[B! development][security] yuki_2021ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

yuki_2021 id:yuki_2021

developmentã¨securityã«é–¢ã™ã‚‹yuki_2021ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (8)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

CSRFå¯¾ç–ã®ã‚„ã‚Šæ–¹ã€ãã‚ãã‚ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã—ã¾ã›ã‚“ã‹ / Update your knowledge of CSRF protection
PHPerKaigi 2024 â€¢ Day 1ã§ã®ç™»å£‡è³‡æ–™ã§ã™ã€‚ https://phperkaigi.jp/2024/ https://fortee.jp/phperkaigi-2024/proposal/0d0f8507-0a53-46f6-bca6-23386d78f17f â€» Authorâ€¦
yuki_2021 2024/03/11
security

development
ãƒªãƒ³ã‚¯
æœ¬å½“ã«ã‚ã£ãŸ Web ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®è„†å¼±æ€§
ã“ã®è¨˜äº‹ã®ç›®çš„ ä»Šã¾ã§ Web ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³è£½ä½œã‚’è¡Œã£ãŸçµŒé¨“ãŒç„¡ã„æ–¹ãŒã€Œã¡ã‚‡ã£ã¨å€‹äººé–‹ç™ºã§ä½•ã‹ä½œã£ã¦ã¿ã‚ˆã†ã‹ãªï¼ã€ã¨æ€ã£ãŸã¨ãã«ã†ã£ã‹ã‚Šè„†å¼±æ€§ã‚’ä½œã‚Šã“ã‚“ã§ã—ã¾ã†ã“ã¨ã‚’å°‘ã—ã§ã‚‚é˜²ã’ãŸã‚‰ã„ã„ãªã¨è€ƒãˆã¾ã—ãŸã€‚ ãã®ãŸã‚ã«ã¯ã¾ãšè„†å¼±æ€§ã‚’ä»–äººäº‹ã ã¨è€ƒãˆãªã„ã“ã¨ãŒå¤§äº‹ã ã¨æ€ã£ãŸã®ã§ã€ç§ãŒéŽåŽ»ã®é–‹ç™ºç¾å ´ã«ãŠã„ã¦å®Ÿéš›ã«éé‡ã—ãŸã“ã¨ãŒã‚ã‚‹ Web ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®è„†å¼±æ€§ã®äº‹ä¾‹ã‚’å¹¾ã¤ã‹ç´¹ä»‹ã—ã¾ã™ã€‚ ç´¹ä»‹ã®å‰ã«æ³¨æ„å–šèµ·ã‚’ã—ã¾ã™ã€‚ è‡ªåˆ†ãŒç®¡ç†ã—ã¦ã„ã‚‹ã‚ã‘ã§ã¯ãªã„ Web ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã«å¯¾ã—ã€ä¾é ¼ã•ã‚Œã¦ã‚‚ã„ãªã„ã®ã«è„†å¼±æ€§ã‚’æŽ¢ã™è¡Œç‚ºã¯çµ¶å¯¾ã«ã—ãªã„ã§ãã ã•ã„ã€‚ãã®è¡Œç‚ºã®å†…å®¹ã«ã‚ˆã£ã¦ã¯çŠ¯ç½ªã«ãªã‚‹å¯èƒ½æ€§ã‚‚ã‚ã‚Šã¾ã™ã€‚ å¤–éƒ¨ã‹ã‚‰æ¸¡ã•ã‚ŒãŸãƒ‡ãƒ¼ã‚¿ã‚’ä½•ã®å¯¾ç–ã‚‚ãªã—ã« SQL ã«åŸ‹ã‚è¾¼ã‚“ã§ã„ã‚‹ SQL ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³æ”»æ’ƒã®èª¬æ˜Žã§ã‚ˆãã¿ã‚‰ã‚Œã‚‹ä¾‹ã§ã™ãŒã€ãƒã‚°ã‚¤ãƒ³å‡¦ç†ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒå…¥åŠ›ã—ãŸ ID ã¨ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã«ä¸€è‡´ã™ã‚‹ãƒ¦ãƒ¼ã‚¶ãƒ¼æƒ…å ±
yuki_2021 2023/10/05
development

