Upgrade to Pro — share decks privately, control downloads, hide ads and more …

情報セキュリティ勉強会 実践編

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Yusuke Saito Yusuke Saito
August 30, 2017
Technology
820
1

 情報セキュリティ勉強会 実践編

Webアプリの脆弱性対策について

Avatar for Yusuke Saito

Yusuke Saito

August 30, 2017

More Decks by Yusuke Saito

See All by Yusuke Saito
情報セキュリティ勉強会 基礎編
Avatar for Yusuke Saito yusuke_saito
2
1.3k
せっかくのグローバルイベントだから海外のエンジニアと話そう!
Avatar for Yusuke Saito yusuke_saito
0
620
RFCから読むHTTP/2の仕組みと速さの秘密
Avatar for Yusuke Saito yusuke_saito
0
400

Other Decks in Technology

See All in Technology
プラットフォームエンジニア ワークショップ/ platform-workshop
Avatar for Databricks Japan databricksjapan
1
260
AI と創る新たな世界 / A New World Created with AI
Avatar for Kenji Saito ks91
PRO
0
110
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
200
新規ゲーム開発におけるAI駆動開発のリアル
Avatar for ENSAPIA Engineering株式会社 202409e2
0
2.4k
Dario Amodi『Policy on the AI Exponential』を理解する
Avatar for 長津孝輔 nagatsu
0
110
生成 AI × MCP で切り拓く次世代 SRE!自律型運用への挑戦と開発者体験の進化
Avatar for _awache _awache
0
140
トークン数だけでは測れない — Claude Code 組織展開の効果検証から学んだこと
Avatar for Masaki Kubota makikub
0
120
サプライチェーンセキュリティの空白地帯 - 信頼できる”依存性”の未来を考える
Avatar for Hiroki Suezawa (@rung) rung
PRO
2
670
価格.comをAI駆動で全面刷新する ー 30年分の技術的負債を返し、次の30年の土台をつくる ー / AI Engineering Summit Tokyo 2026
Avatar for tkyowa tkyowa
46
50k
マーケットプレイス版Oracle WebCenter Content For OCI
Avatar for oracle4engineer oracle4engineer
PRO
5
1.8k
BigQuery の Cross-cloud Lakehouse への歩み
Avatar for Tomonori Hayashi / ぴーはや phaya72
2
540
AIガバナンス実践 - 生成AIコネクタのデータ漏洩リスクと実務対策
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
0
180

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
62k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.7k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.7k
How To Speak Unicorn (iThemes Webinar)
Avatar for Michelle Schulp Hunt marktimemedia
1
480
How to Align SEO within the Product Triangle To Get 
Buy-In & Support - #RIMC
Avatar for Aleyda Solis aleyda
2
1.5k
More Than Pixels: Becoming A User Experience Designer
Avatar for Michelle Schulp Hunt marktimemedia
3
430
Unlocking the hidden potential of vector embeddings in international SEO
Avatar for Frank van Dijk frankvandijk
0
830
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
Avatar for Marco Roth marcoroth
1
140
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
2
210
Into the Great Unknown - MozCon
Avatar for Noah Learner thekraken
41
2.5k
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
260
How to Get Subject Matter Experts Bought In and Actively Contributing to SEO & PR Initiatives.
Avatar for Liv Day livdayseo
0
130

Transcript

  1. ηΩϡϦςΟษڧձ ࣮ફฤ 2017/08/30

  2. ໨࣍ 1. ྫͷΞϨ 2. WebγεςϜ͕ड͚Δ߈ܸͱ͸ 3. ΍Δ΂͖ରࡦͱ͸ 4. ੬ऑੑͷݟ͚ͭํͱ͸

  3. ྫͷΞϨ

  4. IUUQXXXTPGUJDPSKQTFNJ@PQQEG

  5. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  6. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  7. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  8. SQLΠϯδΣΫγϣϯରࡦΛࢪͨ͠ ϓϩάϥϜΛఏڙ͢΂͖࠴຿

  9. ಉ࣌ʹɺ

  10. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  11. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  12. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  13. ͯ͞ɺԿ͕΍Δඞཁͷ ͋Δରࡦͳͷ͔

