[B! ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£] skozawaã®ãƒ

skozawa id:skozawa

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«é–¢ã™ã‚‹skozawaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (9)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã«ãŠã‘ã‚‹ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®ç®¡ç†ã«ã¤ã„ã¦
#LTé§†å‹• 29ã§ã®ç™ºè¡¨ã‚¹ãƒ©ã‚¤ãƒ‰
skozawa 2016/09/14
ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

Web
ãƒªãƒ³ã‚¯
Web Storage: ã‚»ãƒƒã‚·ãƒ§ãƒ³ãƒˆãƒ¼ã‚¯ãƒ³ã®ãƒžã‚·ãªæ‰‹æ®µ â€• cookieã¨ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£é¢ã‚’æ¯”è¼ƒã—ã¦ã¿ã‚‹ | POSTD
æœ€è¿‘ã€ç§ã¯ã€Œã‚»ãƒƒã‚·ãƒ§ãƒ³ãƒˆãƒ¼ã‚¯ãƒ³ã‚’ã€cookieã®ä»£ã‚ã‚Šã« Web Storage (sessionStorage/localStorage)ã«ä¿å˜ã™ã‚‹ã®ã¯å®‰å…¨ã§ã™ã‹ï¼Ÿã€ã¨ã„ã†ã“ã¨ã‚’å°‹ãã‚‰ã‚Œã¾ã—ãŸã€‚ã“ã®ã“ã¨ã«ã¤ã„ã¦Googleã§æ¤œç´¢ã—ãŸã¨ã“ã‚ã€æ¤œç´¢çµæžœã®ä¸Šä½ã®ã»ã¨ã‚“ã©ãŒã€ŒWeb storageã¯cookieã«æ¯”ã¹ã¦ã‹ãªã‚Šã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãŒå¼±ãã€ã‚»ãƒƒã‚·ãƒ§ãƒ³ãƒˆãƒ¼ã‚¯ãƒ³ã«ã¯ä¸å‘ãã§ã‚ã‚‹ã€ã¨æ–è¨€ã—ã¦ã„ã¾ã—ãŸã€‚é€æ˜Žæ€§ã®ãŸã‚ã€ç§ã¯ã“ã®é€†ã®çµè«–ã«è‡³ã£ãŸç†è«–çš„æ ¹æ‹ ã‚’å…¬ã«æ›¸ãã“ã¨ã«ã—ã¾ã—ãŸã€‚ Web Storageã«é–¢ã™ã‚‹è°è«–ã®ä¸æ ¸ã¨ã—ã¦è¨€ã‚ã‚Œã‚‹ã®ã¯ã€ã€ŒWeb Storageã¯secureãƒ•ãƒ©ã‚°ã‚„HttpOnlyãƒ•ãƒ©ã‚°ã¨ã„ã£ãŸcookieç‰¹æœ‰ã®æ©Ÿèƒ½ã‚’ã‚µãƒãƒ¼ãƒˆã—ã¦ã„ãªã„ãŸã‚ã€æ”»æ’ƒè€…ãŒå®¹æ˜“ã«ç›—ã¿å–ã‚‹ã“ã¨ãŒå¯èƒ½ã€ã¨ã„ã†ã‚‚ã®ã§ã™ã€‚pathå±žæ€§ã«ã¤ã„ã¦ã‚‚è¨€åŠã•ã‚Œã¾ã™ã€‚ç§ã¯ã€ã“ã‚Œã‚‰ã®æ©Ÿèƒ½ãã‚Œãžã‚Œã«ã¤ã„ã¦èª¿ã¹ã¦ã¿ã¾ã—ãŸã€‚ãã—ã¦ã€
skozawa 2016/06/17
Web

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

cookie
ãƒªãƒ³ã‚¯
http://www.saitolab.org/taiken/
skozawa 2014/06/08
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

