Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
脆弱性発見者が注目する近年のWeb技術
Search
MUNEAKI NISHIMURA
February 03, 2017
Technology
29
13k
脆弱性発見者が注目する近年のWeb技術
RECRUIT Technologies NIGHT vol.3の発表資料です。
MUNEAKI NISHIMURA
February 03, 2017
Tweet
Share
More Decks by MUNEAKI NISHIMURA
See All by MUNEAKI NISHIMURA
Brave Browserの脆弱性を見つけた話(iOS編)
nishimunea
3
2.1k
ブラウザの脆弱性とそのインパクト
nishimunea
26
9.5k
脆弱性発見者の目から見た、脆弱性対応の最前線
nishimunea
15
2.6k
Slack Team for Security Testers and Bug Hunters
nishimunea
1
730
Finding Vulnerabilities in Firefox for iOS
nishimunea
3
8.2k
SWIFT Code for Mozilla Bank
nishimunea
1
860
次世代プラットフォームのセキュリティモデル考察
nishimunea
6
5.1k
Other Decks in Technology
See All in Technology
ギークの理想が7つ集まるエムスリーで夢を叶えよう - エムスリー株式会社
m3_engineering
1
260
AWSサービスメニュー開発をしていてAWSを好きだ!と感じた瞬間
toru_kubota
0
130
dxd2024-生成AIに振り回された3か月間の成功と失敗/dxd2024-link-and-motivation
lmi
2
260
[I/O Extended Android 2024] What`s new in Android 2024
kyeongwan
0
220
推薦システムを本番導入する上で一番優先すべきだったこと~NewsPicks記事推薦機能の改善事例を元に~
morinota
0
120
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
expajp
4
1.3k
年間一億円削減した時系列データベースのアーキテクチャ改善~不確実性の高いプロジェクトへの挑戦~
lycorptech_jp
PRO
3
2.9k
データ分析基盤を作ってみよう~設計編~
nrinetcom
PRO
1
110
フルリモートワークはエンジニアの夢を叶えたか? #cm_odyssey
mamohacy
2
600
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
180
Azure AI ことはじめ
tsubakimoto_s
0
130
AIアシスタントの活用で品質の向上と開発ワークフローのスピードアップ
nagix
1
200
Featured
See All Featured
How GitHub (no longer) Works
holman
305
140k
Testing 201, or: Great Expectations
jmmastey
33
6.9k
Docker and Python
trallard
37
2.9k
Being A Developer After 40
akosma
72
580k
The World Runs on Bad Software
bkeepers
PRO
63
11k
The Language of Interfaces
destraynor
151
23k
Building Applications with DynamoDB
mza
89
5.8k
From Idea to $5000 a Month in 5 Months
shpigford
377
46k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Designing for humans not robots
tammielis
247
25k
RailsConf 2023
tenderlove
16
720
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
36
9.1k
Transcript
੬ऑੑൃݟऀ͕͢Δۙͷ8FCٕज़ 3&$36*55FDIOPMPHJFT/*()5WPM ݄
ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃܞଳిϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦ݄ͯΑΓݱ৬ɻϦΫϧʔτͷ*%ཧج ൫ͷηΩϡϦςΟอकϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯϒϥβͷ੬ऑੑΛ୳͢͜ ͱɻʹใࠂͨ͠੬ऑੑ݅Λ͑Δɻஶॻʹ
ϒϥβϋοΫʢ༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ
੬ऑੑΛൃݟ͢ΔਓͷࢹͰ ͍ͯ͠Δ8FCٕज़Λհ͠·͢
Server Push
• ʹΓٞͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ4FSWFS4FOU&WFOUT8FC4PDLFU • *&5'Ͱ)551QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ)JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹɺϒϥβͰ1VTI௨Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC1VTIϓϩτίϧ1VTI"1*ͷ༷ࡦఆ͕ߦͳΘΕ͍ͯΔ
• ͦΜͳதɺݸਓతʹ͍ͯ͠Δͷʜ 4FSWFS1VTI
multipart / x-mixed-replace
http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html
• ɺ/FUTDBQFʹࡌ͞Εͨ࠷ݹͷ4FSWFS1VTI • .+1&(PWFS)551ͷ৴खஈͱͯ͠༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻ • ݱࡏͰɺ'JSFGPY͘Β͍͔͠·ͱʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜ͰΘΕ͍ͯΔͷ͔
NVMUJQBSUYNJYFESFQMBDF
#VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea
3*$0)5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY
Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδͷσʔλ ϖʔδͷσʔλ
Կނ͍ͯ͠Δ͔ͱ͍͏ͱ
ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'
<script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-
·ͩͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471
https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮͕ෆશͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕Δ͜ͱͷํ͕େͩͱஅ͠ɺ .P[JMMBະमਖ਼ͷ੬ऑੑใΛ։ࣔ
HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a
href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ
https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPYͰઌिमਖ਼͞Εͨ
৽͍͠ϔομ͕ొ͢Δͨͼָ͠ΊΔ
HTTP/2
• ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱհͨ͠ +YDL͞Μͱͷग़ձ͍ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/
ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification
੬ऑੑͷݪҼ5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session
Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠
• )551$POOFDUJPO3FVTF 3'$ - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Εɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551"MUFSOBUJWF4FSWJDFT 3'$ -
ಉ͡ϦιʔεΛఏڙ͢Δସαʔόͷ༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯཧͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";
flickr.com ෳυϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection
flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &
flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ
flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)
Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘ ࣮࣭తͳڴҖ͋·Γͳ͍ͷͰʁ
ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱݶΒͳ͍ • ྫ͑ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏
͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ
)551"MUFSOBUJWF4FSWJDF "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:
h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate
"MU4WDͷਖ਼͍࣮͜͠͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ
࣮ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"
Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ͚Δ͜ͱ͕Ͱ͖Δ
͜ͷ࣮ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight
(OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ
https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲڻ͍͍ͯΔɻ͜Ε"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ
ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙग़͖ͯͦ͏
FlyWeb
https://flyweb.github.io/#showcase
• .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ·࣮ͩݧஈ֊ - 'JSFGPY/JHIUMZʹͷΈσϑΥϧτແޮͰࡌ - BCPVUDPOGJH
Ͱ EPNGMZXFCFOBCMFEUSVFʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC
• ෳͷεϚϗΛଓ͠ɺϒϥβ্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC(1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4
'MZ8FCͷΈ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞͷ͕ͦͷαʔόʹΞΫηε
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });
navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers
= {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢
αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX4FSWFSʯΛબ͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ
ϩʔΧϧΤϦΞʹ͋Δผͷ͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ
#POKPVSରԠΦϑΟεϓϦϯλͷཧը໘։͚Δ • 'JSFGPYͷ'MZ8FCΟϯυ@IUUQUDQʹରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢ΔػثʹΞΫηεͰ͖Δ
'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /
JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ཧը໘ʹͳΓ͢·͢ ཧը໘ʹΞΫηεͨ͠ʹ ϚϧΣΞ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ
navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var
h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠ʹ TFUVQCBU Λ
͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ
(PPHMF༁ܦ༝Ͱ։͚ͦΕͬΆ͍υϝΠϯʹ
ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ
None
͜ͷ··ͷ༷ͩͱຊʹѱ༻͞Εͦ͏
• 4FSWFS1VTI NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ͍ͯ͠Δ8FCٕज़Λͭհ͠·ͨ͠