Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[bpstudy] OWASP ZAP Vulnerable Assesment.

Avatar for Yuho Kameda Yuho Kameda
February 26, 2016
2
1.4k

[bpstudy] OWASP ZAP Vulnerable Assesment.

2016/2/26 #bpstudy OWASP ZAPに学ぶ、 Webアプリケーションに潜む 脆弱性の調査手法を紹介

Avatar for Yuho Kameda

Yuho Kameda

February 26, 2016
Tweet

More Decks by Yuho Kameda

See All by Yuho Kameda
How to use OWASP ZAP & Vulnerabilities Slikmap
Avatar for Yuho Kameda ykame
0
9.1k
Enjoy Daily Life by handy tool
Avatar for Yuho Kameda ykame
0
120
Find Trust-Information -Public- 20170630 #ssmjp
Avatar for Yuho Kameda ykame
1
2.5k
Intel CTF and Open xINT CTF 20161220
Avatar for Yuho Kameda ykame
1
1.3k
Hey Siri! Hello Barbie! ssmjp
Avatar for Yuho Kameda ykame
0
950
How to create the alert by script of ZAP
Avatar for Yuho Kameda ykame
2
760
What is ZAP?
Avatar for Yuho Kameda ykame
0
540
MINI Hardening #1.2 20分LT ZAPを使ったHardening対策術 2015/8/29
Avatar for Yuho Kameda ykame
2
560
How to install VMwarePlayer and OWASP BWA
Avatar for Yuho Kameda ykame
1
1k

Featured

See All Featured
The Invisible Side of Design
Avatar for Vitaly Friedman smashingmag
302
51k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
353
21k
Navigating Team Friction
Avatar for Lara Hogan lara
190
15k
Learning to Love Humans: Emotional Interface Design
Avatar for Aarron Walter aarron
274
41k
Improving Core Web Vitals using Speculation Rules API
Avatar for Sergey Chernyshev sergeychernyshev
21
1.2k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.8k
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
246
12k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
232
18k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k

Transcript

  1. OWASP ZAPʹֶͿɺ WebΞϓϦέʔγϣϯʹજΉ ੬ऑੑͷௐࠪख๏Λ঺հ 2016/2/26 #bpstudy @YuhoKameda

  2. ࣗݾ঺հ ُా ༐า : ykame (@YuhoKameda) ZAP Evangelist ओͳۀ຿಺༰ WebΞϓϦέʔγϣϯ੬ऑੑ਍அ

    ϓϥοτϑΥʔϜ੬ऑੑ਍அ SOC/CSIRTۀ຿ ۓٸҊ݅ରԠཁһ…

  3. ZAP Newsletter 2015/12 ZAPϓϩδΣΫτϦʔμ ͔Βͷ঺հͰ౤ߘ http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html

  4. Agenda εΩϟφπʔϧൺֱ ੬ऑੑΛݟ͚ͭΔͨΊͷπʔϧΛ༷ʑͳ֯౓ ͔Βൺֱͯ͠঺հ͠·͢ɻ OWASP ZAPΛ࢖ͬͨ੬ऑੑͷௐࠪ ओʹWebΞϓϦέʔγϣϯͷ੬ऑੑΛݟ͚ͭ ΔͨΊͷແྉπʔϧΛ࢖͍ɺௐࠪͷྲྀΕΛ঺ հ͠·͢ɻ

  5. ؆୯ͳΞϯέʔτ 1. ੬ऑੑ਍அΛฉ͍ͨ͜ͱ͕͋Δਓ 
 2. ࣗ਎ͷձࣾͰɺ੬ऑੑ਍அͷαʔϏεΛґཔͨ͠Γड ͚͍ͯΔਓ 
 3. Քಇ͍ͯ͠Δαʔό/WebΞϓϦʹରͯ͠੬ऑੑΛݟͭ

    ͚Α͏ͱͨ͜͠ͱ͕͋Δਓ
 4. OWASP ZAPΛ࢖ͬͨ͜ͱ͕͋Δਓ

  6. (ຊ୊)ηΩϡϦςΟεΩϟφͱ͸ ༷ʑͳݕࠪख๏Λ༻͍ͯɺݕࠪର৅ʹଘࡏ͢Δ੬ऑੑΛݕग़͢ Δπʔϧ WebΞϓϦέʔγϣϯ੬ऑੑ਍அͷ৔߹… SQLΠϯδΣΫγϣϯ ΫϩεαΠτɾεΫϦϓςΟϯάɹͳͲ ϓϥοτϑΥʔϜ੬ऑੑ਍அͷ৔߹… ϛυϧ΢ΣΞͷόʔδϣϯʹଘࡏ͢Δ੬ऑੑ SSL/TLSͷ҉߸ํࣜɺόʔδϣϯʹґଘ͢Δ੬ऑੑɹͳͲ

