すこしだけマクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective (Short Version)

ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡϦςΟɾϛχΩϟϯϓJOେࡕʢҰൠߨ࠲ʣ :0/&6$)* 5BLBTIJ !MNU@TXBMMPX IUUQTTIJGUKTJOGP ͚ͩ͢͜͠

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ຊߨٛࢿྉʹ͍ͭͯ 4QFBLFS%FDLެ։൛޲͚ͷิ଍ ຊࢿྉ͸ʮηΩϡϦςΟɾΩϟϯϓશࠃେձΦϯϥΠϯ#ʯͷߨٛͷ༷ࢠ΍ɺ ߨٛલ൒ͷ಺༰ΛΑΓଟ͘ͷํʹ͓ಧ͚͢΂͘ɺಉߨٛͷࢿྉΛ࠶ฤͨ͠΋ͷͰ͢ɻ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ XIPBNJ 4FFIUUQTTIJGUKTJOGP ถ಺وࢤ:0/&6$)* 5BLBTIJ !MNU@TXBMMPX גࣜձࣾ'MBUU4FDVSJUZʣ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ૉ๿ͳٙ໰ 28FCηΩϡϦςΟ8FCΞϓϦέʔγϣϯͷ࣮૷ͷηΩϡϦςΟʁ ੬ऑͳίʔυ͑͞ॻ͔ͳ͚Ε͹ηΩϡΞͱ͍͑ΔͷͩΖ͏͔ʁ <p>Hello, <?php echo $_GET['q'];
?></p> 944੬ऑੑͷ͋Δ1)1ίʔυ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ૉ๿ͳٙ໰΁ͷ౴͑ 28FCηΩϡϦςΟ8FCΞϓϦέʔγϣϯͷ࣮૷ͷηΩϡϦςΟʁ ੬ऑͳίʔυ͑͞ॻ͔ͳ͚Ε͹ηΩϡΞͱ͍͑ΔͷͩΖ͏͔ʁ "8FCηΩϡϦςΟ˦8FCΞϓϦέʔγϣϯͷ࣮૷ͷηΩϡϦςΟɻ 8FCηΩϡϦςΟΛߟ͑Δ্Ͱ͸ɺ΋͏গؔ͠৺Λ޿͛ͯ΍Δඞཁ͕͋Δɻ ͔ͭɺ͜ͷؔ৺ྖҬͷ֦େ͸ɺٕज़ελοΫͷมԽͱͱ΋ʹਐΈͭͭ͋Δɻ <p>Hello,
<?php echo $_GET['q']; ?></p> 944੬ऑੑͷ͋Δ1)1ίʔυ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ 8FCΛΈΘͨ͢ ‣ 8FCΞϓϦέʔγϣϯ͸ɺΫϥΠΞϯταΠυͷγεςϜʢFH8FCϒϥ΢ βʣͱαʔόαΠυͷγεςϜʢFH8FCαʔό΍ΞϓϦέʔγϣϯαʔόʣ ͕௨৴͠ɺڠௐಈ࡞͢Δ͜ͱʹΑΓ੒Γཱ͍ͬͯΔɻ αʔόαΠυ 8FCγεςϜ
ΫϥΠΞϯταΠυ 8FCγεςϜ ຊ୊ʹೖΔલʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ αʔόαΠυͷ8FCγεςϜ΋αʔόαΠυ8FCΞϓϦέʔγϣϯͱɺϛυ ϧ΢ΣΞʢσʔλετΞ΍ϩʔυόϥϯα౳ʣ͕͏·͘ڠௐಈ࡞͢Δ͜ͱʹΑΓ ࣮ݱ͞Ε͍ͯΔɻ αʔόαΠυ8FCγεςϜ ϛυϧ΢ΣΞ αʔόαΠυ8FCΞϓϦέʔγϣϯ
αʔόαΠυ8FCγεςϜ ຊ୊ʹೖΔલʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ αʔόαΠυͷ8FCγεςϜ΋αʔόαΠυ8FCΞϓϦέʔγϣϯͱɺϛυ ϧ΢ΣΞʢσʔλετΞ΍ϩʔυόϥϯα౳ʣ͕͏·͘ڠௐಈ࡞͢Δ͜ͱʹΑΓ ࣮ݱ͞Ε͍ͯΔɻ αʔόαΠυ8FCγεςϜ ϛυϧ΢ΣΞ αʔόαΠυ8FCΞϓϦέʔγϣϯ
αʔόαΠυ8FCγεςϜ ࣮૷Ҏ֎ʹ΋ߟ͑Δ΂͖͜ͱ͕୔ࢁ͋Δ ຊ୊ʹೖΔલʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ 8FCϒϥ΢βͳͲ͸αʔόαΠυ͔Βಧ͚ΒΕͨϦιʔεΛॲཧ͢Δɻ ‣ ϦιʔεͷύʔεɾϨϯμϦϯά ‣ +BWB4DSJQUͷ࣮ߦ ‣
‣ ଟ͘ͷϦιʔε͕ಉ࣌ฒߦͰ؅ཧɾॲཧ͞ΕΔ৔Ͱ͋Δɻ ΫϥΠΞϯταΠυ8FCγεςϜ 8FCϒϥ΢β ຊ୊ʹೖΔલʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ 8FCϒϥ΢βͳͲ͸αʔόαΠυ͔Βಧ͚ΒΕͨϦιʔεΛॲཧ͢Δɻ ‣ ϦιʔεͷύʔεɾϨϯμϦϯά ‣ +BWB4DSJQUͷ࣮ߦ ‣
‣ ଟ͘ͷϦιʔε͕ಉ࣌ฒߦͰ؅ཧɾॲཧ͞ΕΔ৔Ͱ͋Δɻ ΫϥΠΞϯταΠυ8FCγεςϜ 8FCϒϥ΢β ϒϥ΢βͷ༷࣋ͭʑͳηΩϡϦςΟػೳɾ࢓༷Λ஌Βͳ͍ͱɺ ΞϓϦέʔγϣϯʹࢥΘ͵໰୊͕ൃੜ͠͏Δ ຊ୊ʹೖΔલʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ຊηογϣϯͷ֓ཁ ‣ 8FCηΩϡϦςΟʹؔ͢ΔϛΫϩͳࢹ఺͔ΒҰาҾ͖ɺ͚ͩ͢͜͠ϚΫϩͳࢹ ఺͔Β8FCηΩϡϦςΟΛߟ͑ΔͨΊͷώϯτΛఏڙ͠·͢ɻ ࠓ೔͸ͬͪ͜ͷ࿩

