Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OWT2017JP - OWASP BWA
Search
OWASP Japan
September 30, 2017
Technology
9
3.4k
OWT2017JP - OWASP BWA
#OWT2017JP
Training Course using OWASP BWA
by 松浦知史, 東京工業大学
OWASP Japan
September 30, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
310
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
920
20190107_AbuseCaseCheatSheet
owaspjapan
0
150
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
870
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.1k
Shifting Left Like a Boss
owaspjapan
2
270
OWASP Top 10 and Your Web Apps
owaspjapan
2
360
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
220
elegance_of_OWASP_Top10_2017
owaspjapan
2
500
Other Decks in Technology
See All in Technology
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
650
「最高のチューニング」をしないために / hack@delta 24.10
fujiwara3
21
3.4k
新卒1年目が向き合う生成AI事業の開発を加速させる技術選定 / ai-web-launcher
cyberagentdevelopers
PRO
7
1.5k
30万人が利用するチャットをFirebase Realtime DatabaseからActionCableへ移行する方法
ryosk7
5
350
Gradle: The Build System That Loves To Hate You
aurimas
2
150
CyberAgent 生成AI Deep Dive with Amazon Web Services / genai-aws
cyberagentdevelopers
PRO
1
480
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k
ガバメントクラウド先行事業中間報告を読み解く
sugiim
1
1.3k
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120
一休.comレストランにおけるRustの活用
kymmt90
3
580
pandasはPolarsに性能面で追いつき追い越せるのか
vaaaaanquish
4
4.6k
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
Featured
See All Featured
Producing Creativity
orderedlist
PRO
341
39k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Testing 201, or: Great Expectations
jmmastey
38
7k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
Ruby is Unlike a Banana
tanoku
96
11k
Adopting Sorbet at Scale
ufuk
73
9k
Typedesign – Prime Four
hannesfritz
39
2.4k
Fontdeck: Realign not Redesign
paulrobertlloyd
81
5.2k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Six Lessons from altMBA
skipperchong
26
3.5k
GitHub's CSS Performance
jonrohan
1030
460k
Transcript
08"41#8"Λ༻ֶ͍ͨੜ ͓Αͼ৬һ͚τϨʔχϯά ౦ژۀେֶɹֶज़ࠃࡍใηϯλʔɹ দӜ࢙ (
[email protected]
)
2 দӜ ࢙ (MATSUURA Satoshi) ౦ژۀେֶ ֶज़ࠃࡍใηϯλʔ ।ڭत ౦େCERT ౷ׅऀ
http://cert.titech.ac.jp ▪ ηΩϡϦςΟڭҭ • αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜ (౦େɾम࢜ର) • IT-Keys / SecCap (ෳͷ࢈ֶ৫ɾम࢜ର) ▪ ݚڀ׆ಈ • geographical overlay network, େنηϯαωοτϫʔΫ, ࢄPub/ Sub, DTN, ηΩϡϦςΟϩάੳͱػցֶश
ίʔεΛ௨ͯ͠Կֶ͕Δ͔ • OWASP BWA(Broken Web Application)ͱԿ͔ • ԋश࣮ࢪऀ͓Αͼडߨऀʹର͢ΔڭҭޮՌ • OWASP
BWAΛར༻ͨ͠ԋशڥͷߏஙํ๏ • ۩ମతͳ߈ܸγφϦΦͷ࡞खॱ • ۩ମతͳԋश࣮ࢪखॱ(ͷग़͠ํ) – डߨऀ͕ཧղ͍͢͠ͷཻͱॱ൪Λߟྀ • ۩ମతͳԋश࣮ࢪྫͱTips – OWASP TOP10Ճֶ͑ͨੜ/৬һ͚ͷԋश࣮ࢪྫ 3
OWASP BWA(Broken Web Application) 4 ɾηΩϡϦςΟֶश༻ͷ੬ऑͳΞϓϦΛؚΉLinux͕ϕʔεͱͳͬͨVMΠϝʔδ ) ઈରʹάϩʔόϧͳڥʹଓͤͣɺִ͞ΕͨNATڥͰར༻ͯ͠Լ͞ ͍ OWASP
BWAτοϓϖʔδ ଟछଟ༷ͳΞϓϦ͕༻ҙ͞Ε͍ͯΔ τϨʔχϯάΞϓϦ ੬ऑੑΛ๊͑ͨΞϓϦͳͲ
BWAͷରऀ • WEBΞϓϦέʔγϣϯͷηΩϡϦςΟΛֶͼ͍ͨํ • ϦεΫධՁٕज़(ϖωτϨɺ੬ऑੑஅͳͲ)ΛखಈͰࢼ͍ͨ͠ํ • ࣗಈԽπʔϧΛςετ͍ͨ͠ํ • ιʔείʔυ͕ηΩϡΞ͔Ͳ͏͔ੳ͍ͨ͠ํ •
WEBʹର͢Δ߈ܸΛࢹ͍ͨ͠ํ • WAFͷٕज़Λςετ͍ͨ͠ํ 5 ใηΩϡϦςΟͷॳֶऀ͔ΒΞϓϦέʔγϣϯ։ൃऀɺηΩϡϦςΟػثͷӡ༻୲ ऀ·Ͱɺతʹ߹Θͤͯ෯͍ٕज़ऀ͕ར༻Ͱ͖Δɻ໊લͷ௨ΓWEB͕த৺ɻ!
