[B! WebSocket] ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ionis id:ionis

WebSocketã«é–¢ã™ã‚‹ionisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (7)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

OWASP Top 10 Details About WebSocket Vulnerabilities and Mitigations - SecureLayer7
ionis 2018/10/24
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

WebSocket
ãƒªãƒ³ã‚¯
ã‚µãƒ¼ãƒã‹ã‚‰ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã«é€ä¿¡ã™ã‚‹æŠ€è¡“ - WebSocketã‚’ä¸å¿ƒã« - Qiita
Deleted articles cannot be recovered. Draft of this article would be also deleted. Are you sure you want to delete this article? Webã§ã®ãƒ—ãƒƒã‚·ãƒ¥æŠ€è¡“ HTTPã¯ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆï¼ˆãƒ–ãƒ©ã‚¦ã‚¶ï¼‰ã‹ã‚‰ãƒªã‚¯ã‚¨ã‚¹ãƒˆã—ã¦ã‚µãƒ¼ãƒã‹ã‚‰ãƒ¬ã‚¹ãƒãƒ³ã‚¹ãŒè¿”ã‚‹ä¸€å•ä¸€ç”åž‹ã®ãƒ—ãƒãƒˆã‚³ãƒ«ãªã®ã§ã€åŸºæœ¬çš„ã«ã¯ã‚µãƒ¼ãƒå´ã‹ã‚‰ãƒ–ãƒ©ã‚¦ã‚¶ã«æ–°ç€æƒ…å ±ã‚’ãƒªã‚¢ãƒ«ã‚¿ã‚¤ãƒ ã§é€šçŸ¥ï¼ˆãƒ—ãƒƒã‚·ãƒ¥ï¼‰ã§ãã‚‹ã‚ˆã†ã«ã¯ã§ãã¦ã„ã¾ã›ã‚“ã€‚ ã—ã‹ã—ãã‚Œã§ã‚‚ãƒ—ãƒƒã‚·ãƒ¥ã‚’ã—ãŸã„ã¨ã„ã†å ´åˆã«ã©ã†ã™ã‚‹ã‹ã¨ã„ã†è©±ãŒå‡ºã¦ãã¾ã™ã€‚ã‚„ã‚Šæ–¹ã«ã¯ä»¥ä¸‹ã®ã‚ˆã†ãªã‚‚ã®ãŒã‚ã‚Šã¾ã™ã€‚ ãƒãƒ¼ãƒªãƒ³ã‚° ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã‹ã‚‰ã‚µãƒ¼ãƒã«å®šæœŸçš„ã«æ–°ç€ã‚’å•ã„åˆã‚ã›ã‚‹ã‚ˆã†ã«ã—ã¾ã™ã€‚ æœ€ã‚‚åŽŸå§‹çš„ã‹ã¤ç¢ºå®Ÿãªã‚„ã‚Šæ–¹ã€‚æ¬ ç‚¹ã¯ã€æœ€å¤§ã§ãƒãƒ¼ãƒªãƒ³ã‚°é–“éš”ã®åˆ†ã ã‘é€šçŸ¥ãŒé…å»¶ã—ã†ã‚‹ã“ã¨ã§ã™ã€‚ ãƒãƒ³ã‚°ãƒãƒ¼ãƒªãƒ³ã‚°ï¼ˆâ€œC
ionis 2018/08/10
WebSocket

HTTP

squid
ãƒªãƒ³ã‚¯
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token - Detectify Labs
Hacking Slack using postMessage and WebSocket-reconnect to steal your precious token TLDR; I was able to create a malicious page that would reconnect your Slack WebSocket to my own WebSocket to steal your private Slack token. Slack fixed the bug in 5 hours (on a Friday) and paid me $3,000 for it. Recently a bug I found in Slack was published on HackerOne and I wanted to explain it, and the method
ionis 2017/03/03
è„†å¼±æ€§

Slack

WebSocket
ãƒªãƒ³ã‚¯
WebSocket Echo Server
WebSocket Echo Server We run a free very simple endpoint server with support for websockets and server-sent events (SSE) so that you can test your websocket and SSE clients easily. The server is designed for testing HTTP proxies and clients. It echoes information about HTTP request headers and bodies back to the client. The endpoint is https://echo.websocket.org/ Behavior Any messages sent from a
ionis 2015/09/14
WebSocket

