Laravelで敢えて試す脆弱性のある書き方

Transcript

1. L a r a v e l Ͱ ׶ ͑

   ͯ ࢼ ͢ ੬ ऑ ੑ ͷ ͋ Δ ॻ ͖ ํ ླ ໦ ޹ ೭ P H P Χ ϯ ϑ Ν Ϩ ϯ ε ๺ ւ ಓ

2. 
   ࣗݾ঺հɾձࣾ঺հ
   
   
   ੬ऑੑͱ͸ʁ
   
   -BSBWFMͰ੬ऑੑͷ͋ΔίʔυΛॻ͍ͯΈΔ
   ɾ944
   ɾ$43'
   ɾ42-ΠϯδΣΫγϣϯ
   ɾ04ίϚϯυΠϯδΣΫγϣϯ ΞδΣϯμ

3. Copyright Re:Build.inc All Rights Reserved. ࣗݾ঺հ 1 ◆໊લ ླ໦ ޹೭(ΧϯϘ@ԭೄ)

   ◆ࣗݾ঺հ ɾגࣜձࣾRe:Build ୅ද ɾΤϯδχΞˠϑϦʔϥϯεˠԭೄͰىۀ ɾPHPΧϯϑΝϨϯεԭೄ࣮ߦҕһ௕ ɾϑϩϯτΤϯυΧϯϑΝϨϯεԭೄ࣮ߦҕһ௕ ◆झຯ ίεϓϨɺԻָϥΠϒɺϚϥιϯେձʹग़Δɺ໺ٿ؍ઓ BDD(Ϗʔνۦಈ։ൃ)
4. None

5. ԭೄͷϊϦͰαϯμϧͰདྷͨΒɺ ଍͕ࢮʹ·ͨ͠w

6. ձ໊ࣾ גࣜձࣾRe:Build ୅දऀ ླ໦޹೭ ઃཱ ฏ੒29೥11݄28೔ ࣄۀ಺༰ ࣗࣾαʔϏε։ൃɾӡӦɺWebγεςϜ։ൃɺΤϯδ χΞڭҭɺσβΠϯ੍࡞ ࢿຊۚ

   2,600ສԁ ॴࡏ஍ ˟900-0015 ԭೄݝಹ೼ࢢٱໜ஍2-2-2 λΠϜεϏϧ ి࿩൪߸ 050-5408-4501 ैۀһ਺ ໊̍̎ ձ ࣾ ֓ ཁ 6

7. 7 ର ৅ ऀ ʹ ͭ ͍ ͯ ɾ੬ऑੑͷجૅΛཧղ͍ͯ͠Δਓ ɾLaravelͷॻ͖ํΛ࠷௿ݶɺཧղ͍ͯ͠Δਓ

8. 2 . ੬ ऑ ੑ ͱ ͸ ʁ

9. 9 ੬ ऑ ੑ ͱ ͸ ʁ ੬ऑੑʢ͍ͥ͡Ό͍ͤ͘ʣͱ͸ɺίϯϐϡʔλͷOS΍ιϑτ΢Σ Ξʹ͓͍ͯɺϓϩάϥϜͷෆ۩߹΍ઃܭ্ͷϛε͕ݪҼͱͳͬͯൃ ੜͨ͠αΠόʔηΩϡϦςΟ্ͷܽؕͷ͜ͱΛݴ͍·͢ɻ੬ऑੑ

   ͸ɺηΩϡϦςΟϗʔϧͱ΋ݺ͹Ε·͢ɻ੬ऑੑ͕࢒͞Εͨঢ়ଶͰ ίϯϐϡʔλΛར༻͍ͯ͠Δͱɺෆਖ਼ΞΫηεʹར༻͞ΕͨΓɺ΢ Πϧεʹײછͨ͠Γ͢Δةݥੑ͕͋Γ·͢ɻ ૯຿লHPΑΓҾ༻ https://www.soumu.go.jp/main_sosiki/cybersecurity/kokumin/basic/basic_risk_11.html

10. 3 . L a r a v e l Ͱ

    ੬ ऑ ੑ ͷ ͋ Δ ί ʔ υ Λ ॻ ͍ ͯ Έ Δ

11. 11 S Q L Π ϯ δ Σ Ϋ γ

    ϣ ϯ ͱ ͸ ʁ https://www.ipa.go.jp/security/vuln/websecurity/sql.html IPA৘ใॲཧਪਐػߏ HPΑΓҾ༻

12. 12 S Q L Π ϯ δ Σ Ϋ γ

    ϣ ϯ ͷ ྫ https://chigusa-web.com/blog/laravel-sql-injection/ ͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ ͍ΔͰ͠ΐ͏͔ʁ

13. 13 S Q L Π ϯ δ Σ Ϋ γ

    ϣ ϯ ͷ ྫ https://chigusa-web.com/blog/laravel-sql-injection/ ౴͑͸͜ͷwhereRaw()ͷՕॴʹSQL ΠϯδΣΫγϣϯʹͳΓಘΔίʔυ ؚ͕·Ε͍ͯ·͢ɻ select exists(select * from `accounts` where login_id = 'login-user' and password = '' or 1 = 1 or '') as `exists` ʮor 1 = 1 orʯ͕ೖྗ͞ΕͨΒɺ ԼهͷΑ͏ͳ੬ऑੑͷ͋ΔSQLจ͕ ൃߦ͞Εͯ͠·͍·͢ɻ

