ã‚»ã‚ュリティエンジニアãŒæœ¬æ°—ã§ã‚ªã‚¹ã‚¹ãƒ¡ã™ã‚‹é–‹ç™ºè€…å‘ã‘コンテンツ 20é¸ - Flatt Security Blog
ç”»åƒå‡ºå…¸: 書ç±...記事ä¸ã«æŽ²è¼‰ã—ãŸè²©å£²ãƒšãƒ¼ã‚¸ / Webサイト...スクリーンショット ã¯ã˜ã‚ã« ã“ã‚“ã«ã¡ã¯ã€‚æ ªå¼ä¼šç¤¾Flatt Securityã® @toyojuni ã§ã™ã€‚ çªç„¶ã§ã™ãŒã€å¼Šç¤¾Flatt Securityã¯ã€Œé–‹ç™ºè€…ã«å¯„ã‚Šæ·»ã£ãŸã‚»ã‚ュリティã€ã‚’標榜ã—ã¦ã„ã¾ã™ã€‚Webアプリケーションãªã©ã«è„†å¼±æ€§ãŒãªã„ã‹èª¿æŸ»ã™ã‚‹ 「セã‚ュリティ診æ–〠ã«ãŠã„ã¦ã‚‚ã€ã‚»ã‚ュアコーディングå¦ç¿’プラットフォーム「KENRO〠ã«ãŠã„ã¦ã‚‚ã€ã„ã‹ã«é–‹ç™ºè€…フレンドリーãªã‚µãƒ¼ãƒ“スをæä¾›ã§ãã‚‹ã‹ã¨ã„ã†ç‚¹ã‚’大事ã«ã—ã¦ã„ã¾ã™ã€‚ ãã‚“ãªå¼Šç¤¾ã¯ãŠå®¢æ§˜ã‹ã‚‰ã•ã¾ã–ã¾ãªé–‹ç™ºã«ãŠã‘ã‚‹ã‚»ã‚ュリティã®ã‚¢ãƒ‰ãƒã‚¤ã‚¹ã‚’求ã‚られるã“ã¨ã‚‚多ã„ã®ã§ã™ãŒã€ãã®ä¸ã§ã€Œé–‹ç™ºã«å½¹ã«ç«‹ã¤ã‚»ã‚ュリティã€ã¨ã„ã†åˆ‡ã‚Šå£ã§ã¯ã€ãªã‹ãªã‹ã¾ã¨ã¾ã£ã¦ã„るリファレンス集ãŒãªã„ã¨ã„ã†èª²é¡Œã«æ°—付ã‹ã•ã‚Œã¾ã—ãŸã€‚ ãã“ã§ã€ç¤¾å†…ã§ã‚¢ãƒ³ã‚±ãƒ¼ãƒˆã‚’実施ã—ã¦ã€Œé–‹ç™ºè€…ã«ã‚ªã‚¹ã‚¹ãƒ¡ã®ã‚»
CSP Evaluator
CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing CSP policies, which is usually a manual task, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study and are aimed to
Security headers quick reference  | Articles  | web.dev
This article lists the most important security headers you can use to protect your website. Use it to understand web-based security features, learn how to implement them on your website, and as a reference for when you need a reminder. Security headers recommended for websites that handle sensitive user data: Content Security Policy (CSP) Trusted Types Security headers recommended for all websites
GitHub's CSP journey
AI & MLLearn about artificial intelligence and machine learning across the GitHub ecosystem and the wider industry. Generative AILearn how to build with generative AI. GitHub CopilotChange how you work with GitHub Copilot. LLMsEverything developers need to know about LLMs. Machine learningMachine learning tips, tricks, and best practices. How AI code generation worksExplore the capabilities and be
Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP)  | Articles  | web.dev
Mitigate cross-site scripting (XSS) with a strict Content Security Policy (CSP) Stay organized with collections Save and categorize content based on your preferences. Cross-site scripting (XSS), the ability to inject malicious scripts into a web app, has been one of the biggest web security vulnerabilities for over a decade. Content Security Policy (CSP) is an added layer of security that helps to
Web Security
The goal of this document is to help operational teams with creating secure web applications. All Mozilla sites and deployments are expected to follow the recommendations below. Use of these recommendations by the public is strongly encouraged. The Security Assurance team maintains this document as a reference guide. Table of Contents Cheat Sheet Transport Layer Security (TLS/SSL) HTTPS HTTP Stric
Mozillaã®Webã‚»ã‚ュリティガイドラインãŒä¸ã€…良ã‹ã£ãŸè©± - Qiita
最åˆã« 今ã¾ã§ã¯ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰ã®é–‹ç™ºã‚’ガシガシやã£ã¦ãŠã‚Šã€ã“ã“1å¹´ã¡ã‚‡ã£ã¨ãƒ•ãƒãƒ³ãƒˆã‚¨ãƒ³ãƒ‰ã®é–‹ç™ºã‚’ãŠã“ãªã£ã¦ã„ã¦MDNã«ç›®ã‚’通ã™æ©Ÿä¼šãŒå¢—ãˆã¦ã¾ã™ã€‚ ãã“ã§MozillaãŒå‡ºã—ã¦ã„ã‚‹Webã‚»ã‚ュリティガイドラインをèªã‚“ã§ã¿ã¦ã€ä¸ã€…良ã‹ã£ãŸã®ã§ç°¡å˜ã«ã¾ã¨ã‚ã¦ã¿ã‚ˆã†ã¨æ€ã„ã¾ã™ã€‚ ã¾ãšãƒãƒ¼ãƒˆã‚·ãƒ¼ãƒˆã¨ã„ã†ã®ãŒã‚ã£ã¦ã€å„ガイドラインã®é …ç›®ã®ã‚»ã‚ュリティ上ã®ãƒ¡ãƒªãƒƒãƒˆã‚„実装ã®é›£ã—ã•ã®ãƒ¬ãƒ™ãƒ«ã€å–り組むã¹ã優先度ãŒè¼‰ã£ã¦ã„ã¾ã™ã€‚ 基本的ã«ã‚¢ãƒ—リケーションを作æˆã™ã‚‹éš›ã¯ã“ã®ãƒãƒ¼ãƒˆã‚·ãƒ¼ãƒˆã«è¼‰ã£ã¦ã„る優先度や実装ã®é›£ã—ã•ã‚’考慮ã—ã¦ã‚»ã‚ュリティã®ç¢ºä¿ã‚’ã‚„ã£ã¦ã„ãã®ãŒè‰¯ã•ãã†ã ãªã¨æ€ã„ã¾ã—ãŸã€‚ 軽ãå„é …ç›®ã‚’çœºã‚ã¦ã„ãã¾ã™ã€‚ HTTPS 最新ã®ãƒ–ラウザã§ã‚·ã‚¹ãƒ†ãƒ ã¨é€šä¿¡ã™ã‚‹æƒ³å®šã®å ´åˆã¯Mozilla Wikiã«ã‚る最新ã®TLS構æˆãŒè‰¯ã„ã¿ãŸã„ã§ã™ã€‚ レガシーブラウザã¨ã®äº’æ›æ€§ã‚’ä¿ã¡ãŸã„å ´åˆã¯ä¸‹ä½äº’æ›ã®ã‚ã‚‹TLS構æˆãŒè‰¯ã„ã¿ãŸã„
