Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
OWT2017JP - OWASP BWA
Search
OWASP Japan
September 30, 2017
Technology
9
3.5k
OWT2017JP - OWASP BWA
#OWT2017JP
Training Course using OWASP BWA
by 松浦知史, 東京工業大学
OWASP Japan
September 30, 2017
Tweet
Share
More Decks by OWASP Japan
See All by OWASP Japan
OWASP Night 2019.03 Tokyo
owaspjapan
0
340
OWASP SAMMを活用したセキュア開発の推進
owaspjapan
0
1k
20190107_AbuseCaseCheatSheet
owaspjapan
0
180
セキュリティ要求定義で使える非機能要求グレードとASVS
owaspjapan
5
1k
AWSクラスタに捧ぐウェブを衛っていく方法論と死なない程度の修羅場の価値
owaspjapan
9
3.3k
Shifting Left Like a Boss
owaspjapan
2
290
OWASP Top 10 and Your Web Apps
owaspjapan
2
380
OWASP Japan Proposal: Encouraging Japanese Translation
owaspjapan
1
240
elegance_of_OWASP_Top10_2017
owaspjapan
2
530
Other Decks in Technology
See All in Technology
5min GuardDuty Extended Threat Detection EKS
takakuni
0
180
解析の定理証明実践@Lean 4
dec9ue
1
210
CursorによるPMO業務の代替 / Automating PMO Tasks with Cursor
motoyoshi_kakaku
2
870
生成AI時代 文字コードを学ぶ意義を見出せるか?
hrsued
1
760
Witchcraft for Memory
pocke
1
710
Geminiとv0による高速プロトタイピング
shinya337
0
220
マネジメントって難しい、けどおもしろい / Management is tough, but fun! #em_findy
ar_tama
1
220
Zephyr RTOSを使った開発コンペに参加した件
iotengineer22
1
180
Backlog ユーザー棚卸しRTA、多分これが一番早いと思います
__allllllllez__
1
120
FrankenPHPでLaravelを動かしてみよう
yousaku
0
100
LangSmith×Webhook連携で実現するプロンプトドリブンCI/CD
sergicalsix
1
180
KubeCon + CloudNativeCon Japan 2025 Recap by CA
ponkio_o
PRO
0
270
Featured
See All Featured
The Invisible Side of Design
smashingmag
301
51k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.7k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
30
5.9k
Site-Speed That Sticks
csswizardry
10
680
For a Future-Friendly Web
brad_frost
179
9.8k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
30