  7. ηΩϡϦςΟεΩϟφ঺հ

  8. WebΞϓϦέʔγϣϯ ηΩϡϦςΟεΩϟφ঺հ WebInspect AppScan Vex OWASP ZAP Nikto w3af ༗ঈ

    ແঈ

  9. ༗ঈ ແঈ ϓϥοτϑΥʔϜ ηΩϡϦςΟεΩϟφ঺հ

  10. ༗ঈπʔϧͱແঈπʔϧ ͷҧ͍

  11. ηΩϡϦςΟεΩϟφͷಛ௃ྫ ߲໨ ༗ঈεΩϟφ ແঈεΩϟφ ݕ߲ࠪ໨ ଟ͍ গͳ͍ αϙʔτମ੍ ॆ࣮ جຊతʹແ͍

    Ϩϙʔτग़ྗ ॆ࣮ ؆қ ޡݕ஌ ൺֱతগͳ͍ ൺֱతଟ͍ ݴޠ ೔ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ྉۚ ඇৗʹߴ͍ ແঈ ެ։৘ใ جຊతʹແ͍ ͱͯ΋ଟ͍ ιʔείʔυ ඇެ։ ެ։΋͋Γ ಈ࡞؀ڥ πʔϧʹґଘ πʔϧʹґଘ ※πʔϧʹΑͬͯ಺༰͸ҧ͏ͨΊɺࢀߟఔ౓ͱ͓ߟ͍͑ͩ͘͞ɻ

  12. ༗ঈπʔϧͱແঈπʔϧͱ ZAPͷҧ͍

  13. ηΩϡϦςΟεΩϟφͷಛ௃ྫ ߲໨ ༗ঈεΩϟφ ແঈεΩϟφ OWASP ZAP ݕ߲ࠪ໨ ଟ͍ গͳ͍ ଟ͍

    αϙʔτମ੍ ॆ࣮ جຊతʹແ͍ ίϛϡχςΟ͕ॆ࣮ Ϩϙʔτग़ྗ ॆ࣮ ؆қ ॆ࣮(ӳޠ͕ଟ͍) ޡݕ஌ ൺֱతগͳ͍ ൺֱతଟ͍ ൺֱతগͳ͍ ݴޠ ೔ຊޠରԠ͋Γ ӳޠ͕ଟ͍ ೔ຊޠରԠ͋Γ ྉۚ ඇৗʹߴ͍ ແঈ ແঈ ެ։৘ใ جຊతʹແ͍ ͱͯ΋ଟ͍ ଟ͍ ιʔείʔυ ඇެ։ ެ։΋͋Γ ެ։ ಈ࡞؀ڥ πʔϧʹґଘ πʔϧʹґଘ Windows/Linux/Mac ※πʔϧʹΑͬͯ಺༰͸ҧ͏ͨΊɺࢀߟఔ౓ͱ͓ߟ͍͑ͩ͘͞ɻ

  14. ੬ऑੑͷݟ͚ͭํ

  15. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ Քಇ͍ͯ͠ΔWebΞϓϦέʔγϣϯʹର͠ ༷ͯʑͳϦΫΤετΛૹ৴͠ɺϨεϙϯε Λ෼ੳͯ͠੬ऑੑͷ༗ແΛ൑ఆ ᶃ௨ৗͷϦΫΤετ ϒϥ΢β౳ͰɺWebϖʔδΛӾཡ ᶅProxyʹΑΓ վ͟Μ͞ΕͨϦΫΤετ ᶆαʔό͔ΒͷϨεϙϯε ᶇϩάͷه࿥

    ඞཁʹΑΓɺϨεϙϯεͷ վ͟ΜΛߦ͏ Proxy ݕࠪର৅ ᶄProxyʹΑΔվ͟Μ GET/POST/Cookieଞɺ ϔομΛෆਖ਼ͳ஋ʹมߋ͢Δ ᶈProxyΛ௨աͨ͠Ϩεϙϯε

  16. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php?q=word

  17. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ ʙུʙ <p class=“id”> word </p> ʙུʙ

  18. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/search.php? q=“><script>alert(document.cookie);</script>word

