[B! WebSocket] ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ionis id:ionis

WebSocketã«é–¢ã™ã‚‹ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (7)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

OWASP Top 10 Details About WebSocket Vulnerabilities and Mitigations - SecureLayer7
ionis 2018/10/24
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

WebSocket
ãƒªãƒ³ã‚¯
ã‚µãƒ¼ãƒã‹ã‚‰ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã«é€ä¿¡ã™ã‚‹æŠ€è¡“ - WebSocketã‚’ä¸å¿ƒã« - Qiita
Deleted articles cannot be recovered. Draft of this article would be also deleted. Are you sure you want to delete this article? Webã§ã®ãƒ—ãƒƒã‚·ãƒ¥æŠ€è¡“ HTTPã¯ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆï¼ˆãƒ–ãƒ©ã‚¦ã‚¶ï¼‰ã‹ã‚‰ãƒªã‚¯ã‚¨ã‚¹ãƒˆã—ã¦ã‚µãƒ¼ãƒã‹ã‚‰ãƒ¬ã‚¹ãƒãƒ³ã‚¹ãŒè¿”ã‚‹ä¸€å•ä¸€ç”åž‹ã®ãƒ—ãƒãƒˆã‚³ãƒ«ãªã®ã§ã€åŸºæœ¬çš„ã«ã¯ã‚µãƒ¼ãƒå´ã‹ã‚‰ãƒ–ãƒ©ã‚¦ã‚¶ã«æ–°ç€æƒ…å ±ã‚’ãƒªã‚¢ãƒ«ã‚¿ã‚¤ãƒ ã§é€šçŸ¥ï¼ˆãƒ—ãƒƒã‚·ãƒ¥ï¼‰ã§ãã‚‹ã‚ˆã†ã«ã¯ã§ãã¦ã„ã¾ã›ã‚“ã€‚ ã—ã‹ã—ãã‚Œã§ã‚‚ãƒ—ãƒƒã‚·ãƒ¥ã‚’ã—ãŸã„ã¨ã„ã†å ´åˆã«ã©ã†ã™ã‚‹ã‹ã¨ã„ã†è©±ãŒå‡ºã¦ãã¾ã™ã€‚ã‚„ã‚Šæ–¹ã«ã¯ä»¥ä¸‹ã®ã‚ˆã†ãªã‚‚ã®ãŒã‚ã‚Šã¾ã™ã€‚ ãƒãƒ¼ãƒªãƒ³ã‚° ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã‹ã‚‰ã‚µãƒ¼ãƒã«å®šæœŸçš„ã«æ–°ç€ã‚’å•ã„åˆã‚ã›ã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚ æœ€ã‚‚åŽŸå§‹çš„ã‹ã¤ç¢ºå®Ÿãªã‚„ã‚Šæ–¹ã€‚æ¬ ç‚¹ã¯ã€æœ€å¤§ã§ãƒãƒ¼ãƒªãƒ³ã‚°é–“éš”ã®åˆ†ã ã‘é€šçŸ¥ãŒé…å»¶ã—ã†ã‚‹ã“ã¨ã§ã™ã€‚ ãƒãƒ³ã‚°ãƒãƒ¼ãƒªãƒ³ã‚°ï¼ˆâ€œC
ionis 2018/08/10
WebSocket

HTTP

squid
ãƒªãƒ³ã‚¯
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token - Detectify Labs
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token TLDR; I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it. Recently a bug I found in Slack was published on HackerOne and I wanted to explain it, and the method
ionis 2017/03/03
è„†å¼±æ€§

Slack

WebSocket
ãƒªãƒ³ã‚¯
WebSocket Echo Server - Free Testing Tool for Real-Time Applications
The WebSocket Echo Server at echo.websocket.org is a free, publ icly available testing endpoint that has become an essential tool for developers working with real-time web techno logies. This server provides instant echo responses for WebSocket connections, Server-Sent Events (SSE), and standard HTTP requests, making it invaluable for testing, debugging, and validating real-time implementations. Unl
ionis 2015/09/14
WebSocket

