Upgrade to Pro — share decks privately, control downloads, hide ads and more …

情報セキュリティ勉強会 実践編

Avatar for Yusuke Saito Yusuke Saito
August 30, 2017
Technology
1
780

 情報セキュリティ勉強会 実践編

Webアプリの脆弱性対策について

Avatar for Yusuke Saito

Yusuke Saito

August 30, 2017
Tweet

More Decks by Yusuke Saito

See All by Yusuke Saito
情報セキュリティ勉強会 基礎編
Avatar for Yusuke Saito yusuke_saito
2
1.2k
せっかくのグローバルイベントだから海外のエンジニアと話そう!
Avatar for Yusuke Saito yusuke_saito
0
590
RFCから読むHTTP/2の仕組みと速さの秘密
Avatar for Yusuke Saito yusuke_saito
0
390

Other Decks in Technology

See All in Technology
M5製品で作るポン置きセルラー対応カメラ
Avatar for Hisaya OKADA sayacom
0
170
やる気のない自分との向き合い方/How to Deal with Your Unmotivated Self
Avatar for Genki Sano sanogemaru
0
450
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
Avatar for Sansan R&D sansan_randd
0
130
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
Avatar for you(@youtoy) you
PRO
0
240
KMP の Swift export
Avatar for Koki Hirokawa kokihirokawa
0
350
研究開発部メンバーの働き⽅ / Sansan R&D Profile
Avatar for Sansan, Inc. sansan33
PRO
3
20k
職種別ミートアップで社内から盛り上げる アウトプット文化の醸成と関係強化/ #DevRelKaigi
Avatar for Ichiro Nishiuma nishiuma
2
160
How to achieve interoperable digital identity across Asian countries
Avatar for Naohiro Fujie fujie
0
140
能登半島災害現場エンジニアクロストーク 【JAWS FESTA 2025 in 金沢】
Avatar for Masakatsu Sugii ditccsugii
0
230
AIツールでどこまでデザインを忠実に実装できるのか
Avatar for Oikon oikon48
6
3.1k
能登半島地震で見えた災害対応の課題と組織変革の重要性
Avatar for Masakatsu Sugii ditccsugii
0
250
SwiftUIのGeometryReaderとScrollViewを基礎から応用まで学び直す:設計と活用事例
Avatar for Fumiya Sakai fumiyasac0921
0
150

Featured

See All Featured
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
303
21k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
900
Fireside Chat
Avatar for paigeccino paigeccino
40
3.7k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
43
7.7k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
2.8k
Building Adaptive Systems
Avatar for Chris Keathley keathley
43
2.8k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
232
18k
Building Flexible Design Systems
Avatar for Yesenia Perez-Cruz yeseniaperezcruz
329
39k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
96
6.3k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k

Transcript

  1. ηΩϡϦςΟษڧձ ࣮ફฤ 2017/08/30

  2. ໨࣍ 1. ྫͷΞϨ 2. WebγεςϜ͕ड͚Δ߈ܸͱ͸ 3. ΍Δ΂͖ରࡦͱ͸ 4. ੬ऑੑͷݟ͚ͭํͱ͸

  3. ྫͷΞϨ

  4. IUUQXXXTPGUJDPSKQTFNJ@PQQEG

  5. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  6. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  7. ηΩϡϦςΟରࡦ͸΍ͬͯ౰ͨΓલ SQLΠϯδΣΫγϣϯ͕ݪҼͰΧʔυ৘ใ͕ྲྀग़ͨ͠ࣄ݅Ͱ͢ɻ ൑ܾͷϙΠϯτ͸ɺ

  8. SQLΠϯδΣΫγϣϯରࡦΛࢪͨ͠ ϓϩάϥϜΛఏڙ͢΂͖࠴຿

  9. ಉ࣌ʹɺ

  10. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  11. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  12. ʮ๬·͍͠ʯ͸ඞਢͰ͸ͳ͍

  13. ͯ͞ɺԿ͕΍Δඞཁͷ ͋Δରࡦͳͷ͔

  14. None
  15. None
  16. None

  17. ෮श͠·͠ΐ͏ɻ

  18. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ

  19. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ

  20. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ

  21. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ

  22. ࡋ൑Ͱෛ͚ͳ͍ͨΊͷ౒ྗ ʮࡋ൑ରࡦʯͱͯ͠͸ɺԼهͷΑ͏ͳυΩϡϝϯτʹॻ͍ͯ ͋Δ͜ͱ͸ɺʮ΍ͬͯ౰ͨΓલʯͱ͍͏ѻ͍Λड͚·͢ɻ ๏཯ɾ੓ྩɾলྩ ܦࡁ࢈ۀলͷΨΠυϥΠϯ *1"ͷΨΠυϥΠϯ ۀքஂମͷΨΠυϥΠϯ