BWAͷத • Training Applications – ੬ऑੑຖʹίʔε͕༻ҙ͞Ε͓ͯΓɺΛղ͖ͳ͕ΒֶΔWEBΞϓϦ • Realistic, Intentionally Vulnerable
Applications – ଟछଟ༷ͳ੬ऑੑ͕ҙਤతʹ࡞Γࠐ·ΕͨWEBΞϓϦ • Old Versions of Real Applications – WordPressͳͲ࣮ࡏ͢ΔΞϓϦ(੬ऑੑͷ͋Δݹ͍όʔδϣϯ) • Applications for Testing Tools • Demonstration Pages / Small Applications • OWASP Demonstration Applications 6 ࠷ॳ͔Β੬ऑੑΛ๊༷͑ͨʑͳΞϓϦؚ͕·Ε͓ͯΓɺԋश࣮ࢪऀԋशڥͷߏங γφϦΦͷ࡞ʹूதग़དྷΔɻ·ͨVMͰ͞Ε͍ͯΔͷͰڥߏங༰қɻ! ֤ʑ10छྨ΄Ͳ! ༻ҙ͞Ε͍ͯΔ!
ࠓճԋशΛߦͬͨର(౦େੜ/౦େ৬һ) • ౦େੜ (ओʹमֶ࢜ੜ) – αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜΛडߨ – CSͷجૅཧدΓͷߨ͕ٛଟ͍(ྑ͍ࣄ) – جૅྗΛԠ༻͢Δ࣮ફతͳ(ߨٛ)Λఏڙ͍ͨ͠!
• ౦େCERT (ओʹࣄһ+ٕज़৬һ) – ৫CSIRTۀΛ୲ – ʑηΩϡϦςΟͷʹ৮ΕΔ͕ৄࡉΛΔػձ͕ແ͍ – ΈΛΓɺۀͰͷஅྗΛ্͍ͤͨ͞! 7
࠲ֶͱԋश 8 ԋशڥ͕Γ͍ͯͳ͍ঢ়گͰ͋ͬͨͷͰɺͰ͖ΔݶΓߏஙίετΛ͑ͳ͕Βԋश Λߦ͏ͨΊʹOWASP BWAΛ࠾༻ͨ͠ɻ! ࣝͷར༻/Ԡ༻! ࣝͷशಘ!
9 ۩ମతͳγφϦΦͷ ࡞खॱΛհ͠·͢
ԋशڥ/γφϦΦͷ࡞ϙϦγʔ • डߨऀ͕ແཧͳ͘४උ͠ࢀՃͰ͖Δԋशڥ • ݱ࣮ͷڥʹஔ͖͑ͯ૾Մೳͳԋशڥ • ग़དྷΔ͚ͩडߨऀ͕ࣗྗͰղ͚Δͷཻ/ • ղ͖ਐΊΔͱࣗવͱ߈ܸγφϦΦ͕ཧղͰ͖Δߏ 10
੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ෳࡶͳXSSΛडߨऀʹͲ͏ཧղͯ͠͏͔ 11
XSSશମͷγφϦΦΛղ • ΫοΩʔใΛ֬ೝ͠ɺมߋ͢Δ (1,6) – ϒϥβΛར༻͠ΫοΩʔͷૢ࡞ΛΔ • ੬ऑੑͷ֬ೝͱނҙͷใ࿙Ӯ (1,4,5) –
ݕࡧϑΥʔϜΛར༻͠ΫοΩʔใΛૹ৴ • ߈ܸίʔυͷ࡞/ઃஔ (2,3,4) – ΫοΩʔใΛૹ৴͢ΔίʔυΛؚΜͩURLͷੜ 12 Λখ͘͞ղ͢Δ͜ͱͰͷқ͕Լ͢ΔɻώϯτΛՃ͑Δ͜ͱͰଟ͘ͷ डߨऀ͕ࣗྗͰղ͢Δࣄ͕Մೳɻ্ه̏ͭΛΈ߹ΘͤΔͱશମͷγφϦΦʹɻ!