  19. WebΞϓϦͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ ʙུʙ <p class=“id”> “><script>alert(document.cookie);</script>word </p> ʙུʙ

  20. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ݕࠪ༻ϦΫΤετΛૹ৴ http://attack.local/

  21. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ ϨεϙϯεΛ෼ੳ

  22. ϓϥοτϑΥʔϜͷ੬ऑੑͷݟ͚ͭํ αʔό/αʔϏεͷઃఆ΍ɺ όʔδϣϯʹىҼ͢Δ੬ऑੑ͕େଟ਺ ϨεϙϯεΛ෼ੳ

  23. ੬ऑੑͷཧղ

  24. ੬ऑੑΛମݧ֮ͯ͑͠Α͏ https://www.ipa.go.jp/security/vuln/appgoat/

  25. ੬ऑੑΛମݧ֮ͯ͑͠Α͏ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java / ASP

    / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  26. OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. ੬ऑੑͷ঺հ

  28. None

  29. ݕࠪͷྲྀΕ

  30. WebΞϓϦέʔγϣϯͷݕࠪ ਍அ͍ͨ͠Webϖʔδͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ

  31. ϓϥοτϑΥʔϜͷݕࠪ ਍அ͍ͨ͠IPΞυϨεͷબఆ ηΩϡϦςΟεΩϟφͷ࣮ߦ ݕग़݁Ռͷ֬ೝɾਫ਼ࠪ

  32. ZAPΛ࢖ͬͨݕࠪͷྲྀΕ

  33. ஫ҙࣄ߲ ຊεϥΠυʹهࡌͷߦҝΛɺࣗ਎ͷ؅ཧԼʹͳ͍ωο τϫʔΫ/ίϯϐϡʔλʹߦͬͨ৔߹ɺ߈ܸߦҝͱ൑ அ͞ΕΔ৔߹͕͋Γ·͢ɻ ࣗ਎ͷ؅ཧԼʹ͋ΔωοτϫʔΫ΍αʔόʹରͯ͠ ͷΈߦ͏Α͏ʹ͍ͯͩ͘͠͞ɻ

  34. ؀ڥ४උ OWASP ZAPͷΠϯετʔϧ OWASP ZAP 2.4.3(2015/12/4 released) ਍அπʔϧ OWASP BWAͷΠϯετʔϧ

    OWASP BWA 1.2 (2015/8/3 released) ਍அର৅ͱͳΔΞϓϦέʔγϣϯ ࣮ࡍʹؼ୐͔ͯ͠Βࢼͯ͠Έ͍ͯͩ͘͞ʂ ४උͷৄࡉ͸ɺԼهͰɻ http://zapjp.blogspot.jp/ https://www.owasp.org/index.php/User:Yuho_Kameda

  35. OWASP ZAPͱ͸ʁ OWASP ZAP (Zed Attack Proxy) WebΞϓϦέʔγϣϯΛ؆୯ʹʮ੬ऑੑ਍ அʯ͢Δ͜ͱ͕Ͱ͖Δπʔϧ ϩʔΧϧϓϩΩγπʔϧ

    https://code.google.com/p/zaproxy/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