  23. WebγεςϜ͕ड͚Δ ߈ܸͱ͸

  24. ৘ใηΩϡϦςΟ10େڴҖ

  25. ৘ใηΩϡϦςΟ10େڴҖ

  26. OWASP Top10 OWASP (The Open Web Application Security Project) ͕ൃද͢Δɺॏ

    ཁͳڴҖΛ·ͱΊͨυΩϡϝϯτɻϦεΫͷߴ͞΍߈ܸγφϦΦ΋·ͱ ·͍ͬͯΔͷͰɺඇৗʹࢀߟʹͳΔɻ https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf

  27. OWASP Top10 (2013)

  28. OWASP Top10 (2013)

  29. OWASP Top10 (2013)

  30. OWASP Top10 (2013)

  31. ΍Δ΂͖ରࡦͱ͸

  32. ҆શͳ΢ΣϒαΠτͷ࡞Γํ http://www.ipa.go.jp/security/vuln/websecurity.html

  33. ҆શͳ΢ΣϒαΠτͷ࡞Γํ ։ൃ࣌ʹ࣮ࢪ͢΂͖ηΩϡϦςΟରࡦʹ͍ͭ ͯ·ͱΊΒΕ͍ͯ·͢ɻ

  34. ҆શͳ΢ΣϒαΠτͷ࡞ΓํɹνΣοΫϦετ

  35. ੬ऑੑͷݟ͚ͭํ

  36. ΢Σϒ݈߁਍அ࢓༷ ΢ΣϒΞϓϦͷ੬ऑੑݕࠪͷํ๏ʹ͍ͭͯ· ͱΊΒΕ͍ͯ·͢ɻ

  37. ੬ऑͳαΠτͰ੬ऑੑΛݟ͚ͭͯΈΑ͏

  38. WebGoat IUUQTHJUIVCDPN8FC(PBU8FC(PBU ͓खܰʹ੬ऑੑΛࢼͤΔ 8FCΞϓϦέʔγϣϯɻ ͱͬͯ΋੬ऑʂ

  39. ੬ऑ͗ͯ͢֎ʹཱͯΔͷ͸ ጨΒΕΔͷͰ

  40. Φεεϝ͸DockerͰʂ docker run -p 8080:8080 webgoat/webgoat-7.1

  41. IUUQMPDBMIPTU8FC(PBU HVFTUHVFTUͰϩάΠϯͨ͠Β

  42. ϝχϡʔ͔Βࢼ͍ͨ͠੬ऑੑΛ୳ͯ͠༡΅͏ʂ

  43. ੬ऑੑνΣοΫπʔϧ 08"41;"1 08"41͕ఏڙ͢Δπʔϧɻ IUUQTXXXPXBTQPSHJOEFYQIQ08"41@;FE@"UUBDL@1SPYZ@1SPKFDU

  44. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̍ʣ ;"1ͷΦϓγϣϯ͔ΒɺʮϩʔΧϧɾ ϓϩΩγʯΛઃఆ͢Δɻ ઌఔͷ8FC(PBU͕Ͱಈ͍͍ͯ Δͱࢥ͏ͷͰɺॏͳΒͳ͍ϙʔτͰಈ ͔͠·͠ΐ͏ʂʢྫͰ͸ʣ

  45. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̎ʣ ωοτϫʔΫઃఆ͔Β8FCϓϩ ΩγΛઃఆɻઌఔͷ;"1Ͱઃఆ ͨ͠ϙʔτΛࢦఆͯ͠Լ͍͞ɻ

  46. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  47. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̏ʣ ϒϨʔΫઃఆΛ0/

  48. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̐ʣ ϒϥ΢β͔Β ΞΫηεΛ࣮ߦ

  49. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̑ʣ ΞΫηεΛั֫ʂ

  50. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ

  51. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ

  52. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̒ʣ ύϥϝʔλΛॻ͖׵͑ͯ (0

  53. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ

  54. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̓ʣ Ϩεϙϯε͕ฦͬͯ͘Δʂ ଓ͖Λ(0ʂ

  55. OWASP ZAPͷ࢖͍ํ ϩʔΧϧϓϩΩγฤʢ̔ʣ ϒϥ΢βʹϨεϙϯε͕දࣔ͞ΕΔʂ

  56. ͓खܰʹ͍ΖΜͳ੬ऑੑΛπʔϧͰ νΣοΫͯ͘͠ΕͨΒ͍͍ͷʹʂ

  57. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ

  58. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β

  59. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠

  60. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̍ʣ ΫΠοΫελʔτ͔Β 63-Λೖྗͯ͠ (0

  61. OWASP ZAPͷ࢖͍ํ ηΩϡϦςΟεΩϟϯฤʢ̎ʣ ࣌ؒ͸݁ߏ͔͔Δɻ ʢ౰વαΠτن໛ʹΑΔʣ ͜Ε͸SVCZHPBUͱ͍͏ผͷ(PBUͰͷ݁Ռɻ ໿෼ɻ