Whatever service you build, it always involves continuous work on security. Security is an ongoing process: continuous analysis and improvement of the product's security, monitoring news about vulnerabilities, and so on. Audits included. Audits are performed both by in-house staff and by external specialists; the external ones are not immersed in the project and look at it with fresh eyes, which lets them help with security thoroughly.
This article presents the frankest possible view of the external specialists who helped the Mail.ru Cloud Solutions (MCS) team test its cloud service, and describes what they found. As the "external force", MCS chose Digital Security, a company with deep expertise in information security. In this article we analyse several interesting vulnerabilities found during the external audit, so that you can avoid the same pitfalls when building your own cloud service.
Product description
- Protection of the virtualisation infrastructure: hypervisors, routing, firewalls.
- Protection of customers' virtual infrastructure: isolation from each other, including SDN networking and private networks.
- OpenStack and its open components.
- S3 of our own design.
- IAM: the role model, multiple tenants and projects.
- Vision (computer vision): the API and vulnerabilities when working with images.
- The web interface and classic web attacks.
- Vulnerabilities in PaaS components.
- The APIs of all components.
That is probably everything that matters for the rest of the story.
What work was done and why was it needed?
A security audit aims to identify vulnerabilities and configuration errors that could lead to leaks of personal data, modification of confidential information, or disruption of service availability.
During this work, which takes one to two months on average, the auditors reproduce the actions of a potential attacker and look for vulnerabilities in the client and server parts of the chosen service. For the audit of the MCS cloud platform, the following goals were identified:
- Analysis of authentication in the service. Vulnerabilities in this component would help break into someone else's account immediately.
- Study of the role model and access control between different accounts. Gaining access to someone else's virtual machine is a coveted goal for an attacker.
- Client-side vulnerabilities: XSS/CSRF/CRLF and the like. Is it possible to attack other users via a malicious link?
- Server-side vulnerabilities: RCE and every kind of injection (SQL/XXE/SSRF and so on). Server vulnerabilities are generally harder to find, but they lead to the compromise of many users at once.
- Analysis of the isolation of user segments at the network level. For an attacker, missing isolation greatly increases the attack surface against other users.
- Business logic analysis. Is it possible to trick the company into creating virtual machines for free?
In this project the work followed a "grey box" model: the auditors interacted with the service with the privileges of ordinary users, but partially had the source code of the API and the opportunity to clarify details with the developers. This is usually the most convenient and, at the same time, a very realistic model of work: internal information can still be collected by an attacker; it is only a matter of time.
Vulnerabilities found
Before the auditors start sending various payloads (the data used to carry out an attack) to random places, they need to understand how things work and what functionality is offered. It may seem a waste of effort, since most of the places examined will have no vulnerabilities. But only by understanding the structure of the application and the logic of its behaviour does it become possible to find the most complex attack vectors.
It is important to find places that look suspicious or that differ noticeably from the rest in some way. That is how the first dangerous vulnerability was discovered.
IDOR
IDOR (Insecure Direct Object Reference) is one of the most common business logic vulnerabilities: it lets someone access an object that they are not actually allowed to access. An IDOR vulnerability can expose information about users, with varying degrees of severity.
One variant of IDOR is performing actions on system objects (a user, a bank account, an item in a shopping cart) by manipulating the identifiers used to access those objects. This can have the most unpredictable consequences. For example, the account of the sender of a payment might be substituted, allowing funds to be stolen from other users.
In the case of MCS the auditors found an IDOR vulnerability related to insecure identifiers. In the user's personal account, UUID identifiers were used to access objects, and, as security people say, these looked very hard to brute-force (that is, protected against enumeration). However, it turned out that for certain entities ordinary, predictable numeric values were used to retrieve information about the application's users. I think you can guess that by changing the user ID by one and re-sending the request, it was possible to bypass the ACL (access control list, the rules governing data access for processes and users) and obtain the information.
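The finding above, as an added example that is not code from the article or from MCS: a minimal profile lookup in its vulnerable form next to the fixed one, showing that the identifier type (numeric or UUID) is irrelevant once the handler actually consults the ACL. Store, User, get_profile_* and the two sample users are hypothetical.

```python
# Added example (not from the article): a minimal profile lookup handler in the
# vulnerable and the fixed form. Store/User/get_profile_* are hypothetical names;
# the two users are constructed sample data.
from dataclasses import dataclass, field
import uuid


@dataclass
class User:
    numeric_id: int   # predictable: 1001, 1002, ...
    uid: str          # UUID: hard to guess, but guessing is not the only way to learn it
    email: str


@dataclass
class Store:
    users: dict = field(default_factory=dict)  # numeric_id -> User
    acl: dict = field(default_factory=dict)    # numeric_id -> ids allowed to read it

    def add(self, user, readers=()):
        self.users[user.numeric_id] = user
        self.acl[user.numeric_id] = {user.numeric_id, *readers}


def get_profile_vulnerable(store, requester_id, target_id):
    """IDOR: trusts the identifier in the request and never consults the ACL."""
    user = store.users.get(target_id)
    return user.email if user else None


def get_profile_fixed(store, requester_id, target_id):
    """Authorise every request: the requester must be in the target's ACL.
    Returning None for both 'absent' and 'forbidden' avoids leaking existence."""
    if requester_id not in store.acl.get(target_id, set()):
        return None
    return store.users[target_id].email


def build_store():
    """Constructed data: two tenants that must not see each other."""
    s = Store()
    s.add(User(1001, str(uuid.uuid4()), "alice@example.invalid"))
    s.add(User(1002, str(uuid.uuid4()), "bob@example.invalid"))
    return s


if __name__ == "__main__":
    s = build_store()
    # Alice (1001) changes the id by one, exactly as in the audit finding.
    print(get_profile_vulnerable(s, 1001, 1002))  # bob@example.invalid leaks
    print(get_profile_fixed(s, 1001, 1002))       # None
```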
Server-side request forgery (SSRF)
The good thing about open-source products is that there are a huge number of forums with detailed technical descriptions of the problems that arise and, if you are lucky, descriptions of solutions. But this coin has a flip side: known vulnerabilities are described in detail too. For example, the OpenStack forum has excellent descriptions of vulnerabilities.
A common piece of application functionality is the ability for a user to send the server a link that the server then follows (for example, to download an image from the specified source). If security tooling does not filter the link itself or the response the server returns to the user, such functionality can easily be used by an attacker.
An SSRF vulnerability can significantly advance the development of an attack. An attacker may obtain:
- Limited access to the attacked local network, for example only via a specific network segment and using a specific protocol.
- Full access to the local network, if a downgrade from the application layer to the transport layer is possible, and, as a result, full control of the request payload at the application layer.
- Access to read local files on the server (if the file:/// scheme is supported).
- And much more.
An SSRF vulnerability in OpenStack had been known for some time, but it was essentially "blind": a connection to the server is made but no response is received from it; instead, different kinds of errors and delays occur depending on the result of the request. Based on that, a port scan of hosts on the internal network can be performed, and the consequences should not be underestimated. For example, the product may include a back-office API that is reachable only from the corporate network. Given documentation (do not forget about insiders), an attacker can use SSRF to reach internal methods. For instance, if an attacker somehow obtains a rough list of useful URLs, SSRF lets them issue requests to those URLs: transferring funds from account to account, changing limits, and so on, relatively speaking.
This was not the first time an SSRF vulnerability was found in OpenStack. Previously it was possible to download a VM ISO image from a direct link, which led to similar consequences. That functionality has since been removed from OpenStack. Apparently the community considered this the simplest and most reliable solution to the problem.
In MCS, an SSRF vulnerability was found in a place with similar functionality, but thanks to firewalls and other protections it was practically impossible to exploit. Nevertheless, the MCS team fixed the problem without waiting for the community.
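If the "download from a user-supplied link" feature is kept rather than removed, the fetcher needs the allow-list check sketched here. This is an added example, not code from the article or from OpenStack/MCS: is_safe_fetch_url and the resolver stub are hypothetical, and the stub replaces real DNS so the code runs offline.

```python
# Added example (not from the article): an allow-list check for a "fetch this URL for me"
# feature such as downloading an image from a user-supplied link. is_safe_fetch_url and
# the resolver stub are hypothetical; the stub replaces real DNS so the code runs offline.
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # rules out file:///, gopher://, dict:// ...
ALLOWED_PORTS = {80, 443}             # no probing of other internal services through us


def resolver(host):
    """Constructed stand-in for DNS: hostname -> list of address strings."""
    table = {
        "images.example.invalid": ["93.184.216.34"],
        "split.example.invalid": ["93.184.216.34", "10.0.0.5"],  # one public, one internal
    }
    return table.get(host, [])


def is_safe_fetch_url(url, resolve=resolver):
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False                      # user@host forms are a classic confusion trick
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:                    # non-numeric or out-of-range port
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]          # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
        except ValueError:
            return False
    if not addrs:
        return False
    # Every address must be globally routable: private, loopback, link-local
    # (where cloud metadata services live), multicast and reserved ranges are refused.
    return all(a.is_global and not a.is_multicast for a in addrs)
```

The check resolves the name at validation time, so the fetcher should connect to the very address that passed (sending the original Host header) rather than resolving again, which closes the DNS-rebinding gap.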
XSS instead of a shell upload
Despite the hundreds of studies written about them, XSS (cross-site scripting) attacks remain the most frequent every year.
File upload is a favourite place for security researchers. It often turns out that an arbitrary script (asp/jsp/php) can be uploaded and OS commands executed, what pentesters call "uploading a shell". But the popularity of such vulnerabilities works both ways: they are remembered and countermeasures are developed against them, so these days the probability of getting a shell uploaded tends towards zero.
The attacking team (represented by Digital Security) was lucky. Well, on the server side MCS did check the contents of uploaded files and allowed only images. But SVG is also an image. How is an SVG image dangerous? Because JavaScript snippets can be embedded in it.
It turned out that uploaded files were available to all users of the MCS service, which means other cloud users, administrators included, could be attacked.
An example of an XSS attack with a phishing login form
Examples of XSS exploitation:
- Why steal a session when the injected script can access the resource API right away (especially since the HttpOnly cookie flag, now used everywhere, protects cookies from theft by JS)? In this case the payload can change the server configuration using XHR requests, for example adding the attacker's public SSH key and thereby obtaining SSH access to the server.
- If a CSP policy (Content Security Policy) forbids injecting JavaScript, the attacker may manage without JavaScript: using pure HTML, they create a fake login form for the site and steal the administrator's password through this advanced phishing. The phishing page ends up at the same URL for the user, which makes it much harder to detect.
- Finally, the attacker can DoS the client by setting a cookie larger than 4 KB. The user only has to open the link once to lose access to the whole site until they think to clear their browser specifically; in most cases the web server refuses to accept such a client.
Let us look at another XSS that was found, this time with a more cunning exploit. The MCS service lets you combine firewall settings into groups. The group name is where the XSS was found. Its peculiarity was that the vector did not fire immediately, when the list of rules was displayed, but when the group was deleted.
In other words, the scenario turned out to be: the attacker creates a firewall rule with a payload in its name, the administrator notices it after a while and starts the deletion process, and that is where the malicious JS goes to work.
To protect against XSS from uploaded SVG images (if you cannot give them up), the Digital Security team recommended the following to the MCS developers:
- Place user-uploaded files on a separate domain that has nothing to do with the cookies. Scripts will run in the context of the other domain and pose no threat to MCS.
- Send the "Content-Disposition: attachment" header in the server's HTTP response. The file will then be downloaded by the browser rather than executed.
In addition, there are many methods developers can use to reduce the risk of XSS exploitation:
- Using the "HttpOnly" flag prevents malicious JavaScript from accessing the session cookie.
- A correctly implemented CSP policy makes it much harder for an attacker to exploit XSS.
- Modern template engines such as Angular or React automatically sanitise user data before outputting it to the user's browser.
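The two recommendations for uploaded SVGs, as an added example that is not code from the article or from MCS: the real media type is sniffed from the bytes, files are served with Content-Disposition: attachment from a separate host, and an SVG carrying obvious active content is rejected early. UPLOAD_HOST, sniff_image, upload_response and the sample uploads are hypothetical and constructed.

```python
# Added example (not from the article): serving user uploads the way the recommendations
# above describe: sniff the real type from content, force download, refuse obvious active
# content in SVG, and hand out URLs on a cookie-less host. Names are hypothetical.
import re

UPLOAD_HOST = "uploads-cdn.example.invalid"   # separate origin: no MCS session cookies there

BITMAP_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
SVG_RE = re.compile(rb"<svg\b", re.IGNORECASE)
# Cheap early reject only; the headers below are the real defence, not this regex.
ACTIVE_RE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sniff_image(data):
    """Media type derived from the bytes, ignoring whatever the client claimed."""
    for magic, mtype in BITMAP_MAGIC.items():
        if data.startswith(magic):
            return mtype
    head = data.lstrip()[:2048]
    if head.startswith(b"<") and SVG_RE.search(head):
        return "image/svg+xml"
    return None


def upload_response(filename, data):
    """Accept/reject an upload and build the headers it will later be served with."""
    mtype = sniff_image(data)
    if mtype is None:
        return {"status": 415}                   # not an image at all
    if mtype == "image/svg+xml" and ACTIVE_RE.search(data):
        return {"status": 400}                   # a "picture" carrying script
    name = SAFE_NAME.sub("_", filename)          # no quotes/CRLF into the header
    headers = {
        "Content-Type": mtype,
        "X-Content-Type-Options": "nosniff",     # browser must not re-guess the type
        "Content-Disposition": f'attachment; filename="{name}"',  # download, never render inline
        "Content-Security-Policy": "default-src 'none'; sandbox",  # belt and braces if rendered
    }
    return {"status": 201, "url": f"https://{UPLOAD_HOST}/{name}", "headers": headers}


# Constructed sample uploads
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
PLAIN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
```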
Two-factor authentication vulnerabilities
To improve account security, users are always advised to enable 2FA (two-factor authentication). Indeed, it is an effective way to prevent an attacker from accessing the service if the user's credentials are compromised.
But does using a second authentication factor always guarantee the safety of an account? 2FA implementations have the following security problems:
- Brute-force search of OTP codes (one-time codes). Despite the simplicity of the operation, errors such as missing protection against OTP brute force occur even at large companies: the Slack case, the Facebook case.
- A weak generation algorithm (for example, the ability to predict the next code).
- Logic errors, such as the ability to request someone else's OTP to your phone, as was the case at Shopify.
In the case of MCS, 2FA was implemented on the basis of Google Authenticator.
MCS 2FA is used in several places:
- When the user authenticates. Here there is brute-force protection: the user gets only a few attempts to enter the one-time password, after which input is blocked. This rules out brute-forcing the OTP.
- When generating offline backup codes for performing 2FA, and when disabling it. Here brute-force protection was not implemented, so with the account password and an active session it was possible to regenerate the backup codes or disable 2FA altogether.
Considering that the backup codes were in the same range of string values as the ones generated by the OTP application, the probability of finding a code in a short time was much higher.
The process of picking the OTP that disables 2FA using the "Burp: Intruder" tool
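The missing protection on the backup-code and disable-2FA path, as an added example that is not code from the article or from MCS: the same attempt counter and lockout the login OTP check already had, constant-time comparison, single-use codes, and backup codes drawn from a far larger space than six digits. TwoFactorGuard, generate_backup_codes and the sample codes are hypothetical; the clock is injectable so the lockout can be exercised without waiting.

```python
# Added example (not from the article): the brute-force guard the audit found missing on
# the backup-code / disable-2FA path, built like the one the login OTP check already had.
# TwoFactorGuard and the sample codes are hypothetical; the clock is injectable for testing.
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def _digest(code):
    return hashlib.sha256(code.strip().lower().encode()).digest()


class TwoFactorGuard:
    def __init__(self, backup_codes, clock=time.monotonic):
        self._codes = {_digest(c) for c in backup_codes}  # digests only, each single-use
        self._failures = {}                               # account -> (count, first failure)
        self._clock = clock

    def locked(self, account):
        count, since = self._failures.get(account, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if self._clock() - since >= LOCKOUT_SECONDS:
            del self._failures[account]                   # lockout expired
            return False
        return True

    def redeem_backup_code(self, account, code):
        """Shared by 'disable 2FA' and 'regenerate backup codes'; same rules as login."""
        if self.locked(account):
            return False                                  # even a correct code is refused
        d = _digest(code)
        # compare against every stored digest in constant time, no early exit
        hits = [s for s in self._codes if hmac.compare_digest(s, d)]
        if not hits:
            count, since = self._failures.get(account, (0, self._clock()))
            self._failures[account] = (count + 1, since)
            return False
        self._codes.remove(hits[0])                       # single use
        self._failures.pop(account, None)
        return True


def generate_backup_codes(n=10):
    """10 hex characters (40 bits) each: a space no online brute-force attempt will cover,
    unlike the 6-digit OTP range the original backup codes shared."""
    return [secrets.token_hex(5) for _ in range(n)]
```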
Results
Overall, MCS appears to be secure as a product. During the audit the pentest team was unable to gain access to clients' VMs and their data, and the vulnerabilities found were quickly fixed by the MCS team.
However, it is important to note that security is continuous work. A service is not static; it is constantly evolving. And it is impossible to develop a product with no vulnerabilities at all. But they can be found in time and the chance of recurrence minimised.
All the MCS vulnerabilities mentioned above have now been fixed. And to keep the number of new ones to a minimum and shorten their lifetime, the platform team continues to:
- conduct regular audits by external companies;
- support and develop participation in the Mail.ru Group bug bounty programme;
- work on security.
Source: habr.com