security

ãƒãƒƒã‚¯ã‚¨ãƒ³ãƒ‰
ãƒªãƒ³ã‚¯
IPA-å®‰å…¨ãªã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ä½œã‚Šæ–¹2021å¹´æ”¹è¨‚ç¬¬7ç‰ˆ.pdf
yuki_2021 2022/04/20
security

pdf

development
ãƒªãƒ³ã‚¯
è¦‹ã¦ã„ã‚‹ã‚µã‚¤ãƒˆä¸Šã«éœ²å‡ºã—ã¦ã„ã‚‹æ©Ÿå¯†æƒ…å ±(APIãƒˆãƒ¼ã‚¯ãƒ³ã€IPã‚¢ãƒ‰ãƒ¬ã‚¹ãªã©)ã‚’è¦‹ã¤ã‘ã‚‹ãƒ–ãƒ©ã‚¦ã‚¶æ‹¡å¼µã‚’ä½œã‚Šã¾ã—ãŸ
è¦‹ã¦ã„ã‚‹ã‚µã‚¤ãƒˆä¸Šã«éœ²å‡ºã—ã¦ã„ã‚‹æ©Ÿå¯†æƒ…å ±(APIãƒˆãƒ¼ã‚¯ãƒ³ã€IPã‚¢ãƒ‰ãƒ¬ã‚¹ãªã©)ã‚’è¦‹ã¤ã‘ã‚‹ãƒ–ãƒ©ã‚¦ã‚¶æ‹¡å¼µã‚’ä½œã‚Šã¾ã—ãŸ Secretlintã¨ã„ã†APIãƒˆãƒ¼ã‚¯ãƒ³ãªã©ã®æ©Ÿå¯†æƒ…å ±ãŒãƒ•ã‚¡ã‚¤ãƒ«å†…ã«å«ã¾ã‚Œã¦ã„ã‚‹ã‹ã‚’ãƒã‚§ãƒƒã‚¯ã§ãã‚‹ãƒ„ãƒ¼ãƒ«ã‚’æ›¸ã„ã¦ã„ã¾ã™ã€‚ Secretlintã¯ã‚³ãƒžãƒ³ãƒ‰ãƒ©ã‚¤ãƒ³ãƒ„ãƒ¼ãƒ«ã¨ã—ã¦å‹•ãã®ã§ã€ä¸»ã«CIã‚„Gitã®pre-commit hookã‚’åˆ©ç”¨ã—ã¦ã€ãƒªãƒã‚¸ãƒˆãƒªã«æ©Ÿå¯†æƒ…å ±ãŒå…¥ã‚‹ã®ã‚’é˜²æ¢ã§ãã¾ã™ã€‚ Secretlintã§APIãƒˆãƒ¼ã‚¯ãƒ³ã‚„ç§˜å¯†éµãªã©ã®ã‚³ãƒŸãƒƒãƒˆã‚’é˜²æ¢ã™ã‚‹ | Web Scratch ä¸€æ–¹ã§ã€å®Ÿéš›ã®ã‚¦ã‚§ãƒ–ã‚µãƒ¼ãƒ“ã‚¹ãªã©ã¯æ©Ÿå¯†æƒ…å ±ãŒãƒ•ã‚¡ã‚¤ãƒ«ã«ãƒãƒ¼ãƒ‰ã‚³ãƒ¼ãƒ‰ã•ã‚Œã¦ã„ã‚‹ã‚ã‘ã§ã¯ãªã(Secre lintè‡ªä½“ãŒã“ã†ã„ã†ãƒãƒ¼ãƒ‰ã‚³ãƒ¼ãƒ‰ã‚’é˜²ããƒ„ãƒ¼ãƒ«ã§ã™)ã€ç’°å¢ƒå¤‰æ•°ã‚„Databaseã«ä¿å˜ã—ã¦ã„ã‚‹ã¨æ€ã„ã¾ã™ã€‚ ã“ã®ã‚ˆã†ãªå ´åˆã«ã‚‚ã€ã‚³ãƒ¼ãƒ‰ã®ãƒŸã‚¹ãªã©ã«ã‚ˆã£ã¦å…¬é–‹ã™ã‚‹ã¹ãã§ã¯ãªã„æƒ…å ±(ç§˜å¯†éµã€APIãƒˆãƒ¼ã‚¯ãƒ³ã€Sl
yuki_2021 2021/08/20
security

