[B! csrf] kiyo_hikoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

kiyo_hiko id:kiyo_hiko

csrfã«é–¢ã™ã‚‹kiyo_hikoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (9)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Railsã®CSRFä¿è·ã‚’è©³ã—ãèª¿ã¹ã¦ã¿ãŸï¼ˆç¿»è¨³ï¼‰ï½œTechRacho by BPSæ ªå¼ä¼šç¤¾
æ¦‚è¦ åŽŸè‘—è€…ã®è¨±è«¾ã‚’å¾—ã¦ç¿»è¨³ãƒ»å…¬é–‹ã„ãŸã—ã¾ã™ã€‚ è‹±èªžè¨˜äº‹: A Deep Dive into CSRF Protection in Rails å…¬é–‹æ—¥: 2017/07/31 è‘—è€…: Alex Taylor ã‚µã‚¤ãƒˆ: Ruby Inside 2017/10/23: åˆç‰ˆå…¬é–‹ 2021/11/26: æ›´æ–° ç¾åœ¨Railsã‚’ä½¿ã£ã¦ã„ã‚Œã°CSRFä¿è·ã‚’ä½¿ã†ã“ã¨ãŒã‚ã‚‹ã§ã—ã‚‡ã†ã€‚ã“ã®æ©Ÿèƒ½ã¯Railsã®ã»ã¼åˆæœŸã‹ã‚‰å˜åœ¨ã—ã€å³åº§ã«å°Žå…¥ã—ã¦é–‹ç™ºã‚’æ¥½ã«ã§ãã‚‹Railsã®æ©Ÿèƒ½ã®ã²ã¨ã¤ã§ã™ã€‚ CSRFï¼ˆCross-Site Request Forgeryï¼‰ã‚’ç°¡å˜ã«èª¬æ˜Žã™ã‚‹ã¨ã€æ‚ªæ„ã®ã‚ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒã‚µãƒ¼ãƒãƒ¼ã¸ã®ãƒªã‚¯ã‚¨ã‚¹ãƒˆã‚’æé€ ã—ã¦æ£å½“ãªã‚‚ã®ã«è¦‹ã›ã‹ã‘ã€èªè¨¼æ¸ˆã¿ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’è£…ã†ã¨ã„ã†æ”»æ’ƒæ‰‹æ³•ã§ã™ã€‚Railsã§ã¯ã€ä¸€æ„ã®ãƒˆãƒ¼ã‚¯ãƒ³ã‚’ç”Ÿæˆã—ã¦é€ä¿¡ã®ãŸã³ã«çœŸæ£æ€§ã‚’ç¢ºèªã™ã‚‹ã“ã¨ã§ã“ã®ç¨®ã®æ”»æ’ƒã‹ã‚‰ä¿è·ã—ã¾ã™ã€‚ æœ€è¿‘ç§ãŒUnboun
kiyo_hiko 2017/10/24
rails

csrf

ã—ãã¿
ãƒªãƒ³ã‚¯
Proper way to send an Authenticity Token with AJAX to Rails
This works but gets stopped because it lacks an authenticity token: $(".ajax-referral").click(function(){ $.ajax({type: "POST", url: $(this).parent("form").attr("action"), dataType: "script"}); return false; }); So I tried adding it like so: $(".ajax-referral").click(function(){ $.ajax({type: "POST", url: $(this).parent("form").attr("action") + "?&authenticity_token=" + AUTH_TOKEN, dataType: "scri
kiyo_hiko 2016/04/18
js

csrf

ajax
ãƒªãƒ³ã‚¯
How can I make Sinatra use CSRF Authenticity tokens?
I'm building a simple app in ruby using the Sinatra framework. It's mainly "get" based - most requests will be for listing data. However there are a couple of key screens in the app that will collect user input. I want to ensure the app is as safe as I can make it, and currently, trying to find how to implement the kind of authenticity tokens that you get in a Rails form? Where I've got to: Well,
kiyo_hiko 2016/04/18
rack

sinatra

padrino

csrf

ajax
ãƒªãƒ³ã‚¯
WARN - attack prevented by Rack::Protection::AuthenticityToken Â· Issue #1251 Â· padrino/padrino-framework
kiyo_hiko 2016/04/18
Ajaxã§POSTã«ãƒªã‚¯ã‚¨ã‚¹ãƒˆãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ãƒ¼æ¸¡ãã†ã¨ã—ãŸã‚‰ã‚»ã‚ãƒ¥ã‚¢ãƒˆãƒ¼ã‚¯ãƒ³ã®å•é¡Œã§ãƒˆãƒ©ãƒ–ãƒƒã‚¿â€¦ï¼( ^x^)ï¼¼

