XSS + CSRF
JPNIC / JPCERT/CC 2005 Web, 2005/10/6, IS
Copyright 2005 SECOM Co., Ltd. All rights reserved.

Slide 2. XSS + CSRF: Web application (Web, DB, ...)

Slide 3. SQL, XSS

Slide 4. XSS
  Escape < and > in output (PHP: htmlspecialchars()).
  HttpOnly cookies cannot be read from JavaScript via document.cookie (IE6 SP1):
    Set-Cookie: value=72w3er64twefs0; expires=wednesday, 09-Nov-99 23:12:40 GMT; HttpOnly

Slide 5. CSRF: Web, GET, POST, CAPTCHA

Slide 6. CSRF by POST, submitted automatically with JavaScript (Ver.3)
  GET form of the request:
    http:///cgi-bin/1.cgi?n= &m= &v=1
  POST form of the same request, submitted on page load:
    <body onload="document.commit.submit.click();">
    <form name="commit" method="post" action="http:///cgi-bin/1.cgi">
      <input name="n" type="hidden" value="">
      <input name="m" type="hidden" value="">
      <input name="v" type="hidden" value="1">
      <input type="submit" name="submit">
    </form>
  GET, POST

Slide 7. CSRF: Referer (1)
  A.html (A, Cookie) -> POST to B.php; the browser sends:
    POST /B.php HTTP/1.1
    Referer: http:///a.html
    Accept-Language: ja
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0
    Host:
  www.evil.com C.html (Cookie) -> B.php (B); the browser sends:
    Referer: http://www.evil.com/c.html

Slide 8. CSRF: Referer (2)
  IE6 HTTP request injection (INTERNET Watch, 2005/09/27; CNET Japan, 2005/09/29).
  Secunia: Microsoft Internet Explorer "XMLHTTP" HTTP Request Injection.
  websecurity@webappsec.org, 2005/09/25: "Exploiting the XmlHttpRequest object in IE".
  www.evil.com C.html, via XMLHTTP, sends the Cookie to B.php (B) with the same Referer as a legitimate request:
    Referer: http:///a.html

Slide 9. CSRF: hidden field
  <input type="hidden" name="sessionid" value="...">
  A.html (A, Cookie) -> B.php (B); www.evil.com C.html (Cookie) -> B.php
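The Referer check from slides 7 and 8 and the hidden-field token from slide 9, as an added Python example (not code from the original deck, whose target B.php is PHP): the request and session dictionaries, the host name www.example.jp and the function names are constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit


def issue_token(session: dict) -> str:
    """Mint a per-session secret and remember it server-side. A.html embeds it
    as <input type="hidden" name="sessionid" value="..."> so that B.php can
    check it; a page on www.evil.com cannot read it out of A's form."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def referer_is_same_site(headers: dict) -> bool:
    """Referer check (slide 7): the Referer host must equal the Host header.
    A missing Referer is rejected. Slide 8's caveat: IE6's XMLHTTP could
    inject a forged Referer, so this check alone is not sufficient."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == headers.get("Host")


def token_is_valid(session: dict, form: dict) -> bool:
    """Hidden-field token check (slide 9), compared in constant time."""
    expected = session.get("csrf_token")
    supplied = form.get("sessionid")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def accept_post(session: dict, headers: dict, form: dict) -> bool:
    """B.php's decision: both checks must pass."""
    return referer_is_same_site(headers) and token_is_valid(session, form)


if __name__ == "__main__":
    session = {}
    token = issue_token(session)            # issued when A.html was served
    host = "www.example.jp"                  # constructed: site hosting A.html and B.php
    legit = {"Host": host, "Referer": f"http://{host}/a.html"}
    evil = {"Host": host, "Referer": "http://www.evil.com/c.html"}
    forged = dict(legit)                     # Referer spoofed as on slide 8, no token
    print(accept_post(session, legit, {"sessionid": token, "v": "1"}))   # True
    print(accept_post(session, evil, {"v": "1"}))                        # False
    print(accept_post(session, forged, {"v": "1"}))                      # False
```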
Slide 10. CSRF: CAPTCHA (1)
  Completely Automated Public Turing test to tell Computers and Humans Apart
  http://www.captcha.net/
  http://en.wikipedia.org/wiki/image:captcha.jpg (SMWM)
  http://edit.yahoo.co.jp/config/eval_register?.src=event&.done=http://yidpromo.yahoo.co.jp/

Slide 11. CSRF: CAPTCHA (2)
  A.html (A, Cookie) -> B.php (B) with CAPTCHA; www.evil.com C.html (Cookie) -> B.php

Slide 12. CSRF

Slide 13. Web application security: OWASP Guide, WASC Threat Classification, WAF, WASF, OWASP, WebAppSec, PC, Web

Slide 14. References
  OWASP Guide: http://www.owasp.org/documentation/guide.html
  WASC Threat Classification: http://www.webappsec.org/projects/threat/v1/wasC_TC-1.0.jpn.pdf
  IPA: http://www.ipa.go.jp/security/vuln/20050623_websecurity.html

Slide 15. References
  WASF (Web Application Security Forum), SQL: http://www.wasf.net/wg-eval-sql200509.pdf
  OWASP: http://www.owasp.org/local/tokyo.html
  WebAppSec: https://www.webappsec.jp/
  IPA: http://www.ipa.go.jp/security/vuln/report/index.html