[bpstudy] OWASP ZAP Vulnerability Assessment.
Yuho Kameda
February 26, 2016
2016/2/26 #bpstudy Learning from OWASP ZAP: an introduction to techniques for investigating the vulnerabilities lurking in web applications
Transcript
Learning from OWASP ZAP: an introduction to techniques for investigating the vulnerabilities lurking in web applications. 2016/2/26 #bpstudy @YuhoKameda
Self-introduction: Yuho Kameda : ykame (@YuhoKameda), ZAP Evangelist. Main work: web application vulnerability assessment,
platform vulnerability assessment, SOC/CSIRT work, emergency incident response staff…
ZAP Newsletter 2015/12: contributed an article at the invitation of the ZAP project leader. http://zaproxy.blogspot.jp/2015/12/zap-newsletter-2015-december.html
Agenda. Scanner tool comparison: tools for finding vulnerabilities, compared and introduced from various angles. Vulnerability investigation with OWASP ZAP: using free tools for finding vulnerabilities, mainly in web applications, and walking through the investigation flow.
Quick survey: 1. Those who have heard of vulnerability assessment. 2. Those whose own company commissions or receives a vulnerability assessment service. 3. Those who have tried to find vulnerabilities in a running server / web app.
4. Those who have used OWASP ZAP.
(Main topic) What is a security scanner? A tool that uses various test techniques to detect the vulnerabilities present in the target under test. For web application vulnerability assessment: SQL injection, cross-site scripting, and so on. For platform vulnerability assessment: vulnerabilities present in the installed middleware versions, vulnerabilities that depend on the SSL/TLS cipher suites and protocol versions, and so on.
Security scanner overview
Web application security scanners: WebInspect, AppScan, Vex (commercial); OWASP ZAP, Nikto, w3af (free).
Platform security scanners: commercial and free tools (shown on the slide).
Differences between commercial and free tools
Typical characteristics of security scanners (item: commercial scanner / free scanner). Test items: many / few. Support: full / basically none.
Report output: full / simple. False positives: relatively few / relatively many. Language: Japanese supported / mostly English. Price: very expensive / free. Public information: basically none / a great deal. Source code: closed / some are open. Operating environment: depends on the tool / depends on the tool. Note: the details differ by tool, so treat this as a rough guide.
Differences between commercial tools, free tools and ZAP
Typical characteristics of security scanners (item: commercial scanner / free scanner / OWASP ZAP). Test items: many / few / many.
Support: full / basically none / active community. Report output: full / simple / full (mostly English). False positives: relatively few / relatively many / relatively few. Language: Japanese supported / mostly English / Japanese supported. Price: very expensive / free / free. Public information: basically none / a great deal / a great deal. Source code: closed / some are open / open. Operating environment: depends on the tool / depends on the tool / Windows, Linux, Mac. Note: the details differ by tool, so treat this as a rough guide.
How to find vulnerabilities
How to find web app vulnerabilities: send a variety of requests to the running web application and analyze the responses to decide whether a vulnerability is present. (1) Normal request: browse the web page in a browser. (2) Tampering by the proxy: change GET/POST/Cookie values and other headers to invalid values. (3) The request as tampered by the proxy. (4) The response from the server. (5) Logging;
when needed, the response is tampered with as well. (6) The response after passing back through the proxy. Components: browser, proxy, test target.
How to find web app vulnerabilities: send the test request http://attack.local/search.php?q=word
How to find web app vulnerabilities: analyze the response (excerpt) <p class="id"> word </p>
How to find web app vulnerabilities: send the test request http://attack.local/search.php?q="><script>alert(document.cookie);</script>word
How to find web app vulnerabilities: analyze the response (excerpt) <p class="id"> "><script>alert(document.cookie);</script>word </p>
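The response-analysis step from the slides above, written out as an added example (not code from the deck or from ZAP). The search page is a constructed stand-in for search.php: one version reflects q verbatim, the other applies output encoding, and the check classifies how the probe comes back in each.

```python
import html

# Probe string used on the slides; it is reflected into <p class="id">.
PROBE = '"><script>alert(document.cookie);</script>word'


def render_vulnerable(q: str) -> str:
    """Constructed stand-in for search.php that echoes q unescaped."""
    return f'<html><body><p class="id"> {q} </p></body></html>'


def render_fixed(q: str) -> str:
    """Same page with HTML output encoding applied (the 'fix the code' step)."""
    return f'<html><body><p class="id"> {html.escape(q, quote=True)} </p></body></html>'


def classify_reflection(body: str, probe: str) -> str:
    """Decide how the probe came back in the response body.

    'raw'     -> markup reflected verbatim: reflected-XSS indicator
    'encoded' -> reflected as HTML entities: output encoding is in place
    'absent'  -> the probe is not reflected at all
    """
    if probe in body:
        return "raw"
    if html.escape(probe, quote=True) in body:
        return "encoded"
    return "absent"


def scan_param(render, probe: str = PROBE) -> str:
    """Steps 1-4 of the slide: send the normal request first, confirm the
    parameter is reflected, then send the tampered request and classify it."""
    baseline = render("word")
    if "word" not in baseline:
        return "not-reflected"
    return classify_reflection(render(probe), probe)


if __name__ == "__main__":
    print("vulnerable page:", scan_param(render_vulnerable))  # raw
    print("fixed page:     ", scan_param(render_fixed))       # encoded
```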
How to find platform vulnerabilities: send the test request http://attack.local/
How to find platform vulnerabilities: analyze the response.
How to find platform vulnerabilities: the large majority are vulnerabilities caused by server/service configuration or by the running version, so analyze the response for those.
Understanding vulnerabilities
Learn vulnerabilities by experiencing them: https://www.ipa.go.jp/security/vuln/appgoat/
Learn vulnerabilities by experiencing them: OWASP Broken Web Application (BWA), a bundle of vulnerable web applications in Java / ASP
/ PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
OWASP TOP 10 - 2013 https://www.owasp.org/images/7/79/OWASP_Top_10_2013_JPN.pdf
Introduction to vulnerabilities
Test flow
Testing a web application: select the web pages to assess, run the security scanner, confirm and examine the findings.
Testing a platform: select the IP addresses to assess, run the security scanner, confirm and examine the findings.
Test flow with ZAP
Caution: if you perform the actions described in these slides against networks or computers not under your own control, they may be judged to be an attack. Perform them only against networks and servers under your own control.
Environment setup. Install OWASP ZAP: OWASP ZAP 2.4.3 (released 2015/12/4), the assessment tool. Install OWASP BWA:
OWASP BWA 1.2 (released 2015/8/3), the application to be assessed. Try it yourself once you get home! Setup details are at the links below. http://zapjp.blogspot.jp/ https://www.owasp.org/index.php/User:Yuho_Kameda
What is OWASP ZAP? OWASP ZAP (Zed Attack Proxy): a tool that makes it easy to run a "vulnerability assessment" of a web application; a local proxy tool.
https://code.google.com/p/zaproxy/ https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
What is OWASP BWA? OWASP Broken Web Application (BWA): a bundle of vulnerable web applications in Java /
ASP / PHP / Ruby on Rails… https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Finding web app vulnerabilities: the target is the old WordPress inside BWA, WordPress 2.0.0 (latest: 4.4.2 as of 2016/2/2).
Finding web app vulnerabilities: browser settings for using a proxy tool (IE example).
Finding web app vulnerabilities: decide the assessment scope. Include In Context lets you assess only a specific directory subtree.
Finding web app vulnerabilities: crawl the target (Spider). Select the page to start from and start the scan!
Finding web app vulnerabilities: result… a large number of pages were extracted!
Finding web app vulnerabilities: active scan (sends tests for each parameter). Select the page to start from and start the scan!
Finding platform vulnerabilities: identify open ports with a port scan.
Finding web app vulnerabilities: it is so old that there are huge numbers of ŗŽŖŪ.
Finding platform vulnerabilities: check the detected information in the alerts. The request that was sent can be reproduced too!
Check the vulnerabilities you found! The version is old… check the latest version and apply a version upgrade or patch! The code is falling apart… fix the code! The configuration is still at its defaults… configure it properly!
Introduction to the ZAP community
Check the vulnerabilities you found! • OWASP ZAP Developer Group – members: 434 – started: 2010/08/17
– main topics • ZAP development • extension development • bug fixes • OWASP ZAP User Group – members: 431 – started: 2012/05/22 – main topics • questions on usage • requests for features to be implemented
Check the vulnerabilities you found! • ZAP translation project • Japanese translation 30% (as of 2015/2/10) • anyone can take part • http://crowdin.com/owasp-zap/
Summary. First, try running tests against the servers and web apps in your development environment. Consider building a process that runs a simple assessment with a security scanner during the test phase, so that nothing is released while a vulnerability is present. Know the vulnerabilities of the servers and web apps you manage ahead of time, and consider countermeasures. Assess your web apps yourself, and make use of assessment services.
Security check: security awareness with free tools! http://www.slideshare.net/zaki4649/free-securitycheck
Security check: the basics of vulnerability assessment, free and low-effort! Infrastructure: port scanning, vulnerability scanning. Web applications: automated assessment, an overview of ZAP's features, examples of vulnerabilities actually detected.
The job of finding vulnerabilities: the Vulnerability Assessor (Web Application) Skill Map Project, 2014, a joint working group of OWASP Japan and JNSA's ISOG-J.
A mapping of the abilities a vulnerability assessor needs, from programming through networking knowledge to ethics. 2014/12/24: "Vulnerability Assessor (Web Application) Skill Map" published. https://www.owasp.org/index.php/Japan http://isog-j.org/output/2014/about-pentester-web-skillmap-201412.pdf
Social accounts. Twitter: @YuhoKameda. URL: https://www.owasp.org/index.php/User:Yuho_Kameda. E-mail:
[email protected]