padrino

sinatra

csrf

request

parameter

ajax
ãƒªãƒ³ã‚¯
è¶…çµ¶æŠ€å·§CSRF / Shibuya.XSS techtalk #7
CSRF, HTML Form Protocol Attack, Cross-protocol scripting attackã«ã¤ã„ã¦
kiyo_hiko 2016/03/29
csrf
ãƒªãƒ³ã‚¯
IPA ã‚¦ã‚§ãƒ–å¥åº·è¨ºæ–ä»•æ§˜ã‚’ä½¿ã£ãŸWebã‚¢ãƒ—ãƒªè„†å¼±æ€§æ¤œæŸ»(CSRFç·¨)
Software WebSecurity IPA ã‚¦ã‚§ãƒ–å¥åº·è¨ºæ–ä»•æ§˜ã‚’ä½¿ã£ãŸWebã‚¢ãƒ—ãƒªè„†å¼±æ€§æ¤œæŸ»(CSRFç·¨)â€»å½“ã‚µã‚¤ãƒˆã«ã¯ãƒ—ãƒãƒ¢ãƒ¼ã‚·ãƒ§ãƒ³ãŒå«ã¾ã‚Œã¦ã„ã¾ã™ã€‚ è¨ºæ–å†…å®¹ã‚¦ã‚§ãƒ–å¥åº·è¨ºæ–ä»•æ§˜.pdf ã‚ˆã‚ŠæŠœç²‹ è¨ºæ–ã™ã‚‹ç’°å¢ƒã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆOSï¼šOS Xãƒ–ãƒ©ã‚¦ã‚¶ï¼šFirefox (OWASP ZAPã«å¯¾ã™ã‚‹ãƒ—ãƒã‚ã‚·è¨å®šã¯æ¸ˆã‚“ã§ã„ã‚‹ã‚‚ã®ã¨ã—ã¾ã™)HTTPé€šä¿¡ã‚’è¨˜éŒ²ã™ã‚‹ãƒ„ãƒ¼ãƒ«ï¼šOWASP ZAPè¨ºæ–å¯¾è±¡ã¨ãªã‚‹Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ï¼šVirtualBoxã§å°Žå…¥ã—ãŸ OWASP BWAä¸Šã®DVWA(Damn Vulnerable Web Application)OWASP BWAã®IPã‚¢ãƒ‰ãƒ¬ã‚¹ï¼š192.168.0.50â€» OWASP BWAã€DVWA(Damn Vulnerable Web Application) ã«ã¤ã„ã¦ã¯ã€ã“ã¡ã‚‰ã®è¨˜äº‹ OWASP BWA (The Broken Web Applica
kiyo_hiko 2015/10/09
ipa

security

impl

csrf
ãƒªãƒ³ã‚¯
rack-protection ã¨ã¯ - Qiita
rack-protection ã¨ã¯ï¼ŒSinatra é–¢é€£ã®ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ (sinatra-contrib ãªã©) ã‚’å¤šæ•°ä½œã£ã¦ã‚‹ rkh æ°ã®ãƒ—ãƒãƒ€ã‚¯ãƒˆã®ä¸€ã¤ã§ï¼ŒRack ã«çµ„ã¿è¾¼ã‚€ã ã‘ã§ã„ãã¤ã‹ã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹é˜²å¾¡ã‚’ã—ã¦ãã‚Œã‚‹ Rack middleware ã§ã™ã€‚ ã„ã‹ãŒã‹ãªã¨æ€ã†ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã‚‚ã‚ã‚Šã¾ã™ãŒï¼ŒåŸºæœ¬çš„ã«ãã†ã„ã†ã®ã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ç„¡åŠ¹åŒ–ã•ã‚Œã¦ã¾ã™ã—ï¼ŒFrameOptions ã‚„ XSSHeader ã®ã‚ˆã†ã«ã€Œã¨ã‚Šã‚ãˆãšå…¥ã‚Œã¨ã„ã¦ã‚‚å‰¯ä½œç”¨ãªã„ã—å®ŸåŠ¹æ€§ãŒã‚ã‚‹ã€ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã‚‚å¤šã„ã®ã§ï¼Œã¨ã‚Šã‚ãˆãšã„ã‚Œã¨ãã¨ã„ã†ã‚¹ã‚¿ãƒ³ã‚¹ã§ã‚‚ã‚ˆã„ã®ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ã€‚ ä½¿ã„æ–¹ ã–ã£ãã‚Šã¨çœç•¥ã€‚ ã¨ã‚Šã‚ãˆãšèª¬æ˜Žãƒšãƒ¼ã‚¸ã«ã‚ã‚‹ã‚ˆã†ã«ï¼Œconfig.ru ã«æ›¸ãå ´åˆï¼Œ ãªæ„Ÿã˜ã§ä½¿ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ã“ã® Rack::Protection ã‚’ use ã™ã‚‹ã¨ï¼Œãƒãƒ³ãƒ‰ãƒ«ã•ã‚Œã¦ã„ã‚‹ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆ (middlew
kiyo_hiko 2015/09/07
Padrinoã ã¨ãƒ‡ãƒ•ã‚©