ϢʔβʹΑΔΫοΩʔͷฤू 13 ɾϒϥβͷΞυϨεόʔͰJavaScriptΛ࣮ߦՄೳ ɾΫοΩʔͷදࣔ - javascript:alert(document.cookie); ɾΫοΩʔͷՃɾฤू - javascript:void(document.cookie=”id=abcd1234”); αΠτΛ๚Εͨ࣌Ͱcookieແ͠
ΞυϨεόʔΑΓcookieΛՃ ΞυϨεόʔΑΓcookieΛฤू
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) 14 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻
߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 15 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
BWAΛར༻͠ɺγφϦΦΛ࣮͢Δ 16 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ ChromeXSS੬ऑੑ͕͋ΔϑΥʔϜͰͷεΫϦϓτ࣮ߦ ͕ݫ੍͘͠ݶ͞Ε͍ͯΔɻFirefoxܯࠂͷΈɻWin/Mac
ͱडߨऀڥ͕·ͪ·ͪͰ͋ΔࣄΛߟ͑FirefoxΛ࠾༻ɻ डߨऀPC্ͷ Firefox BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA͕ىಈग़དྷΕɺޙFirefoxΛडߨऀʹΠϯετʔϧ͖ͯͯ͠͏ࣄͱผ్ ApacheͳͲhttpdΛ४උ͠ɺΞΫηεϩά͕ݟΒΕΔ༷ʹ͓͚ͯͩ͘͠Ͱ४උྃɻ!
ʔɺ ·͔ͬ͢͡ʔ ࣮ࡍͷ४උաఔ ͬͺΓ ԋशΛ Γ͍ͨ ʂʂ Ғ͍ਓ ͱʹ͔͘
Δ͔͠ͳ͍ ୲ऀ 2िؒఔͷ४උظؒ • ձٞͰ४උίετͷߴ͔͞Βԋशஅ೦͢Δํʹ͔͏͕ɺͷҰ͕ • 2िؒఔͰۀͷ߹ؒʹԋशڥΛ࡞ΓࠐΉࣄʹ(தʑʹେมɻBWAʹײँ) • ࣮ࡍʹBWAͷΞϓϦΛར༻͠ࢼߦࡨޡ͠ͳ͕ΒγφϦΦΛ࡞ɻ͜͜·Ͱͷ આ໌ͷ༷ʹશͯτοϓμϯͱ͍͏༁ʹதʑ͍͔ͳ͍ɻ • ԋश୲ऀXSSͳͲԋशʹ݁͢Δ͚ࣝͩͰແ͘ɺγφϦΦͷ࡞ೳ ྗɺHTTPͷཧղɺԾڥͷߏஙೳྗͳͲ෯͍ࣝೳྗ͕ʹ͘ɻ 17
18 ࣮ࡍͷΛݟͯɺ γφϦΦΛḷͬͯΈ·͠ΐ͏
੬ऑੑ͕͋ΔݕࡧϑΥʔϜ @ BWA WackoPicko 19 1. ௨ৗͷݕࡧ! 2. HTMLλάΛؚΜͩݕࡧ! 3.