ãƒã‚§ãƒƒã‚¯
ãƒªãƒ³ã‚¯
WebSocketã‚’ç ”ç©¶ã—ã¦ã¿ãŸ | ãƒ¯ãƒ¼ã‚¯ãƒ•ãƒãƒ¼ã‚·ã‚§ã‚¢No.1ã€€æ ªå¼ä¼šç¤¾ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰
ã“ã‚“ã«ã¡ã¯ï¼ã€€ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰æŠ€è¡“éƒ¨å’Œç”°ã§ã™ï¼ ã‚¨ã‚¤ãƒˆãƒ¬ãƒƒãƒ‰ã§ã¯æ¯Žæœˆãƒ†ãƒ¼ãƒžã‚’æ±ºã‚ã¦ã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãŒæŒã¡å›žã‚Šã§å‹‰å¼·ä¼šã‚’å®Ÿæ–½ã—ã¦ã„ã¾ã™ã€‚ ä¸–é–“ã‹ã‚‰ã¯ï¼“é€±ãã‚‰ã„é…ã‚Œã¦ã‚‹æ°—ã‚‚ã—ã¾ã™ãŒã€å…ˆæ—¥ã¯WebSocketã‚’ãƒ†ãƒ¼ãƒžã«å‹‰å¼·ä¼šã‚’ è¡Œã„ã¾ã—ãŸã®ã§ã€ä»Šå›žãã®å†…å®¹ã‚’ãƒ€ã‚¤ã‚¸ã‚§ã‚¹ãƒˆç‰ˆã§ãŠé€ã‚Šã—ã¾ã™ã€‚ 1ï¼ŽWebSocketã¨ã¯ï¼Ÿ ãã‚‚ãã‚‚WebSocketã¨ã¯ä½•ãªã®ã§ã—ã‚‡ã†ã‹ï¼Ÿ WebSocketã¨ã¯ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆï¼ˆãƒ–ãƒ©ã‚¦ã‚¶ï¼‰ã¨ã‚µãƒ¼ãƒé–“ã§ æœ¬å½“ã®æ„å‘³ã§ã®å…¨äºŒé‡ï¼ˆåŒæ–¹å‘ï¼‰é€šä¿¡ã‚’è¡Œã†ãŸã‚ã®ãƒ—ãƒãƒˆã‚³ãƒ«ã§ã™ã€‚ ã‚‚ã¨ã‚‚ã¨ã¯HTML5ã®ä¸€éƒ¨ã¨ã—ã¦ã€ä»•æ§˜ã®ç–å®šãŒé€²ã‚ã‚‰ã‚Œã¦ã„ã¾ã—ãŸãŒ ãã®å¾Œç‹¬ç«‹ã—ã€å˜ä½“ã®ãƒ—ãƒãƒˆã‚³ãƒ«ã¨ã—ã¦ä»•æ§˜ç–å®šãŒé€²ã‚ã‚‰ã‚Œã¦ã„ã¾ã™ã€‚ WebSocketã®ç‰¹å¾´ã¨ã—ã¦ã¯æ¬¡ã®ç‚¹ãŒã‚ã’ã‚‰ã‚Œã¾ã™ã€‚ TCPä¸Šã§å‹•ä½œ ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãƒãƒ¼ãƒˆã¯ 80ç•ª ã¾ãŸã¯ 443ç•ª æ˜Žç¤ºçš„ã«åˆ‡æ–ã—ãªã„é™ã‚ŠæŽ¥ç¶šã•ã‚Œç¶šã‘ã‚‹â‡’åŠ¹çŽ‡çš„ã«åŒæ–¹å‘é€šä¿¡ãŒ
ionis 2015/09/14
WebSocket

è§£èª¬
ãƒªãƒ³ã‚¯
ã‚³ãƒ©ãƒ - Ruby ï¼† Rails | ç¬¬12å›žã€€WebSocketã§ã‚µãƒ¼ãƒãƒ—ãƒƒã‚·ãƒ¥ï½œCTCæ•™è‚²ã‚µãƒ¼ãƒ“ã‚¹ ç ”ä¿®/ãƒˆãƒ¬ãƒ¼ãƒ‹ãƒ³ã‚°
[ITç ”ä¿®]æ³¨ç›®ã‚ãƒ¼ãƒ¯ãƒ¼ãƒ‰ Python UiPath(RPA) æœ€æ–°æŠ€è¡“å‹•å‘ Microsoft Azure Docker Kubernetes ç¬¬12å›žã€€WebSocketã§ã‚µãƒ¼ãƒãƒ—ãƒƒã‚·ãƒ¥ (æ¾æ°¸ç´˜) 2014å¹´3æœˆ 2/18ã«Rails3.2.17ã€4.0.3ã€åŠã³4.1.0.beta2ï¼ˆ*1ï¼‰ãŒãƒªãƒªãƒ¼ã‚¹ã•ã‚Œã¾ã—ãŸï¼ˆ*2ï¼‰ã€‚ã“ã‚Œã‚‰ã¯å‰å›žã®ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆåŒæ§˜ã€DoSæ”»æ’ƒã‚„XSSã®è„†å¼±æ€§ã«å¯¾ã™ã‚‹ç·Šæ€¥åº¦ã®é«˜ã„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ•ã‚£ãƒƒã‚¯ã‚¹ã®ã‚ˆã†ã§ã™ã®ã§ã€ã§ãã‚‹ã ã‘æ—©ãã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã™ã‚‹ã“ã¨ã‚’ãŠå‹§ã‚ã„ãŸã—ã¾ã™ã€‚ ã•ã¦è©±ã¯å¤‰ã‚ã‚Šã¾ã™ãŒã€1/25ï½ž26ã«ã‹ã‘ã¦é–‹å‚¬ã•ã‚ŒãŸã€ŒSECCON 2013 CTF ã‚ªãƒ³ãƒ©ã‚¤ãƒ³äºˆé¸ï¼ˆ*3ï¼‰ã€ã«å‚åŠ ã—ã¦ã¿ã¾ã—ãŸã€‚ã“ã®äºˆé¸ã¯ã€ŽIT æŠ€è¡“ã‚„ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«é–¢ã™ã‚‹5ã¤ã®ã‚¸ãƒ£ãƒ³ãƒ«ã€Œãƒ•ã‚©ãƒ¬ãƒ³ã‚¸ãƒƒã‚¯ã‚¹ã€ã€Œãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ãƒ»æš—å·ã€ã€Œãƒã‚¤ãƒŠãƒªã€ã€Œãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ãƒ»Webã€ã€Œãã®ä»–ãƒ»ãƒˆãƒªãƒ“ã‚¢ã€ã‹ã‚‰è¨ˆ2
ionis 2015/09/14
WebSocket