Web

è„†å¼±æ€§
ãƒªãƒ³ã‚¯
ã‚µãƒ¼ãƒ“ã‚¹æš—å·åŒ–ã®å„ªç‰ç”Ÿã¯Googleã¨Dropboxã€Amazonã¯è¦æ³¨æ„â”€â”€EFFèª¿ã¹
ãƒ‡ã‚¸ã‚¿ãƒ«å¸‚æ°‘æ¨©å›£ä½“ã®é›»åãƒ•ãƒãƒ³ãƒ†ã‚£ã‚¢è²¡å›£ï¼ˆEFFï¼‰ã¯11æœˆ20æ—¥ï¼ˆç¾åœ°æ™‚é–“ï¼‰ã€ç±³ITä¼æ¥å¤§æ‰‹ã®ã‚µãƒ¼ãƒ“ã‚¹ã®æš—å·åŒ–çŠ¶æ³ã‚’ä¸€è¦§ã§ãã‚‹ãƒªã‚¹ãƒˆã‚’å…¬é–‹ã—ãŸã€‚ ç±³å›½å®¶å®‰å…¨ä¿éšœå±€ï¼ˆNSAï¼‰ã«ã‚ˆã‚‹å¤§æ‰‹ITä¼æ¥ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãƒ‡ãƒ¼ã‚¿ã¸ã®ç„¡æ–ã‚¢ã‚¯ã‚»ã‚¹ãŒå ±ã˜ã‚‰ã‚Œã‚‹ä¸ã€ä¼æ¥ãŒãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’å®ˆã‚‹ãŸã‚ã«ã©ã®ã‚ˆã†ãªå¯¾ç–ã‚’ã¨ã£ã¦ã„ã‚‹ã‹ã‚’ç¢ºèªã™ã‚‹ã“ã¨ãŒç›®çš„ã€‚ ãƒªã‚¹ãƒˆã®é …ç›®ã¯ã€å·¦ã‹ã‚‰ãƒ‡ãƒ¼ã‚¿ã‚»ãƒ³ã‚¿ãƒ¼é–“ã®ãƒªãƒ³ã‚¯ã€HTTPSã®ã‚µãƒãƒ¼ãƒˆã€HTTP Strict Transport Securityï¼ˆHSTSï¼‰ã®ã‚µãƒãƒ¼ãƒˆã€forward secrecyï¼ˆPFSã¨ã‚‚å‘¼ã°ã‚Œã‚‹ï¼‰ã®æŽ¡ç”¨ã€STARTTLSã®ã‚µãƒãƒ¼ãƒˆã€‚ ç¾æ™‚ç‚¹ã§ã™ã¹ã¦å¯¾å¿œã—ã¦ã„ã‚‹ã®ã¯Googleã€Dropboxã€Dropboxã®ç«¶åˆã®SpiderOakã€ãƒ–ãƒãƒ¼ãƒ‰ãƒãƒ³ãƒ‰ISPã®Sonic.netã®4ç¤¾ã®ã¿ã€‚Verizonã¨AT&Tã¨ã„ã†ç±³é€šä¿¡ã‚ãƒ£ãƒªã‚¢1ä½ã¨2ä½ã¯ã„ãšã‚Œã‚‚å¯¾å¿œçŠ¶æ³ã‚’æ˜Žã‚‰ã‹ã«ã—ã¦
skozawa 2013/11/22
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

webã‚µãƒ¼ãƒ“ã‚¹
ãƒªãƒ³ã‚¯
æ©Ÿå¯†æƒ…å ±ã‚’å«ã‚€JSONã«ã¯ X-Content-Type-Options: nosniff ã‚’ã¤ã‘ã‚‹ã¹ã - è‘‰ã£ã±æ—¥è¨˜
Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã«ãŠã„ã¦JSONã‚’ç”¨ã„ã¦ãƒ–ãƒ©ã‚¦ã‚¶ - ã‚µãƒ¼ãƒé–“ã§ãƒ‡ãƒ¼ã‚¿ã®ã‚„ã‚Šå–ã‚Šã‚’è¡Œã†ã“ã¨ã¯ã‚‚ã¯ã‚„æ™®é€šã®ã“ã¨ã§ã™ãŒã€ã“ã®ã¨ãJSONå†…ã«ç¬¬ä¸‰è€…ã«æ¼ã‚Œã¦ã¯å›°ã‚‹æ©Ÿå¯†æƒ…å ±ãŒå«ã¾ã‚Œã‚‹å ´åˆã¯ã€å¿…ãš X-Content-Type-Options: nosniff ãƒ¬ã‚¹ãƒãƒ³ã‚¹ãƒ˜ãƒƒãƒ€ã‚’ã¤ã‘ã‚‹ã‚ˆã†ã«ã—ã¾ã—ã‚‡ã†(ã‚€ã—ã‚æ©Ÿå¯†æƒ…å ±ã‹ã©ã†ã‹ã«é–¢ã‚ã‚‰ãšã€å…¨ã¦ã®ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã«ã¤ã‘ã‚‹ã»ã†ãŒã‚ˆã„ã€‚é–¢é€£:X-Content-Type-Options: nosniff ã¤ã‹ã‚ãªã„ã‚„ã¤ã¯æ»ãã°ã„ã„ã®ã«! - è‘‰ã£ã±æ—¥è¨˜)ã€‚ ä¾‹ãˆã°ã€æ©Ÿå¯†æƒ…å ±ã‚’å«ã‚€ä»¥ä¸‹ã®ã‚ˆã†ãªJSONé…åˆ—ã‚’è¿”ã™ãƒªã‚½ãƒ¼ã‚¹(http://example.jp/target.json)ãŒã‚ã£ãŸã¨ã—ã¾ã™ã€‚ [ "secret", "data", "is", "here" ] æ”»æ’ƒè€…ã¯ç½ ãƒšãƒ¼ã‚¸ã‚’ä½œæˆã—ã€ä»¥ä¸‹ã®ã‚ˆã†ã«JSONé…åˆ—ã‚’vbscriptã¨ã—ã¦èªã¿è¾¼ã¿ã¾ã™ã€‚ã‚‚ã¡ã‚
skozawa 2013/05/19
javascript