javascriptΛؚΜͩݕࡧ! ɾݕࡧจࣈྻ ɹ1.ɿhouse ɹ2.ɿ<s>house</s> ɹ3.ɿ<script>alert('hello');</script>
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ߈ܸίʔυΛؚΜͩΞΫηε
(߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ) 20
ԋश՝̍ 21 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛ֎෦αʔό(192.168.7.100)ʹ ɹɹૹ৴͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛΞΫηεϩάΑΓ֬ೝ͠ͳ͍͞ άάΔ KBWBTDSJQUΛར༻͢Δ JNHTSDz63-zΛར༻ͯ͠ɺ֎෦αʔόʹϝοηʔδΛૹΔ 'JSFGPYͷ։ൃπʔϧΛ׆༻͢Δ πʔϧˠ8&#։ൃˠ։ൃπʔϧΛදࣔ
ώϯτ
FirefoxͷWEB։ൃπʔϧ 22 ཁૉͷௐࠪ (HTMLͷதΛ͏)! ௨৴ͷௐࠪ (HTTPͷதΛ͏)! - WEB։ൃʹ͔ܽͤͳ͍πʔϧɻChrome / Safariʹඪ४Ͱଐ
- πʔϧ→WEB։ൃ→։ൃπʔϧͷදࣔͱḷΔ (Mac: Cmd + Opt + i)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 23 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
ԋश՝̎ 24 ̍ɽcookieͷதΛදࣔͯ͠͠·͏ϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠Լਤͷ༷ͳuser/passͷೖྗΛٻΊΔϑΥʔϜΛ࡞͠ͳ͍͞ ̏ɽϘλϯ͕ԡ͞Εͨ࣌ʹೖྗ͞ΕͨใΛ(ෆਖ਼ͳ)֎෦αʔόʹૹ৴͢ΔΑ͏ʹ͠ͳ͍͞ ̐ɽ্ه̎ͭͷػೳΛ࣋ͬͨϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̑ɽܝࣔ൘ʹ্ه(4.)ͷURLʹ༠ಋ͢ΔϦϯΫΛॻ͖ࠐΈͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A
#8"8BDLP1JDLP 'JSFGPY #8":B[E "QBDIF ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε
੬ऑͳαΠτͷϦϯΫPOST (߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ԋशΛ௨ͯ͠શମͷγφϦΦΛཧղͯ͠͏ 25 ܝࣔ൘αΠτΛ๚Εෆ༻ҙʹURLΛΫϦοΫͨ͠ॴɺଞͰϩάΠϯ͍ͯͨ͠ը૾ڞ༗αΠτ ʹෆਖ਼ʹ৵ೖ͞Εͯ͠·͍ɺϓϥΠϕʔτͳࣸਅΛݟΒΕΔͷةݥੑ͕͋ΔࣄΛ࣮ײͯ͠ ͏ɻଞͷαʔϏεؚΊͯͲΜͳඃ͕ൃੜ͢Δ͔डߨऀʹߟ͑ͯ͏ɻ!
26 ͋ͬ͞Γͱղ͚ͨडߨੜ͚ʹ Ճͨ͠(͓·͚)
GETةݥɺPOST҆શʁʁ 27 ɾGETͰͳ͘POSTΛ͏͖(ͱ͍͏ਓ͕͍Δ) URLʹ߈ܸίʔυΛຒΊΒΕͳ͍ͷͰɺ҆શͩͱצҧ͍͍ͯ͠Δ ݕࡧϑΥʔϜɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site Scripting(XSS)→Phishing with XSS ͜͜ͷݕࡧϑΥʔϜPOSTΛར༻͍ͯ͠Δɻຊʹ҆શͰ͠ΐ͏͔ʁ
ԋश՝̏ 28 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛෆਖ਼ͳWEBαʔόʹૹ৴͠ͳ͍͞ ̏ɽԼهͷ༷ͳೝূใΛೖྗ͢ΔϑΥʔϜΛ࡞Γͳ͍͞ ̐ɽೝূใΛೖྗ͠ɺͦͷ༰Λෆਖ਼WEBαʔόʹૹ৴͠ͳ͍͞
