Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSについて説明します
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
hirari123
March 18, 2021
Programming
88
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSSについて説明します
非エンジニアがXSS(クロスサイトスクリプティング)について調べてみて説明しました。
hirari123
March 18, 2021
Other Decks in Programming
See All in Programming
dRuby over BLE
makicamel
2
390
TSKaigi Night Talks 2026_TypeScriptでサプライチェーンの整合性を型に閉じ込める
geekplus_tech
0
400
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
120
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
110
Make SRE Operations Easier with Azure SRE Agent
kkamegawa
0
7.8k
鹿野さんに聞く!『TypeScriptコードレシピ集』で磨く実践力
tonkotsuboy_com
2
700
Spec Driven Development | AI Summit Lisbon
danielsogl
PRO
0
210
Agentic UI
manfredsteyer
PRO
0
190
AI 時代のソフトウェア設計の学び方
masuda220
PRO
29
13k
Language Server 使ってる? 〜VSCode と Zed の場合〜 / Are you using a Language Server? ~For VS Code and Zed~
handlename
0
800
Contextとはなにか
chiroruxx
1
370
Performance Engineering for Everyone
elenatanasoiu
0
210
Featured
See All Featured
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
200
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.8k
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
480
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Crafting Experiences
bethany
1
190
Producing Creativity