JSON

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£
ãƒªãƒ³ã‚¯
DNSã‚µãƒ¼ãƒãƒ¼ã®ä¸é©åˆ‡ãªè¨å®šã€Œã‚ªãƒ¼ãƒ—ãƒ³ãƒªã‚¾ãƒ«ãƒãƒ¼ã€ã«ã¤ã„ã¦ | 2013å¹´ | ãƒ‰ãƒ¡ã‚¤ãƒ³åãƒ»DNSé–¢é€£ãƒˆãƒ”ãƒƒã‚¯ã‚¹ | æ–°ç€æƒ…å ±ä¸€è¦§ | JPRS
DNSã‚µãƒ¼ãƒãƒ¼ã®ä¸é©åˆ‡ãªè¨å®šã§ã‚ã‚‹ã€Œã‚ªãƒ¼ãƒ—ãƒ³ãƒªã‚¾ãƒ«ãƒãƒ¼ã€ã¯ã€ã€ŒDNS Reflector Attacksï¼ˆDNSãƒªãƒ•ãƒ¬ã‚¯ã‚¿ãƒ¼æ”»æ’ƒï¼‰ã€ã¨ã„ã†åˆ†æ•£ã‚µãƒ¼ãƒ“ã‚¹ä¸èƒ½ï¼ˆDDoSï¼‰æ”»æ’ƒã«æ‚ªç”¨ã•ã‚Œã‚‹æã‚ŒãŒã‚ã‚Šã€JPRSã§ã¯ã“ã‚Œã¾ã§ã‚‚å„æ‰€ã§ã®æƒ…å ±æä¾›ã‚„æ³¨æ„å–šèµ·ã‚’è¡Œã£ã¦ãã¦ã„ã¾ã™ã€‚ 2013å¹´3æœˆã€æµ·å¤–ã§å¤§è¦æ¨¡ãªæ”»æ’ƒäº‹ä¾‹ãŒã‚ã‚Šã€ä¸€éƒ¨åœ°åŸŸã«ãŠã„ã¦ã‚¤ãƒ³ã‚¿ãƒ¼ãƒãƒƒãƒˆãŒä¸€æ™‚çš„ã«åˆ©ç”¨ã—ã«ãããªã‚‹ãªã©ã®éšœå®³ãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚JPRSã§ã¯ã€ã“ã®å•é¡Œã«é–¢ã™ã‚‹æŠ€è¡“è§£èª¬ã‚„DNSã‚µãƒ¼ãƒãƒ¼ã®é©åˆ‡ãªè¨å®šæ–¹æ³•ã«ã¤ã„ã¦ã€æ”¹ã‚ã¦ä»¥ä¸‹ã®é€šã‚Šã¾ã¨ã‚ã€å…¬é–‹ã—ã¾ã—ãŸã€‚ è‡ªèº«ã®ç®¡ç†ã™ã‚‹DNSã‚µãƒ¼ãƒãƒ¼ãŒã‚ªãƒ¼ãƒ—ãƒ³ãƒªã‚¾ãƒ«ãƒãƒ¼ã§ã‚ã‚‹ã¨ã€DDoSæ”»æ’ƒã®åŠ å®³è€…ã‚„è¸ã¿å°ã¨ãªã‚‹æã‚ŒãŒã‚ã‚Šã¾ã™ã€‚DNSã‚µãƒ¼ãƒãƒ¼ç®¡ç†è€…ã‚„é–¢ä¿‚è€…ã®çš†ã•ã¾ã¯ã”ç¢ºèªã‚’ãŠé¡˜ã„ã—ã¾ã™ã€‚
skozawa 2013/04/19
DNS