ԋश՝̐ 29 ̍ɽܝࣔ൘(Yazd)ʹ᠘Λֻ͚ɺ՝̏ͷೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A ̎ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ ̏ɽܝࣔ൘(WebGoat)ʹ᠘Λֻ͚ɺೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site
Scripting(XSS)→Stored XSS Attacks ̐ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ :B[Eͷܝࣔ൘ຊޠʹରԠ͍ͯ͠ͳ͍ͷͰɺϝοηʔδӳޠͰྑ͍ 'JSFGPYͷ։ൃπʔϧͰ)551௨৴ͷ༰ΛѲ͢Δ 'PSN JOQVUλάͰ1045͕Մೳ )5.-ͷߏΛௐࠪ͠ɺѱҙ͋Δίʔυ͕Ͳͷ෦ʹө͞ΕΔ͔֬ೝ͢Δ ώϯτ
30 ηΩϡϦςΟԋशΛ࣮ࢪͨ͠ ༷ࢠΛ۩ମతʹհ͠·͢
౦େੜ͚ͷηΩϡϦςΟ߹॓ • ରऀɿ౦େੜ(ओʹम࢜) 10໊ఔ • ։࠵/ظؒɿശࠜͷϗςϧ / 2ധ3 • डߨऀͷϨϕϧɿཧܥֶੜͱͯ͠ߴ͍جૅྗΛ࣋ͭɻҰํͰHTML
JSɺHTTPͷWEBٕज़ͷجૅΛΒͳֶ͍ੜҰఆͷׂ߹ଘࡏ͢Δɻη ΩϡϦςΟٕज़ʹڵຯ͕͋ΔఔͰɺCTFࢀՃऀͳͲ͍ͳ͍ঢ়گɻ 31 Λղ༷͘ࢠ ԋशձͷ༷ࢠ
߹॓ʹ͓͚Δԋशڥͷ४උ • ߹॓લʹडߨऀ֤ࣗͷϚγϯʹOWASP BWAΛΠϯετʔϧ͖ͯͯ͠͏ • VMWare Player(Win) / VirtualBox(Win/Mac) /
VMWare fusion(Macɾ༗ঈ)ͰBWA͕ແ͘ىಈ • FirefoxซͤͯΠϯετʔϧͯ͘͠ΔΑ͏ʹࢦࣔ • ߦͷΠϯετʔϧղઆΛࣄલʹૹͬͨͷΈͰɺಛஈͷτϥϒϧແ͠ • ApacheͳͲԋशʹผ్ࢦࣔͯ͠४උͯ͠͏ • VirtualBoxOWASP BWAͰGB͋ΔͷͰUSBϝϞϦೖΕ͓ͯ͘ͱτϥϒϧ࣌ʹཱͭ • ֤ࣗͷPCͰ݁ͯ͠ԋश͕ߦ͑Δঢ়ଶ (ձͷωοτϫʔΫڥ͕ಡΊͳ͍ͨΊ) 32 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko”
߹॓ͷϓϩάϥϜ • 1 (౦େ ߨࢣਞ) – ωοτϫʔΫ/ೝূ/WEB/OSʹؔ͢Δߨٛ – OWASP TOP
10ʹؔ͢Δௐࠪ(άϧʔϓϫʔΫ) • 2 (౦େ ߨࢣਞ) – OWASP TOP 10ʹؔ͢Δൃදͱٞ – OWASP BWAΛ༻͍ͨԋश • 3 (ָఱCERT ߨࢣਞ) – ָఱΛऔΓר͘ϦΞϧͳηΩϡϦςΟͷ – XSS / SQLi / RCEΛத৺ͱͨ͠ԋश – ιʔγϟϧΤϯδχΞϦϯάͷ 33 TOP 10άϧʔϓؒͰͷॏෳΛڐ̎͠ɼ̏ͷςʔϚΛௐ͓ࠪΑͼൃදɻ͕σϞΛ࡞͢ Δͱ͍͏ྗͷೖΕΑ͏Ͱ͋ͬͨɻBWAԋश4࣌ؒͷ༧ఆ͕ϓϩάϥϜ͕ԡͯ͠͠·͍2࣌ؒ ͷΈɻ͕࣌ؒΓͳ͍ͱͷҙݟ͕ଟग़͕ͨɺԋश՝̎·Ͱଟ͘ͷडߨऀ͕ղ͍͍ͯ ͨɻ!
౦େ৬һ͚ηΩϡϦςΟԋश • ରऀɿ౦େCERT(ओʹࣄ৬һʴٕज़৬һ) 5໊ • ։࠵/ظؒɿ౦େͷձٞࣨ / 2ϲ݄(1.5࣌ؒ/ि) • डߨऀͷϨϕϧɿʑηΩϡϦςΟͷʹ৮Ε
Δ͕ٕज़తͳৄࡉΛֶश͢Δػձແ͍ɻCSͷό οΫάϥϯυ͋·Γແ͍ɻ1໊ใܥग़Ͱ2 ճ(3࣌ؒ)΄ͲͰશͯऴྃɻ 34 Ώͬ͘ΓਐΊΔࣄ͕ॏཁɻֶੜʹࣄલߨٛͰWEBʹ͓͚ΔηογϣϯཧಉҰੜݩϙ ϦγʔͳͲʹݴٴ͕ͨ͠ɺ৬һ͚Ͱ͞ΒʹHTMLλά؆୯ͳJSͷ࣮ߦͷํͳͲؚ Ίͯेʹ࣌ؒΛऔͬͯਐΊͨɻ͔͔͕࣌ؒͬͨԋश՝̎·Ͱଟ͕͘ղͰ͖ͨɻ!