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ͔͜͜Βͷ࿩ͷ֓ཁ ‣ ͔͜͜Β͸ҎԼͷͭͷมԽʹؔͯ͠੔ཧ͢Δ ‣ αʔόαΠυ8FCΞϓϦέʔγϣϯͷΞʔΩςΫνϟͷมԽ ‣ αʔόαΠυ8FCγεςϜͷߏ੒ɾ࣮ߦ؀ڥͷมԽ ‣
ͦͷ্ͰɺҎԼͷ఺Λٞ࿦͢Δ ‣ ͦΕΒͷมԽͷʢηΩϡϦςΟతͳࢹ఺͔ΒݟͨʣϙΠϯτ͸Կ͔ ‣ ͦΕΒͷมԽ͕Ͳ͏8FCηΩϡϦςΟͷؔ৺ྖҬΛ޿͛Δ͔ ‣ ొ৔͢ΔΩʔϫʔυ͸ͭ ‣ ηΩϡΞʹͭ͘Δ ‣ ηΩϡΞʹͭͳ͛Δ ‣ ηΩϡΞʹ͏͔͢͝

αʔόαΠυ8FCΞϓϦέʔγϣϯͷ ΞʔΩςΫνϟͷมԽ $IBQUFS

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ Ͳ͏࡞Δʁ αʔόαΠυ8FCΞϓϦέʔγϣϯ ϛυϧ΢ΣΞ αʔόαΠυ8FCΞϓϦέʔγϣϯ αʔόαΠυ8FCγεςϜ ‣ αʔόαΠυ8FCΞϓϦέʔγϣϯ։ൃͷࣗ༝౓͸ߴ͍ɻ
‣ ʮͲ͏͍͏ߏ଄ͷ૊৫ͰɺͲ͏͍͏ߏ੒ͷ΋ͷΛɺͲ͏͍͏ۀ຿ϑϩʔͰ࡞Δͱ ޮ཰త͔ʯ͸௕೥ٞ࿦͞Ε͖͍ͯͯΔςʔϚͰ͋Δɻ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ ෳ਺ͷػೳ͕ͭͷΞϓϦέʔγϣϯʹ٧Ί͜·ΕΔΞʔΩςΫνϟͷ͜ͱɻ .POPMJUIJD"SDIJUFDUVSF ػೳ ػೳ ػೳ ػೳ
ػೳ ػೳ αʔόαΠυ8FCΞϓϦέʔγϣϯ ‣ ༷ʑͳཁૉ͔ΒͳΔ ‣ ϓϨθϯςʔγϣϯ૚ ‣ ϏδωεϩδοΫ૚ ‣ σʔλετΞΛऔΓѻ͏૚ ‣ ʜ

ػೳ ػೳ αʔόαΠυ8FCΞϓϦέʔγϣϯ ‣ ༷ʑͳཁૉ͔ΒͳΔ ‣ ϓϨθϯςʔγϣϯ૚ ‣ ϏδωεϩδοΫ૚ ‣ σʔλετΞΛऔΓѻ͏૚ ‣ ʜ ✘ίʔυϕʔε͕༰қʹංେԽ͕ͪ͠ ✘ٕज़બ୒ͷ෯͕ڱ·Δ