orderedlist
PRO
348
40k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
31
10k
A designer walks into a library…
pauljervisheath
211
24k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Mobile First: as difficult as doing things right
swwweet
225
10k
Gemini Prompt Engineering: Practical Techniques for Tangible AI Outcomes
mfonobong
2
450
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
370
Transcript
ฏɹଠ XSSʹ͍ͭͯઆ໌͠·͢ɻ
XSSͬͯԿͧ🤔 • XSS(ΫϩεαΠτεΫϦϓςΟϯά) ܝࣔ൘αΠτTwitterͷΑ͏ͳɺϢʔβʔ͔Βͷೖྗ༰ʹΑͬͯද͕ࣔಈతʹมΘΔ WebϖʔδWebΞϓϦέʔγϣϯʹ͓͍ͯɺWebαΠτʢඪతαΠτʣͷ੬ऑੑ ʢXSS੬ऑੑʣΛར༻ͨ͠߈ܸख๏Λࢦ͢ɻ
߈ܸͷྲྀΕ ᶄϢʔβʔ͕ܝࣔ൘αΠτBΛӾཡ͢Δɻ ᶃ߈ܸऀC͕XSSʹରͯ͠੬ऑੑͷ͋ΔAࣾΛൃݟ͠ɺAࣾʹ ڵຯΛ࣋ͪͦ͏ͳϢʔβʔͷ͍Δܝࣔ൘αΠτBʹ᠘Λֻ͚Δ (ྫɿεΫϦϓτ͖ϦϯΫΛషΔͳͲ) ᶅܝࣔ൘αΠτBͰεΫϦϓτ࣮ߦ ᶆϢʔβʔεΫϦϓτใΛ࣋ͬͨ··AࣾͷϖʔδʹҠಈ ʢΫϩεαΠτʣ͢Δɻ ᶇεΫϦϓτͷޮՌʹΑΓʮAࣾͷαΠτͱͯ͠ʯදࣔ͞Εͨ ِαΠτʹδϟϯϓ͢Δɻὃ͞ΕͨϢʔβʔ͕ใΛೖྗͨ͠
݁ՌɺεΫϦϓτ͕ѱ͞Λ͢Δ ᶈ߈ܸऀCͷखʹΑΓɺϢʔβʔʹର༷ͯ͠ʑͳඃ͕ൃੜ ʢϚϧΣΞײછɾ߈ܸऀCͷใ࿙ӮͳͲʣ ࣹܕXSS
߈ܸͷݪҼ XSSͷࠜຊతͳݪҼɺ߈ܸऀ͕ෆਖ਼ͳεΫϦϓτΛૠೖ͢Δ͜ ͱ͕Ͱ͖ΔڥΛ༩͑ͯ͠·͏͜ͱʹ͋Δɻ XSSʹରͯ͠੬ऑੑΛ࣋ͭಈతαΠτͷ์ஔͰ͋Δɻ ͜ͷεΫϦϓτจষʹɺΤϯυϢʔβʔଆ͕อ༗͢Δݸਓใ ΛඪతαΠτͱผͷαΠτʹૹ৴͢ΔΑ͏ʹઃఆ͞Ε͓ͯΓɺ ͜Ε͕తͳඃΛੜΈग़͢ݪҼͱͳ͍ͬͯΔɻ
߈ܸඃͷӨڹ XSSʹΑΔ߈ܸɺඪతαΠτͷΤϯυϢʔβʔ͕ඃΛड͚Δ͜ ͱͰൃੜ͢Δɻදతͳඃྫͱͯ͠ɺ •CookieใΛར༻ͨ͠ɺͳΓ͢·͠ͷෆਖ਼ΞΫηε (ηογϣϯϋΠδϟοΫ) •HTMLλάΛͬͨೖྗϑΥʔϜʹΑΔใऩू •ِαΠτΛͬͨϑΟογϯάٗ
ඃࣄྫ YouTubeෆਖ਼ΞΫηεࣄ݅ (2010/7/4ʙ7/5) ถYouTubeΛૂͬͨ߈ܸ͕ൃੜ͠ɺγϣοΫͳ σϚ͕ྲྀΕͨΓɺίϝϯτ͕දࣔ͞Εͳ͘ͳΔ ͳͲͷӨڹ͕͕ͬͨɻ χϡʔεใ!! ՎखͷδϟεςΟϯɾϏʔόʔ͕ ަ௨ࣄނͰࢮ
