About XNUMX years ago, we at DataLine
In this article we explain exactly which holes in website security hide behind the various severity levels. Let's look at the vulnerabilities the scanner detects most often, why they arise, and how to protect yourself.
Qualys classifies all web application vulnerabilities into XNUMX severity levels, from low to high. Looking at the distribution by severity, things do not look all that bad: there are very few high-severity vulnerabilities, and almost all of them are non-critical.
However, non-critical does not mean harmless. They can still cause serious damage.
Top "non-critical" vulnerabilities
- Mixed content vulnerability.
The standard for website security is transferring data between client and server over the HTTPS protocol, which supports encryption and protects information from interception.
Some sites have mixed content: part of the data is transferred over the insecure HTTP protocol. Most often this is passive content, information that only affects how the site is displayed: images, CSS styles and so on. Sometimes, however, it is active content: scripts that control the site's behaviour. In that case, with special software, the information containing active content that the server sends can be analysed, the response modified on the fly, and the machine made to behave in a way its author did not intend.
Newer browser versions warn users that a site with mixed content is insecure and block the content. Website developers see the browser's warning in the console; for example, it looks like this
In Firefox:
Why is it dangerous?
An attacker uses the insecure protocol to intercept user information, substitute a script, and send requests to the site on the user's behalf. Even if the site visitor has not entered any data, that does not protect them: phishing is obtaining confidential information by fraudulent means. For example, a script can redirect the user to an insecure site that impersonates a site the user knows well. In some cases the malicious site looks even better than the original, and users fill in the form and send their confidential data themselves.
What web developers should remember:
Even when the site administrator has installed and configured an SSL/TLS certificate, the vulnerability can arise through human error. Say an absolute http link, rather than a relative link, was placed on one of the pages, and on top of that no redirect from http to https was configured.
Mixed content on a site can be detected with the browser: search the page source and read the notifications in the developer console. However, the developer would have to dig through code for a long time. The process can be sped up with automated analysis tools such as SSL Check, the free Lighthouse, or the paid Screaming Frog SEO Spider.
This vulnerability can also stem from problems in legacy (inherited) code. For example, some pages may be generated from an old template that never took the site's move to https into account.
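As an added example (not code from the original article), here is a small Python checker that performs the search described above over a page's HTML: it resolves every sub-resource URL against the page address and reports those still fetched over plain http, separating passive from active content. The sample page and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Browsers treat images/audio/video as passive (optionally blockable) mixed content;
# scripts, frames, objects and, in current browsers, stylesheets are active and blocked.
PASSIVE_TAGS = {"img", "audio", "video"}
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed"}


class MixedContentFinder(HTMLParser):
    """Collect sub-resources of an HTTPS page that are fetched over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PASSIVE_TAGS:
            kind, url = "passive", attrs.get("src")
        elif tag in ACTIVE_TAGS:
            kind, url = "active", attrs.get("src") or attrs.get("data")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or ""):
            kind, url = "active", attrs.get("href")
        else:
            return
        if not url:
            return
        # Relative and protocol-relative ("//host/x.js") URLs inherit the
        # page's scheme, so only absolute http:// links are mixed content.
        absolute = urljoin(self.page_url, url)
        if urlparse(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(page_url, html):
    if urlparse(page_url).scheme != "https":
        return []  # a plain-HTTP page cannot have mixed content
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample: a template that was never updated for the move to HTTPS.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://static.example.test/legacy.js"></script>
</head><body>
<img src="/images/logo.png">
<img src="http://static.example.test/banner.png">
</body></html>"""
```

Calling `find_mixed_content("https://www.example.test/", SAMPLE_HTML)` reports the stylesheet and legacy script as active and the banner as passive; the protocol-relative CDN script and the relative logo resolve to https and are not flagged.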
- Cookies without the "HTTPOnly" and "secure" flags.
The "HTTPOnly" attribute prevents cookies from being handled by scripts that an attacker would use to steal user data. The "secure" flag forbids sending the cookie in clear text; transmission is allowed only when the cookie is sent over the secure HTTPS protocol.
Both attributes are specified in the cookie properties:
    Set-Cookie: <name>=<value>; Secure; HttpOnly
Why is it dangerous?
If the site developer did not specify these attributes, an attacker may intercept the user's information from the cookie and abuse it. If cookies are used for authentication and authorisation, the attacker can hijack the user's session and perform actions on the site on the user's behalf.
What web developers should remember:
As a rule, popular frameworks set these attributes automatically. Still, check the web server configuration and set the flags Set-Cookie: HttpOnly; Secure.
In this case the "HTTPOnly" attribute also makes the cookie invisible to your own JavaScript.
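An added example, not part of the original article: a Python audit of Set-Cookie values for the two flags, plus a helper that re-emits a header with both flags set. The sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie values as a scanner would see them in a response.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly",           # Secure missing
    "csrftoken=xyz789; Path=/; Secure; HttpOnly",   # both flags set
    "lang=en; Path=/",                              # both flags missing
]


def audit_set_cookie(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie value given."""
    problems = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # Secure / HttpOnly become True on the morsel when present
        for name, morsel in jar.items():
            missing = [flag for flag in ("secure", "httponly") if not morsel[flag]]
            if missing:
                problems[name] = missing
    return problems


def harden_set_cookie(header):
    """Re-emit one Set-Cookie value (one cookie per header) with both flags forced on."""
    jar = SimpleCookie()
    jar.load(header)
    (morsel,) = jar.values()
    morsel["secure"] = True
    morsel["httponly"] = True
    return morsel.OutputString()


if __name__ == "__main__":
    for name, missing in audit_set_cookie(SAMPLE_SET_COOKIE).items():
        print(f"{name}: missing {', '.join(missing)}")
    print(harden_set_cookie("lang=en; Path=/"))
```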
- Path-based vulnerability.
The scanner reports this vulnerability when it finds a publicly accessible file or website directory that may contain confidential information: for example, access to individual system configuration files or to the entire file system. This situation can arise when access rights are not configured correctly on the site.
Why is it dangerous?
If the file system is exposed, an attacker can get into the operating system interface and try to find folders with passwords, if passwords are stored in clear text (never do that). Or they can steal password hashes, brute-force the passwords, escalate privileges within the system, and try to get deeper into the infrastructure.
What web developers should remember:
Do not forget about access rights, and configure the platform, web server and web application so that it is impossible to escape from the web directory.
- Forms for entering sensitive data with autocomplete enabled.
When a user fills in forms on websites often, the browser saves that information using its autocomplete function.
Forms on a website may contain fields with confidential information such as passwords or credit card numbers. For such fields it is worth disabling form autocomplete on the site itself.
Why is it dangerous?
If confidential information is saved in the user's browser, an attacker may later intercept it, for example through phishing. Essentially, a web developer who forgot about this nuance has set the user up.
What web developers should remember:
This is the classic conflict between convenience and security. If the web developer is thinking about user experience, they may consciously choose autocomplete, for example when the Web Content Accessibility Guidelines (recommendations on content accessibility for users with disabilities) matter. In most browsers autocomplete can be disabled with the autocomplete="off" attribute, for example:
    <body>
      <form action="/ja/form/submit" method="get" autocomplete="off">
        <div>
          <input type="text" placeholder="First Name">
        </div>
        <div>
          <input type="text" id="lname" placeholder="Last Name" autocomplete="on">
        </div>
        <div>
          <input type="number" placeholder="Credit card number">
        </div>
        <input type="submit">
      </form>
    </body>
However, this does not work in Chrome. It is worked around with JavaScript; variants of the recipe can be found here.
- The X-Frame-Options header is not set in the site code.
This header affects the frame, iframe, embed and object tags. With it you can completely forbid embedding the site in a frame; to do so, specify the value X-Frame-Options: deny. Alternatively, X-Frame-Options: sameorigin makes embedding in an iframe possible only within your own domain.
Why is it dangerous?
The absence of this header can be exploited on a malicious site for clickjacking. In this attack the attacker creates a transparent frame over a button and deceives the user. For example, a fraudster frames a social network page on their website. The user believes they are clicking a button on that site; instead, the click is intercepted and the user's request goes to the social network where they have an active session. This is how an attacker sends spam on the user's behalf or gains subscribers and likes.
If you do not disable this, an attacker can place your application's buttons on a malicious site. They may be interested in your referral program, for example.
What web developers should remember:
This vulnerability can arise when a conflicting X-Frame-Options value is set on the web server or load balancer. In that case the server and balancer simply overwrite the header, since they take priority over the backend code.
The deny and sameorigin values of the X-Frame-Options header interfere with Yandex Webvisor. To allow Webvisor to use an iframe, write a separate rule in the configuration. For nginx, for example, it can be configured like this:
    http {
        ...
        map $http_referer $frame_options {
            "~webvisor.com" "ALLOW-FROM http://webvisor.com";
            default "SAMEORIGIN";
        }
        add_header X-Frame-Options $frame_options;
        ...
    }
- PRSSI (path-relative stylesheet import) vulnerability.
This is a vulnerability in the site's styles. The problem arises when style files are accessed via a relative link such as href="/ja/somefolder/styles.css/". An attacker who finds a way to redirect the user to a malicious page exploits this: the page inserts the relative link into the URL and simulates a style call, receiving a request like badsite.ru/…/somefolder/styles.css/. This can execute malicious actions under the guise of a stylesheet.
Why is it dangerous?
If a fraudster finds another security hole, they can exploit this vulnerability as well. As a result, cookies, tokens and user data can be stolen.
What web developers should remember:
Set the X-Content-Type-Options header to nosniff. Then the browser checks the content type of the stylesheet and blocks the request if the type is anything other than text/css.
Critical vulnerabilities
- A page with a password field is delivered from the server over an insecure channel (an HTML form containing a password field is served over HTTP).
A server response over an unencrypted channel is vulnerable to a man-in-the-middle attack: the attacker intercepts traffic and can wedge themselves between client and server while the page travels from the server to the client.
Why is it dangerous?
A fraudster substitutes the page, sends the user a form for confidential data, and that form is submitted to the attacker's server.
What web developers should remember:
Some sites send the user a one-time code by e-mail or phone instead of a password. In that case the vulnerability is not as critical, but this mechanism makes the user's life more complicated.
- A form with login and password is submitted over an insecure channel (the login form is not sent over HTTPS).
In this case the form containing login and password is sent from the user to the server over an unencrypted channel.
Why is it dangerous?
Unlike the previous case, this is already a critical vulnerability. Intercepting the confidential data is easier because no code needs to be written.
- Using JavaScript libraries with known vulnerabilities.
The library most often encountered during scanning was jQuery, in a great many versions, and each version has at least one known vulnerability, often more. The impact can vary greatly depending on the nature of the vulnerability.
Why is it dangerous?
There are methods for exploiting known vulnerabilities, for example the following.
What web developers should remember:
Return regularly to the cycle of searching for known vulnerabilities, fixing them and checking. If you deliberately use legacy libraries, for example to support older browsers or to save money, look for an opportunity to fix the known vulnerabilities.
- Cross-site scripting (XSS).
Cross-site scripting (XSS) is an attack on a web application in which malicious code is injected into the database. When Qualys finds such a vulnerability, it means that a potential attacker can inject their own JS script into the site code to perform malicious actions, or already has. Stored XSS is more dangerous, because the script is embedded on the server and runs every time the attacked page is opened in a browser.
Reflected XSS is easier to carry out because the malicious script can be inserted into an HTTP request: the application receives the HTTP request, does not validate the data, packages it and sends it straight back. If an attacker intercepts traffic and inserts a script like
    <script>/*+something+bad+*/</script>
a malicious request is then sent on behalf of the client.
A well-known example of XSS: JS sniffers that simulate a page for entering the CVC, card expiry date and so on.
What web developers should remember:
Use the script-src directive of the Content-Security-Policy header to force the client browser to download and run code only from trusted sources. For example, script-src 'self' whitelists only scripts from our own site.
A good practice for inline code: allow only inline JavaScript via the unsafe-inline value. That value permits inline js/css but forbids including js files. Combined with script-src 'self', disable the execution of external scripts. Log everything with report-uri and review the attempts to inject something into the site.
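An added example, not from the original article, that folds the three response-header checks discussed above (X-Frame-Options, X-Content-Type-Options: nosniff, and the script-src and report-uri parts of Content-Security-Policy) into one Python audit over a captured header set. The two header sets are constructed; the weak one reuses the ALLOW-FROM value from the nginx snippet above.

```python
# Constructed samples of response headers captured from a backend. Header names
# are case-insensitive, so they are lower-cased before lookup.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOW-FROM http://webvisor.com",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.test",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; report-uri /csp-report",
}


def parse_csp(policy):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers):
    """Return a list of findings for the three headers discussed in the article."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo or 'not set'}: page can be framed (clickjacking)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff not set: MIME sniffing / PRSSI possible")

    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src"))
    if script_src is None:
        findings.append("CSP has no script-src or default-src: scripts may load from anywhere")
    else:
        if "'unsafe-inline'" in script_src:
            findings.append("script-src 'unsafe-inline': injected inline scripts would also run")
        if "*" in script_src:
            findings.append("script-src *: any external origin may serve scripts")
        if "report-uri" not in csp and "report-to" not in csp:
            findings.append("no report-uri/report-to: CSP violations are not logged")
    return findings
```

`audit_headers(WEAK_HEADERS)` yields four findings and `audit_headers(HARDENED_HEADERS)` none.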
- SQL injection.
This vulnerability indicates that SQL code which directly accesses the website's database can be inserted into the site. SQL injection becomes possible when data from the user is not screened: the data is not checked for correctness and is used in a query right away. This happens, for example, when a form on the website does not check that the input matches the expected data type.
Why is it dangerous?
If an attacker enters an SQL query into such a form, they can crash the database or leak confidential information.
What web developers should remember:
Do not trust anything that comes from the browser. You need to protect yourself on both the client side and the server side.
On the client side, write field validation in JavaScript.
The built-in functions of popular frameworks help escape suspicious characters on the server. We recommend using parameterised database queries on the server.
Determine exactly where in the web application the interaction with the database happens.
Interaction happens whenever some information is received: a request with an ID (changing the ID), creating a new user, a new comment, a new entry in the database, and so on. That is where SQL injection can occur. SQL injection is possible even when deleting records from the database.
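An added example, not from the original article: the lookup by ID written first the vulnerable way (the form value pasted into the query text) and then with the data-type check and parameterised query recommended above, against a constructed in-memory SQLite table.

```python
import sqlite3


def make_db():
    """Constructed sample: an in-memory users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (login, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn


def find_user_vulnerable(conn, user_id):
    """The form value goes straight into the SQL text: no type check, no escaping."""
    sql = f"SELECT login, email FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, user_id):
    """Server side: enforce the expected data type, then bind it as a parameter."""
    try:
        user_id = int(user_id)  # an id must be an integer; anything else is rejected
    except (TypeError, ValueError):
        return []
    # The driver sends the value separately from the SQL text, so it cannot alter the query.
    return conn.execute("SELECT login, email FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    normal, hostile = "1", "1 OR 1=1"  # hostile: what a scanner types into the id field
    print(find_user_vulnerable(conn, normal))   # [('alice', 'alice@example.test')]
    print(find_user_vulnerable(conn, hostile))  # both rows: the WHERE clause was rewritten
    print(find_user_safe(conn, hostile))        # []: rejected before it reaches SQL
```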
General recommendations
Use proven frameworks instead of reinventing the wheel. Popular frameworks are generally more secure: for .NET, ASP.NET MVC and ASP.NET Core; for Python, Django or Flask; for Ruby, Ruby on Rails; for PHP, Symfony, Laravel or Yii; for JavaScript, Node.js with Express.js; for Java, Spring MVC.
Follow vendor updates and update regularly. Someone finds a vulnerability, writes an exploit, publishes it, and everything starts over. Subscribe to stable-version updates from your software vendors.
Check access rights, and on the server side always treat code as if it were written, from the first character to the last, by your most fearsome enemy, bent on destroying the site and compromising data integrity. Sometimes, by the way, that is true.
Use a clone of the site for testing and keep production separate. First of all, this helps avoid mistakes in the production environment, and a simple production environment matters. When adding, fixing or resolving something, it is worth working in the test environment, checking the features and vulnerabilities found there, and only then planning the work on the production environment.
To protect your web application
Source: habr.com