Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

情報セキュリティ勉強会 実践編

Avatar for Yusuke Saito Yusuke Saito
August 30, 2017
Technology
1
790

 情報セキュリティ勉強会 実践編

Webアプリの脆弱性対策について

Avatar for Yusuke Saito

Yusuke Saito

August 30, 2017
Tweet

More Decks by Yusuke Saito

See All by Yusuke Saito
情報セキュリティ勉強会 基礎編
Avatar for Yusuke Saito yusuke_saito
2
1.2k
せっかくのグローバルイベントだから海外のエンジニアと話そう!
Avatar for Yusuke Saito yusuke_saito
0
600
RFCから読むHTTP/2の仕組みと速さの秘密
Avatar for Yusuke Saito yusuke_saito
0
390

Other Decks in Technology

See All in Technology
[CMU-DB-2025FALL] Apache Fluss - A Streaming Storage for Real-Time Lakehouse
Avatar for Jark Wu jark
0
120
LLM-Readyなデータ基盤を高速に構築するためのアジャイルデータモデリングの実例
Avatar for Kashira kashira
0
240
Databricks向けJupyter Kernelでデータサイエンティストの開発環境をAI-Readyにする / Data+AI World Tour Tokyo After Party
Avatar for GENDA genda
1
110
生成AI時代におけるグローバル戦略思考
Avatar for Takaaki Yayoi taka_aki
0
170
Fashion×AI「似合う」を届けるためのWEARのAI戦略
Avatar for ZOZO Developers zozotech
PRO
2
250
コミューンのデータ分析AIエージェント「Community Sage」の紹介
Avatar for Yusuke Fukasawa fufufukakaka
0
490
モダンデータスタック (MDS) の話とデータ分析が起こすビジネス変革
Avatar for suto sutotakeshi
0
480
AWSセキュリティアップデートとAWSを育てる話
Avatar for cm-usuda-keisuke cmusudakeisuke
0
260
Power of Kiro : あなたの㌔はパワステ搭載ですか?
Avatar for r3_yamauchi r3_yamauchi
PRO
0
120
AIと二人三脚で育てた、個人開発アプリグロース術
Avatar for ZOZO Developers zozotech
PRO
1
720
Debugging Edge AI on Zephyr and Lessons Learned
Avatar for misoji engineer iotengineer22
0
180
Microsoft Agent 365 についてゆっくりじっくり理解する!
Avatar for skmkzyk skmkzyk
0
300

Featured

See All Featured
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
273
27k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
73
11k
Making Projects Easy
Avatar for Brett Harned brettharned
120
6.5k
Side Projects
Avatar for Sacha Greif sachag
455
43k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
231
22k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
254
22k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
52
3.5k
What’s in a name? Adding method to the madness
Avatar for Product Marketing Alliance productmarketing
PRO
24
3.8k
Building Applications with DynamoDB
Avatar for Matt Wood mza
96
6.8k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
127
17k

Transcript

  1. ηΩϡϦςΟษڧձ ࣮ફฤ 2017/08/30

  2. ໨࣍ 1. ྫͷΞϨ 2. WebγεςϜ͕ड͚Δ߈ܸͱ͸ 3. ΍Δ΂͖ରࡦͱ͸ 4. ੬ऑੑͷݟ͚ͭํͱ͸

  3. ྫͷΞϨ

  4. IUUQXXXTPGUJDPSKQTFNJ@PQQEG

  5. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  6. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  7. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  8. SQLΠϯδΣΫγϣϯରࡦΛࢪͨ͠ ϓϩάϥϜΛఏڙ͢΂͖࠴຿

  9. ಉ࣌ʹɺ

  10. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  11. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  12. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  13. ͯ͞ɺԿ͕΍Δඞཁͷ ͋Δରࡦͳͷ͔

  14. None
  15. None
  16. None

  17. ෮श͠·͠ΐ͏ɻ

  18. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ

  19. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ

  20. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ

  21. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ

  22. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ ۀքஂମͷΨΠυϥΠϯ

  23. WebγεςϜ͕ड͚Δ ߈ܸͱ͸

  24. ৘ใηΩϡϦςΟ10େڴҖ

  25. ৘ใηΩϡϦςΟ10େڴҖ

  26. OWASP Top10 OWASP (The Open Web Application Security Project) ͕ൃද͢Δɺॏ

    ཁͳڴҖΛ·ͱΊͨυΩϡϝϯτɻϦεΫͷߴ͞΍߈ܸγφϦΦ΋·ͱ ·͍ͬͯΔͷͰɺඇৗʹࢀߟʹͳΔɻ https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. OWASP Top10 (2013)