2.1k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.5k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
48
5.4k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
35
2.4k
Adopting Sorbet at Scale
ufuk
77
9.4k
Transcript
08"41#8"Λ༻ֶ͍ͨੜ ͓Αͼ৬һ͚τϨʔχϯά ౦ژۀେֶɹֶज़ࠃࡍใηϯλʔɹ দӜ࢙ (
[email protected]
)
2 দӜ ࢙ (MATSUURA Satoshi) ౦ژۀେֶ ֶज़ࠃࡍใηϯλʔ ।ڭत ౦େCERT ౷ׅऀ
http://cert.titech.ac.jp ▪ ηΩϡϦςΟڭҭ • αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜ (౦େɾम࢜ର) • IT-Keys / SecCap (ෳͷ࢈ֶ৫ɾम࢜ର) ▪ ݚڀ׆ಈ • geographical overlay network, େنηϯαωοτϫʔΫ, ࢄPub/ Sub, DTN, ηΩϡϦςΟϩάੳͱػցֶश
ίʔεΛ௨ͯ͠Կֶ͕Δ͔ • OWASP BWA(Broken Web Application)ͱԿ͔ • ԋश࣮ࢪऀ͓Αͼडߨऀʹର͢ΔڭҭޮՌ • OWASP
BWAΛར༻ͨ͠ԋशڥͷߏஙํ๏ • ۩ମతͳ߈ܸγφϦΦͷ࡞खॱ • ۩ମతͳԋश࣮ࢪखॱ(ͷग़͠ํ) – डߨऀ͕ཧղ͍͢͠ͷཻͱॱ൪Λߟྀ • ۩ମతͳԋश࣮ࢪྫͱTips – OWASP TOP10Ճֶ͑ͨੜ/৬һ͚ͷԋश࣮ࢪྫ 3
OWASP BWA(Broken Web Application) 4 ɾηΩϡϦςΟֶश༻ͷ੬ऑͳΞϓϦΛؚΉLinux͕ϕʔεͱͳͬͨVMΠϝʔδ ) ઈରʹάϩʔόϧͳڥʹଓͤͣɺִ͞ΕͨNATڥͰར༻ͯ͠Լ͞ ͍ OWASP
BWAτοϓϖʔδ ଟछଟ༷ͳΞϓϦ͕༻ҙ͞Ε͍ͯΔ τϨʔχϯάΞϓϦ ੬ऑੑΛ๊͑ͨΞϓϦͳͲ
BWAͷରऀ • WEBΞϓϦέʔγϣϯͷηΩϡϦςΟΛֶͼ͍ͨํ • ϦεΫධՁٕज़(ϖωτϨɺ੬ऑੑஅͳͲ)ΛखಈͰࢼ͍ͨ͠ํ • ࣗಈԽπʔϧΛςετ͍ͨ͠ํ • ιʔείʔυ͕ηΩϡΞ͔Ͳ͏͔ੳ͍ͨ͠ํ •
WEBʹର͢Δ߈ܸΛࢹ͍ͨ͠ํ • WAFͷٕज़Λςετ͍ͨ͠ํ 5 ใηΩϡϦςΟͷॳֶऀ͔ΒΞϓϦέʔγϣϯ։ൃऀɺηΩϡϦςΟػثͷӡ༻୲ ऀ·Ͱɺతʹ߹Θͤͯ෯͍ٕज़ऀ͕ར༻Ͱ͖Δɻ໊લͷ௨ΓWEB͕த৺ɻ!
BWAͷத • Training Applications – ੬ऑੑຖʹίʔε͕༻ҙ͞Ε͓ͯΓɺΛղ͖ͳ͕ΒֶΔWEBΞϓϦ • Realistic, Intentionally Vulnerable
Applications – ଟछଟ༷ͳ੬ऑੑ͕ҙਤతʹ࡞Γࠐ·ΕͨWEBΞϓϦ • Old Versions of Real Applications – WordPressͳͲ࣮ࡏ͢ΔΞϓϦ(੬ऑੑͷ͋Δݹ͍όʔδϣϯ) • Applications for Testing Tools • Demonstration Pages / Small Applications • OWASP Demonstration Applications 6 ࠷ॳ͔Β੬ऑੑΛ๊༷͑ͨʑͳΞϓϦؚ͕·Ε͓ͯΓɺԋश࣮ࢪऀԋशڥͷߏங γφϦΦͷ࡞ʹूதग़དྷΔɻ·ͨVMͰ͞Ε͍ͯΔͷͰڥߏங༰қɻ! ֤ʑ10छྨ΄Ͳ! ༻ҙ͞Ε͍ͯΔ!
ࠓճԋशΛߦͬͨର(౦େੜ/౦େ৬һ) • ౦େੜ (ओʹमֶ࢜ੜ) – αΠόʔηΩϡϦςΟಛผઐֶमϓϩάϥϜΛडߨ – CSͷجૅཧدΓͷߨ͕ٛଟ͍(ྑ͍ࣄ) – جૅྗΛԠ༻͢Δ࣮ફతͳ(ߨٛ)Λఏڙ͍ͨ͠!
• ౦େCERT (ओʹࣄһ+ٕज़৬һ) – ৫CSIRTۀΛ୲ – ʑηΩϡϦςΟͷʹ৮ΕΔ͕ৄࡉΛΔػձ͕ແ͍ – ΈΛΓɺۀͰͷஅྗΛ্͍ͤͨ͞! 7
࠲ֶͱԋश 8 ԋशڥ͕Γ͍ͯͳ͍ঢ়گͰ͋ͬͨͷͰɺͰ͖ΔݶΓߏஙίετΛ͑ͳ͕Βԋश Λߦ͏ͨΊʹOWASP BWAΛ࠾༻ͨ͠ɻ! ࣝͷར༻/Ԡ༻! ࣝͷशಘ!