è§£èª¬
ãƒªãƒ³ã‚¯
ã“ã‚Œã¯é¢ç™½ã„ã€‚WebSocketã‚’ä½¿ã£ãŸWebãƒ™ãƒ¼ã‚¹ã®ã‚¿ãƒ¼ãƒŸãƒŠãƒ«Â·ws-io MOONGIFT
ws-ioã¯WebSocketã¨I/Oã‚’çµ„ã¿åˆã‚ã›ã‚‹ã“ã¨ã§Webãƒ™ãƒ¼ã‚¹ã®ã‚¿ãƒ¼ãƒŸãƒŠãƒ«ã‚’å®Ÿç¾ã™ã‚‹ã€‚ ws-ioã¯Rubyè£½ã®ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ãƒ»ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã€‚HTML5ã§æ–°ã—ãç™»å ´ã—ãŸæ©Ÿèƒ½ã¯å¹¾ã¤ã‚‚ã‚ã‚‹ãŒã€ãã®ä¸ã§ã‚‚ç‰¹æ®Šãªä½ç½®ã«ã‚ã‚‹ã®ãŒWebSocketã§ã¯ãªã„ã ã‚ã†ã‹ï¼ˆä»•æ§˜ã‹ã‚‰ã¯åˆ‡ã‚Šé›¢ã•ã‚Œã¦ã„ã‚‹ãŒï¼‰ã€‚ã“ã‚Œã¾ã§ã«ãªã‹ã£ãŸã‚½ã‚±ãƒƒãƒˆé€šä¿¡ã‚’ã©ã†æ´»ã‹ã™ã‹ãŒå•é¡Œã ã€‚ Webä¸Šã§irb ãã®ãŸã‚ã€å‡ºã¦ã„ã‚‹ã‚‚ã®ã‚‚ãƒãƒ£ãƒƒãƒˆãã‚‰ã„ãŒãƒ¡ã‚¤ãƒ³ã§ã€ã¾ã ã¾ã æ¨¡ç´¢ã—ã¦ã„ã‚‹æ®µéšŽã ã€‚ãã®ã‚ˆã†ãªæ™‚æœŸã«ã¯ã¨ã«ã‹ãè‰²ã€…ãªã‚‚ã®ã‚’ä½œã‚Šã€ãã®ä¸ã§æœ€ã‚‚ãƒžãƒƒãƒã—ã¦ã„ã‚‹ã¨æ€ã‚ã‚Œã‚‹ã‚‚ã®ã‚’è¦‹æ¥µã‚ãªã‘ã‚Œã°ãªã‚‰ãªã„ã€‚ä»Šå›žã¯ãã®ä¸€ã¤ã€ws-ioã‚’ç´¹ä»‹ã—ã‚ˆã†ã€‚ ws-ioã¯WebSocketã¨ã‚µãƒ¼ãƒã®I/Oã‚’ã¤ãªã’ã¦ã—ã¾ã†ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã ã€‚ä¾‹ãˆã°Shellã¨ã¤ãªã’ã¦ã—ã¾ã†ã“ã¨ã§ã€Webãƒ–ãƒ©ã‚¦ã‚¶ä¸Šã«ã‚¿ãƒ¼ãƒŸãƒŠãƒ«ãŒç«‹ã¡ä¸ŠãŒã‚‹ã¨è¨€ã£ãŸå…·åˆã ã€‚WebSocketã§ç¹‹ãŒã£ã¦
ionis 2011/03/03
HTML5

ruby

WebSocket
ãƒªãƒ³ã‚¯
1