ػೳ ػೳ αʔόαΠυ8FCΞϓϦέʔγϣϯ ‣ ༷ʑͳཁૉ͔ΒͳΔ ‣ ϓϨθϯςʔγϣϯ૚ ‣ ϏδωεϩδοΫ૚ ‣ σʔλετΞΛऔΓѻ͏૚ ‣ ʜ ✘εέʔϧΞοϓ࣌ͷϦιʔεফඅޮ཰ ✘ෳࡶͳϘτϧωοΫͷൃੜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ .JDSPTFSWJDFT"SDIJUFDUVSF ‣ ۀ຿ػೳ΍νʔϜΛ୯Ґͱͯ͠ಠཱͨ͠αʔϏεʢ.JDSPTFSWJDFʣΛ࡞Γɺͦ ΕΒͷ૯ମͱͯ͠ΞϓϦέʔγϣϯΛߏ੒͢Δɺͱ͍͏ΞʔΩςΫνϟͷ͜ͱɻ ‣ Ͳ͏෼ׂʢ%FDPNQPTFʣ͢Δͷ͕࠷ద͔͸ॾઆ͋Δ͕ʜ .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ .JDSPTFSWJDFT"SDIJUFDUVSF ‣ ۀ຿ػೳ΍νʔϜΛ୯Ґͱͯ͠ಠཱͨ͠αʔϏεʢ.JDSPTFSWJDFʣΛ࡞Γɺͦ ΕΒͷ૯ମͱͯ͠ΞϓϦέʔγϣϯΛߏ੒͢Δɺͱ͍͏ΞʔΩςΫνϟɻ ‣ Ͳ͏෼ׂʢ%FDPNQPTFʣ͢Δͷ͕࠷ద͔͸ॾઆ͋Δɻ .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF ίʔυϕʔε͕શମతʹૄ݁߹ʹ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ .JDSPTFSWJDFT"SDIJUFDUVSF ‣ ۀ຿ػೳ΍νʔϜΛ୯Ґͱͯ͠ಠཱͨ͠αʔϏεʢ.JDSPTFSWJDFʣΛ࡞Γɺͦ ΕΒͷ૯ମͱͯ͠ΞϓϦέʔγϣϯΛߏ੒͢Δɺͱ͍͏ΞʔΩςΫνϟɻ ‣ Ͳ͏෼ׂʢ%FDPNQPTFʣ͢Δͷ͕࠷ద͔͸ॾઆ͋Δ͕ʜ .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF .JDSPTFSWJDF খ͍͞୯ҐͷσϓϩΠ͕ ͠΍͘͢ͳΔ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ .JDSPTFSWJDFT"SDIJUFDUVSF "1*(BUFXBZ1BUUFSOʹΑΔߏ੒ͷΠϝʔδ αʔόαΠυ8FCγεςϜ ڞ༗σʔλετΞ ήʔτ΢ΣΠ .JDSPTFSWJDF .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF ͏·͘΍Ε͹.JDSPTFSWJDF ୯ҐͰεέʔϧͤ͞ΒΕΔ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡϦςΟతʹ͸ʁ ΞʔΩςΫνϟͷมԽ͕ڧௐ͢Δ՝୊ 🤔 ͜ͷΞʔΩςΫνϟͷมԽʹΑΓɺηΩϡϦςΟʹؔͯ͠ಛผʹҙࣝ͠ͳ͍ͱ͍͚ͳ ͍͜ͱ΋ɺมԽͯ͠͸͍ͳ͍ͩΖ͏͔ʁ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ϙΠϯτ੹຿ͷ෼ࢄ ΞʔΩςΫνϟͷมԽ͕ڧௐ͢Δ՝୊ αʔόαΠυ8FCγεςϜ ڞ༗σʔλετΞ ήʔτ΢ΣΠ .JDSPTFSWJDF .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF ྫσʔλͷݕূ΍੔߹ੑͷҡ࣋ʹؔ͢Δػೳͷ෼ࢄ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ੹຿ͷ෼ࢄʹΑΔݕ౼࿙Εͷ૿Ճ .JDSPTFSWJDF .JDSPTFSWJDF σʔλ"͸޲͜͏͕উखʹݕূͯ͘͠Ε ͯΔΜͩΖ͏ɻͦͷ··࢖ͬͪΌ͑ʂ σʔλ"͸ະݕূ͚ͩͲɺ͕͢͞ʹ౉͠ ͨઌͰ͸ͦͷ··͸࢖ΘΕͳ͍ͩΖ͏ɻ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ϙΠϯτ࿈ܞͷ૿Ճ ΞʔΩςΫνϟͷมԽ͕ڧௐ͢Δ՝୊ αʔόαΠυ8FCγεςϜ ڞ༗σʔλετΞ ήʔτ΢ΣΠ .JDSPTFSWJDF .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF ௨৴͸౪ௌ͞ΕΔ͔΋ʜ Ұ؏ੑ่͕Ε΍͘͢ͳΔ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࿈ܞͷ૿ՃʹΑΔҰ؏ੑͷܽམ .JDSPTFSWJDF .JDSPTFSWJDF σʔλͷ۠੾Γ͸aOͩΑͶʁ σʔλͷ۠੾Γ͸aSaOͩΑͶʁ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ ͜͜Ͱ͸.POPMJUIJD"SDIJUFDUVSFର.JDSPTFSWJDFT"SDIJUFDUVSFͷมભʢཐ ટʁʣΛ΋ͱʹɺૄ݁߹ͳΞʔΩςΫνϟͷҎԼͷଆ໘Λڧௐͨ͠ ‣ ੹຿ͷ෼ࢄʹΑΔݕ౼࿙Εͷ૿Ճ ‣ ࿈ܞͷ૿ՃʹΑΔܦ࿏΁ͷෆ҆ɾҰ؏ੑͷܽམ
‣ ͳ͓ɺ͜ΕΒ͸ଟ͘ͷૄ݁߹ͳΞʔΩςΫνϟʹڞ௨ͨ͠՝୊ʹݟ͑Δ ‣ 8FCΞϓϦέʔγϣϯʹݶͬͨ࿩Ͱ͸ͳ͍ ‣ ૄ݁߹ͳΞʔΩςΫνϟ͸ؔ৺ͷ෼཭Λॿ͚Δ͕ɺ෼཭͞Εͨ΋ͷΛ·͕ͨͬͨؔ৺Λ ࣋ͭͷΛ೉͘͢͠ΔͷͰɺઃܭ͕ద౰Ͱͳ͍ͱ༷ʑͳ໰୊͕ى͜Γ͕ͪ খ·ͱΊ

