Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
[bpstudy] OWASP ZAP Vulnerable Assesment.
Search
Yuho Kameda
February 26, 2016
2
1.3k
[bpstudy] OWASP ZAP Vulnerable Assesment.
2016/2/26 #bpstudy OWASP ZAPに学ぶ、 Webアプリケーションに潜む 脆弱性の調査手法を紹介
Yuho Kameda
February 26, 2016
Tweet
Share
More Decks by Yuho Kameda
See All by Yuho Kameda
How to use OWASP ZAP & Vulnerabilities Slikmap
ykame
0
8.9k
Enjoy Daily Life by handy tool
ykame
0
94
Find Trust-Information -Public- 20170630 #ssmjp
ykame
1
2.4k
Intel CTF and Open xINT CTF 20161220
ykame
1
1.2k
Hey Siri! Hello Barbie! ssmjp
ykame
0
880
How to create the alert by script of ZAP
ykame
2
680
What is ZAP?
ykame
0
490
MINI Hardening #1.2 20分LT ZAPを使ったHardening対策術 2015/8/29
ykame
2
530
How to install VMwarePlayer and OWASP BWA
ykame
1
970
Featured
See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Unsuck your backbone
ammeep
669
57k
Become a Pro
speakerdeck
PRO
26
5k
Code Reviewing Like a Champion
maltzj
520
39k
Rails Girls Zürich Keynote
gr2m
94
13k
The Language of Interfaces
destraynor
154
24k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Practical Orchestrator
shlominoach
186
10k
Making Projects Easy
brettharned
116
5.9k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
28
2.1k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.1k
Transcript
OWASP ZAPʹֶͿɺ WebΞϓϦέʔγϣϯʹજΉ ੬ऑੑͷௐࠪख๏Λհ 2016/2/26 #bpstudy @YuhoKameda
ࣗݾհ ُా ༐า : ykame (@YuhoKameda) ZAP Evangelist ओͳۀ༰ WebΞϓϦέʔγϣϯ੬ऑੑஅ
ϓϥοτϑΥʔϜ੬ऑੑஅ SOC/CSIRTۀ ۓٸҊ݅ରԠཁһ…
ZAP Newsletter 2015/12 ZAPϓϩδΣΫτϦʔμ ͔ΒͷհͰߘ http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html
Agenda εΩϟφπʔϧൺֱ ੬ऑੑΛݟ͚ͭΔͨΊͷπʔϧΛ༷ʑͳ֯ ͔Βൺֱͯ͠հ͠·͢ɻ OWASP ZAPΛͬͨ੬ऑੑͷௐࠪ ओʹWebΞϓϦέʔγϣϯͷ੬ऑੑΛݟ͚ͭ ΔͨΊͷແྉπʔϧΛ͍ɺௐࠪͷྲྀΕΛ հ͠·͢ɻ
؆୯ͳΞϯέʔτ 1. ੬ऑੑஅΛฉ͍ͨ͜ͱ͕͋Δਓ 2. ࣗͷձࣾͰɺ੬ऑੑஅͷαʔϏεΛґཔͨ͠Γड ͚͍ͯΔਓ 3. Քಇ͍ͯ͠Δαʔό/WebΞϓϦʹରͯ͠੬ऑੑΛݟͭ
͚Α͏ͱͨ͜͠ͱ͕͋Δਓ 4. OWASP ZAPΛͬͨ͜ͱ͕͋Δਓ
(ຊ)ηΩϡϦςΟεΩϟφͱ ༷ʑͳݕࠪख๏Λ༻͍ͯɺݕࠪରʹଘࡏ͢Δ੬ऑੑΛݕग़͢ Δπʔϧ WebΞϓϦέʔγϣϯ੬ऑੑஅͷ߹… SQLΠϯδΣΫγϣϯ ΫϩεαΠτɾεΫϦϓςΟϯάɹͳͲ ϓϥοτϑΥʔϜ੬ऑੑஅͷ߹… ϛυϧΣΞͷόʔδϣϯʹଘࡏ͢Δ੬ऑੑ SSL/TLSͷ҉߸ํࣜɺόʔδϣϯʹґଘ͢Δ੬ऑੑɹͳͲ
ηΩϡϦςΟεΩϟφհ
WebΞϓϦέʔγϣϯ ηΩϡϦςΟεΩϟφհ WebInspect AppScan Vex OWASP ZAP Nikto w3af ༗ঈ
ແঈ
