Modern web application scanners are multi-functional and highly sophisticated products, so testing them and comparing them with similar solutions involves many subtleties.
Test procedure
The article "Building a test suite for web application scanners" describes the general principles of testing scanners. One of those principles is the test procedure for comparing the performance of different web application scanners. In a slightly modified form, the procedure is as follows:
- Prepare the test content required for functional verification of all technical requirements and deploy it on the test stand.
- Initialize the test and obtain all the settings the test needs.
- Configure the web application to be scanned, and select the vulnerability type and its protection level.
- Run the scanner with the selected settings against the web application under test, and pass a series of functional tests.
- Count and classify the web objects detected by the scanner (unique links, vulnerabilities, attack vectors, and so on).
- Repeat steps 2 to 5 for each vulnerability type and protection level.
The changes after each iteration must be entered into a summary table of object detection results. It looks like this:
Obviously, not all web application scanners have the same set of scanning modules. The table can still be used, however: it gives an assessment of a scanner when a particular module or one feature or another is absent.
It is impossible to prepare a test application with an exact number of vulnerabilities of a given type known in advance, so when compiling such a table you inevitably run into the difficulty of determining the real number of objects to be found. This problem can be solved as follows:
- Treat a class of equivalent vulnerabilities found in the test web application as a single vulnerability. For SQL injection, for example, the class of equivalent vulnerabilities can be taken as all vulnerabilities found in the same parameter of GET requests to the application. In other words, if there is a vulnerable id parameter that causes a web server or database error, all attack vectors that use this parameter can be considered equivalent up to a permutation of the parameters: example.com/page.php?id=blabla and example.com/page.php?a=1&id=bla&b=2
- Develop simple test applications that implement or simulate a few vulnerabilities, but build them on different frameworks and deploy them on different operating systems, different web servers, different databases, over different network protocols and through different proxy chains.
- Deploy many different CMSs and vulnerable applications (DVWA, Gruyere, OWASP Site Generator and so on) on the test stand and scan them with various security scanners. The total number of vulnerabilities found by all the scanners is then taken as the reference value for further tests.
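The equivalence-class rule from the first item above, as an added example that is not code from the original article: findings are collapsed to (vulnerability type, host, path, injected parameter), so reports that differ only in the payload or in the other query parameters count as one object in the summary table. The sample findings and the field names `type`, `url` and `param` are constructed for illustration; a real scanner report would need to be mapped onto them.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings in the shape a scanner report might use
# (type, URL with payload, injected parameter). Not real scan output.
FINDINGS = [
    {"type": "sqli", "url": "http://example.com/page.php?id=blabla", "param": "id"},
    {"type": "sqli", "url": "http://example.com/page.php?a=1&id=bla&b=2", "param": "id"},
    {"type": "sqli", "url": "http://example.com/page.php?b=2&id=1%27&a=1", "param": "id"},
    {"type": "sqli", "url": "http://example.com/page.php?id=1&a=1%27", "param": "a"},
    {"type": "xss", "url": "http://example.com/search.php?q=%3Cscript%3E", "param": "q"},
    {"type": "xss", "url": "http://example.com/search.php?page=2&q=x", "param": "q"},
]


def equivalence_key(finding):
    """Key under which two findings count as the same vulnerability:
    the type, host, path and injected parameter. The payload and any
    other query parameters are deliberately ignored, so URLs that differ
    only by a permutation of parameters collapse into one class."""
    parts = urlsplit(finding["url"])
    return (finding["type"], parts.netloc.lower(), parts.path, finding["param"])


def group_by_class(findings):
    """Map each equivalence class to the raw URLs reported for it."""
    classes = defaultdict(list)
    for f in findings:
        classes[equivalence_key(f)].append(f["url"])
    return dict(classes)


def count_unique(findings):
    """Number of unique objects per vulnerability type: the figure that goes
    into the summary table instead of the raw count of scanner findings."""
    per_type = defaultdict(int)
    for vtype, _host, _path, _param in group_by_class(findings):
        per_type[vtype] += 1
    return dict(per_type)


if __name__ == "__main__":
    # Six raw findings collapse to three objects: {'sqli': 2, 'xss': 1}
    print(count_unique(FINDINGS))
    for key, urls in group_by_class(FINDINGS).items():
        print(key, "<-", len(urls), "raw finding(s)")
```

The key deliberately excludes the scheme and port as well as the payload; if the test stand exposes the same application over several transports (as the second item suggests), those runs should be compared per transport rather than merged, or the key extended accordingly.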
For example, the OWASP Site Generator tool lets you configure and manage test applications by setting the required protection level; its configuration is stored and edited in ordinary XML files. Unfortunately, this tool is currently considered deprecated, so it is better to write your own application for development purposes that emulates modern vulnerabilities.
The vulnerability types to implement in the test content for the scanners to detect can be taken from the WASC Threat Classification.
The expected number of runs of the test procedure over all possible combinations of installed applications is, unsurprisingly, very large. It can be reduced using the pairwise testing technique.
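The pairwise reduction mentioned above, as an added example that is not from the article: a greedy covering-array generator that produces a test suite in which every pair of factor values from the test-stand dimensions listed earlier (framework, operating system, web server, database, protocol, proxy) appears in at least one run. The factor names follow the article; the concrete values are assumptions chosen for illustration.

```python
from itertools import combinations

# Constructed test-stand factors. The dimensions follow the article's list;
# the concrete values are assumptions for illustration.
FACTORS = {
    "framework":  ["php", "django", "spring"],
    "os":         ["debian", "windows", "freebsd"],
    "web_server": ["apache", "nginx", "iis"],
    "database":   ["mysql", "postgres", "mssql"],
    "protocol":   ["http", "https"],
    "proxy":      ["none", "single", "chain"],
}


def full_factorial_size(factors):
    """Number of runs if every combination were tested."""
    size = 1
    for values in factors.values():
        size *= len(values)
    return size


def pair_key(names, f1, v1, f2, v2):
    """Canonical ordering of a factor-value pair by factor position."""
    if names.index(f1) < names.index(f2):
        return (f1, v1, f2, v2)
    return (f2, v2, f1, v1)


def all_pairs(factors):
    """Every factor-value pair a pairwise suite must cover at least once."""
    names = list(factors)
    return {(a, va, b, vb)
            for a, b in combinations(names, 2)
            for va in factors[a] for vb in factors[b]}


def pairs_in(test, names):
    """Pairs covered by one test case (a full assignment of factor values)."""
    return {(a, test[a], b, test[b]) for a, b in combinations(names, 2)}


def pairwise_suite(factors):
    """Greedy covering-array construction: seed each new test case with a
    still-uncovered pair, then fill the remaining factors with the value that
    covers the most uncovered pairs. Not minimal, but every pair is covered
    and the loop always makes progress because the seed pair is new."""
    names = list(factors)
    uncovered = all_pairs(factors)
    suite = []
    while uncovered:
        a, va, b, vb = min(uncovered)          # deterministic seed
        test = {a: va, b: vb}
        for name in names:
            if name in test:
                continue

            def gain(v, name=name):
                return sum(1 for prev, pv in test.items()
                           if pair_key(names, prev, pv, name, v) in uncovered)

            test[name] = max(factors[name], key=gain)
        suite.append({n: test[n] for n in names})
        uncovered -= pairs_in(test, names)
    return suite


def covers_all_pairs(suite, factors):
    """Independent check that the generated suite really covers every pair."""
    names = list(factors)
    covered = set()
    for test in suite:
        covered |= pairs_in(test, names)
    return covered == all_pairs(factors)


if __name__ == "__main__":
    suite = pairwise_suite(FACTORS)
    print(f"{full_factorial_size(FACTORS)} full combinations -> {len(suite)} pairwise runs")
    for test in suite:
        print(test)
```

The trade-off is the usual one for pairwise testing: every interaction between two factors is exercised, but a defect that only appears for a specific triple (say, a particular framework, database and proxy chain together) may be missed. Constraints between factors (for example, IIS only on Windows) can be added by filtering the candidate values inside the fill loop.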
Based on the scan results we obtain a numeric vector of the form:
(protection level, number of detected objects, false positives, false negatives, total objects, scan time)
Next, a metric of scan quality has to be introduced so that these indicators, and the scanners, can be compared with one another. The simplest Euclidean metric is sufficient for this purpose.
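The result vector and Euclidean metric described above, as an added example that is not code from the article, together with the expert-time formula given in the "Types of tests" section below. The ground truth, the two scanner runs and the way the vector components are normalized before the distance is computed are assumptions constructed for illustration.

```python
import math

# Constructed ground truth: the reference set of objects (equivalence classes
# of the form (type, path, parameter)) established by scanning with all scanners.
GROUND_TRUTH = {
    ("sqli", "/page.php", "id"), ("sqli", "/login.php", "user"),
    ("xss", "/search.php", "q"), ("xss", "/comment.php", "text"),
    ("lfi", "/view.php", "file"),
}

# Constructed runs of two hypothetical scanners at the same protection level.
SCAN_RUNS = {
    "scanner_a": {"protection_level": 1, "scan_time_s": 600,
                  "found": {("sqli", "/page.php", "id"), ("sqli", "/login.php", "user"),
                            ("xss", "/search.php", "q"), ("xss", "/banner.php", "x")}},
    "scanner_b": {"protection_level": 1, "scan_time_s": 1800,
                  "found": {("sqli", "/page.php", "id"), ("xss", "/search.php", "q"),
                            ("xss", "/comment.php", "text"), ("lfi", "/view.php", "file"),
                            ("sqli", "/page.php", "a"), ("xss", "/index.php", "z")}},
}


def result_vector(run, truth):
    """(protection level, detected objects, false positives, false negatives,
    total objects, scan time), exactly the vector the article describes."""
    found = run["found"]
    return (run["protection_level"], len(found), len(found - truth),
            len(truth - found), len(truth), run["scan_time_s"])


def normalized(vec, max_time):
    """Bring the components onto comparable scales before taking a Euclidean
    distance: counts are divided by the total number of objects, time by the
    slowest run. The protection level is a test condition, not a quality, so
    it is left out; only runs at the same level should be compared."""
    _level, detected, fp, fn, total, t = vec
    true_positives = detected - fp
    return (true_positives / total, fp / total, fn / total, t / max_time)


IDEAL = (1.0, 0.0, 0.0, 0.0)   # everything found, nothing spurious or missed, no time


def euclid(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def rank_scanners(runs, truth):
    """Scanners sorted by Euclidean distance from the ideal point (closest first)."""
    max_time = max(r["scan_time_s"] for r in runs.values())
    scores = {name: euclid(normalized(result_vector(run, truth), max_time), IDEAL)
              for name, run in runs.items()}
    return sorted(scores.items(), key=lambda kv: kv[1])


def expert_time_minutes(training_min, false_positives, false_negatives,
                        minutes_per_finding=15):
    """Expert-time formula from the 'Types of tests' section: training time
    plus 15 minutes for each false positive and each false negative."""
    return training_min + (false_positives + false_negatives) * minutes_per_finding


if __name__ == "__main__":
    for name, run in SCAN_RUNS.items():
        print(name, result_vector(run, GROUND_TRUTH))
    for name, distance in rank_scanners(SCAN_RUNS, GROUND_TRUTH):
        print(f"{name}: distance to ideal = {distance:.3f}")
    _, _, fp, fn, _, _ = result_vector(SCAN_RUNS["scanner_a"], GROUND_TRUTH)
    print("expert time (min):", expert_time_minutes(120, fp, fn))
```

With these inputs scanner_b finds more of the reference objects but ranks second, because the unscaled time component dominates the distance; whether that is the intended verdict depends on how the components are weighted, which is a decision the metric itself does not make for you.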
Types of tests
Another article worth relying on when testing web application scanners is "Analysis of the accuracy and time costs of web application security scanners". It describes the testing of various scanners (Burp Suite Pro, Qualys, WebInspect, NTOSpider, AppScan, Hailstorm, Acunetix) and proposes running four types of tests for each tool:
- Scan the web application in point-and-shoot (PaS) mode and determine the number of vulnerabilities detected and confirmed.
- Rescan after preliminary "training", that is, after configuring the scanner to work with this type of application, and determine the number of vulnerabilities found and confirmed in this case.
- Assess the accuracy and completeness of the descriptions of the vulnerabilities found.
- Assess the total time the expert spent preparing and running the tests and ensuring the quality of the scan results.
PaS mode means starting the scan with the scanner's default settings, following the scheme "set target, scan, get results".
Training includes configuration changes, script modifications, communication with the scanner vendor, and so on.
To determine how much time an expert has to spend to obtain quality results, the article proposes a simple formula:
Total time = training time + #False Positive * 15 min + #False Negative * 15 min
The test procedure described above should be applied during each of these tests.
Evaluation criteria for web application scanners
In another useful article, "Top 10: The Web Application Vulnerability Scanners Benchmark", the author proposes a general approach to comparing scanner characteristics and, with examples, a set of such characteristics. The article suggests evaluating the capabilities of web application scanners in tabular form using the following criteria:
- Comparison of product prices in relation to the criteria scores (price comparison, relative to the other benchmark results). An example comparison is given in the pivot table.
- Scanner versatility. The measure of a scanner's support for protocols and input delivery vectors is the number of supported protocols and delivery vectors, i.e. ways of delivering data to the server. Delivery vectors include HTTP parameters in the query string, HTTP body parameters, JSON, XML, AMF, Java serialized objects, and binary methods of specific technologies such as WCF. An example comparison is given in the pivot table.
- Number of supported attack vectors: the number and type of active scanner plugins (attack vector support: amount and type of active scanning plugins for vulnerability detection). An example comparison is given in the pivot table.
- XSS detection accuracy (reflected cross-site scripting detection accuracy). An example comparison is given in the pivot table.
- SQL injection detection accuracy. An example comparison is given in the pivot table.
- Accuracy of finding local files by bypassing the web application structure (path traversal / local file inclusion detection accuracy). An example comparison is given in the pivot table.
- Remote file usage and phishing via XSS or RFI (remote file inclusion detection accuracy, phishing via XSS / RFI). An example comparison is given in the pivot table. An example RFI test case is shown in the figure.
- WIVET comparison: automatic crawling and extraction of input vectors for attacks (WIVET, Web Input Vector Extractor Teaser, score comparison: automated crawling / input vector extraction). An example comparison is given in the pivot table.
- Scanner adaptability: the number of additional scanner features for covering protected areas (scanner adaptability: complementary coverage features and scan barrier support). An example comparison is given in the pivot table.
- Comparison of authentication features: the number and types of supported authentication methods (authentication features comparison). An example comparison is given in the pivot table.
- Number of additional scanning features and built-in mechanisms (complementary scanning features and embedded products). An example comparison is given in the pivot table.
- General impression of how the main scanning features work (general scanning features and overall impression). An example comparison is given in the pivot table.
- Comparison of licenses and technologies (license comparison and general information). An example comparison is given in the pivot table.
Some of the listed items are already included in the object-detection summary table. You may also notice that most of the criteria require expert evaluation, which makes automated testing and comparison of scanners difficult. As a result, the proposed evaluation criteria can be used, for example, as a section of a more general report on a scanner's characteristics, containing all the results of testing a particular scanner and comparing it with its competitors.
Types of tests for web application scanners
Based on the material in the articles above, we developed a classification of test types that can be used in the test procedure:
- Basic functional (smoke) tests should verify the operation of the scanner's main low-level nodes: the transport subsystem, the configuration subsystem, the logging subsystem and so on, including when different transports, redirects, proxy servers and the like are used.
- Functional tests should implement verification of the basic scenarios in order to validate the technical requirements. The operability of each scanning module must be checked with different settings of the module and of the test environment. Positive and negative test scripts, and various stress tests, are run using large arrays of correct and incorrect data sent to the scanner as responses from the web application.
- Feature comparison (comparative) tests compare the quality and average speed of object detection by a selected scanner module against modules with similar functionality in competing products. For each specific scanning module, the meaning of "object" and of detection quality must be defined.
- Benchmark (criteria) tests compare the evaluation-criteria indicators and verify that, for each new version of the scanner under test, the speed and quality of object detection in each scanning module have not degraded compared with the previous version. Speed and quality should be defined in the same way as for the feature comparison tests; in this type of test, however, the previous version acts as the competitor of the scanner under test.
For web application security scanners, the test procedure described in this topic can be used. In addition, comparing scanner indicators using a scan-quality metric gives you a tool for qualitative comparison of scanners. Developing this idea, fuzzy indicators, scales and metrics can be used to simplify the work of comparing scanners.
Thank you for your attention. I will answer questions in the comments.
Posted by Timur Gilmullin, Positive Technologies automated testing group