9 ۩ମతͳγφϦΦͷ ࡞खॱΛհ͠·͢
ԋशڥ/γφϦΦͷ࡞ϙϦγʔ • डߨऀ͕ແཧͳ͘४උ͠ࢀՃͰ͖Δԋशڥ • ݱ࣮ͷڥʹஔ͖͑ͯ૾Մೳͳԋशڥ • ग़དྷΔ͚ͩडߨऀ͕ࣗྗͰղ͚Δͷཻ/ • ղ͖ਐΊΔͱࣗવͱ߈ܸγφϦΦ͕ཧղͰ͖Δߏ 10
੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ෳࡶͳXSSΛडߨऀʹͲ͏ཧղͯ͠͏͔ 11
XSSશମͷγφϦΦΛղ • ΫοΩʔใΛ֬ೝ͠ɺมߋ͢Δ (1,6) – ϒϥβΛར༻͠ΫοΩʔͷૢ࡞ΛΔ • ੬ऑੑͷ֬ೝͱނҙͷใ࿙Ӯ (1,4,5) –
ݕࡧϑΥʔϜΛར༻͠ΫοΩʔใΛૹ৴ • ߈ܸίʔυͷ࡞/ઃஔ (2,3,4) – ΫοΩʔใΛૹ৴͢ΔίʔυΛؚΜͩURLͷੜ 12 Λখ͘͞ղ͢Δ͜ͱͰͷқ͕Լ͢ΔɻώϯτΛՃ͑Δ͜ͱͰଟ͘ͷ डߨऀ͕ࣗྗͰղ͢Δࣄ͕Մೳɻ্ه̏ͭΛΈ߹ΘͤΔͱશମͷγφϦΦʹɻ!
ϢʔβʹΑΔΫοΩʔͷฤू 13 ɾϒϥβͷΞυϨεόʔͰJavaScriptΛ࣮ߦՄೳ ɾΫοΩʔͷදࣔ - javascript:alert(document.cookie); ɾΫοΩʔͷՃɾฤू - javascript:void(document.cookie=”id=abcd1234”); αΠτΛ๚Εͨ࣌Ͱcookieແ͠
ΞυϨεόʔΑΓcookieΛՃ ΞυϨεόʔΑΓcookieΛฤू
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) 14 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻
߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 15 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
BWAΛར༻͠ɺγφϦΦΛ࣮͢Δ 16 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ ChromeXSS੬ऑੑ͕͋ΔϑΥʔϜͰͷεΫϦϓτ࣮ߦ ͕ݫ੍͘͠ݶ͞Ε͍ͯΔɻFirefoxܯࠂͷΈɻWin/Mac
ͱडߨऀڥ͕·ͪ·ͪͰ͋ΔࣄΛߟ͑FirefoxΛ࠾༻ɻ डߨऀPC্ͷ Firefox BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA͕ىಈग़དྷΕɺޙFirefoxΛडߨऀʹΠϯετʔϧ͖ͯͯ͠͏ࣄͱผ్ ApacheͳͲhttpdΛ४උ͠ɺΞΫηεϩά͕ݟΒΕΔ༷ʹ͓͚ͯͩ͘͠Ͱ४උྃɻ!
ʔɺ ·͔ͬ͢͡ʔ ࣮ࡍͷ४උաఔ ͬͺΓ ԋशΛ Γ͍ͨ ʂʂ Ғ͍ਓ ͱʹ͔͘
Δ͔͠ͳ͍ ୲ऀ 2िؒఔͷ४උظؒ • ձٞͰ४උίετͷߴ͔͞Βԋशஅ೦͢Δํʹ͔͏͕ɺͷҰ͕ • 2िؒఔͰۀͷ߹ؒʹԋशڥΛ࡞ΓࠐΉࣄʹ(தʑʹେมɻBWAʹײँ) • ࣮ࡍʹBWAͷΞϓϦΛར༻͠ࢼߦࡨޡ͠ͳ͕ΒγφϦΦΛ࡞ɻ͜͜·Ͱͷ આ໌ͷ༷ʹશͯτοϓμϯͱ͍͏༁ʹதʑ͍͔ͳ͍ɻ • ԋश୲ऀXSSͳͲԋशʹ݁͢Δ͚ࣝͩͰແ͘ɺγφϦΦͷ࡞ೳ ྗɺHTTPͷཧղɺԾڥͷߏஙೳྗͳͲ෯͍ࣝೳྗ͕ʹ͘ɻ 17
18 ࣮ࡍͷΛݟͯɺ γφϦΦΛḷͬͯΈ·͠ΐ͏
੬ऑੑ͕͋ΔݕࡧϑΥʔϜ @ BWA WackoPicko 19 1. ௨ৗͷݕࡧ! 2. HTMLλάΛؚΜͩݕࡧ! 3.