  28. OWASP Top10 (2013)

  29. OWASP Top10 (2013)

  30. OWASP Top10 (2013)

  31. ΍Δ΂͖ରࡦͱ͸

  32. ҆શͳ΢ΣϒαΠτͷ࡞Γํ http://www.ipa.go.jp/security/vuln/websecurity.html

  33. ҆શͳ΢ΣϒαΠτͷ࡞Γํ ։ൃ࣌ʹ࣮ࢪ͢΂͖ηΩϡϦςΟରࡦʹ͍ͭ ͯ·ͱΊΒΕ͍ͯ·͢ɻ

  34. ҆શͳ΢ΣϒαΠτͷ࡞ΓํɹνΣοΫϦετ

  35. ੬ऑੑͷݟ͚ͭํ

  36. ΢Σϒ݈߁਍அ࢓༷ ΢ΣϒΞϓϦͷ੬ऑੑݕࠪͷํ๏ʹ͍ͭͯ· ͱΊΒΕ͍ͯ·͢ɻ

  37. ੬ऑͳαΠτͰ੬ऑੑΛݟ͚ͭͯΈΑ͏

  38. WebGoat IUUQTHJUIVCDPN8FC(PBU8FC(PBU ͓खܰʹ੬ऑੑΛࢼͤΔ 8FCΞϓϦέʔγϣϯɻ ͱͬͯ΋੬ऑʂ

  39. ੬ऑ͗ͯ͢֎ʹཱͯΔͷ͸ ጨΒΕΔͷͰ

  40. Φεεϝ͸DockerͰʂ docker run -p 8080:8080 webgoat/webgoat-7.1

  41. IUUQMPDBMIPTU8FC(PBU HVFTUHVFTUͰϩάΠϯͨ͠Β

  42. ϝχϡʔ͔Βࢼ͍ͨ͠੬ऑੑΛ୳ͯ͠༡΅͏ʂ

  43. ੬ऑੑνΣοΫπʔϧ 08"41;"1 08"41͕ఏڙ͢Δπʔϧɻ IUUQTXXXPXBTQPSHJOEFYQIQ08"41@;FE@"UUBDL@1SPYZ@1SPKFDU

  44. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̍ʣ ;"1ͷΦϓγϣϯ͔ΒɺʮϩʔΧϧɾ ϓϩΩγʯΛઃఆ͢Δɻ ઌఔͷ8FC(PBU͕Ͱಈ͍͍ͯ Δͱࢥ͏ͷͰɺॏͳΒͳ͍ϙʔτͰಈ ͔͠·͠ΐ͏ʂʢྫͰ͸ʣ

  45. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̎ʣ ωοτϫʔΫઃఆ͔Β8FCϓϩ ΩγΛઃఆɻઌఔͷ;"1Ͱઃఆ ͨ͠ϙʔτΛࢦఆͯ͠Լ͍͞ɻ

  46. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  47. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  48. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̐ʣ ϒϥ΢β͔Β ΞΫηεΛ࣮ߦ

  49. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̑ʣ ΞΫηεΛั֫ʂ

  50. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ

  51. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ

  52. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ (0

  53. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ

  54. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ ଓ͖Λ(0ʂ

  55. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̔ʣ ϒϥ΢βʹϨεϙϯε͕දࣔ͞ΕΔʂ

  56. ͓खܰʹ͍ΖΜͳ੬ऑੑΛπʔϧͰ νΣοΫͯ͘͠ΕͨΒ͍͍ͷʹʂ

  57. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ

  58. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β

  59. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠

  60. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠ (0

  61. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̎ʣ ࣌ؒ͸݁ߏ͔͔Δɻ ʢ౰વαΠτن໛ʹΑΔʣ ͜Ε͸SVCZHPBUͱ͍͏ผͷ(PBUͰͷ݁Ռɻ ໿෼ɻ