  14. None
  15. None
  16. None

  17. ෮श͠·͠ΐ͏ɻ

  18. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ

  19. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ

  20. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ

  21. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ

  22. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ ۀքஂମͷΨΠυϥΠϯ

  23. WebγεςϜ͕ड͚Δ ߈ܸͱ͸

  24. ৘ใηΩϡϦςΟ10େڴҖ

  25. ৘ใηΩϡϦςΟ10େڴҖ

  26. OWASP Top10 OWASP (The Open Web Application Security Project) ͕ൃද͢Δɺॏ

    ཁͳڴҖΛ·ͱΊͨυΩϡϝϯτɻϦεΫͷߴ͞΍߈ܸγφϦΦ΋·ͱ ·͍ͬͯΔͷͰɺඇৗʹࢀߟʹͳΔɻ https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. OWASP Top10 (2013)

  28. OWASP Top10 (2013)

  29. OWASP Top10 (2013)

  30. OWASP Top10 (2013)

  31. ΍Δ΂͖ରࡦͱ͸

  32. ҆શͳ΢ΣϒαΠτͷ࡞Γํ http://www.ipa.go.jp/security/vuln/websecurity.html

  33. ҆શͳ΢ΣϒαΠτͷ࡞Γํ ։ൃ࣌ʹ࣮ࢪ͢΂͖ηΩϡϦςΟରࡦʹ͍ͭ ͯ·ͱΊΒΕ͍ͯ·͢ɻ

  34. ҆શͳ΢ΣϒαΠτͷ࡞ΓํɹνΣοΫϦετ

  35. ੬ऑੑͷݟ͚ͭํ

  36. ΢Σϒ݈߁਍அ࢓༷ ΢ΣϒΞϓϦͷ੬ऑੑݕࠪͷํ๏ʹ͍ͭͯ· ͱΊΒΕ͍ͯ·͢ɻ

  37. ੬ऑͳαΠτͰ੬ऑੑΛݟ͚ͭͯΈΑ͏

  38. WebGoat IUUQTHJUIVCDPN8FC(PBU8FC(PBU ͓खܰʹ੬ऑੑΛࢼͤΔ 8FCΞϓϦέʔγϣϯɻ ͱͬͯ΋੬ऑʂ

  39. ੬ऑ͗ͯ͢֎ʹཱͯΔͷ͸ ጨΒΕΔͷͰ

  40. Φεεϝ͸DockerͰʂ docker run -p 8080:8080 webgoat/webgoat-7.1

  41. IUUQMPDBMIPTU8FC(PBU HVFTUHVFTUͰϩάΠϯͨ͠Β

  42. ϝχϡʔ͔Βࢼ͍ͨ͠੬ऑੑΛ୳ͯ͠༡΅͏ʂ

  43. ੬ऑੑνΣοΫπʔϧ 08"41;"1 08"41͕ఏڙ͢Δπʔϧɻ IUUQTXXXPXBTQPSHJOEFYQIQ08"41@;FE@"UUBDL@1SPYZ@1SPKFDU

  44. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̍ʣ ;"1ͷΦϓγϣϯ͔ΒɺʮϩʔΧϧɾ ϓϩΩγʯΛઃఆ͢Δɻ ઌఔͷ8FC(PBU͕Ͱಈ͍͍ͯ Δͱࢥ͏ͷͰɺॏͳΒͳ͍ϙʔτͰಈ ͔͠·͠ΐ͏ʂʢྫͰ͸ʣ

  45. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̎ʣ ωοτϫʔΫઃఆ͔Β8FCϓϩ ΩγΛઃఆɻઌఔͷ;"1Ͱઃఆ ͨ͠ϙʔτΛࢦఆͯ͠Լ͍͞ɻ

  46. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  47. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  48. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̐ʣ ϒϥ΢β͔Β ΞΫηεΛ࣮ߦ

  49. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̑ʣ ΞΫηεΛั֫ʂ

  50. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ

  51. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ

  52. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ (0

  53. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ

  54. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ ଓ͖Λ(0ʂ

  55. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̔ʣ ϒϥ΢βʹϨεϙϯε͕දࣔ͞ΕΔʂ

  56. ͓खܰʹ͍ΖΜͳ੬ऑੑΛπʔϧͰ νΣοΫͯ͘͠ΕͨΒ͍͍ͷʹʂ

  57. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ

  58. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β

  59. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠

  60. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠ (0

  61. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̎ʣ ࣌ؒ͸݁ߏ͔͔Δɻ ʢ౰વαΠτن໛ʹΑΔʣ ͜Ε͸SVCZHPBUͱ͍͏ผͷ(PBUͰͷ݁Ռɻ ໿෼ɻ