αʔόαΠυ8FCγεςϜͷ ߏ੒ɾ࣮ߦ؀ڥͷมԽ $IBQUFS

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ ࡞ͬͨΞϓϦέʔγϣϯ͸ɺಈ͔ͯ͠Α͏΍͘໾ʹཱͭɻ ‣ ಈ͔ͨ͢Ίʹඞཁͳ΋ͷͨͪ ‣ ಈ͔ͨ͢Ίͷ౔୆ʢҎ࣮߱ߦج൫ͱݺͿʣ ‣ ಈ͔ͨ͢Ίʹඞཁͳϛυϧ΢ΣΞ
‣ ͔͜͜Β͸ɺ͜ΕΒʹىͬͨ͜มԽΛ੔ཧͯ͠Έ·͠ΐ͏ɻ ΞϓϦέʔγϣϯΛಈ͔ͨ͢Ίʹ ϛυϧ΢ΣΞ αʔόαΠυ8FCΞϓϦέʔγϣϯ αʔόαΠυ8FCγεςϜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣮ߦج൫Λ͔Β४උ͢Δͷ͸େม ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ ؔ਺ ؔ਺
‣ αʔϏεΛӡ༻͢ΔͨΊʹϋʔυ΢ΣΞ͔Β༻ҙ͢Δ৔߹ʜ ‣ ૿΍͢ͷʹ΋ݮΒ͢ͷʹ΋ʹؾ߹͕ඞཁʹͳΔɻ ‣ ૿΍ͦ͏ʹ΋ߪೖʹ͕͔͔࣌ؒΔ ‣ ݮΒͨ͢Ίʹ͸ద੾ʹഇغ͢Δඞཁ͕͋Δ ‣ ʮյΕ͏Δʯͱ͍͏ҙࣝΛڧ࣋ͨ͘Ͷ͹ͳΒͳ͍ɻ ‣ ؒҧͬͯػثʹίʔώʔΛ͜΅͢ͱյΕΔ ‣ ಈ͔͠ଓ͚͍ͯΔ͚ͩͰ΋յΕΔ ‣ ͏·͘΍͍ͬͯ͘ʹ͸े෼ͳઐ໳ੑͱܦݧ͕ඞཁͰ͋Δɻ ‣ ͭΒ͍😫 ˞Ϋϥ΢υ؀ڥʹ΋େن໛ো֐͸ͨ·ʹ͋ΔͷͰɺʮյΕΔʯ͜ͱΛҙࣝ͠ͳͯ͘͸͍͚ͳ͍ͷ͸ ෺ཧػثΛऔΓѻ͏৔߹ಛ༗ͷͭΒ͞ɺͱ͍͏Θ͚Ͱ͸ͳ͍͕ʜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣗ୐ʹϒϨʔυαʔόΛൖೖ͢Δ༷ࢠ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣮ߦج൫ͷԾ૝Խɾந৅Խͷਐߦ ‣ ௕೥ʹ౉ͬͯΞϓϦέʔγϣϯͷ࣮ߦج൫ͷԾ૝Խɾந৅Խ͕ਐΊΒΕ͖ͯͨɻ ‣ *OGSBTUSVDUVSFBTB4FSWJDF *BB4 ‣
1MBUGPSNBTB4FSWJDF 1BB4 ‣ $POUBJOFSBTB4FSWJDFʢ$BB4ʣ ‣ 'VODUJPOBTB4FSWJDF 'BB4 ‣ ࠓͰ͸ඇৗʹखܰʹ࣮ߦج൫͕࡞੒ɾഁغͰ͖ΔΑ͏ʹͳ͍ͬͯΔɻ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ 9BB4͕ఏڙ͢ΔൣғʢΠϝʔδʣ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ *BB4͕ఏڙ͢Δج൫ ؔ਺
ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ $BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 1BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 'BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣮ߦج൫ͷԾ૝Խɾந৅Խͷਐߦ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ *BB4͕ఏڙ͢Δج൫ ؔ਺
ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ $BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 1BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 'BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ͸9BB4ఏڙଆ͕ ؅ཧͯ͘͠ΕΔˠخ͍͠ʂ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣮ߦج൫ͷԾ૝Խɾந৅Խͷਐߦ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ *BB4͕ఏڙ͢Δج൫ ؔ਺
ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ $BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 1BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ϋʔυ΢ΣΞ 04 ϥϯλΠϜ ΞϓϦέʔγϣϯ 'BB4͕ఏڙ͢Δج൫ ؔ਺ ؔ਺ ͍Ζ͍Ζ؅ཧͯ͘͠ΕΔͷͰɺࣗ ෼͕औΓѻ͏΂͖ϨΠϠ͚ͩʹؔ ৺ΛڱΊΒΕΔˠخ͍͠ʂ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ΠϯϑϥετϥΫνϟͷίʔυԽ ‣ Ծ૝Խɾந৅Խ͞Εɺϋʔυ΢ΣΞͷ ΍Γ͘Γ͕Ӆṭ͞ΕͨΞϓϦέʔγϣ ϯ࣮ߦج൫͸ɺ΄΅७ਮͳιϑτ΢Σ Ξͱಉ౳ʹऔΓѻ͑ΔΑ͏ʹɻ ‣ ίϚϯυҰͭͰԾ૝ϚγϯΠϯελϯε
Λ֬อͨ͠Γʜ ‣ ίʔυʹΑΓΠϯϑϥετϥΫνϟͷߏ ੒Λهड़ɾ؅ཧͨ͠Γʜ ‣ ॴҦ*OGSBTUSVDUVSFBT$PEFʢ*B$ʣ resource "google_container_cluster" "challenge_cluster" { name = "challenges" location = "asia-northeast1" initial_node_count = 1 cluster_autoscaling { enabled = true resource_limits { resource_type = "cpu" minimum = 3 maximum = 32 } resource_limits { resource_type = "memory" minimum = 3 maximum = 32 } } ...

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ෺ཧػث͔Βͷந৅Խ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ந৅Խ͞ΕͨϦιʔεͷ$PEFԽ resource "google_container_cluster" "challenge_cluster" { name =
"challenges" location = "asia-northeast1" initial_node_count = 1 cluster_autoscaling { enabled = true resource_limits { resource_type = "cpu" minimum = 3 maximum = 32 } resource_limits { resource_type = "memory" minimum = 3 maximum = 32 } } ...

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ͦͷଞͷզʑΛࢧ͑Δଘࡏ ‣ ΞϓϦέʔγϣϯ͸ଟ͘ͷϛυϧ΢ΣΞʹࢧ͑ΒΕͯಈ࡞͢Δɻ ‣ σʔλετΞʢ,743%#ʣ ‣ ϩʔυόϥϯα ‣
FUD ‣ ϚωʔδυͳܗͰఏڙ͞Ε͍ͯΔϛυϧ΢ΣΞ΋୔ࢁ͋Δɻ ϛυϧ΢ΣΞ αʔόαΠυ8FCΞϓϦέʔγϣϯ αʔόαΠυ8FCγεςϜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ʮ૊Έ߹ΘͤΔ͜ͱͰ࡞Δʯ ‣ ΞϓϦέʔγϣϯͷ࣮ߦج൫΍ϛυϧ΢ΣΞ͸ʜ ‣ ϋʔυ΢ΣΞͷ੍໿͕ʢΫϥ΢υϕϯμʹΑΓʣ͏·͘Ӆṭ͞ΕΔΑ͏ʹͳͬͨɻ ‣ ༰қʹมߋ΍औࣺબ୒͕Ͱ͖ΔΑ͏ʹͳͬͨɻ ‣
ΞϓϦέʔγϣϯ։ൃͱ͍ۙํ๏Ͱߏ੒Ͱ͖ΔΑ͏ʹͳͬͨɻ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ʮ૊Έ߹ΘͤΔ͜ͱͰ࡞Δʯ ‣ ΞϓϦέʔγϣϯͷ࣮ߦج൫΍ϛυϧ΢ΣΞ͸ʜ ‣ ϋʔυ΢ΣΞͷ੍໿͕ʢΫϥ΢υϕϯμʹΑΓʣ͏·͘Ӆṭ͞ΕΔΑ͏ʹͳͬͨɻ ‣ ༰қʹมߋ΍औࣺબ୒͕Ͱ͖ΔΑ͏ʹͳͬͨɻ ‣
ΞϓϦέʔγϣϯ։ൃͱ͍ۙํ๏Ͱߏ੒Ͱ͖ΔΑ͏ʹͳͬͨɻ ‣ ݁Ռɺʮ૊Έ߹ΘͤΔ͜ͱͰ࡞ΔʯతΞϓϩʔν͕औΓ΍͘͢ͳͬͨɻ ‣ ݱ୅ͷ8FCΞϓϦέʔγϣϯʹٻΊΒΕ͍ͯΔʮ౰ͨΓલ඼࣭ʯʢDGङ໺Ϟσϧʣ͸ߴ͍ɻ ‣ ྫෳࡶͳػೳཁ݅ ߴՄ༻ੑ ߴ଎ͳಈ࡞ ‣ શ෦͔Β࡞ΕΔͷ͸͔͍͍͕ͬ͜ɺߴ͍ʮ౰ͨΓલ඼࣭ʯΛୡ੒͢Δͷ͸ࠔ೉ɻ ‣ ৴པͰ͖Δ΋ͷΛ૊Έ߹ΘͤΔ͜ͱͰɺϕʔεͷʮ౰ͨΓલ඼࣭ʯΛఈ্͛͠ͳ͕Βɺ ࣗ෼͕࣮ݱ͢Δ΂͖͜ͱʹ஫ྗ͢Δ͜ͱ͕Ͱ͖Δʢخ͍͠ʂʣ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ʮܗͰߟ͑ΔαʔόʔϨεઃܭʯ IUUQTBXTBNB[PODPNKQTFSWFSMFTTQBUUFSOTTFSWFSMFTTQBUUFSO