javascriptΛؚΜͩݕࡧ! ɾݕࡧจࣈྻ ɹ1.ɿhouse ɹ2.ɿ<s>house</s> ɹ3.ɿ<script>alert('hello');</script>
ނҙͷใ࿙Ӯ(ϢʔβʹΑΔࣗര) ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ߈ܸίʔυΛؚΜͩΞΫηε
(߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ ϩάΠϯதʹ߈ܸίʔυΛ੬ऑͳݕࡧϑΥʔϜʹೖྗ͢Δͱɺ ߈ܸίʔυ͕࣮ߦ͞Εɺcookieͷใ͕࿙Ӯͯ͠͠·͏ ੬ऑͳ෦(ݕࡧϑΥʔϜ) 20
ԋश՝̍ 21 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛ֎෦αʔό(192.168.7.100)ʹ ɹɹૹ৴͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛΞΫηεϩάΑΓ֬ೝ͠ͳ͍͞ άάΔ KBWBTDSJQUΛར༻͢Δ JNHTSDz63-zΛར༻ͯ͠ɺ֎෦αʔόʹϝοηʔδΛૹΔ 'JSFGPYͷ։ൃπʔϧΛ׆༻͢Δ πʔϧˠ8&#։ൃˠ։ൃπʔϧΛදࣔ
ώϯτ
FirefoxͷWEB։ൃπʔϧ 22 ཁૉͷௐࠪ (HTMLͷதΛ͏)! ௨৴ͷௐࠪ (HTTPͷதΛ͏)! - WEB։ൃʹ͔ܽͤͳ͍πʔϧɻChrome / Safariʹඪ४Ͱଐ
- πʔϧ→WEB։ൃ→։ൃπʔϧͷදࣔͱḷΔ (Mac: Cmd + Opt + i)
߈ܸίʔυΛؚΜͩURLͷ࡞/ઃஔ 23 ੬ऑͳ8&#αΠτ ϒϥβ ᠘αΠτ ᠘αΠτͷΞΫηε ੬ऑͳαΠτͷϦϯΫPOST
(߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) ϝʔϧຊจதͷURL͔Β᠘αΠτ༠ಋ͞Εͯ͠·͍ɺ ੬ऑͳαΠτʹରͯ͠߈ܸίʔυΛؚΜͩΞΫηεΛͯ͠͠·͏
ԋश՝̎ 24 ̍ɽcookieͷதΛදࣔͯ͠͠·͏ϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠Լਤͷ༷ͳuser/passͷೖྗΛٻΊΔϑΥʔϜΛ࡞͠ͳ͍͞ ̏ɽϘλϯ͕ԡ͞Εͨ࣌ʹೖྗ͞ΕͨใΛ(ෆਖ਼ͳ)֎෦αʔόʹૹ৴͢ΔΑ͏ʹ͠ͳ͍͞ ̐ɽ্ه̎ͭͷػೳΛ࣋ͬͨϖʔδʹ༠ಋ͢ΔϦϯΫ(URL)Λ࡞͠ͳ͍͞ ̑ɽܝࣔ൘ʹ্ه(4.)ͷURLʹ༠ಋ͢ΔϦϯΫΛॻ͖ࠐΈͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A
#8"8BDLP1JDLP 'JSFGPY #8":B[E "QBDIF ϩάΠϯ͓Αͼ αΠτͷܧଓతར༻ ᠘αΠτͷΞΫηε
੬ऑͳαΠτͷϦϯΫPOST (߈ܸ༻HTML/javascriptΛؚΉ) ߈ܸίʔυΛؚΜͩΞΫηε (߈ܸऀʹcookieΛૹ৴͢Δίʔυ) cookieͷใΛૹ৴ cookie͔ΒηογϣϯIDΛऔಘ ϢʔβʹͳΓ͢·ͯ͠ΞΫηε ੬ऑͳ෦ ԋशΛ௨ͯ͠શମͷγφϦΦΛཧղͯ͠͏ 25 ܝࣔ൘αΠτΛ๚Εෆ༻ҙʹURLΛΫϦοΫͨ͠ॴɺଞͰϩάΠϯ͍ͯͨ͠ը૾ڞ༗αΠτ ʹෆਖ਼ʹ৵ೖ͞Εͯ͠·͍ɺϓϥΠϕʔτͳࣸਅΛݟΒΕΔͷةݥੑ͕͋ΔࣄΛ࣮ײͯ͠ ͏ɻଞͷαʔϏεؚΊͯͲΜͳඃ͕ൃੜ͢Δ͔डߨऀʹߟ͑ͯ͏ɻ!