安全ãªWebサイトをé‹ç”¨ã™ã‚‹ãŸã‚ã®ãƒã‚§ãƒƒã‚¯ãƒ„ール集 - Qiita
SSL/TLS SSL/TLSæš—å·è¨å®šã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ SSL/TLSæš—å·è¨å®šã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³(PDF) IPA(æƒ…å ±å‡¦ç†æŽ¨é€²æ©Ÿæ§‹)ãŒç™ºè¡Œã—ã¦ã„ã‚‹ã€SSLè¨å®šã®ã‚¬ã‚¤ãƒ‰ãƒ©ã‚¤ãƒ³ã§ã™ã€‚(PDF) 全部é‡è¦ã§ã™ãŒã€ã‹ãªã‚Šé•·ã„ã®ã§ 高セã‚ュリティ型ã€æŽ¨å¥¨ã‚»ã‚ュリティ型ã§ã®æš—å·ã‚¹ã‚¤ãƒ¼ãƒˆã®è©³ç´°è¦æ±‚è¨å®š を見ã¦ä¸‹ã•ã„。 SSL Server Test (by Qualys) SSL Server Test SSL導入時ã€æœ€åˆã«è¡Œã£ã¦ã‚‚らã„ãŸã„テストツールã§ã™ã€‚ 様々ãªè„†å¼±æ€§ãªã©ã‚’ãƒã‚§ãƒƒã‚¯ã—ã€æ˜Žç¤ºã—ã¦ãã‚Œã¾ã™ã€‚ 有åãªãƒã‚§ãƒƒã‚¯ãƒ„ールãªã®ã§è§£èª¬ã‚µã‚¤ãƒˆãªã©ã§A+ã‚’å–ã‚‹ãŸã‚ã®è¨å®šå€¤ãªã©ãŒå…¬é–‹ã•ã‚Œã¦ã„ã¾ã™ãŒã€æƒ…å ±ãŒå¤ã„ã‚‚ã®ãŒå¤šã„ã®ã§ã€è¦æ³¨æ„ã§ã™ã€‚ 「Do not show the results on the boardsã€ã«ãƒã‚§ãƒƒã‚¯ã‚’入れるã¨ãƒªã‚¹ãƒˆã«è¡¨ç¤ºã•ã‚Œãªããªã‚Šã¾ã™ã€‚ CryptCheck CryptCheck æš—å·
H5SC Minichallenge 3: "Sh*t, it's CSP!"
Welcome to yet another XSS challenge. This time, you, the fellow contestant, are confronted with a powerful adversary: The Content Security Policy. CSP is cool. Even if the websites in scope are injectable, an attacker cannot do no nothing no more. Perfect. Let's throw escaping, encoding and filtering overboard because the magic headers will protect us! Yay :D But is CSP really that powerful? Will
CSP(コンテンツセã‚ュリティãƒãƒªã‚·ãƒ¼)ã«ã¤ã„ã¦èª¿ã¹ã¦ã¿ãŸ - ã‚»ã‚ュアスカイプラス
ã¯ã˜ã‚ã« SSTã§ã‚¢ãƒ«ãƒã‚¤ãƒˆã‚’ã—ã¦ã„ã¦ç´„一年åŠã€ä»•äº‹ã¯å‹‰å¼·ã«ãªã‚‹ã“ã¨ã°ã‹ã‚Šã§ã€Œã‚€ã—ã‚自分ãŒãŠé‡‘を払ã‚ãªãã¦è‰¯ã„ã®ã‹ï¼Ÿã€ã¨æ€ã„ã¤ã¤ã‚る石渡ã§ã™ã€‚ 今回ã¯ã¨ã‚ã‚‹ç†ç”±ã§CSP(コンテンツセã‚ュリティãƒãƒªã‚·ãƒ¼)ã«ã¤ã„ã¦èª¿ã¹ã‚‹æ©Ÿä¼šã‚’é ‚ãã€è‰²ã€…ãªè¨˜äº‹ã‚’èªã¿ã¾ã—ãŸã®ã§ã€CSPã«ã¤ã„ã¦ã¾ã¨ã‚ã¦ã¿ã¾ã™ã€‚ CSPã¨ã¯ CSP(Content Security