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡϦςΟతʹ͸ʁ ߏ੒ɾ࣮ߦ؀ڥͷมԽ͕ڧௐ͢Δ՝୊ 🤔 ͜ͷ࣮ߦ؀ڥͷมԽʹΑΓɺηΩϡϦςΟʹؔͯ͠ಛผʹҙࣝ͠ͳ͍ͱ͍͚ͳ͍͜ͱ ΋ɺมԽͯ͠͸͍ͳ͍ͩΖ͏͔ʁ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ ΞϓϦέʔγϣϯͷ࣮ߦج൫΍ϛυϧ΢ΣΞ͸ʜ ‣ ϋʔυ΢ΣΞͷ੍໿͕ʢΫϥ΢υϕϯμʹΑΓʣ͏·͘Ӆṭ͞ΕΔΑ͏ʹͳͬͨɻ ‣ ༰қʹมߋ΍औࣺબ୒͕Ͱ͖ΔΑ͏ʹͳͬͨɻ ‣ ΞϓϦέʔγϣϯ։ൃͱ͍ۙํ๏Ͱߏ੒Ͱ͖ΔΑ͏ʹͳͬͨɻ
‣ ݁Ռɺʮ૊Έ߹ΘͤΔ͜ͱͰ࡞ΔʯతΞϓϩʔν͕औΓ΍͘͢ͳͬͨʂ ‣ ݱ୅ͷ8FCΞϓϦέʔγϣϯʹٻΊΒΕ͍ͯΔʮ౰ͨΓલ඼࣭ʯ͸ߴ͍ɻ ‣ ྫෳࡶͳػೳཁ݅ ߴՄ༻ੑ ߴ଎ͳಈ࡞ ‣ ࢀߟङ໺Ϟσϧ ‣ શ෦͔Β࡞ΕΔͷ͸͔͍͍͕ͬ͜ɺߴ͍ʮ౰ͨΓલ඼࣭ʯΛୡ੒͢Δͷ͸ࠔ೉ɻ ‣ ৴པͰ͖Δ΋ͷΛ૊Έ߹ΘͤΔ͜ͱͰɺϕʔεͷʮ౰ͨΓલ඼࣭ʯΛఈ্͛͠ͳ͕Βɺ ࣗ෼͕࣮ݱ͢Δ΂͖͜ͱʹ஫ྗ͢Δ͜ͱ͕Ͱ͖Δɻ ϙΠϯτ੹೚ڥքͷଟ༷Խ ߏ੒ɾ࣮ߦ؀ڥͷมԽ͕ڧௐ͢Δ՝୊ ͦͷϛυϧ΢ΣΞͷ੹೚ྖҬ͸ʁ ͦͷಈ࡞ج൫ͷ੹೚ྖҬ͸ʁ

‣ ݁Ռɺʮ૊Έ߹ΘͤΔ͜ͱͰ࡞ΔʯతΞϓϩʔν͕औΓ΍͘͢ͳͬͨʂ ‣ ݱ୅ͷ8FCΞϓϦέʔγϣϯʹٻΊΒΕ͍ͯΔʮ౰ͨΓલ඼࣭ʯ͸ߴ͍ɻ ‣ ྫෳࡶͳػೳཁ݅ ߴՄ༻ੑ ߴ଎ͳಈ࡞ ‣ ࢀߟङ໺Ϟσϧ ‣ શ෦͔Β࡞ΕΔͷ͸͔͍͍͕ͬ͜ɺߴ͍ʮ౰ͨΓલ඼࣭ʯΛୡ੒͢Δͷ͸ࠔ೉ɻ ‣ ৴པͰ͖Δ΋ͷΛ૊Έ߹ΘͤΔ͜ͱͰɺϕʔεͷʮ౰ͨΓલ඼࣭ʯΛఈ্͛͠ͳ͕Βɺ ࣗ෼͕࣮ݱ͢Δ΂͖͜ͱʹ஫ྗ͢Δ͜ͱ͕Ͱ͖Δɻ ϙΠϯτಛผͳߟྀࣄ߲ͷ૿Ճ ߏ੒ɾ࣮ߦ؀ڥͷมԽ͕ڧௐ͢Δ՝୊ Ұൠੑͷߴ͍ίϯϙʔωϯτΛ࠾༻͢Δ৔߹ɺར༻͠ ͳ͍ػೳͷதʹมͳ΋ͷ͕ͳ͍͔ʁ ࣮ߦ؀ڥͷதʹ͸ͦΕͦͷ΋ͷ͕ಛผͳ"1*Λ࣋ͭ ৔߹΋͋Δ͕ɺͦΕ͸ಛผʹอޢ͠ͳͯ͘େৎ෉͔ʁ

