mala
September 26, 2016

Learning from Real Cases: How to Find and Fix XSS Vulnerabilities / line_dm 16 20160916 how to find and fix xss

LINE Developer Meetup in Fukuoka #16
http://connpass.com/event/38413/


Transcript

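  1. Persistent DOM XSS
     • DOM based XSS can be made persistent
     • Attack code is stored in a cookie / localStorage
     • Cases where it is executed every time the page is displayed
     • → There are real examples, both in-house and in ad network iframes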
  2. Cookies in particular
     • Can be set even from a subdomain
     • vuln.example.com → .example.com
     • A cookie is set from a vulnerable subdomain
     • Cookie-originated DOM based XSS on the targeted domain
     • Cookies can also be set through a MITM attack
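  3. Attacks using cookies (XSS or ServerSide)
     • XSS is possible even when the service itself only ever outputs trusted values
     • Cookie setting via MITM → cannot be prevented without HSTS include subdomain
     • Both the JS and the server must be designed on the premise that untrusted values will come in
     • There are several cases of remote code execution using crafted cookies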
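  4. Outputting JavaScript variables
     • Avoid it in the first place
     • Embedding via data-xxx="html escaped value" is recommended
     • The same escape rule covers it, so there is no need to think about context
     • If it really is necessary, use js escape, not html escape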
  5. When outputting a URL
     • javascript: xxx must not get in
     • ○ Create a validation rule and apply it
     • HTML Escape / JS escape alone is not enough
     • Places that take URLs as input and output should have validation anyway
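  6. When outputting HTML
     • Avoid innerHTML as much as possible (only at the final output step)
     • Use a template engine capable of automatic escaping → mustache, etc.
     • jQuery's html() → replace with text() where html() is not needed
     • Heavy use of html() becomes a burden for review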
  7. Concrete example
       var keyword = '[% param.keyword | html %]'; // this
       ↓
       var keyword = ''; alert(1); ''; // becomes this
     • The template engine in use at the time did not escape single quotes
     • Rarely seen these days
     • Values obtained from the referrer → become DOM based XSS
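  8. Case: wanting HTML entities to be interpreted
     • After switching to $(el).text() for display, HTML entity references and numeric character references were no longer rendered
     • Things like this: B'z → B'z
     • → People end up changing it to $(el).html(), or adding processing that disables automatic escaping
     • It is necessary to check whether user input can get in
     • Even where the input is safe, review becomes hard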
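  9. Problems that come with changing the escape method
     • A: ○ Embed the variable with js escape → display with auto escape in the js template
     • B: △ Embed the variable with html escape → display with auto escape in the js template → double escape
     • C: ☓ Embed the variable with js escape → there are places that output through innerHTML or $() html()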
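  10. What is the problem?
     • Double escaping is a bug, but XSS is a vulnerability
     • B can get worse and turn into C (fixing the bug brings out the vulnerability)
     • The surrounding code has to be reviewed together with it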
  11. Cases that use //
     • Can be broken out of with a newline
       // var keyword = '
       alert(1)//'
     • Can also be broken out of with U+2028 / U+2029
     • Don't do anything half-baked like filtering newlines.
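  12. Case: dynamic loading of content
     • Cases where an HTML fragment is displayed
     • Became common with the popularity of single page apps → few vulnerabilities if the router is written properly
     • Sites built a little while ago take the value from location.hash
     • Often seen on official anime sites, landing pages and the like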
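  13. Problems in libraries
     • The assumption that same-domain content is safe
     • jQuery mobile → loads same-domain content specified by the hash
     • Rails turbolinks → loads link targets via Ajax for speed
     • Wrote patches, among other things (restricting the content-types for which dynamic loading is performed)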
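
The escaping advice in slides 4, 7 and 11, as an added example that is not part of the original deck: an HTML escape that skips the single quote reproduces the slide 7 breakout, while a `\uXXXX`-based JS string escape keeps quotes, newlines and U+2028 / U+2029 inside the literal. All function names and sample inputs are constructed for illustration.

```javascript
// Added example, not code from the deck; all function names are hypothetical.
const HTML_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML escape for text and attribute values, both quote characters included.
function htmlEscape(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_MAP[c]);
}

// The flaw in the deck's concrete example: an HTML escape that leaves ' untouched.
function legacyHtmlEscape(value) {
  return String(value).replace(/[&<>"]/g, (c) => HTML_MAP[c]);
}

// JS string escape: every UTF-16 code unit outside a small safe set becomes \uXXXX.
// Covers quotes, backslash, "<" (no "</script>"), CR/LF and U+2028 / U+2029.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9 _.,-]/g, (c) =>
    '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Preferred: carry the value in a data attribute, so one HTML escape rule is enough.
function renderDataAttr(keyword) {
  return '<div id="search" data-keyword="' + htmlEscape(keyword) + '"></div>';
}

// Only when an inline variable is unavoidable: JS escape, not HTML escape.
function renderInlineVar(keyword, escape = jsStringEscape) {
  return "var keyword = '" + escape(keyword) + "';";
}

// The value stayed inside the literal if the statement has exactly two quotes
// and no raw line terminator (which would also end a // comment).
function staysInLiteral(src) {
  return src.split("'").length - 1 === 2 && !/[\n\r\u2028\u2029]/.test(src);
}

// The escaped statement must evaluate back to exactly the input string.
function roundTrips(keyword) {
  return new Function(renderInlineVar(keyword) + ' return keyword;')() === keyword;
}

// Constructed sample inputs: the deck's payload plus line-terminator variants.
const SAMPLES = ["'; alert(1); '", "a\nalert(1)//", "a\u2028alert(1)//", "</script>", "B'z"];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), staysInLiteral(renderInlineVar(s)), roundTrips(s));
}
```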