ԋशڥͷߏங ੬ऑͳ8&#αΠτ ใ࿙ӮઌͷαΠτ ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ
൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” • VMWare vSphere (ESXi)ͷڥʹBWAΛ४උ • ެࣜαΠτ͔Βऔಘͨ͠.vmxϑΝΠϧΛVMWare OVFToolΛར༻ͯ͠.ovaʹมͯ͠ར༻͢Δ • BWAެࣜͷOVA(ver 1.2 / 1.1.1)ىಈͤͣWEB্Ͱಉ༷ͷࢦఠ༗Γ • OVFToolίϚϯυWin/Mac/Linux൛͕༻ҙ͞Ε͍ͯΔʢMacͷ߹Լهͷ༷ʹม͢Δ) • /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova • vSphere client͔Β্هͰੜͨ͠.ovaϑΝΠϧΛσϓϩΠ͢ΕBWA͕ར༻Մೳ • ࣮ݧ༻ͷԾԽج൫্Ͱߦ͕ͬͨ҆શͷͨΊԋश࣌Ҏ֎BWAͷిݯOFFʹ (εφοϓγϣοτΛऔͬͯॳظԽ༗ޮ) • डߨऀFirefoxΛΠϯετʔϧͨ͠PCΛ࣋ࢀ͢Δ͚ͩ 35 vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSDx2)
ֶੜ͚ / ৬һ͚ͷԋशΛ௨ͯ͠ͷࡶײ • جૅྗͷࠩͦ͋͜Εɺ࣌ؒΛֻ͚Εஈ֊Λͬͯղ͕Մೳ • खΛಈ͔͠ͳ͕Β͕ղ͚ͨ࣌ྸʹؔΘΒָͣͦ͠͏Ͱ͋Δ • ಛʹ৬һ۩ମతʹةݥͰ͋ΔͱॳΊͯ૾Ͱ͖Δέʔεଟ͍ •
ֶੜ͚ʹ༰Λॆ࣮͢Δඞཁ͕͋Δ(ଟ͘ΛֶΜͰཉ͍͠) • ಥग़ͯ͠ਐΉֶੜ͕͍ͯɺղ͖͘ࡐBWAʹ૬͋ΔͷͰ์ஔϓϨʔՄೳ • ৬һ͚ʹICTཧऀͳͲ෯͘ࢀՃ͍ͯ͠ɺҙ্ࣝΛਤΔࣄ͕ޮՌత • ڥߏஙBWAͷύοέʔδϯάͱVMͷ͓͔͛Ͱ૬ʹָͰ͋Δ(γφϦΦ࡞ʹूதग़དྷ Δ) • ԋश࣮ࢪऀ෯ֶ͘ΔɻηΩϡϦςΟΛֶͼ͍ͨ։ൃऀूஂͰ͋Εɺ֤ࣗͰςʔϚΛܾ Ίͯ1࣌ؒఔͷԋशΛॱ൪ʹ୲͢ΔͱޮతʹશମͷϨϕϧΞοϓ͕ਤΕΔͷͰͳ͍͔ 36 Δͱܾ·ͬͨ࣌४උʹෆ҆ײ͡·͕ͨ͠ɺBWAͷΞϓϦ͕ॆ࣮͍ͯ͠ΔͷͰ४උ͠ қ͔ͬͨͰ͢ɻडߨऀͷԠϙδςΟϒͰཧղਂ·ͬͨΑ͏Ͱɺͬͯྑ͔ͬͨͰ͢ɻ!
·ͱΊ • OWASP BWA(Broken Web Application)ͷհ • γφϦΦͷ࡞ϙϦγʔ / ࡞खॱ
• XSSʹؔ͢Δ۩ମతͳͷཻ/ॱ൪ • XSSʹؔ͢Δԋश՝1-4 • ֶੜ/৬һ͚ͷԋश༰(എܠ/ڥߏங)ͷհ 37 ηΩϡϦςΟԋशҎ֎ͱ؆୯ʹ࢝ΊΒΕ·͢ɻ·ͩͷํੋඇʂ!