TIJGUKTJOGP ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ &EHF4JEF*ODMVEFTʢ&4*ʣ มͳ΋ͷͷྫ ‣ &EHF4JEF*ODMVEFTʢ&4*ʣʜ9.-ϕʔεͷϚʔΫΞοϓݴޠ ‣ <esi:include>౳ͷλάʹΑΓɺҎԼ͕දݱͰ͖Δɻ ‣ αϒϦιʔεͷಈతͳऔಘɾల։
‣ ؆୯ͳม਺ૢ࡞ ‣ 7BSOJTI 'BTUMZ ౳ͷ༷ʑͳιϑτ΢ΣΞ͕&4*ͷॲཧʹରԠ͍ͯ͠Δɻ <body> <h1>Foobar</h1> <esi:include src="/a?q=$(QUERY_STRING{param1})" /> <esi:include src="/b?q=$(HTTP_COOKIE{'TEST'})" /> </body> &4*ॲཧܥ͕͜ͷ ෦෼Λల։͢Δ

TIJGUKTJOGP ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ &EHF4JEF*ODMVEFT*OKFDUJPO มͳ΋ͷͷྫ ‣ &4**OKFDUJPOʜ&4*λάΛʢ944߈ܸͱಉ͡ཁྖͰʣόοΫΤϯυαʔό͔ ΒͷϨεϙϯεʹ஫ೖ͢Δ͜ͱͰɺ్தͷ&4*ॲཧܥΛૢ࡞͢Δ߈ܸɻ ‣ 443'߈ܸ΍)5510OMZϑϥά͕෇༩͞Εͨ$PPLJFͷϦʔΫʹར༻Ͱ͖Δɻ
ΫϥΠΞϯτ &4*Λղऍ͢Δ ϑϩϯτΤϯυαʔό όοΫΤϯυ αʔό <esi:include> ͸ Ṗͷλάͩͱࢥ͍ͬͯΔ <esi:include> ͸ &4*λάͩͱࢥ͍ͬͯΔ

TIJGUKTJOGP ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ࣮ߦ؀ڥݻ༗ͷػೳɾ"1*ͷྫ ‣ ଟ͘ͷΫϥ΢υϓϩόΠμʢྫ($1 "84 "[VSF ʣ͸ɺ࣮ߦ؀ڥʹؔ͢Δ ৘ใ΍ɺͦͷΞϓϦέʔγϣϯͷಈ࡞؀ڥʹඥ෇͚ΒΕͨݖݶΛߦ࢖͢ΔͨΊͷ τʔΫϯ৘ใͳͲΛฦ͢.FUBEBUB"1*Λ࣋ͭ
‣ ΞϓϦέʔγϣϯͷ࢓༷ʹʮ೚ҙͷ)551ϦΫΤετΛൃߦͰ͖ɺͦͷ݁ՌΛ ӾཡͰ͖Δʯͱ͍͏Α͏ͳ΋ͷؚ͕·Ε͍ͯͨΒʁ࣮૷͕੬ऑͩͬͨΒʁ ΞϓϦέʔγϣϯ .FUBEBUB"1* ؀ڥʹؔ͢Δ৘ใ΍ ଞ"1*΁ͷΞΫηετʔΫϯΛཁٻ ฦ٫

࠶ߟɾ8FCηΩϡϦςΟ $IBQUFS

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ 8FCηΩϡϦςΟ ‣ ͋ΒͨΊͯɺ͔͜͜Β͸ʮ8FCηΩϡϦςΟʯͱ͍͏ྖҬΛ෼ׂͯ͠ߟ͑Δ ‣ ΫϥΠΞϯταΠυ8FCγεςϜͷηΩϡϦςΟ ‣ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ
αʔόαΠυ 8FCγεςϜ ΫϥΠΞϯταΠυ 8FCγεςϜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ 8FCηΩϡϦςΟ ‣ ٞ࿦ͷൣғΛ໌֬ʹ͢ΔͨΊɺҎޙ͸ʮ8FCηΩϡϦςΟʯͱ͍͏ྖҬΛɺҎ ԼͷྖҬʹ෼͚ͯߟ͑Δɻ ‣ ΫϥΠΞϯταΠυ8FCγεςϜͷηΩϡϦςΟ ‣ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ
αʔόαΠυ 8FCγεςϜ ΫϥΠΞϯταΠυ 8FCγεςϜ ͪ͜ΒΛηΩϡΞʹอͭʹ͸Ͳ͏͢Ε͹ʁ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ ΞϓϦέʔγϣϯΞʔΩςΫνϟͷมԽΛ࠶ߟ͢Δ αʔόαΠυ8FCγεςϜ ڞ༗σʔλετΞ ήʔτ΢ΣΠ .JDSPTFSWJDF .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF ϙΠϯτ੹຿ͷ෼ࢄ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ ΞϓϦέʔγϣϯΞʔΩςΫνϟͷมԽΛ࠶ߟ͢Δ αʔόαΠυ8FCγεςϜ ڞ༗σʔλετΞ ήʔτ΢ΣΠ .JDSPTFSWJDF .JDSPTFSWJDF
.JDSPTFSWJDF .JDSPTFSWJDF ϙΠϯτ࿈ܞͷ૿Ճ