Policy)ã¯ã€å¯¾å¿œã—ã¦ã„るユーザーエージェント(通常ã¯ãƒ–ラウザ)ã®æŒ™å‹•ã‚’Webサイトé‹å–¶è€…ãŒåˆ¶å¾¡ã§ãるよã†ã«ã™ã‚‹å®£è¨€çš„ãªã‚»ã‚ュリティã®ä»•çµ„ã¿ã§ã™ã€‚ã©ã®æ©Ÿèƒ½ãŒæœ‰åŠ¹ã«ãªã‚‹ã‹ã€ã©ã“ã‹ã‚‰ã‚³ãƒ³ãƒ†ãƒ³ãƒ„をダウンãƒãƒ¼ãƒ‰ã™ã¹ãã‹ã€ãªã©ã‚’制御ã™ã‚‹ã“ã¨ã§ã€Webサイトã®æ”»æ’ƒå¯¾è±¡é ˜åŸŸã‚’å°ã•ãã§ãã¾ã™ã€‚1 ç°¡å˜ã«èª¬æ˜Žã™ã‚‹ã¨ã€XSSç‰ã‚’ç·©å’Œã™ã‚‹ç‚ºã€ã‚¤ãƒ³ãƒ©ã‚¤ãƒ³ã‚¹ã‚¯ãƒªãƒ—トやevalãªã©ã‚’ç¦æ¢ã—ãŸã‚Šã€ä¿¡é ¼ã§ãるコードãªã©ã‚’å‚ç…§ã™ã‚‹ã‚ˆã†ã«åˆ¶é™ã‚’ã‹ã‘ãŸã‚Šã™ã‚‹ã‚»ã‚ュリティã®ç‚ºã®HTTPレス
ã€2019年】CTF Webå•é¡Œã®æ”»æ’ƒæ‰‹æ³•ã¾ã¨ã‚ (Webå•é¡Œã®writeupãœã‚“ã¶èªã‚€) - ã“ã‚“ã¨ã‚ーるã—ーã“ã‚“ã¨ã‚ーるã¶ã„
CTF Advent Calendar 2019 - Adventarã®25日目ã®è¨˜äº‹ã§ã™ã€‚ 1ã¤å‰ã¯@ptr-yudaiæ°ã®2019å¹´ã®pwnå•ã‚’全部解ããƒãƒ£ãƒ¬ãƒ³ã‚¸ã€å¾ŒåŠæˆ¦ã€‘ - CTFã™ã‚‹ãžã§ã—ãŸã€‚ ã¯ã˜ã‚㫠対象イベント å•é¡Œæ•° èªã¿æ–¹ã€ä½¿ã„æ–¹ Cross-Site Scripting(XSS) SVGファイルを利用ã—ãŸCSPãƒã‚¤ãƒ‘ス Googleドメインã®JSONPを利用ã—ãŸCSPãƒã‚¤ãƒ‘ス サブリソース完全性(SRI)機能を利用ã—ãŸå…¥åŠ›ãƒã‚§ãƒƒã‚¯ãƒã‚¤ãƒ‘ス Chrome拡張機能ã®ãƒ‘スワードマãƒãƒ¼ã‚¸ãƒ£ãƒ¼KeePassã®æ‚ªç”¨ HTML likeコメントを使用ã—ãŸã‚³ãƒ¡ãƒ³ãƒˆã‚¢ã‚¦ãƒˆ jQuery.getJSONã®JSONP機能を使用ã—ãŸã‚¹ã‚¯ãƒªãƒ—ト実行 DOM Clobberingã«ã‚ˆã‚‹ã‚³ãƒ¼ãƒ‰ãƒã‚¤ã‚¸ãƒ£ãƒƒã‚¯ Service Workerを利用ã—ãŸã‚¹ã‚¯ãƒªãƒ—ト実行 XSS Auditor機能ã®ãƒã‚¤ãƒ‘ス
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
Using form hijacking to bypass CSP
https://bugbountyguide.org/2022/12/02/active-and-passive-subdomain-enumeration-technique/
The Hunt for Subdomains: A Guide to Subdomain Enumeration
CSP Header Inspector and Validator
Bug Hunting Methodology (part-1)
Intro to the Content Security Policy (CSP)
GitHub - appsecco/practical-recon-levelup0x02: This repository contains all the material from the talk "Practical recon techniques for bug hunters & pentesters" given at Bugcrowd LevelUp 0x02 virtual conference
GitHub - 0xbharath/domains-from-csp: A script to extract domain names from Content Security Policy(CSP) headers
Observatory by MozillaãŒç´¹ä»‹ã™ã‚‹ã‚»ã‚ュリティー関連ã®è¨˜äº‹ã‚„サイト一覧
{{#tags}}- {{label}}
{{/tags}}