ඃࣄྫ ͜ͷ߈ܸͰYouTubeͷίϝϯτγεςϜʹଘࡏ͢ΔXSSͷ੬ऑੑ͕ ѱ༻͞Εͨɻ ۩ମతʹɺίϝϯτΞϓϦέʔγϣϯͷग़ྗσʔλͷ҉߸Խॲཧʹ ͕ଘࡏ͓ͯ͠Γɺ͜ΕΛಥ͍ͯ߈ܸऀ͕CookieΛ౪Έɺ JavaScriptίʔυΛࠐΜͰϢʔβʔͷWebϒϥβͰ࣮ߦ͞ΕΔ͜ ͱ͕Ͱ͖ͯ͠·ͬͨͱݟΒΕΔɻ ͦͷଞʹෆਖ਼ͳϙοϓΞοϓ͕ग़ͨΓɺѱझຯͳWEBαΠτʹϦμ ΠϨΫτ͞ΕͨΓ͢Δέʔε͕૬͍࣍Ͱ͍ͨͱݴΘΕ͍ͯΔɻ
WebαΠτͷ੬ऑੑͷछྨผͷಧग़ঢ়گ 2019ୈ4࢛ظ(10݄ʙ12݄)
߈ܸ͞Εͳ͍ͨΊͷରࡦ 1.ೖྗͷ੍ݶ ྫɿIDύεϫʔυΛೖྗ͢ΔϑΥʔϜͰʮ֯ӳࣈ◦จࣈ·Ͱʯ ͳͲ੍ݶ͢Δ αʔόʔଆͰͷೖྗͷ੍ݶΛ͢ΔͨΊʹJavaScriptΛͬͯϢʔβʔଆͷ ϒϥβͰߦΘͤΔํ๏͋Δ͕ɺϢʔβʔ͕JavaScriptΛແޮʹ͍ͯ͠Ε ೖྗͷ੍ݶ͕ߦΘΕͳ͍ͷͰXSS߈ܸͷରʹͳΒͳ͍ɻ
߈ܸ͞Εͳ͍ͨΊͷରࡦ 2.αχλΠδϯά(Τεέʔϓ) αΠτͷϑΥʔϜͳͲεΫϦϓτͷߏʹඞཁͱͳΔจࣈ͕ೖྗ͞Εͨ߹ʹɺ ͦͷจࣈΛผͷจࣈॻ͖͑ͯ͠·͏ख๏ͷ͜ͱɻ ͜ΕʹΑΓɺԾʹ߈ܸऀ͕εΫϦϓτΛຒΊࠐ͏ͱͯ͠ແޮԽ͢Δ͜ͱ͕Ͱ͖ Δɻ ରͷจࣈ ฦؐޙͷจࣈྻ < <
> > & & “ " ‘ #39; αχλΠδϯά͖͢จࣈڥʹΑͬͯҟͳΔ͕ɺ ӈͷද͕දతͳྫͰ͢ɻ
߈ܸ͞Εͳ͍ͨΊͷରࡦ 3.WAF(Web Application Firewall)ͷઃఆ WebΞϓϦέʔγϣϯઐ༻ͷϑΝΠΞΥʔϧͰ͋Δɻ ϑΝΠΞΥʔϧͱ͍͏ͱɺϙʔτ൪߸IPΞυϨεͳͲʹΑΓ߈ܸΛޚ͢Δ ωοτϫʔΫϨϕϧͷํ͕Α͘ΒΕ͍ͯΔɻ͕ͩɺܝࣔ൘ͳͲͰೖྗ͞Εͨ ༰·ͰνΣοΫ͠ͳ͍ɻͦ͜Ͱ͜ͷWAF͕ඞཁʹͳΔɻ WAFɺWebΞϓϦέʔγϣϯʹର͢Δ௨৴༰ΛνΣοΫ͠ɺٙΘ͍͠༰͕ ͋ΕϒϩοΫ͢Δ͜ͱ͕ՄೳͰ͋Δɻ
੬ऑੑΛѲ͓ͯ͜͠͏ • XSSͷ੬ऑੑɺ։ൃऀଆ͕ιʔείʔυΛ֬ೝ͢Δ͜ͱͰ੬ऑੑΛνΣοΫ͢Δ͜ ͱՄೳͰ͋Δɻ • ੬ऑੑΛ࡞Γࠐ·ͳ͍Α͏։ൃ͢ΔͨΊʹɺIPA(ಠཱߦ๏ਓɹใॲཧਪਐػߏ) ͕ެ։͍ͯ͠Δʮ҆શͳΣϒαΠτͷ࡞ΓํʯʮIPA ISEC ηΩϡΞɾϓϩάϥ ϛϯάߨ࠲ʯΛࢀߟʹ্ͨ͠ɺඞཁͳ҆શରࡦΛ࣮ࢪͯ͠ɺ։ൃΛҕୗ͢Δ߹ʹ
ࣗࣾͰ։ൃ͢Δ߹ͱಉ༷ʹ͜ΕΒͷରࡦΛ࣮ࢪ͢Δ͜ͱΦεεϝͰ͢ɻ
·ͱΊ • XSS͕ඇৗʹةݥͳαʔόʔ߈ܸͰ͋Δ͜ͱɺաڈͷେنͳෆਖ਼ΞΫηεࣄ͔݅ Β໌Β͔Ͱ͋Δɻ • ݸਓใͷऩूΛతͱͨ͠߈ܸऀʹΑΓ࣮ߦ͞ΕΔͱɺଟେͳΔඃΛٴ΅͢͜ͱ ʹͳͬͯ͠·͏ɻ • ࠜຊతͳରࡦઃܭ࣌ͷεΫϦϓτ͔Βݟ͢ඞཁ͕͋ΔͨΊʹඇৗʹ͍͠ͳ ͷͰɺαΠτͷ੍࡞ऀ͔ͬ͠ΓͱใΛௐ͔ࠪͯ͠Βͷ࡞͕ඞཁͰ͋Δɻ
• ϢʔβʔଆΤϯυϙΠϯτͷηΩϡϦςΟιϑτΛಋೖ͢ΔͳͲɺجຊతͳηΩϡ ϦςΟରࡦߦ͓ͬͯ͘͜ͱ͕ॏཁͰ͋Δɻ
ࢀߟʹͨ͠αΠτɾॻ੶ • αΠτ ɹCyber security.com ʮΫϩεαΠτεΫϦϓςΟϯάͱ?ʯΈࣄྫ͔Βߟ͑Δରࡦ • ॻ੶ ʰ҆શͳWebΞϓϦέʔγϣϯͷ࡞Γํʱ120ʙ149ϖʔδ
🙇͝੩ௌ͋Γ͕ͱ͏͍͟͝·ͨ͠🙇