'Securing Web Apps with Modern Platform Features' を意訳してみる / Translate Securing Web Apps with Modern Platform Features

Transcript

1. Securing Web Apps with Modern Platform Features Securing Web Apps

   with Modern Platform Features @sunecosuri Date: 2019-06-19
 Google I/O’19 ͷWebΛ·ͱΊΔձ Λ·ͱΊͯΈΔ

2. Securing Web Apps with Modern Platform Features ஫ҙ ·ͱΊͯΈΔɺͱॻ͍ͨ΋ͷͷ
 Ұ෦Λ୺ં͍ͬͯΔՕॴ͕͋ΔͨΊશͯ·ͱΊΒΕ͍ͯ·ͤΜ


   ৄࡉ͸ݩͷಈըʹͳΔηογϣϯΛ͝ཡ͍ͩ͘͞
 
 https://www.youtube.com/watch?v=DDtM9caQ97I

3. GMOϖύϘ ΤϯδχΞ ϗεςΟϯάࣄۀ෦ϗεςΟϯάάϧʔϓ
 ໐ւ ߂ً / @sunecosuri ϚωʔδυΫϥ΢υνʔϜ

4. Overview Overview XSS΍CSRFͳͲͷ͋Γ͕ͪͳ੬ऑੑ͸௕͖ʹ౉ͬͯWebΛ೰·ͤɺ·ͨGoogleͷ Vulnerability Reward ProgramͰ΋සൟʹใࠂ͞Ε͍ͯ·͢ɻ࠷৽ͷWebϓϥοτϑΥʔϜʹ ͓͚ΔηΩϡϦςΟͷ࢓૊ΈΛֶΜͰɺ͋ͳͨͷαʔϏεΛΠϯδΣΫγϣϯ͔Β๷͍Ͱةݥͳ αΠτ͔Βִ཭͠·͠ΐ͏ɻ
 ·ͨɺWebͰ΋ͬͱ΋ηϯγςΟϒͳΞϓϦΛक͍ͬͯΔGoogleͷηΩϡϦςΟνʔϜͷܦݧ ʹΑͬͯಘΒΕͨϒϥ΢βͷ৽ػೳʹΑͬͯɺ͋ͳͨͷΞϓϦέʔγϣϯΛकΔͨΊͷνΣοΫ

   ϦετΛ஌Γ·͠ΐ͏ɻ ͜ ͷ η ο γ ϣ ϯ ʹ ͭ ͍ ͯ

5. όάใࠂใ঑੍ۚ౓ͷڈ೥ͷׂ߹

6. Cross-site scripting Cross-site scripting (XSS) I n j e c

   t i o n s 1. ϩάΠϯϢʔβʔ͕߈ܸऀͷϖʔδΛ๚໰ 2. ߈ܸऀ͕ϢʔβʔΛ੬ऑͳURLʹ༠ಋ͢Δ
 https://test.example/?query=<script src=“//evil/” > 3. εΫϦϓτ͕࣮ߦ͞Εɺ߈ܸऀ͕ϢʔβʔͷઃఆʹΞΫηε͢Δ

7. XSS is turai ͜ΕΒͷΠϯδΣΫγϣϯ߈ܸ
 ʹରͯ͠XSS͸ۀքશମͰେ͖ ͳ໰୊ͱͳ͍ͬͯΔ

8. Let’s start CSP ·ͣɺίϯςϯπηΩϡϦςΟ ϙϦγʔ͔Β࢝Ί·͠ΐ͏

9. Content Security Policy Content Security Policy Level3 Ϧ ι ʔε

   ୯ Ґ Ͱ s c r i p t ͷ ࣮ ߦ Λ ੍ ޚ Ͱ ͖ Δ ػ ߏ ΞϓϦέʔγϣϯͷεΫϦϓτ࣮ߦʹؔ͢Δ͖Ίࡉ͔͘ ੍ޚ͢Δ࢓૊ΈΛಋೖͯ͠XSS͔Β๷ޚ͢Δ
 scriptͷ࣮ߦ΍ϓϥάΠϯͷಡΈࠐΈΛίϯτϩʔϧ͢Δ ͜ͱ͕Ͱ͖Δ CSP͸ɺద੾ͳΤεέʔϓ·ͨ͸XSSΛڐ༰͢ΔόάΛमਖ਼͢Δ΋ͷͰ͸͋Γ·ͤΜ