26 ͋ͬ͞Γͱղ͚ͨडߨੜ͚ʹ Ճͨ͠(͓·͚)
GETةݥɺPOST҆શʁʁ 27 ɾGETͰͳ͘POSTΛ͏͖(ͱ͍͏ਓ͕͍Δ) URLʹ߈ܸίʔυΛຒΊΒΕͳ͍ͷͰɺ҆શͩͱצҧ͍͍ͯ͠Δ ݕࡧϑΥʔϜɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site Scripting(XSS)→Phishing with XSS ͜͜ͷݕࡧϑΥʔϜPOSTΛར༻͍ͯ͠Δɻຊʹ҆શͰ͠ΐ͏͔ʁ
ԋश՝̏ 28 ̍ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛදࣔͤ͞ͳ͍͞ ̎ɽݕࡧϑΥʔϜΛར༻ͯ͠cookieͷதΛෆਖ਼ͳWEBαʔόʹૹ৴͠ͳ͍͞ ̏ɽԼهͷ༷ͳೝূใΛೖྗ͢ΔϑΥʔϜΛ࡞Γͳ͍͞ ̐ɽೝূใΛೖྗ͠ɺͦͷ༰Λෆਖ਼WEBαʔόʹૹ৴͠ͳ͍͞
ԋश՝̐ 29 ̍ɽܝࣔ൘(Yazd)ʹ᠘Λֻ͚ɺ՝̏ͷೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→Yazd→Test Forum A ̎ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ ̏ɽܝࣔ൘(WebGoat)ʹ᠘Λֻ͚ɺೝূใೖྗϑΥʔϜΛදࣔͤ͞ͳ͍͞ ܝࣔ൘ɿBWAτοϓϖʔδ→OWASP WebGoat→Cross-Site
Scripting(XSS)→Stored XSS Attacks ̐ɽ্هͷϑΥʔϜʹuser/passΛೖྗ͠ɺใ͕࿙Ӯ͍ͯ͠ΔࣄΛ֬ೝ͠ͳ͍͞ :B[Eͷܝࣔ൘ຊޠʹରԠ͍ͯ͠ͳ͍ͷͰɺϝοηʔδӳޠͰྑ͍ 'JSFGPYͷ։ൃπʔϧͰ)551௨৴ͷ༰ΛѲ͢Δ 'PSN JOQVUλάͰ1045͕Մೳ )5.-ͷߏΛௐࠪ͠ɺѱҙ͋Δίʔυ͕Ͳͷ෦ʹө͞ΕΔ͔֬ೝ͢Δ ώϯτ
30 ηΩϡϦςΟԋशΛ࣮ࢪͨ͠ ༷ࢠΛ۩ମతʹհ͠·͢
౦େੜ͚ͷηΩϡϦςΟ߹॓ • ରऀɿ౦େੜ(ओʹम࢜) 10໊ఔ • ։࠵/ظؒɿശࠜͷϗςϧ / 2ധ3 • डߨऀͷϨϕϧɿཧܥֶੜͱͯ͠ߴ͍جૅྗΛ࣋ͭɻҰํͰHTML
JSɺHTTPͷWEBٕज़ͷجૅΛΒͳֶ͍ੜҰఆͷׂ߹ଘࡏ͢Δɻη ΩϡϦςΟٕज़ʹڵຯ͕͋ΔఔͰɺCTFࢀՃऀͳͲ͍ͳ͍ঢ়گɻ 31 Λղ༷͘ࢠ ԋशձͷ༷ࢠ
߹॓ʹ͓͚Δԋशڥͷ४උ • ߹॓લʹडߨऀ֤ࣗͷϚγϯʹOWASP BWAΛΠϯετʔϧ͖ͯͯ͠͏ • VMWare Player(Win) / VirtualBox(Win/Mac) /