༗ঈ ແঈ ϓϥοτϑΥʔϜ ηΩϡϦςΟεΩϟφհ
༗ঈπʔϧͱແঈπʔϧ ͷҧ͍
ηΩϡϦςΟεΩϟφͷಛྫ ߲ ༗ঈεΩϟφ ແঈεΩϟφ ݕ߲ࠪ ଟ͍ গͳ͍ αϙʔτମ੍ ॆ࣮ جຊతʹແ͍
Ϩϙʔτग़ྗ ॆ࣮ ؆қ ޡݕ ൺֱతগͳ͍ ൺֱతଟ͍ ݴޠ ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ྉۚ ඇৗʹߴ͍ ແঈ ެ։ใ جຊతʹແ͍ ͱͯଟ͍ ιʔείʔυ ඇެ։ ެ։͋Γ ಈ࡞ڥ πʔϧʹґଘ πʔϧʹґଘ ※πʔϧʹΑͬͯ༰ҧ͏ͨΊɺࢀߟఔͱ͓ߟ͍͑ͩ͘͞ɻ
༗ঈπʔϧͱແঈπʔϧͱ ZAPͷҧ͍
ηΩϡϦςΟεΩϟφͷಛྫ ߲ ༗ঈεΩϟφ ແঈεΩϟφ OWASP ZAP ݕ߲ࠪ ଟ͍ গͳ͍ ଟ͍
αϙʔτମ੍ ॆ࣮ جຊతʹແ͍ ίϛϡχςΟ͕ॆ࣮ Ϩϙʔτग़ྗ ॆ࣮ ؆қ ॆ࣮(ӳޠ͕ଟ͍) ޡݕ ൺֱతগͳ͍ ൺֱతଟ͍ ൺֱతগͳ͍ ݴޠ ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ຊޠରԠ͋Γ ྉۚ ඇৗʹߴ͍ ແঈ ແঈ ެ։ใ جຊతʹແ͍ ͱͯଟ͍ ଟ͍ ιʔείʔυ ඇެ։ ެ։͋Γ ެ։ ಈ࡞ڥ πʔϧʹґଘ πʔϧʹґଘ Windows/Linux/Mac ※πʔϧʹΑͬͯ༰ҧ͏ͨΊɺࢀߟఔͱ͓ߟ͍͑ͩ͘͞ɻ
੬ऑੑͷݟ͚ͭํ
WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ Քಇ͍ͯ͠ΔWebΞϓϦέʔγϣϯʹର͠ ༷ͯʑͳϦΫΤετΛૹ৴͠ɺϨεϙϯε Λੳͯ͠੬ऑੑͷ༗ແΛఆ ᶃ௨ৗͷϦΫΤετ ϒϥβͰɺWebϖʔδΛӾཡ ᶅProxyʹΑΓ վ͟Μ͞ΕͨϦΫΤετ ᶆαʔό͔ΒͷϨεϙϯε ᶇϩάͷه
ඞཁʹΑΓɺϨεϙϯεͷ վ͟ΜΛߦ͏ Proxy ݕࠪର ᶄProxyʹΑΔվ͟Μ GET/POST/Cookieଞɺ ϔομΛෆਖ਼ͳʹมߋ͢Δ ᶈProxyΛ௨աͨ͠Ϩεϙϯε
WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php?q=word
WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛੳ ʙུʙ <p class=“id”> word </p> ʙུʙ
WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php? q=“><script>alert(document.cookie);</script>word
WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛੳ ʙུʙ <p class=“id”> “><script>alert(document.cookie);</script>word </p> ʙུʙ
ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/
ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛੳ
ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ αʔό/αʔϏεͷઃఆɺ όʔδϣϯʹىҼ͢Δ੬ऑੑ͕େଟ ϨεϙϯεΛੳ
੬ऑੑͷཧղ
੬ऑੑΛମݧ֮ͯ͑͠Α͏ https://www.ipa.go.jp/security/vuln/appgoat/
੬ऑੑΛମݧ֮ͯ͑͠Α͏ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java / ASP
/ PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf
੬ऑੑͷհ
None
ݕࠪͷྲྀΕ
WebΞϓϦέʔγϣϯͷݕࠪ அ͍ͨ͠Webϖʔδͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ
ϓϥοτϑΥʔϜͷݕࠪ அ͍ͨ͠IPΞυϨεͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ
ZAPΛͬͨݕࠪͷྲྀΕ
ҙࣄ߲ ຊεϥΠυʹهࡌͷߦҝΛɺࣗͷཧԼʹͳ͍ωο τϫʔΫ/ίϯϐϡʔλʹߦͬͨ߹ɺ߈ܸߦҝͱ அ͞ΕΔ߹͕͋Γ·͢ɻ ࣗͷཧԼʹ͋ΔωοτϫʔΫαʔόʹରͯ͠ ͷΈߦ͏Α͏ʹ͍ͯͩ͘͠͞ɻ
ڥ४උ OWASP ZAPͷΠϯετʔϧ OWASP ZAP 2.4.3(2015/12/4 released) அπʔϧ OWASP BWAͷΠϯετʔϧ