development
ãƒªãƒ³ã‚¯
ã¡ã‚‡ã£ã¨ã§ã‚‚ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«è‡ªä¿¡ãŒãªã„ãªã‚‰ã€ Firebase Authentication ã‚’æ¤œè¨Žã—ã‚ˆã†
note ã®ã‚„ã‚‰ã‹ã—ã®ã‚ã®ã¸ã‚“ã«ã¤ã„ã¦ã€‚ èªè¨¼è‡ªä½œã€ Rails ã€ Devise - Diary ãƒ‘ãƒ¼ãƒ•ã‚§ã‚¯ãƒˆ Rails è‘—è€…ãŒè§£èª¬ã™ã‚‹ devise ã®ç¾ä»£çš„ãªãƒ¦ãƒ¼ã‚¶ãƒ¼èªè¨¼ã®ãƒ¢ãƒ‡ãƒ«æ§‹æˆã«ã¤ã„ã¦ - joker1007â€™s diary èªè¨¼ã‚µãƒ¼ãƒãƒ¼ã®å®Ÿè£…ã¯æœ¬è³ªçš„ã«é›£ã—ã„ã§ã™ã€‚ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãŒçµ¡ã‚€ã‚‚ã®ã¯ã€Œç°¡å˜ãªå®Ÿè£…ã€ãªã©ãªãã€ãƒ—ãƒã‚¢ãƒžå€‹äººæ³•äººå•ã‚ãšã€å€‹äººæƒ…å ±ã‚’å®ˆã‚‹ã¨ã„ã†ç‚¹ã§ã€åŒã˜æ°´æº–ã‚’è¦æ±‚ã•ã‚Œã¾ã™ã€‚æ‚ªæ„ã‚ã‚‹ãƒãƒƒã‚«ãƒ¼ã¯å¸¸ã«ã‚«ãƒ¢ã‚’æŽ¢ã—ã¦ã„ã¦ã€ã‚‚ã—èªè¨¼ãŒç ´ã‚‰ã‚ŒãŸå ´åˆã€è‡ªåˆ†ã ã‘ã§ã¯ãªãå¤§å¤šæ•°ã«è¿·æƒ‘ãŒæŽ›ã‹ã‚Šã¾ã™ã€‚åˆå¿ƒè€…ã ã‹ã‚‰å…è²¬ã•ã‚Œã‚‹ã¨ã„ã£ãŸã“ã¨ã‚‚ã‚ã‚Šã¾ã›ã‚“ã€‚å…¨å“¡ãŒåŒã˜åœŸä¿µã«ç«‹ãŸã•ã‚Œã¦ã„ã¾ã™ã€‚ ã¨ã¯ã„ãˆã€èªè¨¼åŸºç›¤ã‚’ä½œã‚‰ãªã„ã¨ã„ã‚ã‚“ãªã‚µãƒ¼ãƒ“ã‚¹ãŒæˆç«‹ã—ã¾ã›ã‚“ã€‚ãã†ã„ã†ã¨ãã«ã©ã†ã™ã‚‹ã‹ã€‚ Firebase Authentication ã§ã€ã‚¿ã‚¤ãƒˆãƒ«ã®ä»¶ãªã‚“ã§ã™ãŒã€ Firebase Authenticat
yuki_2021 2020/08/18
security

