Upgrade to Pro — share decks privately, control downloads, hide ads and more …

情報セキュリティ勉強会 実践編

Avatar for Yusuke Saito Yusuke Saito
August 30, 2017
Technology
1
790

 情報セキュリティ勉強会 実践編

Webアプリの脆弱性対策について

Avatar for Yusuke Saito

Yusuke Saito

August 30, 2017
Tweet

More Decks by Yusuke Saito

See All by Yusuke Saito
情報セキュリティ勉強会 基礎編
Avatar for Yusuke Saito yusuke_saito
2
1.2k
せっかくのグローバルイベントだから海外のエンジニアと話そう!
Avatar for Yusuke Saito yusuke_saito
0
600
RFCから読むHTTP/2の仕組みと速さの秘密
Avatar for Yusuke Saito yusuke_saito
0
390

Other Decks in Technology

See All in Technology
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
340
「アウトプット脳からユーザー価値脳へ」がそんなに簡単にできたら苦労しない #RSGT2026
Avatar for Aki / @LoveIdahoBurger aki_iinuma
7
3.7k
投資戦略を量産せよ 2 - マケデコセミナー(2025/12/26)
Avatar for tomo gamella
1
610
善意の活動は、なぜ続かなくなるのか ーふりかえりが"構造を変える判断"になった半年間ー
Avatar for matsukurou matsukurou
0
230
AI with TiDD
Avatar for Shiraji shiraji
1
340
ルネサンス開発者を育てる 1on1支援AIエージェント
Avatar for Yusuke Shimizu yusukeshimizu
0
130
Sansan Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
1
3.6k
ハッカソンから社内プロダクトへ AIエージェント ko☆shi 開発で学んだ4つの重要要素
Avatar for Tech Leverages leveragestech
0
550
Oracle Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
1
820
戰略轉變:從建構 AI 代理人到發展可擴展的技能生態系統
Avatar for Bo-Yi Wu appleboy
0
180
Eight Engineering Unit 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
6.1k
複雑さを受け入れるか、拒むか? - 事業成長とともに育ったモノリスを前に私が考えたこと #RSGT2026
Avatar for bayashi murabayashi
1
1.2k

Featured

See All Featured
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
Avatar for Tech SEO Connect techseoconnect
PRO
0
36
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge
Avatar for UX Y'all uxyall
0
130
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
34
2.6k
The Curse of the Amulet
Avatar for Matthew Lei leimatthew05
0
6.7k
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
110
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
463
34k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
Collaborative Software Design: How to facilitate domain modelling decisions
Avatar for Kenny Baas-Schwegler baasie
0
110
The Language of Interfaces
Avatar for Des Traynor destraynor
162
26k
The Cost Of JavaScript in 2023
Avatar for Addy Osmani addyosmani
55
9.4k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
0
2.3k

Transcript

  1. ηΩϡϦςΟษڧձ ࣮ફฤ 2017/08/30

  2. ໨࣍ 1. ྫͷΞϨ 2. WebγεςϜ͕ड͚Δ߈ܸͱ͸ 3. ΍Δ΂͖ରࡦͱ͸ 4. ੬ऑੑͷݟ͚ͭํͱ͸

  3. ྫͷΞϨ

  4. IUUQXXXTPGUJDPSKQTFNJ@PQQEG

  5. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  6. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  7. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  8. SQLΠϯδΣΫγϣϯରࡦΛࢪͨ͠ ϓϩάϥϜΛఏڙ͢΂͖࠴຿

  9. ಉ࣌ʹɺ

  10. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  11. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  12. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  13. ͯ͞ɺԿ͕΍Δඞཁͷ ͋Δରࡦͳͷ͔

  14. None
  15. None
  16. None

  17. ෮श͠·͠ΐ͏ɻ

  18. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ

  19. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ

  20. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ

  21. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ

  22. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ ۀքஂମͷΨΠυϥΠϯ

  23. WebγεςϜ͕ड͚Δ ߈ܸͱ͸

  24. ৘ใηΩϡϦςΟ10େڴҖ

  25. ৘ใηΩϡϦςΟ10େڴҖ

  26. OWASP Top10 OWASP (The Open Web Application Security Project) ͕ൃද͢Δɺॏ

    ཁͳڴҖΛ·ͱΊͨυΩϡϝϯτɻϦεΫͷߴ͞΍߈ܸγφϦΦ΋·ͱ ·͍ͬͯΔͷͰɺඇৗʹࢀߟʹͳΔɻ https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. OWASP Top10 (2013)