ãƒã‚§ãƒƒã‚¯
ãƒªãƒ³ã‚¯
WebSocketã‚’ç ”ç©¶ã—ã¦ã¿ãŸ | ãƒ¯ãƒ¼ã‚¯ãƒ•ãƒãƒ¼ã‚·ã‚§ã‚¢No.1ã€€æ ªå¼ä¼šç¤¾ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰
ã“ã‚“ã«ã¡ã¯ï¼ã€€ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰æŠ€è¡“éƒ¨å’Œç”°ã§ã™ï¼ ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰ã§ã¯æ¯Žæœˆãƒ†ãƒ¼ãƒžã‚’æ±ºã‚ã¦ã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒæŒã¡å›žã‚Šã§å‹‰å¼·ä¼šã‚’å®Ÿæ–½ã—ã¦ã„ã¾ã™ã€‚ ä¸–é–“ã‹ã‚‰ã¯ï¼“é€±ãã‚‰ã„é…ã‚Œã¦ã‚‹æ°—ã‚‚ã—ã¾ã™ãŒã€å…ˆæ—¥ã¯WebSocketã‚’ãƒ†ãƒ¼ãƒžã«å‹‰å¼·ä¼šã‚’ è¡Œã„ã¾ã—ãŸã®ã§ã€ä»Šå›žãã®å†…å®¹ã‚’ãƒ€ã‚¤ã‚¸ã‚§ã‚¹ãƒˆç‰ˆã§ãŠé€ã‚Šã—ã¾ã™ã€‚ 1ï¼ŽWebSocketã¨ã¯ï¼Ÿ ãã‚‚ãã‚‚WebSocketã¨ã¯ä½•ãªã®ã§ã—ã‚‡ã†ã‹ï¼Ÿ WebSocketã¨ã¯ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆï¼ˆãƒ–ãƒ©ã‚¦ã‚¶ï¼‰ã¨ã‚µãƒ¼ãƒé–“ã§ æœ¬å½“ã®æ„å‘³ã§ã®å…¨äºŒé‡ï¼ˆåŒæ–¹å‘ï¼‰é€šä¿¡ã‚’è¡Œã†ãŸã‚ã®ãƒ—ãƒãƒˆã‚³ãƒ«ã§ã™ã€‚ ã‚‚ã¨ã‚‚ã¨ã¯HTML5ã®ä¸€éƒ¨ã¨ã—ã¦ã€ä»•æ§˜ã®ç–å®šãŒé€²ã‚ã‚‰ã‚Œã¦ã„ã¾ã—ãŸãŒ ãã®å¾Œç‹¬ç«‹ã—ã€å˜ä½“ã®ãƒ—ãƒãƒˆã‚³ãƒ«ã¨ã—ã¦ä»•æ§˜ç–å®šãŒé€²ã‚ã‚‰ã‚Œã¦ã„ã¾ã™ã€‚ WebSocketã®ç‰¹å¾´ã¨ã—ã¦ã¯æ¬¡ã®ç‚¹ãŒã‚ã’ã‚‰ã‚Œã¾ã™ã€‚ TCPä¸Šã§å‹•ä½œ ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãƒãƒ¼ãƒˆã¯ 80ç•ª ã¾ãŸã¯ 443ç•ª æ˜Žç¤ºçš„ã«åˆ‡æ–ã—ãªã„é™ã‚ŠæŽ¥ç¶šã•ã‚Œç¶šã‘ã‚‹â‡’åŠ¹çŽ‡çš„ã«åŒæ–¹å‘é€šä¿¡ãŒ
ionis 2015/09/14
WebSocket

è§£èª¬
ãƒªãƒ³ã‚¯
ã‚³ãƒ©ãƒ - Ruby ï¼† Rails | ç¬¬12å›žã€€WebSocketã§ã‚µãƒ¼ãƒãƒ—ãƒƒã‚·ãƒ¥ï½œCTCæ•™è‚²ã‚µãƒ¼ãƒ“ã‚¹ ç ”ä¿®/ãƒˆãƒ¬ãƒ¼ãƒ‹ãƒ³ã‚°
[ITç ”ä¿®]æ³¨ç›®ã‚ãƒ¼ãƒ¯ãƒ¼ãƒ‰ Python UiPath(RPA) æœ€æ–°æŠ€è¡“å‹•å‘ Microsoft Azure Docker Kubernetes ç¬¬12å›žã€€WebSocketã§ã‚µãƒ¼ãƒãƒ—ãƒƒã‚·ãƒ¥ (æ¾æ°¸ç´˜) 2014å¹´3æœˆ 2/18ã«Rails3.2.17ã€4.0.3ã€åŠã³4.1.0.beta2ï¼ˆ*1ï¼‰ãŒãƒªãƒªãƒ¼ã‚¹ã•ã‚Œã¾ã—ãŸï¼ˆ*2ï¼‰ã€‚ã“ã‚Œã‚‰ã¯å‰å›žã®ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆåŒæ§˜ã€DoSæ”»æ’ƒã‚„XSSã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹ç·Šæ€¥åº¦ã®é«˜ã„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ•ã‚£ãƒƒã‚¯ã‚¹ã®ã‚ˆã†ã§ã™ã®ã§ã€ã§ãã‚‹ã ã‘æ—©ãã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã™ã‚‹ã“ã¨ã‚’ãŠå‹§ã‚ã„ãŸã—ã¾ã™ã€‚ ã•ã¦è©±ã¯å¤‰ã‚ã‚Šã¾ã™ãŒã€1/25ï½ž26ã«ã‹ã‘ã¦é–‹å‚¬ã•ã‚ŒãŸã€ŒSECCON 2013 CTF ã‚ªãƒ³ãƒ©ã‚¤ãƒ³äºˆé¸ï¼ˆ*3ï¼‰ã€ã«å‚åŠ ã—ã¦ã¿ã¾ã—ãŸã€‚ã“ã®äºˆé¸ã¯ã€ŽIT æŠ€è¡“ã‚„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«é–¢ã™ã‚‹5ã¤ã®ã‚¸ãƒ£ãƒ³ãƒ«ã€Œãƒ•ã‚©ãƒ¬ãƒ³ã‚¸ãƒƒã‚¯ã‚¹ã€ã€Œãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ãƒ»æš—å·ã€ã€Œãƒã‚¤ãƒŠãƒªã€ã€Œãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãƒ»Webã€ã€Œãã®ä»–ãƒ»ãƒˆãƒªãƒ“ã‚¢ã€ã‹ã‚‰è¨ˆ2
ionis 2015/09/14
WebSocket