‣ ݁Ռɺʮ૊Έ߹ΘͤΔ͜ͱͰ࡞ΔʯతΞϓϩʔν͕औΓ΍͘͢ͳͬͨʂ ‣ ݱ୅ͷ8FCΞϓϦέʔγϣϯʹٻΊΒΕ͍ͯΔʮ౰ͨΓલ඼࣭ʯ͸ߴ͍ɻ ‣ ྫෳࡶͳػೳཁ݅ ߴՄ༻ੑ ߴ଎ͳಈ࡞ ‣ ࢀߟङ໺Ϟσϧ ‣ શ෦͔Β࡞ΕΔͷ͸͔͍͍͕ͬ͜ɺߴ͍ʮ౰ͨΓલ඼࣭ʯΛୡ੒͢Δͷ͸ࠔ೉ɻ ‣ ৴པͰ͖Δ΋ͷΛ૊Έ߹ΘͤΔ͜ͱͰɺϕʔεͷʮ౰ͨΓલ඼࣭ʯΛఈ্͛͠ͳ͕Βɺ ࣗ෼͕࣮ݱ͢Δ΂͖͜ͱʹ஫ྗ͢Δ͜ͱ͕Ͱ͖Δɻ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ ߏ੒ɾ࣮ߦ؀ڥͷมԽΛ࠶ߟ͢Δ ϙΠϯτ ੹೚ڥքͷଟ༷Խ ಛผͳߟྀࣄ߲ͷ૿Ճ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ มԽ͔Β࠶ߟ͢Δ ‣ ࡢࠓͷมԽ͕ڧௐ͢Δ8FCηΩϡϦςΟʹؔ͢Δ՝୊ ‣ ੹຿ͷ෼ࢄʜݩདྷαʔόαΠυ8FCΞϓϦέʔγϣϯͷ࣮૷தͰըҰత ʹऔΓѻΘΕ͍ͯͨηΩϡϦςΟ΁ͷ੹຿͕ɺ෼ࢄ͢ΔΑ͏ʹͳͬͨɻ ‣
࿈ܞͷ૿Ճʜͭͷૢ࡞ͷ࣮ݱͷͨΊʹɺෳ਺ͷιϑτ΢ΣΞ͕ؒ࿈ܞ͠ ͯಈ͘ػձ͕૿͖͑ͯͨɻܦ࿏͸҆શ͔ʁ࢓༷ͷҰ؏ੑ͸อͨΕ͍ͯΔ͔ʁ ‣ ੹೚ڥքͷଟ༷Խ ಛผͳߟྀࣄ߲ͷ૿Ճʜಈ࡞ج൫΍ϛυϧ΢ΣΞ͕ଟ ༷Խͨ݁͠ՌɺΞϓϦέʔγϣϯ։ൃऀӡ༻ऀ͕஫ҙ͢΂͖఺΋૿͑ͨɻ ‣ ͦ͜Ͱɺ͜ͷྖҬͷηΩϡϦςΟΛɺҎԼͷ؍఺ʹ෼ׂͯ͠ߟ͑ͯΈΑ͏ɻ ‣ ηΩϡΞʹͭ͘Δ ‣ ηΩϡΞʹͭͳ͛Δ ‣ ηΩϡΞʹ͏͔͢͝

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡΞʹͭ͘Δ ‣ ·ͣ͸ίϯϙʔωϯτͷ֤ʑ͕ηΩϡΞʹ࡞ΒΕ͍ͯΔ͜ ͱ͕ɺ͢΂ͯͷେલఏɻ ‣ 8FCΞϓϦέʔγϣϯΛ͜ͷΑ͏ͳϛΫϩͳࢹ఺ͰηΩϡ Ξʹ͢ΔͨΊʹ΋ɺ·ͣ͸࠷௿ݶͷ஌ࣝΛ਎ʹண͚Α͏ɻ ‣
ڭࡐ͸༷ʑଘࡏ͍ͯ͠Δ ‣ 08"41͕ϦϦʔε͍ͯ͠Δ֤छυΩϡϝϯτ ‣ 1PSU4XJHHFSͷ8FC4FDVSJUZ"DBEFNZ ‣ ʰମܥతʹֶͿ҆શͳ8FCΞϓϦέʔγϣϯͷ࡞Γํʱʢಙؙຊʣ .JDSPTFSWJDF ػೳ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡΞʹͭͳ͛Δ ‣ ࡞ͬͨίϯϙʔωϯτಉ࢜͸ηΩϡΞʹͭͳ͛ΒΕ͍ͯΔ͔Ͳ͏͔ɺͱ͍͏؍఺ ΋ඇৗʹॏཁʹͳ͖͍ͬͯͯΔɻ ‣ ʮηΩϡΞʹͭͳ͛Δʯͱ͍͏ߦҝΛɺ͞ΒʹҎԼͷͭʹϒϨΠΫμ΢ϯͯ͠ ߟ͑ΔͱΘ͔Γ΍͍͢ ‣
ηΩϡΞͳܦ࿏Ͱͭͳ͛Δ ‣ Ұ؏ੑΛอͪͳ͕Βͭͳ͛Δ .JDSPTFSWJDF .JDSPTFSWJDF ϛυϧ΢ΣΞ ΞϓϦέʔγϣϯ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡΞͳܦ࿏Ͱͭͳ͛Δ ʮηΩϡΞʹͭͳ͛Δʯͷཁૉ ‣ αʔϏεؒͷ௨৴ΛͲ͏ηΩϡΞʹߦ͏͔ɺ΋ඇৗʹॏཁͳ؍఺ɻ ‣ αʔϏεؒͷ௨৴ܦ࿏ʹ͸౪ௌɾվ͟ΜΛૂ͏߈ܸऀ͕͍Δ͔΋ʜ ‣ ͭͷίϯϙʔωϯτ͕৵֐͞ΕΔ͜ͱͰɺࢥΘ͵ͱ͜Ζ͔Β௨৴͕ߦͳΘ
ΕΔ͔΋͠Εͳ͍ʜ ‣ ༷ʑͳϓϨΠϠʔ͕ؤு͍ͬͯΔ ‣ ྫ*TUJPͳͲͷ4FSWJDF.FTIϓϩμΫτͳͲ ‣ ྫ41*'&&ͳͲͷαʔϏεؒ௨৴ʹ͓͚Δ*EFOUJUZ$POUSPMج൫