OWASP BWA 1.2 (2015/8/3 released) அରͱͳΔΞϓϦέʔγϣϯ ࣮ࡍʹؼ͔ͯ͠Βࢼͯ͠Έ͍ͯͩ͘͞ʂ ४උͷৄࡉɺԼهͰɻ http://zapjp.blogspot.jp/ https://www.owasp.org/index.php/User:Yuho_Kameda
OWASP ZAPͱʁ OWASP ZAP (Zed Attack Proxy) WebΞϓϦέʔγϣϯΛ؆୯ʹʮ੬ऑੑ அʯ͢Δ͜ͱ͕Ͱ͖Δπʔϧ ϩʔΧϧϓϩΩγπʔϧ
https://code.google.com/p/zaproxy/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
OWASP BWAͱʁ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java /
ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
WebΞϓϦͷ੬ऑੑΛ୳͢ BWAͷதʹ͋Δɺݹ͍WordpressΛର Wordpress 2.0.0 ࠷৽4.4.2 (2016/2/2)
WebΞϓϦͷ੬ऑੑΛ୳͢ ϓϩΩγπʔϧ༻࣌ͷϒϥβઃఆ(IEྫ)
WebΞϓϦͷ੬ऑੑΛ୳͢ அରൣғΛܾఆ Include In Context ಛఆσΟϨΫτϦԼ͚ͩஅ͕Մೳ
WebΞϓϦͷ੬ऑੑΛ୳͢ ରΛΫϩʔϦϯά(εύΠμʔ) ։͍࢝ͨ͠ϖʔδΛબ εΩϟϯ։࢝ʂ
WebΞϓϦͷ੬ऑੑΛ୳͢ ݁Ռ… େྔʹநग़Ͱ͖ͨʂ
WebΞϓϦͷ੬ऑੑΛ୳͢ ಈతεΩϟϯ(֤ύϥϝʔλݕࠪΛૹ৴) ։͍࢝ͨ͠ϖʔδΛબ εΩϟϯ։࢝ʂ
ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ϙʔτεΩϟϯͰΦʔϓϯϙʔτΛಛఆ
WebΞϓϦͷ੬ऑੑΛ୳͢ ݹ͗ͯ͢ŗŽŖŪେྔ
ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ݕͨ͠ใΛΞϥʔτͰ֬ೝ ૹ৴࣌ͷϦΫΤετ ࠶ݱՄೳʂ
ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ όʔδϣϯ͕ݹ͍… ࠷৽όʔδϣϯΛ֬ೝ όʔδϣϯΞοϓύονΛద༻͠Α͏ʂ ίʔυ͕ϘϩϘϩ… ίʔυΛमਖ਼͠Α͏ʂ ઃఆ͕σϑΥϧτͷ··… దʹઃఆ͠Α͏ʂ
ZAPίϛϡχςΟͷհ
ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • OWASP ZAP Developer Group – ϝϯόʔɿ434ਓ – ։࢝ɿ2010/08/17
– ओͳ༰ • ZAP։ൃʹؔ͢Δ͜ͱ • Extensionͷ։ൃ • όάमਖ਼ • OWASP ZAP User Group – ϝϯόʔɿ431ਓ – ։࢝ɿ2012/05/22 – ओͳ༰ • ͍ํͷ࣭ • ࣮ͯ͠΄͍͠ϦΫΤε τ
ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • ZAP༁ϓϩδΣΫτ • ຊޠ༁30% (2015/2/10ݱࡏ) • ͩΕͰࢀՃՄೳ • http://crowdin.com/owasp-zap/
·ͱΊ ·ͣ։ൃڥͷαʔόWebΞϓϦʹݕࠪΛߦͬͯΈ·͠ΐ ͏ ςετఔஈ֊ͰɺηΩϡϦςΟεΩϟφΛͬͨ؆қஅΛߦ ͍ɺ੬ऑੑ͕͋Δঢ়ଶͰϦϦʔε͠ͳ͍ମ੍࡞ΓΛݕ౼͠·͠ΐ ͏ ࣄલʹཧ͢ΔαʔόɾWebΞϓϦͷ੬ऑੑΛѲ͠ɺରࡦΛ ݕ౼͠·͠ΐ͏ ࣗલͰWebΞϓϦΛஅ அαʔϏεΛ׆༻
ηΩϡϦςΟνΣοΫ ແྉͷπʔϧͰηΩϡϦςΟΛҙ͍ࣝͨ͠ʂ http://www.slideshare.net/zaki4649/free-securitycheck
ηΩϡϦςΟνΣοΫ ੬ऑੑஅͷجຊख๏ ແྉͰख͕͔͔ؒΒͳ͍ʂ Πϯϑϥฤ ϙʔτεΩϟϯ ੬ऑੑεΩϟϯ WebΞϓϦέʔγϣϯฤ ࣗಈஅ ZAPͷػೳհ ࣮ࡍʹݕग़͢Δ੬ऑੑͷࣄྫ
੬ऑੑΛݟ͚ͭΔࣄ ੬ऑੑஅ࢜ʢWeb ΞϓϦέʔγϣϯʣεΩϧϚοϓ ϓϩδΣΫτ 2014 OWASP Japan / JNSAͷISOG-J ʹΑΔڞಉWG
੬ऑੑஅ࢜ʹඞཁͳೳྗͷϚοϐϯά ϓϩάϥϚ͔ΒωοτϫʔΫࣝɺྙཧ؍·Ͱ 2014/12/24 ʮ੬ऑੑஅ࢜(WebΞϓϦέʔγϣϯ)εΩϧϚοϓʯެ։ https://www.owasp.org/index.php/Japan http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf
Social Account Twitter : @YuhoKameda URL https://www.owasp.org/index.php/ User:Yuho_Kameda E-mail
[email protected]