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

ã‚ªãƒ¼ãƒ—ãƒ³ãƒªã‚¾ãƒ«ãƒ
ãƒªãƒ³ã‚¯
XMLHttpRequestã‚’ä½¿ã£ãŸCSRFå¯¾ç– - è‘‰ã£ã±æ—¥è¨˜
åˆã‚ã›ã¦èªã‚“ã§ãã ã•ã„ï¼šFlashã¨ç‰¹å®šãƒ–ãƒ©ã‚¦ã‚¶ã®çµ„ã¿åˆã‚ã›ã§cross originã§ã‚«ã‚¹ã‚¿ãƒ ãƒ˜ãƒƒãƒ€ä»˜ä¸ŽãŒå‡ºæ¥ã¦ã—ã¾ã†å•é¡ŒãŒæœªã ã«ç›´ã£ã¦ã„ãªã„è©± (2014-02/07) XMLHttpRequestã‚’ä½¿ã†ã“ã¨ã§ã€Cookieã‚„ãƒªãƒ•ã‚¡ãƒ©ã€hiddenå†…ã®ãƒˆãƒ¼ã‚¯ãƒ³ã‚’ä½¿ç”¨ã›ãšã«ã‚·ãƒ³ãƒ—ãƒ«ã«CSRFå¯¾ç–ãŒè¡Œãˆã‚‹ã€‚POSTã™ã‚‹JavaScriptã¯ä»¥ä¸‹ã®é€šã‚Šã€‚(2013/03/04:ã‚³ãƒ¼ãƒ‰ä¸€éƒ¨ä¿®æ£) function post(){ var s = "mail=" + encodeURIComponent( document.getElementById("mail").value ) + "&msg=" + encodeURIComponent( document.getElementById("msg").value ); var xhr = new XMLHttpRequest(); xhr
skozawa 2013/03/03
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

CSRF
ãƒªãƒ³ã‚¯
é«˜æœ¨æµ©å…‰ã•ã‚“ã¸ã€ã—ã£ã‹ã‚Šã—ã¦ãã ã•ã„ - æœ€é€Ÿè»¢è·ç ”ç©¶ä¼š
æŠ€è¡“è€…ã¨ã—ã¦ã®è‰¯å¿ƒã«å¾“ã£ã¦ã“ã®è¨˜äº‹ã‚’æ›¸ãã¾ã™ã€‚ä¿ºã¯ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã¨ãƒ—ãƒ©ã‚¤ãƒã‚·ãƒ¼ã®äººã§ã¯ãªãã€JavaScriptã¨UIã®äººã§ã‚ã‚‹ã€‚æ³•å¾‹ã®å‹‰å¼·ã ã£ã¦è‡ªåˆ†ã®ç”Ÿæ´»ã¨æ¥å‹™ã«é–¢ã‚ã‚Šã®ã‚ã‚‹ç¯„å›²ã§ã—ã‹ã—ãªã„ã ã‚ã†ã€‚ã—ã‹ã—å°‘ãªãã¨ã‚‚JavaScriptã‚„ãƒ–ãƒ©ã‚¦ã‚¶ãŒçµ¡ã‚€ã‚ˆã†ãªéƒ¨åˆ†ã«ã¤ã„ã¦ã¯ã€ç¢ºå®Ÿã«è‡ªåˆ†ã®ã»ã†ãŒç†è§£ã—ã¦ã„ã‚‹ã¨æ€ã£ã¦ã„ã‚‹ã€‚é«˜æœ¨æµ©å…‰ã•ã‚“ãŒã€ã‚ã‹ã‚‰ã•ã¾ã«é–“é•ã£ãŸã“ã¨ã‚’æ›¸ã„ãŸã‚Šã€ãŠã‹ã—ãªã“ã¨ã‚’æ›¸ã„ã¦ã„ãŸã‚Šã—ã¦ã‚‚ã€å¾ã€…ã«èª°ã‚‚æŒ‡æ‘˜ã—ãªããªã£ã¦ããŸã¨æ€ã†ã€‚ãŠã‹ã—ãªã“ã¨æ›¸ã„ã¦ã„ãŸã¨ã—ã¦ã‚‚ã€éžæŠ€è¡“è€…ã‹ã‚‰è¦‹ãŸã¨ãã«ã€Œå¤šå°‘éŽæ¿€ãªç‰©è¨€ã„ã ã‘ã©ã€ã‚ã®äººã¯å°‚é–€å®¶ã ã‹ã‚‰è¨€ã£ã¦ã„ã‚‹ã“ã¨ã¯æ£è«–ãªã®ã ã‚ã†ã€ã¨ã‹ã€ã‚ã‚‹ã„ã¯æŠ€è¡“è€…ã‹ã‚‰è¦‹ãŸæ™‚ã§ã‚‚ã€å°‚é–€åˆ†é‡ŽãŒé•ãˆã°é–“é•ã£ãŸã“ã¨ãŒæ›¸ã‹ã‚Œã¦ã„ã¦ã‚‚æ°—ä»˜ã‘ãªã„ã¨ã„ã†ã“ã¨ã‚‚ã‚ã‚‹ã ã‚ã†ã€‚ ã‚‚ã†è‡ªåˆ†ã«ã¯åˆ†ã‹ã‚‰ãªããªã£ã¦ã„ã‚‹ã€‚èª°ã«ã§ã‚‚æ¤œè¨¼ã§ãã‚‹ã‚ˆã†ãªäº‹å®Ÿé–¢ä¿‚ã®é–“é•ã„ã€ã‚ã‚‹ã„ã¯ã€æŠ€è¡“çš„ãªé–“é•ã„ãŒå«ã¾ã‚Œã¦ã„
skozawa 2012/08/31
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