  28. OWASP Top10 (2013)

  29. OWASP Top10 (2013)

  30. OWASP Top10 (2013)

  31. ΍Δ΂͖ରࡦͱ͸

  32. ҆શͳ΢ΣϒαΠτͷ࡞Γํ http://www.ipa.go.jp/security/vuln/websecurity.html

  33. ҆શͳ΢ΣϒαΠτͷ࡞Γํ ։ൃ࣌ʹ࣮ࢪ͢΂͖ηΩϡϦςΟରࡦʹ͍ͭ ͯ·ͱΊΒΕ͍ͯ·͢ɻ

  34. ҆શͳ΢ΣϒαΠτͷ࡞ΓํɹνΣοΫϦετ

  35. ੬ऑੑͷݟ͚ͭํ

  36. ΢Σϒ݈߁਍அ࢓༷ ΢ΣϒΞϓϦͷ੬ऑੑݕࠪͷํ๏ʹ͍ͭͯ· ͱΊΒΕ͍ͯ·͢ɻ

  37. ੬ऑͳαΠτͰ੬ऑੑΛݟ͚ͭͯΈΑ͏

  38. WebGoat IUUQTHJUIVCDPN8FC(PBU8FC(PBU ͓खܰʹ੬ऑੑΛࢼͤΔ 8FCΞϓϦέʔγϣϯɻ ͱͬͯ΋੬ऑʂ

  39. ੬ऑ͗ͯ͢֎ʹཱͯΔͷ͸ ጨΒΕΔͷͰ

  40. Φεεϝ͸DockerͰʂ docker run -p 8080:8080 webgoat/webgoat-7.1

  41. IUUQMPDBMIPTU8FC(PBU HVFTUHVFTUͰϩάΠϯͨ͠Β

  42. ϝχϡʔ͔Βࢼ͍ͨ͠੬ऑੑΛ୳ͯ͠༡΅͏ʂ

  43. ੬ऑੑνΣοΫπʔϧ 08"41;"1 08"41͕ఏڙ͢Δπʔϧɻ IUUQTXXXPXBTQPSHJOEFYQIQ08"41@;FE@"UUBDL@1SPYZ@1SPKFDU

  44. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̍ʣ ;"1ͷΦϓγϣϯ͔ΒɺʮϩʔΧϧɾ ϓϩΩγʯΛઃఆ͢Δɻ ઌఔͷ8FC(PBU͕Ͱಈ͍͍ͯ Δͱࢥ͏ͷͰɺॏͳΒͳ͍ϙʔτͰಈ ͔͠·͠ΐ͏ʂʢྫͰ͸ʣ

  45. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̎ʣ ωοτϫʔΫઃఆ͔Β8FCϓϩ ΩγΛઃఆɻઌఔͷ;"1Ͱઃఆ ͨ͠ϙʔτΛࢦఆͯ͠Լ͍͞ɻ

  46. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  47. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  48. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̐ʣ ϒϥ΢β͔Β ΞΫηεΛ࣮ߦ

  49. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̑ʣ ΞΫηεΛั֫ʂ

  50. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ

  51. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ

  52. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ (0

  53. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ

  54. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ ଓ͖Λ(0ʂ

  55. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̔ʣ ϒϥ΢βʹϨεϙϯε͕දࣔ͞ΕΔʂ

  56. ͓खܰʹ͍ΖΜͳ੬ऑੑΛπʔϧͰ νΣοΫͯ͘͠ΕͨΒ͍͍ͷʹʂ

  57. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ

  58. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β

  59. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠

  60. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠ (0

  61. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̎ʣ ࣌ؒ͸݁ߏ͔͔Δɻ ʢ౰વαΠτن໛ʹΑΔʣ ͜Ε͸SVCZHPBUͱ͍͏ผͷ(PBUͰͷ݁Ռɻ ໿෼ɻ