VMWare fusion(Macɾ༗ঈ)ͰBWA͕ແ͘ىಈ • FirefoxซͤͯΠϯετʔϧͯ͘͠ΔΑ͏ʹࢦࣔ • ߦͷΠϯετʔϧղઆΛࣄલʹૹͬͨͷΈͰɺಛஈͷτϥϒϧແ͠ • ApacheͳͲԋशʹผ్ࢦࣔͯ͠४උͯ͠͏ • VirtualBoxOWASP BWAͰGB͋ΔͷͰUSBϝϞϦೖΕ͓ͯ͘ͱτϥϒϧ࣌ʹཱͭ • ֤ࣗͷPCͰ݁ͯ͠ԋश͕ߦ͑Δঢ়ଶ (ձͷωοτϫʔΫڥ͕ಡΊͳ͍ͨΊ) 32 ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” ੬ऑͳ8&#αΠτ ϒϥβ ใ࿙ӮઌͷαΠτ डߨऀPC্ͷ Firefox ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ ൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko”
߹॓ͷϓϩάϥϜ • 1 (౦େ ߨࢣਞ) – ωοτϫʔΫ/ೝূ/WEB/OSʹؔ͢Δߨٛ – OWASP TOP
10ʹؔ͢Δௐࠪ(άϧʔϓϫʔΫ) • 2 (౦େ ߨࢣਞ) – OWASP TOP 10ʹؔ͢Δൃදͱٞ – OWASP BWAΛ༻͍ͨԋश • 3 (ָఱCERT ߨࢣਞ) – ָఱΛऔΓר͘ϦΞϧͳηΩϡϦςΟͷ – XSS / SQLi / RCEΛத৺ͱͨ͠ԋश – ιʔγϟϧΤϯδχΞϦϯάͷ 33 TOP 10άϧʔϓؒͰͷॏෳΛڐ̎͠ɼ̏ͷςʔϚΛௐ͓ࠪΑͼൃදɻ͕σϞΛ࡞͢ Δͱ͍͏ྗͷೖΕΑ͏Ͱ͋ͬͨɻBWAԋश4࣌ؒͷ༧ఆ͕ϓϩάϥϜ͕ԡͯ͠͠·͍2࣌ؒ ͷΈɻ͕࣌ؒΓͳ͍ͱͷҙݟ͕ଟग़͕ͨɺԋश՝̎·Ͱଟ͘ͷडߨऀ͕ղ͍͍ͯ ͨɻ!
౦େ৬һ͚ηΩϡϦςΟԋश • ରऀɿ౦େCERT(ओʹࣄ৬һʴٕज़৬һ) 5໊ • ։࠵/ظؒɿ౦େͷձٞࣨ / 2ϲ݄(1.5࣌ؒ/ि) • डߨऀͷϨϕϧɿʑηΩϡϦςΟͷʹ৮Ε
Δ͕ٕज़తͳৄࡉΛֶश͢Δػձແ͍ɻCSͷό οΫάϥϯυ͋·Γແ͍ɻ1໊ใܥग़Ͱ2 ճ(3࣌ؒ)΄ͲͰશͯऴྃɻ 34 Ώͬ͘ΓਐΊΔࣄ͕ॏཁɻֶੜʹࣄલߨٛͰWEBʹ͓͚ΔηογϣϯཧಉҰੜݩϙ ϦγʔͳͲʹݴٴ͕ͨ͠ɺ৬һ͚Ͱ͞ΒʹHTMLλά؆୯ͳJSͷ࣮ߦͷํͳͲؚ Ίͯेʹ࣌ؒΛऔͬͯਐΊͨɻ͔͔͕࣌ؒͬͨԋश՝̎·Ͱଟ͕͘ղͰ͖ͨɻ!