é«˜æœ¨æµ©å…‰

mala
ãƒªãƒ³ã‚¯
Facebookã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã¯é€ä¿¡è€…ã‚’è‡ªç”±ã«å½è£…ã—ã¦é€ã‚Œã‚‹ã“ã¨ãŒåˆ¤æ˜Ž
ã“ã‚Œã¡ã‚‡ã£ã¨ãƒžã‚ºã„ã‚“ã˜ã‚ƒãªã„ã‹ãªã‚ã€‚ Kampa! ã®äººã§ã‚ã‚‹ä½ç”°ã•ã‚“ãŒè¦‹ã¤ã‘ã¦æ•™ãˆã¦ãã‚ŒãŸã‚“ã ã‘ã©ã€ Facebook ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã¯å‰²ã¨ç°¡å˜ã«ä»–äººã«ãªã‚Šã™ã¾ã—ã¦é€ã‚Œã‚‹ã¿ãŸã„ã€‚ ä»¥ä¸‹ã€ã™ã¹ã¦é€ä¿¡è€…ã¨å—ä¿¡è€…ã®è‡ªç™ºçš„ãªå”åŠ›ã‚’å¾—ã¦è©¦ã—ã¦ã¿ãŸçµæžœã§ã™ã€‚ èµ·ãã‚‹ã“ã¨ Facebook ã§ã¯ãƒ¦ãƒ¼ã‚¶ãƒ¼ã« @facebook.com ã®ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒä¸Žãˆã‚‰ã‚Œã¦ã„ã¾ã™ã€‚ å€‹äººãƒšãƒ¼ã‚¸ãŒ www.facebook.com/namaewo ã®äººãªã‚‰ [email protected] ã¨ã„ã†å…·åˆã«ã€‚ ãã®ã‚¢ãƒ‰ãƒ¬ã‚¹å®›ã«ãƒ¡ãƒ¼ãƒ«ã‚’é€ã‚‹ã¨ã€ ã‚¢ãƒ‰ãƒ¬ã‚¹ã®æ‰€æœ‰è€…ã« Facebook ä¸Šã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã¨ã—ã¦å±Šãã¾ã™ãã€‚ ã“ã®æ™‚ã€ãã®ãƒ¡ãƒ¼ãƒ«ã®é€ä¿¡å…ƒãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒ åˆ¥ã® Facebook ãƒ¦ãƒ¼ã‚¶ãƒ¼ã«ã‚ˆã£ã¦ç™»éŒ²ã•ã‚Œã¦ã„ã‚‹ã‚¢ãƒ‰ãƒ¬ã‚¹ã§ã‚ã£ãŸå ´åˆ Facebook ã§ã¯ã€ãã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‹ã‚‰é€ã‚‰ã‚ŒãŸãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã¨ã—ã¦æ‰±ã‚ã‚Œã¾ã™ã€‚ é›»å
skozawa 2012/08/21
facebook

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£
ãƒªãƒ³ã‚¯
1