IPA Secure Programming Course, Web application edition (2010)
http://www.ipa.go.jp/security/awareness/vendor/programming
Copyright 2010 IPA

Contents
2-1
  2-1-1 Cross-site Request Forgery (CSRF)
  2-1-2 Session ID
  2-1-3 Session ID
  2-1-4 https:
  2-1-5 Session ID
  2-1-6
  2-1-7
2-2
  2-2-1
  2-2-2
2-3
  2-3-1 Web
2-1

2-1-1 Cross-site Request Forgery (CSRF)
CSRF (Cross-site Request Forgery)
An attack in which a Web application is made to process a request the user never intended, issued from a page on another site. It works against Web applications whose credentials the browser attaches automatically: a session ID held in a Cookie, HTTP Basic authentication, or HTTP Digest authentication.
Mechanism: the browser attaches the Cookie to every HTTP request for the Web site that set it. An HTTP request triggered from the attacker's page (a form that submits itself, an image tag pointing at the site) therefore reaches the Web server carrying the victim's Cookie and is indistinguishable from a request the victim made on purpose.
Countermeasure: a hidden field. Embed a secret value that the attacker cannot obtain in a hidden field of the form, and have the Web application verify it in every HTTP request that changes state. The Cookie alone does not prove that the user sent the request.
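The hidden-field countermeasure in working form, as an added example that is not part of the IPA course material. The in-memory session store, the `sid` cookie name, the `/transfer` form and the attacker's forged POST are all constructed for the demonstration; the point it shows is that the Cookie alone accepts the forged request, while the per-session token in the hidden field rejects it.

```python
"""CSRF protection with a per-session secret carried in a hidden form field.

Added example, not code from the IPA course. SESSIONS, the cookie name "sid"
and the /transfer form are placeholders for the demonstration.
"""
import hmac
import secrets

SESSIONS = {}  # session id -> {"user": str, "csrf": str}; hypothetical in-memory store


def login(user):
    """Issue a session ID and a per-session CSRF token, both from a CSPRNG."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """The form the legitimate site serves. The token sits in a hidden field;
    a page on another site cannot read this HTML, so it cannot learn the token."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')


def handle_transfer(cookie_header, form, check_token=True):
    """Server side of POST /transfer.

    cookie_header: the Cookie: header the browser attached, e.g. "sid=..."
    form: dict of POSTed fields
    check_token=False reproduces the vulnerable server that trusts the Cookie alone.
    Returns a status string in place of an HTTP response.
    """
    cookies = dict(c.strip().split("=", 1) for c in cookie_header.split(";") if "=" in c)
    sess = SESSIONS.get(cookies.get("sid"))
    if sess is None:
        return "401 no session"
    if check_token:
        sent = form.get("csrf_token", "")
        # constant-time comparison so the token cannot be recovered byte by byte
        if not hmac.compare_digest(sent, sess["csrf"]):
            return "403 csrf token missing or wrong"
    return f"200 {sess['user']} sent {form['amount']} to {form['to']}"


def demo():
    """Legitimate request vs. forged request, with and without the token check."""
    sid = login("alice")
    cookie = f"sid={sid}"
    # Legitimate: the browser submits the form the site rendered, token included.
    html = render_form(sid)
    token = html.split('name="csrf_token" value="')[1].split('"')[0]
    ok = handle_transfer(cookie, {"csrf_token": token, "to": "bob", "amount": "10"})
    # Forged: the attacker's page auto-submits a form to /transfer. The browser
    # still attaches alice's Cookie, but the attacker has no token to put in it.
    forged = {"to": "mallory", "amount": "1000"}
    without_check = handle_transfer(cookie, forged, check_token=False)
    with_check = handle_transfer(cookie, forged)
    return ok, without_check, with_check


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token is bound to the session rather than to the user so that two sessions of the same user cannot be confused, and it is compared with `hmac.compare_digest` rather than `==`.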
2-1-2 Session ID
Session ID: HTTP (Hypertext Transfer Protocol) carries no state from one request to the next, so a Web application that must tell one user's requests from another's issues a session ID and has the browser present it with every request.
Where the session ID is carried: Cookie, URL, hidden field.
1: Cookie. The Web server issues the session ID with Set-Cookie and the browser returns it in the Cookie header on later requests. Attributes of the Cookie:
  domain={domain the Cookie is returned to}
  path={path the Cookie is returned to}
  max-age={lifetime (seconds)}
  expires={expiry date}
  secure
2: URL. The session ID is embedded in the URLs written into the HTML. A session ID in a URL leaks more easily than one in a Cookie: when the user follows a link to another site the URL is sent there in the Referer: header, and it remains in browser history, bookmarks and server logs.
3: hidden field. The session ID is placed in a hidden field of every form. Compared with a Cookie or a URL it is only sent when a form is submitted, and it is readable and changeable from JavaScript on the page.
Three conditions that a session ID used by a Web application must satisfy:
1: Session ID
2: Session ID
3: Session ID
2-1-3 Session ID
A session ID must not be guessable by a third party: an attacker who can predict another user's session ID can use the Web application as that user.
Predictable IDs: serial numbers such as 00001, 00002, ... can be guessed from an ID the attacker obtains for their own session.
Sufficiently random IDs: a 10-character ID drawn from upper-case letters, lower-case letters and digits has (26+26+10)^10 = 8.39 × 10^17 possible values. At 100 requests per second to the Web server, trying every value would take about 2.7 × 10^8 years, so hitting one valid session ID by enumeration is not practical.
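The arithmetic above, together with the two ID generators it contrasts, as an added example (not code from the IPA course). The sequential issuer and the `predict_next` guess are constructed to show how a counter-based ID is broken from two observed values; the random generator uses `secrets`, which is what a practitioner should use rather than `random`.

```python
"""Session ID predictability: the page's keyspace arithmetic, a sequential
issuer an attacker can predict, and a CSPRNG-based generator.

Added example, not code from the IPA course. ID_LEN and the alphabet follow
the page's (26+26+10)^10 calculation; request rate 100/s is the page's figure.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # 26 + 26 + 10 = 62 characters
ID_LEN = 10
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length=ID_LEN, alphabet_size=len(ALPHABET)):
    """Number of distinct IDs: alphabet_size ** length (62**10 = 8.39e17)."""
    return alphabet_size ** length


def entropy_bits(length=ID_LEN, alphabet_size=len(ALPHABET)):
    """Entropy in bits if every character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_enumerate(requests_per_second=100, length=ID_LEN):
    """Worst-case time to try every ID at the given request rate."""
    seconds = keyspace(length) / requests_per_second
    return seconds / SECONDS_PER_YEAR


def random_session_id(length=ID_LEN):
    """Every character drawn from a CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class SequentialIssuer:
    """What the page warns against: IDs 00001, 00002, 00003, ..."""

    def __init__(self):
        self.n = 0

    def issue(self):
        self.n += 1
        return f"{self.n:05d}"


def predict_next(observed):
    """Attacker's guess of the next ID from the last two IDs they observed for
    their own logins. Works when IDs are a counter; returns None otherwise."""
    try:
        a, b = int(observed[-2]), int(observed[-1])
    except (ValueError, IndexError):
        return None
    step = b - a
    if step <= 0:
        return None
    return f"{b + step:05d}"


if __name__ == "__main__":
    print(f"keyspace = {keyspace():.3e}, entropy = {entropy_bits():.1f} bits")
    print(f"years to enumerate at 100 req/s: {years_to_enumerate():.2e}")
    seq = SequentialIssuer()
    seen = [seq.issue(), seq.issue()]
    print("sequential: observed", seen, "-> attacker guesses", predict_next(seen))
    print("random:", random_session_id())
```

`entropy_bits()` is the number to compare against a target (about 60 bits here); a longer ID or a larger alphabet raises it, while any bias in the generator lowers it without changing the keyspace arithmetic.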
Session IDs issued by Web application frameworks:
  Java Servlet: JSESSIONID (Cookie)
  ASP: ASPSESSIONIDxxxxxx (Cookie)
  PHP: PHPSESSID (Cookie)

2-1-4 https:
https: is HTTP carried over SSL (Secure Socket Layer) / TLS (Transport Layer Security). The URL begins with https: instead of http: and the connection is encrypted.
A session ID is the user's credential for the rest of the session: a third party who reads it off the network can use the Web application as that user. The session ID therefore has to be protected in transit.
Session ID and https: two points.
1. A Cookie set on an https: page is by default also sent with http: requests to the same site, where it travels in the clear. Set the secure attribute on the Cookie that carries the session ID so that the browser sends it over https: only.
2. A session ID issued while the user was on http: pages may already have been observed on the network. Do not keep using it once the user moves to https: pages; issue a new session ID at that transition (for example at login over https:).
Using https: consistently: every page that handles the session ID should be https:. Mixing http: and https: pages within one session undoes the protection. The versions listed in this 2010 material are SSL 3.0 and TLS 1.0; SSL 3.0 is no longer acceptable today, and current TLS should be used. Both the Web server configuration and the Cookie secure attribute have to be in place.
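The Cookie attributes listed under 2-1-2 and the secure attribute discussed here, as an added example that is not part of the IPA course. It builds the Set-Cookie header with the standard library and runs it through a toy cookie jar that applies the one browser rule that matters for point 1: a Cookie marked secure is attached to https: requests only. The cookie name `sid`, the domain `app.example` and the lifetimes are placeholders.

```python
"""Set-Cookie attributes for a session ID, and the effect of the secure attribute.

Added example, not code from the IPA course. "sid", "app.example" and the
lifetime values are placeholders chosen for the demonstration.
"""
from http import cookies
from urllib.parse import urlparse


def session_set_cookie(sid, secure=True, max_age=1800, domain="app.example", path="/"):
    """Return the Set-Cookie header line carrying the session ID.

    domain / path limit where the browser returns the Cookie, max-age and
    expires limit for how long, secure limits it to https: connections.
    """
    c = cookies.SimpleCookie()
    c["sid"] = sid
    c["sid"]["domain"] = domain
    c["sid"]["path"] = path
    c["sid"]["max-age"] = max_age       # lifetime in seconds
    c["sid"]["expires"] = max_age       # rendered as an absolute date for old clients
    c["sid"]["httponly"] = True         # not readable from document.cookie
    if secure:
        c["sid"]["secure"] = True       # sent over https: only
    return c.output(header="Set-Cookie:")


class Jar:
    """Minimal browser cookie store: keeps just the attributes the secure rule needs."""

    def __init__(self):
        self.store = []  # (name, value, domain, path, secure)

    def receive(self, set_cookie_line):
        """Parse a 'Set-Cookie: ...' line as the browser would store it."""
        c = cookies.SimpleCookie()
        c.load(set_cookie_line.split(":", 1)[1].strip())
        for name, m in c.items():
            self.store.append((name, m.value, m["domain"], m["path"] or "/", bool(m["secure"])))

    def cookie_header(self, url):
        """The Cookie: header the browser would attach to a request for url."""
        u = urlparse(url)
        sent = []
        for name, value, domain, path, secure in self.store:
            if secure and u.scheme != "https":
                continue                        # the secure attribute in action
            if not u.hostname.endswith(domain.lstrip(".")):
                continue
            if not u.path.startswith(path):
                continue
            sent.append(f"{name}={value}")
        return "; ".join(sent)


def leak_check(secure):
    """Does the session ID reach an http: page of the same site? Returns the
    Cookie header for an https: request and for an http: request."""
    jar = Jar()
    jar.receive(session_set_cookie("abc123", secure=secure))
    return (jar.cookie_header("https://app.example/account"),
            jar.cookie_header("http://app.example/img/logo.png"))


if __name__ == "__main__":
    print(session_set_cookie("abc123"))
    print("with secure:   ", leak_check(True))
    print("without secure:", leak_check(False))
```

An http: image or script on an otherwise https: site is exactly the case in which a Cookie without secure is exposed; the jar shows the session ID being attached to that request and withheld once the attribute is set.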
2-1-5 Session ID
Session fixation: instead of stealing or guessing the victim's session ID, the attacker makes the victim's browser use a session ID the attacker already knows, waits for the victim to log in under it, and then uses that ID.
How a session ID gets fixed (1): through the URL. When the Web application accepts a session ID from the URL, the attacker prepares a link carrying an ID of their choosing and gets the victim to follow it. PHP, for example, accepts PHPSESSID in the URL:
  http://foo/bar.php?phpsessid=3333
and the Web server then answers with
  Set-Cookie: PHPSESSID=3333;
so from then on the victim's browser presents the ID 3333 chosen by the attacker.
How a session ID gets fixed (2): through the Cookie. If the attacker can run script in the victim's browser in the context of the Web site, the Cookie can be written directly:
  <script>document.cookie="sessionid=foobar"</script>
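Both fixation routes end the same way on the server: a client presents an ID it obtained from the attacker. The following added example (not code from the IPA course) contrasts a toy session store that adopts whatever ID the client presents and keeps it across login with one that accepts only IDs it issued itself and reissues the ID at login. The ID 3333 is taken from the phpsessid example above; the server classes and the `victim` user are constructed for the demonstration.

```python
"""Session fixation: a server that keeps a client-supplied ID across login,
beside one that accepts only server-issued IDs and regenerates at login.

Added example, not code from the IPA course. FixableServer and HardenedServer
are toy session stores; "3333" is the attacker-chosen ID from the page.
"""
import secrets


class FixableServer:
    """Vulnerable: adopts any session ID the client presents (from a URL
    parameter or an injected Cookie) and keeps using it after login."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": str or None}

    def request(self, presented_sid):
        """First request of a session: returns the ID the server will use."""
        if presented_sid not in self.sessions:
            self.sessions[presented_sid] = {"user": None}   # attacker's ID adopted
        return presented_sid

    def login(self, sid, user):
        """Authenticate the session; the ID stays the same."""
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


class HardenedServer(FixableServer):
    """Accepts only IDs it issued itself, and issues a fresh ID at login."""

    def request(self, presented_sid):
        if presented_sid in self.sessions:
            return presented_sid
        sid = secrets.token_urlsafe(32)       # unknown (attacker-supplied) ID ignored
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        self.sessions.pop(sid, None)          # pre-login ID is invalidated ...
        new_sid = secrets.token_urlsafe(32)   # ... and a new one issued
        self.sessions[new_sid] = {"user": user}
        return new_sid


def fixation_attack(server_cls):
    """Attacker fixes ID 3333, the victim follows the link and logs in, and the
    attacker then presents 3333. Returns (user seen by the attacker, victim's
    ID after login)."""
    srv = server_cls()
    attacker_sid = "3333"
    victim_sid = srv.request(attacker_sid)    # victim arrives via ?phpsessid=3333
    victim_sid = srv.login(victim_sid, "victim")
    return srv.whoami(attacker_sid), victim_sid


if __name__ == "__main__":
    print("fixable :", fixation_attack(FixableServer))
    print("hardened:", fixation_attack(HardenedServer))
```

Regenerating the ID at login is the step that closes the attack regardless of how the ID was planted; refusing unknown IDs on its own is not enough, because a server-issued ID can still be handed to the victim by the attacker.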
The Web application should accept only session IDs that it issued itself, and should issue a fresh session ID when the user logs in, so that an ID known to the attacker in advance never becomes an authenticated session. Example: in September 2004 Macromedia JRun was reported to accept a client-supplied JSESSION(ID) value as the session ID (CVE-2004-0646), which allowed session fixation against Web applications running on it.

2-1-6
Web

2-1-7
2-2
  2-2-1
  2-2-2

2-2-1
Web: 2
1.
2.
Web
ID 10 ID ID ID
ID ID 8
ID 1 ID 2 3 ID 1 3 ID 2 ID ID
ID
2-2-2
(1) IP
(2) URL
Web
Web
1.
2.
3.
Web
(1)
(2) URL
(3) Referer:
(4) GET / POST

2-3
  2-3-1 Web
2-3-1 Web
Web: 7
(1) PHP, Java, .Net
(2) API: DB, SQL; SQL, DB API
http: / https:; https: Cookie
2
(1) Session ID
(2)
  1) HTTP, https:
  2) Session ID, https:
  3) Session ID: Cookie, hidden field, https:
3
(3) Cross-site Request Forgery (CSRF)
  a. CSRF
  b.
  c.
4
(4) https:
  1) HTTP, https:
  2) Session ID, https:
  3) Session ID, https:
(5) Session ID
(1) HTTP
(2)
  1)
  2)
(3)
  1) HTML
Q & A