  36. OWASP BWAͱ͸ʁ OWASP Broken Web Application (BWA) ੬ऑͳWebΞϓϦέʔγϣϯͷ٧Ί߹Θͤ Java /

    ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

  37. WebΞϓϦͷ੬ऑੑΛ୳͢ BWAͷதʹ͋Δɺݹ͍WordpressΛର৅ Wordpress 2.0.0 ࠷৽͸4.4.2 (2016/2/2)

  38. WebΞϓϦͷ੬ऑੑΛ୳͢ ϓϩΩγπʔϧ࢖༻࣌ͷϒϥ΢βઃఆ(IEྫ)

  39. WebΞϓϦͷ੬ऑੑΛ୳͢ ਍அର৅ൣғΛܾఆ Include In Context ಛఆσΟϨΫτϦ഑Լ͚ͩ਍அ͕Մೳ

  40. WebΞϓϦͷ੬ऑੑΛ୳͢ ର৅ΛΫϩʔϦϯά(εύΠμʔ) ։͍࢝ͨ͠ϖʔδΛબ୒ εΩϟϯ։࢝ʂ

  41. WebΞϓϦͷ੬ऑੑΛ୳͢ ݁Ռ… େྔʹநग़Ͱ͖ͨʂ

  42. WebΞϓϦͷ੬ऑੑΛ୳͢ ಈతεΩϟϯ(֤ύϥϝʔλ΁ݕࠪ஋Λૹ৴) ։͍࢝ͨ͠ϖʔδΛબ୒ εΩϟϯ։࢝ʂ

  43. ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ϙʔτεΩϟϯͰΦʔϓϯϙʔτΛಛఆ

  44. WebΞϓϦͷ੬ऑੑΛ୳͢ ݹ͗ͯ͢ŗŽŖŪେྔ

  45. ϓϥοτϑΥʔϜͷ੬ऑੑΛ୳͢ ݕ஌ͨ͠৘ใΛΞϥʔτͰ֬ೝ ૹ৴࣌ͷϦΫΤετ΋ ࠶ݱՄೳʂ

  46. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ όʔδϣϯ͕ݹ͍… ࠷৽όʔδϣϯΛ֬ೝ όʔδϣϯΞοϓ΍ύονΛద༻͠Α͏ʂ ίʔυ͕ϘϩϘϩ… ίʔυΛमਖ਼͠Α͏ʂ ઃఆ͕σϑΥϧτͷ··… ద੾ʹઃఆ͠Α͏ʂ

  47. ZAPίϛϡχςΟͷ঺հ

  48. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • OWASP ZAP Developer Group – ϝϯόʔ਺ɿ434ਓ – ։࢝೔ɿ2010/08/17

    – ओͳ಺༰ • ZAP։ൃʹؔ͢Δ͜ͱ • Extensionͷ։ൃ • όάमਖ਼ • OWASP ZAP User Group – ϝϯόʔ਺ɿ431ਓ – ։࢝೔ɿ2012/05/22 – ओͳ಺༰ • ࢖͍ํͷ࣭໰ • ࣮૷ͯ͠΄͍͠ϦΫΤε τ

  49. ݟ͚ͭͨ੬ऑੑΛ֬ೝʂ • ZAP຋༁ϓϩδΣΫτ • ೔ຊޠ຋༁౓͸30% (2015/2/10ݱࡏ) • ͩΕͰ΋ࢀՃՄೳ • http://crowdin.com/owasp-zap/

  50. ·ͱΊ ·ͣ͸։ൃ؀ڥͷαʔό΍WebΞϓϦʹݕࠪΛߦͬͯΈ·͠ΐ ͏ ςετ޻ఔஈ֊ͰɺηΩϡϦςΟεΩϟφΛ࢖ͬͨ؆қ਍அΛߦ ͍ɺ੬ऑੑ͕͋Δঢ়ଶͰϦϦʔε͠ͳ͍ମ੍࡞ΓΛݕ౼͠·͠ΐ ͏ ࣄલʹ؅ཧ͢ΔαʔόɾWebΞϓϦͷ੬ऑੑΛ೺Ѳ͠ɺରࡦΛ ݕ౼͠·͠ΐ͏ ࣗલͰWebΞϓϦΛ਍அ ਍அαʔϏεΛ׆༻

  51. ηΩϡϦςΟνΣοΫ ແྉͷπʔϧͰηΩϡϦςΟΛҙ͍ࣝͨ͠ʂ http://www.slideshare.net/zaki4649/free-securitycheck

  52. ηΩϡϦςΟνΣοΫ ੬ऑੑ਍அͷجຊख๏ ແྉͰख͕͔͔ؒΒͳ͍ʂ Πϯϑϥฤ ϙʔτεΩϟϯ ੬ऑੑεΩϟϯ WebΞϓϦέʔγϣϯฤ ࣗಈ਍அ ZAPͷػೳ঺հ ࣮ࡍʹݕग़͢Δ੬ऑੑͷࣄྫ

  53. ੬ऑੑΛݟ͚ͭΔ࢓ࣄ΁ ੬ऑੑ਍அ࢜ʢWeb ΞϓϦέʔγϣϯʣεΩϧϚοϓ ϓϩδΣΫτ 2014 OWASP Japan / JNSAͷISOG-J ʹΑΔڞಉWG

    ੬ऑੑ਍அ࢜ʹඞཁͳೳྗͷϚοϐϯά ϓϩάϥϚ͔ΒωοτϫʔΫ஌ࣝɺྙཧ؍·Ͱ 2014/12/24 ʮ੬ऑੑ਍அ࢜(WebΞϓϦέʔγϣϯ)εΩϧϚοϓʯެ։ https://www.owasp.org/index.php/Japan http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf

  54. Social Account Twitter : @YuhoKameda URL https://www.owasp.org/index.php/ User:Yuho_Kameda E-mail [email protected]