ԋशڥͷߏங ੬ऑͳ8&#αΠτ ใ࿙ӮઌͷαΠτ ApacheͳͲͷ httpd ᠘αΠτ BWA্ͷܝࣔ
൘”Yazd” BWA্ͷࣸਅڞ༗α Πτ”WackoPicko” • VMWare vSphere (ESXi)ͷڥʹBWAΛ४උ • ެࣜαΠτ͔Βऔಘͨ͠.vmxϑΝΠϧΛVMWare OVFToolΛར༻ͯ͠.ovaʹมͯ͠ར༻͢Δ • BWAެࣜͷOVA(ver 1.2 / 1.1.1)ىಈͤͣWEB্Ͱಉ༷ͷࢦఠ༗Γ • OVFToolίϚϯυWin/Mac/Linux൛͕༻ҙ͞Ε͍ͯΔʢMacͷ߹Լهͷ༷ʹม͢Δ) • /Applications/VMware\ OVF\ Tool/ovftool --acceptAllEulas path/to/vm/VM01.vmwarevm/VM01.vmx path/to/output/VM01.ova • vSphere client͔Β্هͰੜͨ͠.ovaϑΝΠϧΛσϓϩΠ͢ΕBWA͕ར༻Մೳ • ࣮ݧ༻ͷԾԽج൫্Ͱߦ͕ͬͨ҆શͷͨΊԋश࣌Ҏ֎BWAͷిݯOFFʹ (εφοϓγϣοτΛऔͬͯॳظԽ༗ޮ) • डߨऀFirefoxΛΠϯετʔϧͨ͠PCΛ࣋ࢀ͢Δ͚ͩ 35 vSphere 6.0 @ Mac mini 2012 (16GB MEM, 256GB SSDx2)
ֶੜ͚ / ৬һ͚ͷԋशΛ௨ͯ͠ͷࡶײ • جૅྗͷࠩͦ͋͜Εɺ࣌ؒΛֻ͚Εஈ֊Λͬͯղ͕Մೳ • खΛಈ͔͠ͳ͕Β͕ղ͚ͨ࣌ྸʹؔΘΒָͣͦ͠͏Ͱ͋Δ • ಛʹ৬һ۩ମతʹةݥͰ͋ΔͱॳΊͯ૾Ͱ͖Δέʔεଟ͍ •
ֶੜ͚ʹ༰Λॆ࣮͢Δඞཁ͕͋Δ(ଟ͘ΛֶΜͰཉ͍͠) • ಥग़ͯ͠ਐΉֶੜ͕͍ͯɺղ͖͘ࡐBWAʹ૬͋ΔͷͰ์ஔϓϨʔՄೳ • ৬һ͚ʹICTཧऀͳͲ෯͘ࢀՃ͍ͯ͠ɺҙ্ࣝΛਤΔࣄ͕ޮՌత • ڥߏஙBWAͷύοέʔδϯάͱVMͷ͓͔͛Ͱ૬ʹָͰ͋Δ(γφϦΦ࡞ʹूதग़དྷ Δ) • ԋश࣮ࢪऀ෯ֶ͘ΔɻηΩϡϦςΟΛֶͼ͍ͨ։ൃऀूஂͰ͋Εɺ֤ࣗͰςʔϚΛܾ Ίͯ1࣌ؒఔͷԋशΛॱ൪ʹ୲͢ΔͱޮతʹશମͷϨϕϧΞοϓ͕ਤΕΔͷͰͳ͍͔ 36 Δͱܾ·ͬͨ࣌४උʹෆ҆ײ͡·͕ͨ͠ɺBWAͷΞϓϦ͕ॆ࣮͍ͯ͠ΔͷͰ४උ͠ қ͔ͬͨͰ͢ɻडߨऀͷԠϙδςΟϒͰཧղਂ·ͬͨΑ͏Ͱɺͬͯྑ͔ͬͨͰ͢ɻ!
·ͱΊ • OWASP BWA(Broken Web Application)ͷհ • γφϦΦͷ࡞ϙϦγʔ / ࡞खॱ
• XSSʹؔ͢Δ۩ମతͳͷཻ/ॱ൪ • XSSʹؔ͢Δԋश՝1-4 • ֶੜ/৬һ͚ͷԋश༰(എܠ/ڥߏங)ͷհ 37 ηΩϡϦςΟԋशҎ֎ͱ؆୯ʹ࢝ΊΒΕ·͢ɻ·ͩͷํੋඇʂ!