerabilities stem from server/service configuration or from the version in use.
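For the platform checks of slides 20 to 22, an added example that is not from the deck: parse a raw HTTP response, flag banner headers that disclose product versions, and compare the disclosed versions against a minimum-version policy supplied by the caller. The two responses and the policy used in the usage call are constructed sample data, not captured from any real host, and the function names are this example's own.

```python
import re

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.14 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.2\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Headers that commonly carry product banners of the form name/version.
BANNER_HEADERS = ("server", "x-powered-by")
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)+)")


def parse_response_headers(raw):
    """Split a raw HTTP response into a dict of lower-cased header names (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_tuple(version):
    """'2.2.14' -> (2, 2, 14) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def find_version_disclosures(raw):
    """Return [(header, product, version)] for every banner header that exposes a version."""
    found = []
    for name, value in parse_response_headers(raw).items():
        if name in BANNER_HEADERS:
            for product, version in VERSION_RE.findall(value):
                found.append((name, product.lower(), version))
    return found


def outdated_products(raw, minimum_versions):
    """Compare disclosed versions with a policy {product: minimum acceptable version}.
    The policy comes from the caller; this example ships no real advisory data."""
    return [
        (product, version, minimum_versions[product])
        for _, product, version in find_version_disclosures(raw)
        if product in minimum_versions
        and version_tuple(version) < version_tuple(minimum_versions[product])
    ]


if __name__ == "__main__":
    policy = {"apache": "2.4.0", "php": "5.3.2"}  # constructed policy, for illustration only
    print(find_version_disclosures(SAMPLE_RESPONSE))
    print(outdated_products(SAMPLE_RESPONSE, policy))
    print(find_version_disclosures(HARDENED_RESPONSE))
```

The hardened response is what you get after turning banners off (`ServerTokens Prod` in Apache httpd, `server_tokens off;` in nginx, `expose_php = Off` in php.ini); note that hiding the version only removes the easy check, so the version comparison against your own support policy is the part worth keeping in an internal pipeline.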

  23. Understanding vulnerabilities

  24. Learn vulnerabilities by experiencing them: https://www.ipa.go.jp/security/vuln/appgoat/

  25. Learn vulnerabilities by experiencing them: OWASP Broken Web Application (BWA), a bundle of vulnerable web applications in Java / ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  26. OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. Vulnerability examples

  28. (no text on this slide)

  29. Assessment workflow

  30. Web application assessment: select the web pages to assess → run the security scanner → review and verify the detected results

  31. Platform assessment: select the IP addresses to assess → run the security scanner → review and verify the detected results

  32. Assessment workflow with ZAP

  33. Caution: if you perform the actions described in these slides against networks or computers that are not under your own control, they may be judged to be attacks. Perform them only against networks and servers under your own control.

  34. Environment setup. Install OWASP ZAP: OWASP ZAP 2.4.3 (released 2015/12/4), the assessment tool. Install OWASP BWA: OWASP BWA 1.2 (released 2015/8/3), the application to be assessed.
    Do try this yourself once you get home! Setup details are at http://zapjp.blogspot.jp/ and https://www.owasp.org/index.php/User:Yuho_Kameda
  35. What is OWASP ZAP? OWASP ZAP (Zed Attack Proxy): a tool that lets you easily run a "vulnerability assessment" of a web application; a local proxy tool.
    https://code.google.com/p/zaproxy/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  36. What is OWASP BWA? OWASP Broken Web Application (BWA): a bundle of vulnerable web applications in Java / ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
  37. Finding web app vulnerabilities: the target is the old WordPress inside BWA, WordPress 2.0.0 (the latest is 4.4.2 as of 2016/2/2)

  38. Finding web app vulnerabilities: browser settings when using a proxy tool (IE example)

  39. Finding web app vulnerabilities: decide the scope of the assessment with Include In Context; the assessment can be limited to a specific directory subtree

  40. Finding web app vulnerabilities: crawl the target (Spider); select the page to start from; start the scan!

  41. Finding web app vulnerabilities: result… a huge number of pages extracted!

  42. Finding web app vulnerabilities: active scan (sends test values to each parameter); select the page to start from; start the scan!

  43. Finding platform vulnerabilities: identify open ports with a port scan

  44. Finding web app vulnerabilities: far too old, so a huge number of alerts

  45. Finding platform vulnerabilities: review the detected information in the Alerts tab; the request that was sent at detection time can be reproduced too!
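The ZAP workflow of slides 39 to 45 (scope via Include In Context, Spider, active scan, review alerts) driven through ZAP's REST API, as an added example that is not from the deck: it assumes the `python-owasp-zap-v2.4` client package is installed, that ZAP 2.4.x is running with its API on 127.0.0.1:8080, and that the client exposes `context.new_context`, `context.include_in_context`, `spider.scan`/`spider.status`, `ascan.scan`/`ascan.status` and `core.alerts` with the signatures used here. `summarize_alerts` is a helper written for this example to triage results by risk, and the alert records in the usage call are constructed.

```python
import time
from collections import Counter


def summarize_alerts(alerts):
    """Group ZAP alert records by risk level and alert name, for the review step of slide 45.
    Each record is a dict with at least 'risk' and 'alert' keys, as zap.core.alerts() returns.
    Returns {risk: Counter({alert_name: count})}."""
    summary = {}
    for record in alerts:
        risk = record.get("risk", "Unknown")
        summary.setdefault(risk, Counter())[record.get("alert", "?")] += 1
    return summary


def run_zap_scan(target, context_name="bpstudy", zap_addr="http://127.0.0.1:8080", apikey=""):
    """Drive the slide 39-45 workflow through the ZAP API (assumed client package and signatures).
    Only run this against a target you control, such as the OWASP BWA VM from the slides."""
    from zapv2 import ZAPv2  # imported lazily so summarize_alerts works without ZAP installed

    zap = ZAPv2(apikey=apikey, proxies={"http": zap_addr, "https": zap_addr})

    # Slide 39: limit the scope with a context ("Include In Context").
    zap.context.new_context(context_name)
    zap.context.include_in_context(context_name, target.rstrip("/") + "/.*")

    # Slide 40: spider (crawl) from the starting page.
    zap.urlopen(target)
    spider_id = zap.spider.scan(target)
    while int(zap.spider.status(spider_id)) < 100:
        time.sleep(2)

    # Slide 42: active scan, which sends test values to each parameter.
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(5)

    # Slide 45: read back the alerts; each record also carries the request that triggered it.
    return zap.core.alerts(baseurl=target)


if __name__ == "__main__":
    # Constructed alert records in the shape zap.core.alerts() returns (not real scan output).
    sample_alerts = [
        {"risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": "http://bwa.local/wp/?s=x"},
        {"risk": "High", "alert": "Cross Site Scripting (Reflected)", "url": "http://bwa.local/wp/?p=1"},
        {"risk": "Low", "alert": "X-Content-Type-Options Header Missing", "url": "http://bwa.local/wp/"},
    ]
    for risk, names in summarize_alerts(sample_alerts).items():
        print(risk, dict(names))
    # To run a real scan against your own BWA instance (ZAP must be running):
    # print(summarize_alerts(run_zap_scan("http://bwa.local/wp/")))
```

The polling loops mirror what the GUI shows as progress bars; the summary step is where the "review and verify" work of slide 30 starts, since the same alert name repeated across many URLs usually points at one code path to fix rather than many.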

  46. Confirm the vulnerabilities you found! The version is old… check the latest version, then upgrade or apply patches! The code is in bad shape… fix the code! The configuration is still at its defaults… configure it properly!

  47. The ZAP community

  48. Confirm the vulnerabilities you found!
    • OWASP ZAP Developer Group – members: 434 – started: 2010/08/17 – main topics: • ZAP development • extension development • bug fixes
    • OWASP ZAP User Group – members: 431 – started: 2012/05/22 – main topics: • usage questions • feature requests

  49. • ZAP translation project • Japanese translation is 30% complete (as of 2015/2/10) • anyone can take part • http://crowdin.com/owasp-zap/

  50. Summary. First, try running scans against the servers and web apps in your development environment. At the testing stage, run a simple assessment with a security scanner and consider building a process that never releases while vulnerabilities remain. Get to know the vulnerabilities of the servers and web apps you manage in advance and consider countermeasures: assess your web apps yourself, and make use of assessment services.

  51. Security check: security awareness with free tools! http://www.slideshare.net/zaki4649/free-securitycheck

  52. Security check: the basic techniques of vulnerability assessment, free and with little effort! Infrastructure part: port scan, vulnerability scan. Web application part: automated assessment, overview of ZAP's features, examples of vulnerabilities actually detected.

  53. Towards a job finding vulnerabilities: the Vulnerability Assessor (Web Application) Skill Map Project 2014, a joint WG of OWASP Japan and JNSA's ISOG-J.
    A mapping of the abilities a vulnerability assessor needs, from programming and network knowledge through to ethics. 2014/12/24: "Vulnerability Assessor (Web Application) Skill Map" published. https://www.owasp.org/index.php/Japan http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf
  54. Social Account Twitter : @YuhoKameda URL https://www.owasp.org/index.php/User:Yuho_Kameda E-mail yuho.kameda@owasp.org