è§£èª¬
ãƒªãƒ³ã‚¯
ã“ã‚Œã¯é¢ç™½ã„ã€‚WebSocketã‚’ä½¿ã£ãŸWebãƒ™ãƒ¼ã‚¹ã®ã‚¿ãƒ¼ãƒŸãƒŠãƒ«Â·ws-io MOONGIFT
ws-ioã¯WebSocketã¨I/Oã‚’çµ„ã¿åˆã‚ã›ã‚‹ã“ã¨ã§Webãƒ™ãƒ¼ã‚¹ã®ã‚¿ãƒ¼ãƒŸãƒŠãƒ«ã‚’å®Ÿç¾ã™ã‚‹ã€‚ ws-ioã¯Rubyè£½ã®ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ãƒ»ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã€‚HTML5ã§æ–°ã—ãç™»å ´ã—ãŸæ©Ÿèƒ½ã¯å¹¾ã¤ã‚‚ã‚ã‚‹ãŒã€ãã®ä¸ã§ã‚‚ç‰¹æ®Šãªä½ç½®ã«ã‚ã‚‹ã®ãŒWebSocketã§ã¯ãªã„ã ã‚ã†ã‹ï¼ˆä»•æ§˜ã‹ã‚‰ã¯åˆ‡ã‚Šé›¢ã•ã‚Œã¦ã„ã‚‹ãŒï¼‰ã€‚ã“ã‚Œã¾ã§ã«ãªã‹ã£ãŸã‚½ã‚±ãƒƒãƒˆé€šä¿¡ã‚’ã©ã†æ´»ã‹ã™ã‹ãŒå•é¡Œã ã€‚ Webä¸Šã§irb ãã®ãŸã‚ã€å‡ºã¦ã„ã‚‹ã‚‚ã®ã‚‚ãƒãƒ£ãƒƒãƒˆãã‚‰ã„ãŒãƒ¡ã‚¤ãƒ³ã§ã€ã¾ã ã¾ã æ¨¡ç´¢ã—ã¦ã„ã‚‹æ®µéšŽã ã€‚ãã®ã‚ˆã†ãªæ™‚æœŸã«ã¯ã¨ã«ã‹ãè‰²ã€…ãªã‚‚ã®ã‚’ä½œã‚Šã€ãã®ä¸ã§æœ€ã‚‚ãƒžãƒƒãƒã—ã¦ã„ã‚‹ã¨æ€ã‚ã‚Œã‚‹ã‚‚ã®ã‚’è¦‹æ¥µã‚ãªã‘ã‚Œã°ãªã‚‰ãªã„ã€‚ä»Šå›žã¯ãã®ä¸€ã¤ã€ws-ioã‚’ç´¹ä»‹ã—ã‚ˆã†ã€‚ ws-ioã¯WebSocketã¨ã‚µãƒ¼ãƒã®I/Oã‚’ã¤ãªã’ã¦ã—ã¾ã†ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã ã€‚ä¾‹ãˆã°Shellã¨ã¤ãªã’ã¦ã—ã¾ã†ã“ã¨ã§ã€Webãƒ–ãƒ©ã‚¦ã‚¶ä¸Šã«ã‚¿ãƒ¼ãƒŸãƒŠãƒ«ãŒç«‹ã¡ä¸ŠãŒã‚‹ã¨è¨€ã£ãŸå…·åˆã ã€‚WebSocketã§ç¹‹ãŒã£ã¦
ionis 2011/03/03
HTML5

ruby

WebSocket
ãƒªãƒ³ã‚¯
1