rack

csrf

padrino
ãƒªãƒ³ã‚¯
If I add multiple forms in a single page, do I need to add separate Anti-Forgery Tokens in each form?
kiyo_hiko 2015/08/10
"Simply put an Html.AntiForgeryToken() in each form and decorate each controller action you are posting to with the [ValidateAntiForgeryToken] attribute and you should be OK." â†’ ä¾‹å¤–ãŒé£›ã‚“ã§ãã‚‹ã€‚ã€‚

asp

dotnet

mvc

antiforgerytoken

csrf
ãƒªãƒ³ã‚¯
é–‹ç™ºè€…ã®ãŸã‚ã®æ£ã—ã„CSRFå¯¾ç–
è‘—è€…: é‡‘åºŠ <anvil@jumperz.net> http://www.jumperz.net/ â– ã¯ã˜ã‚ã« ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é–‹ç™ºè€…ã®ç«‹å ´ã‹ã‚‰è¦‹ãŸCSRFå¯¾ç–ã«ã¤ã„ã¦ã€ã•ã¾ã–ã¾ãªæƒ…å ±ãŒå…¥ã‚Šä¹±ã‚Œã¦ã„ã‚‹ã€‚ç†è€…ãŒ2006å¹´3æœˆã®æ™‚ç‚¹ã«ãŠã„ã¦å›½å†…ã®ã‚¦ã‚§ãƒ–ã‚µ ã‚¤ãƒˆã‚„ã‚³ãƒ³ãƒ”ãƒ¥ãƒ¼ã‚¿æ›¸ç±ãƒ»é›‘èªŒãªã©ã§CSRFå¯¾ç–ã«ã¤ã„ã¦æ›¸ã‹ã‚Œã¦ã„ã‚‹è¨˜äº‹ã‚’èª¿ã¹ãŸçµæžœã€ãŠã©ã‚ãã¹ãã“ã¨ã«ã€ãã®ã»ã¨ã‚“ã©ãŒèª¤ã‚Šã‚’å«ã‚“ã§ã„ãŸã‚Šã€ç¾å®Ÿçš„ ã«ã¯ä½¿ç”¨ã§ããªã„æ–¹æ³•ã‚’ç´¹ä»‹ã—ãŸã‚Šã—ã¦ã„ãŸã€‚ãã“ã§æœ¬ç¨¿ã§ã¯ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é–‹ç™ºè€…ã«ã¨ã£ã¦ã®æœ¬å½“ã«æ£ã—ã„CSRFå¯¾ç–ã«ã¤ã„ã¦ã¾ã¨ã‚ã‚‹ã“ã¨ã¨ã™ ã‚‹ã€‚ã¾ãŸã€æŽ¡ç”¨ã™ã¹ãã§ãªã„CSRFå¯¾ç–ã¨ãã®ç†ç”±ã‚‚åˆã‚ã›ã¦ç´¹ä»‹ã™ã‚‹ã€‚ â– ã‚ã‚‰ã‚†ã‚‹æ©Ÿèƒ½ãŒã‚¿ãƒ¼ã‚²ãƒƒãƒˆã¨ãªã‚Šã†ã‚‹ ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®æŒã¤å…¨ã¦ã®æ©Ÿèƒ½ãŒCSRFæ”»æ’ƒã®å¯¾è±¡ã¨ãªã‚Šã†ã‚‹ã€‚ã¾ãšã“ã®ã“ã¨ã‚’èªè˜ã—ã¦ãŠãå¿…è¦ãŒã‚ã‚‹ã€‚ Amaz
kiyo_hiko 2012/10/08
security

csrf
ãƒªãƒ³ã‚¯
1