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ‣ ͭͷγεςϜͷ࣮ݱʹؔΘΔʜ ‣ ࢓༷͕૿͑Δ΄ͲɺͦΕΒͷ࢓༷ؒͷҰ؏ੑ͕໰୊ʹͳΔ͜ͱ΋૿͑Δɻ ‣ ιϑτ΢ΣΞ͕૿͑Δ΄ͲɺͦΕΒͷ࣮૷ؒͷҰ؏ੑ͕໰୊ʹͳΔ͜ͱ΋૿͑Δɻ ‣ શࠃେձͰ͸ʢ8FCʹؔ࿈ͨ͠ʣҰ؏ੑͷܽ೗͕ট͘໰୊ͷྫͷ͏ͪɺҎԼΛऔΓ্͛ͨ
‣ )5513FRVFTU4NVHHMJOH ‣ Ωϟογϡʹؔ࿈ͨ͠߈ܸ ‣ ϨεϙϯεϘσΟͷੜ੒ʹؔΘΔॲཧܥͷ࢓༷ࠩΛར༻ͨ͠߈ܸ Ұ؏ੑΛอͪͳ͕Βͭͳ͛Δ ʮηΩϡΞʹͭͳ͛Δʯͷཁૉ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ηΩϡΞʹ͏͔͢͝ ‣ ಈ࡞ج൫ΛηΩϡΞʹอͭ͜ͱ͸͍ͭ΋Ͳ͓Γେࣄɻ ‣ DG؅ཧ͍ͯ͠Δϊʔυ΁ͷύονద༻ ؂ࢹܥͷ੔උ ‣
ͦͷಈ࡞ج൫ಛ༗ͷ੹೚ڥք΍ηΩϡϦςΟϦεΫΛ೺Ѳͭͭ͠ΞϓϦέʔγϣ ϯΛӡ༻ɾ։ൃ͢Δɺͱ͍͏ͷ΋ͭͷେࣄͳ؍఺Ͱ͋Δɻ ‣ ྫ.FUBEBUB&OEQPJOUTྨͷอޢ͸͞Ε͍ͯΔ͔ ‣ ྫա৒ͳݖݶ΍༨ܭͳ৘ใ͕ΞϓϦέʔγϣϯʹ&YQPTF͞Ε͍ͯͳ͍͔ ‣ ۙ೥͸͜ͷτϐοΫʹֶ͍ͭͯͿͨΊͷϚςϦΞϧ͕ͲΜͲΜ૿͖͍͑ͯͯΔ ‣ ྫ/*4541ͷΑ͏ͳΨΠυϥΠϯ ‣ ྫ#VTUB,VCFͷΑ͏ͳϋϯζΦϯϚςϦΞϧ ‣ ྫIUUQTDPOUBJOFSTFDVSJUZEFWͷΑ͏ͳจݙ ‣

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ΫϥΠΞϯτଆ͸ʁ ‣ ٞ࿦ͷൣғΛ໌֬ʹ͢ΔͨΊɺҎޙ͸ʮ8FCηΩϡϦςΟʯͱ͍͏ྖҬΛɺҎ ԼͷྖҬʹ෼͚ͯߟ͑Δɻ ‣ ΫϥΠΞϯταΠυ8FCγεςϜͷηΩϡϦςΟ ‣ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ
αʔόαΠυ 8FCγεςϜ ΫϥΠΞϯταΠυ 8FCγεςϜ ͪ͜Βͷ࿩͸ࠓ೔͸Ͱ͖·ͤΜͰ͕ͨ͠ʜ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ΫϥΠΞϯτଆ͸ʁ ‣ ٞ࿦ͷൣғΛ໌֬ʹ͢ΔͨΊɺҎޙ͸ʮ8FCηΩϡϦςΟʯͱ͍͏ྖҬΛɺҎ ԼͷྖҬʹ෼͚ͯߟ͑Δɻ ‣ ΫϥΠΞϯταΠυ8FCγεςϜͷηΩϡϦςΟ ‣ αʔόαΠυ8FCγεςϜͷηΩϡϦςΟ
αʔόαΠυ 8FCγεςϜ ΫϥΠΞϯταΠυ 8FCγεςϜ ͪ͜Βͷ࿩͸ࠓ೔͸Ͱ͖·ͤΜͰ͕ͨ͠ɺ ࠷ۙ͜ͷ࿩ʹؔͯ͠ͷॻ੶Λ্Ѹ͠·ͨ͠

͓ΘΓʹ 1PTUGBDF

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ૉ๿ͳٙ໰΁ͷ౴͑ʢ࠶ܝʣ 28FCηΩϡϦςΟ8FCΞϓϦέʔγϣϯͷ࣮૷ͷηΩϡϦςΟʁ ੬ऑͳίʔυ͑͞ॻ͔ͳ͚Ε͹ηΩϡΞͱ͍͑ΔͷͩΖ͏͔ʁ "8FCηΩϡϦςΟ˦8FCΞϓϦέʔγϣϯͷ࣮૷ͷηΩϡϦςΟɻ 8FCηΩϡϦςΟΛߟ͑Δ্Ͱ͸ɺ΋͏গؔ͠৺Λ޿͛ͯ΍Δඞཁ͕͋Δɻ ͔ͭɺ͜ͷؔ৺ྖҬͷ֦େ͸ɺٕज़ελοΫͷมԽͱͱ΋ʹਐΈͭͭ͋Δɻ <p>Hello,
<?php echo $_GET['q']; ?></p> 944੬ऑੑͷ͋Δ1)1ίʔυ

TIJGUKTJOGP ͚ͩ͢͜͠ϚΫϩͳࢹ఺͔Βଊ͑Δ8FCηΩϡϦςΟ ·ͱΊ ͍·ͷʮ8FCηΩϡϦςΟʯͱ͸ αʔόαΠυ 8FCγεςϜ ΫϥΠΞϯταΠυ 8FCγεςϜ ‣
͜ͷηΩϡϦςΟΛҎԼͷ̏؍఺͔Βߟ͑Α͏ ‣ ηΩϡΞʹͭ͘Δ ‣ ηΩϡΞʹͭͳ͛Δ ‣ ηΩϡΞʹ͏͔͢͝

すこしだけマクロな視点から捉える Web セキュリティ / Web Security from...

すこしだけマクロな視点から捉える Web セキュリティ / Web Security from the Macro Perspective (Short Version)

More Decks by Takashi Yoneuchi

Other Decks in Technology

Featured

Transcript