14. 14 S Q L Π ϯ δ Σ Ϋ γ

    ϣ ϯ ͷ ର ࡦ ରࡦͱͯ͠͸ɺwhereϝιουΛ࢖ ͍·͠ΐ͏ʂ ΋͠ɺwhereRawϝιουΛ࢖͏ͳ ΒɺόΠϯυ͠·͠ΐ͏ʂ

15. 15 X S S ͱ ͸ ʁ https://www.ipa.go.jp/security/vuln/websecurity/cross-site-scripting.html IPA৘ใॲཧਪਐػߏ HPΑΓҾ༻

16. 16 X S S ͷ ྫ ͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ ͍ΔͰ͠ΐ͏͔ʁ https://readouble.com/laravel/7.x/ja/blade.html

17. 17 X S S ͷ ྫ ౴͑͸͜͜Ͱ͢ɻ <script>ѱҙͷ͋ΔεΫϦϓτ</script> ͕ೖΔͱ߈ܸʹͳΔ σϑΥϧτͰϒϨʔυͷ{{

    }}จ͸XSS߈ܸΛ๷͙ͨΊʹɺPHPͷ htmlspecialcharsؔ਺Λࣗಈతʹ௨͞Ε·͢ɻ͔͠͠ɺ͜ͷॻ͖ํ {{!! !!}}Λ͢ΔͱσʔλͷΤεέʔϓ͕͞Ε·ͤΜɻ

18. 18 C S R F ͱ ͸ ʁ https://www.ipa.go.jp/security/vuln/websecurity/csrf.html IPA৘ใॲཧਪਐػߏ

    HPΑΓҾ༻

19. 19 C S R F ͷ ྫ https://turningp.jp/network_and_security/csrf-laravel ͜ͷίʔυͷͲ͜ʹ੬ऑੑ͕જΜͰ ͍ΔͰ͠ΐ͏͔ʁ

20. 20 C S R F ͷ ྫ https://turningp.jp/network_and_security/csrf-laravel ɾ͜ͷ@csrf͸ԼهͷinputཁૉΛੜ੒͍ͯ͠·͢ɻ <input

    type="hidden" name="_token" value=“ϥϯμϜͳจࣈྻ"> ɾ͜Εʹରͯ͠ͷτʔΫϯݕূ͸ ʮApp\Http\Middleware\Veri f icationCsrfTokenʯϛυϧ΢ΣΞͰ ߦΘΕ͓ͯΓɺLaravelͷσϑΥϧτઃఆͰ༗ޮʹͳ͍ͬͯ·͢ɻ ౴͑͸͜͜Ͱ͢ɻ @csrfͷهड़͕͋Γ·ͤΜɻ

21. 21 O S ί Ϛ ϯ υ Π ϯ δ

    Σ Ϋ γ ϣ ϯ ͱ ͸ ʁ https://www.ipa.go.jp/security/vuln/websecurity/os-command.html IPA৘ใॲཧਪਐػߏ HPΑΓҾ༻

22. 22 O S ί Ϛ ϯ υ Π ϯ δ

    Σ Ϋ γ ϣ ϯ ͷ ྫ ͜͜Ͱ͸dirίϚϯυʹରͯ͠ΫΤϦ ৘ใparamͷ஋Λύϥϝʔλͱͯ͠ Ҿ͖౉ͦ͏ͱ͍ͯ͠·͕͢ɺ੬ऑੑ ΛؚΜͰ͍·͢ɻ https://qiita.com/oouaioi/items/98f1572208328ae5710d

23. 23 O S ί Ϛ ϯ υ Π ϯ δ

    Σ Ϋ γ ϣ ϯ ͷ ྫ https://qiita.com/oouaioi/items/98f1572208328ae5710d ྫ͑͹ɺԼهͷΑ͏ͳύϥϝʔλΛೖΕΔͱʁ ~shell.php?param=|%20rm%20-rf $ dir | rm -rf ࢮͷίϚϯυ͕࣮ߦ͞Εͯ͠·͍ ·͢ɺɺɺ

24. 24 O S ί Ϛ ϯ υ Π ϯ δ

    Σ Ϋ γ ϣ ϯ ͷ ର ࡦ ͜͜ʹೖΔҾ਺ʹରͯ͠ඞͣόϦ σʔγϣϯΛ͔͚·͠ΐ͏ʂ

25. 25 ࢀ ߟ จ ݙ ɾ૯຿লHP https://www.soumu.go.jp/main_sosiki/cybersecurity/kokumin/basic/basic_risk_11.html ɾLaravelެࣜυΩϡϝϯτ https://readouble.com/laravel/10.x/ja/ ɾCSRFͷجຊతͳରࡦͱLaravelʹ͓͚ΔCSRFରࡦͷ࣮૷ʹ͍ͭͯ

    https://turningp.jp/network_and_security/csrf-laravel ɾPHPͷηΩϡϦςΟରࡦ https://qiita.com/oouaioi/items/98f1572208328ae5710d

26. 26 · ͱ Ί ɾϑϨʔϜϫʔΫΛ࢖͑͹ɺେମͷ੬ऑੑ͸ճආͰ͖·͕͢ɺ੬ऑੑ͕ى͜ΔݪҼ Λཧղ͍ͯ͠ͳ͍ͱةݥ͕͋Γ·͢ɻ ɾͳͷͰɺͦΕͧΕͷ੬ऑੑΛཧղ্ͨ͠ͰίʔυΛॻ͖·͠ΐ͏ʂ

27. 27 ࣌ ؒ ͕ ༨ ͬ ͨ Β ɺ ࿩

    ͢ ࠓ೥΋PHPΧϯϑΝϨϯεԭೄΛ΍Δ͔΋͠Ε·ͤΜʂʂʂ ΍ΔͳΒɺ9݄͘Β͍Ͱ͢ʂ