10. How to implement Ͳ͏΍࣮ͬͯ૷͢Δͷ͔

11. Content Security Policy CSP͸HTTP Response Header Chrome dev tools ͷNetworkλϒ͔ΒͷΩϟϓνϟ

    ࢦఆͨ͠Ϩεϙϯεʹؔ͢ΔϙϦγʔΛɺϒϥ΢βଆͰ औಘ͠ɺࢦఆͨ͠ϙϦγʔΛಡΜͰ࣮ߦՄ൱Λ੍ޚ͢Δ

12. support for reports CSP͸Ϩϙʔτઐ༻Ϟʔυ΋α ϙʔτ͍ͯ͠·͢

13. support for reports

14. Content Security Policy Nonce-Based CSP ͷߟ͑ํ ͜ͷΑ͏ʹCSPΛઃఆ͢Δͱ nonce ͳ͠ͷscript͸ϒϥ΢βʹΑͬͯϒϩοΫ ༗ޮͳnonceΛ࣋ͭεΫϦϓτλάͰ͋Ε͹࣮ߦ

    ্هͷΑ͏ͳnonceΛϦΫΤετ͝ͱʹมߋ͢Ε͹߈ܸऀ͸༧ଌͰ͖ͳ͍

15. CDNͱ͔ͷଞͷ৔ॴͰ
 ϗετ͞Ε͍ͯΔJavaScript͸࣮ߦ
 ͞Εͳ͘ͳͬͯ͠·͏ͷͰ͸…ʁ

16. Content Security Policy ͦͷͨΊͷ ‘strict-dynamic’ strict-dynamic Λ࢖༻͢Δͱɺ͢Ͱʹ৴པ͞Ε͍ͯΔεΫϦϓτΛڐՄ͢Δ͜ͱͰɺ
 nonceͷ͍ͭͨεΫϦϓτ͔Βੜ੒͞ΕͨεΫϦϓτ͸࣮ߦՄೳʹͳΔ ࣮ߦ͞ΕΔ

17. Content Security Policy ͲͷΑ͏ʹಋೖ͢Δ͔ 1. onclick΍hrefͰࢦఆ͞ΕΔΠϯϥΠϯΠϕϯτϋϯυϥʔΛͳ͘͢ 2.αʔόʔαΠυςϯϓϨʔτʹͯnonceΛࢦఆ͢Δ 3.ϨεϙϯεϔομʔͰCSPΛࢦఆ͢Δ

18. Trusted Types Trusted-types D o m ͷ ߋ ৽ ʹ

    ੍ ໿ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ 1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ੒͞ΕΔ
 Trusted TypesΦϒδΣΫτͰͷΈɺDOMΛߋ৽Ͱ͖Δ 2.αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹू໿Ͱ͖Δ https://github.com/WICG/trusted-types ʹͯɺ 
 શͯͷϒϥ΢βͰػೳ͢Δ Polyfill ΋༻ҙ͞Ε͓ͯΓࢼͤΔΑ͏ʹͳ͍ͬͯΔ

19. 1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞੒͢Δ
 
 
 
 2. ϙϦγʔΛ࢖༻ͯ͠৴པͰ͖ΔܕͷΦϒδΣΫτΛ࡞੒͢Δ
 
 ͋

    3. ࡞੒ͨ͠ ”samplePolicy” Λ CSPheader ʹ௥Ճ͢Δ͜ͱͰར༻Ͱ͖Δ
 
 Trusted Types Trusted-types D o m ͷ ߋ ৽ ʹ ੍ ໿ Λ ઃ ͚ Δ ͜ ͱ ͕ Ͱ ͖ Δ ػ ߏ

20. Trusted Types Default Policy͸ String ͕ೖͬͨ࣌ͷ fallbackͱͯ͠ػೳ͢Δ 1. validation ruleΛఆٛͨ͠ϙϦγʔΛ࡞੒͢Δ

    2. CSP headerʹ௥Ճ͢Δ

21. Trusted
 Types 1. ݸผʹఆٛͨ͠Trusted Type Policies͔Βੜ੒͞ΕΔTrusted TypesΦϒδΣΫτͰͷΈɺ DOMΛߋ৽Ͱ͖Δ 2. αχλΠζͷॲཧΛϙϦγʔΦϒδΣΫτʹू໿Ͱ͖Δ

    ৄ͘͠͸ https://github.com/WICG/trusted-types ͳʹ͕خ͍͠ͷ͔ T r u s t e d T y p e s ͷ

22. cross-site request forgeries CSRFରࡦͷ࿩

23. cross-site request forgeries • same-origin: ಉ͡εΩʔϚɺϗετɺϙʔτΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ 
 - https://www.google.com/foo
 -

    https://www.google.com/bar • same-site: ಉ͡εΩʔϚͱυϝΠϯΛ࣋ͬͨαΠτಉ࢜ͷ͜ͱ 
 - https://mail.google.com
 - https://photos.google.com • cross-site: ͦͷଞ (https://www.youtube.com/, https://www.google.com/) Origin ͱ Site ͷҧ͍ʹ͍ͭͯ

24. Sec-Fetch-Site
 Sec-Fetch-Modeʹ͍ͭͯ কདྷతʹheaderͰಉҰorigin͔corsͳͲ൑ผͰ͖Δ

25. ͓͠·͍