development

firebase
ãƒªãƒ³ã‚¯
è„†å¼±æ€§ã®è¦‹ã¤ã‘æ–¹ï¼ˆåˆå¿ƒè€…å‘ã‘è„†å¼±æ€§æ¤œæŸ»å…¥é–€ï¼‰
WEBç³»ã®æƒ…å ±ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£é–¢é€£ã®å¦ç¿’ãƒ¡ãƒ¢ã§ã™ã€‚ãƒ¡ãƒ¢ãªã®ã§ä»–æƒ…å ±ã®ãƒã‚¤ãƒ³ã‚¿ã ã‘ã€ã¨ã‹ã®å‘æ€¯ãªè¨˜äº‹ã‚‚ã‚ã‚Šã¾ã™ã€‚ â€»2020.9 æ³¨è¨˜:æœ¬ãƒ–ãƒã‚°ã®è§£èª¬è¨˜äº‹ã¯å†…å®¹ãŒå¤ããªã£ã¦ãŠã‚Šã¾ã™ã€‚OWASP ZAPãªã©ã®ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã®è§£èª¬ã¯ç¾è¡Œãƒãƒ¼ã‚¸ãƒ§ãƒ³ã®ä»•æ§˜ã‹ã‚‰ä¹–é›¢ã—ã¦ã„ã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚ EC-CUBEã§è„†å¼±æ€§ã‚’è¦‹ã¤ã‘ãŸã‚Šã€mixiã®è„†å¼±æ€§å ±å‘Šåˆ¶åº¦ã§æˆæžœã‚’æŒ™ã’ãŸã‚Šã—ãŸã›ã„ã‹ã€ã€Œã©ã†ã‚„ã£ã¦è„†å¼±æ€§ã‚’è¦‹ã¤ã‘ã¦ã‚‹ã‚“ã§ã™ã‹ï¼Ÿã€ã¨ã„ã†è³ªå•ã‚’ã•ã‚Œã‚‹ã“ã¨ãŒæ™‚æŠ˜ã‚ã‚Šã€ä¸€å¿œæ‰‹é †ã¯èª¬æ˜Žã™ã‚‹ã®ã§ã™ãŒã€ã„ã¤ã‚‚å£é ã§ç´°ã‹ãã¯èª¬æ˜Žã§ããªãã¦ç”³ã—è¨³ãªã„ã®ã§ã€è‡ªåˆ†ã®ã‚„ã‚Šæ–¹ã‚’ã¾ã¨ã‚ã¦ã“ã®ãƒ–ãƒã‚°ã«ã‚¢ãƒƒãƒ—ã—ã¦ãŠãã¾ã™ã€‚ æ¨™æº–çš„ãªè„†å¼±æ€§æ¤œæŸ»ã®ã‚„ã‚Šæ–¹ã—ã‹èª¬æ˜Žã—ã¦ã„ãªã„ã®ã§ã€è„†å¼±æ€§æ¤œæŸ»ã®ã‚„ã‚Šæ–¹ã‚’æ—¢ã«æŠŠæ¡ã—ã¦ã„ã‚‹äººãŒèªã‚“ã§ã‚‚å¾—ã‚‹ã‚‚ã®ã¯å°‘ãªã„ã®ã§ã¯ãªã„ã‹ã¨æ€ã„ã¾ã™ã€‚ä»Šå›žã¯è„†å¼±æ€§æ¤œæŸ»ã«èˆˆå‘³ãŒã‚ã‚‹ãŒä½•ã‚’ã©ã†ã—ãŸã‚‰ã„ã„ã‹åˆ†ã‹ã‚‰ãªã„ã‚ˆã†ãªåˆå¿ƒè€…å‘ã‘ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã§
yuki_2021 2014/05/29
security

webåˆ¶ä½œ

development
ãƒªãƒ³ã‚¯
è„†å¼±æ€§ä½“é¨“å¦ç¿’ãƒ„ãƒ¼ãƒ« AppGoat | æƒ…å ±ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ | IPA ç‹¬ç«‹è¡Œæ”¿æ³•äºº æƒ…å ±å‡¦ç†æŽ¨é€²æ©Ÿæ§‹
è„†å¼±æ€§ä½“é¨“å¦ç¿’ãƒ„ãƒ¼ãƒ« AppGoat è„†å¼±æ€§ä½“é¨“å¦ç¿’ãƒ„ãƒ¼ãƒ« AppGoatã¨ã¯ è„†å¼±æ€§ä½“é¨“å¦ç¿’ãƒ„ãƒ¼ãƒ«ã€ŒAppGoatã€ã¯ã€è„†å¼±æ€§ã®æ¦‚è¦ã‚„å¯¾ç–æ–¹æ³•ç‰ã®è„†å¼±æ€§ã«é–¢ã™ã‚‹åŸºç¤Žçš„ãªçŸ¥è˜ã‚’å®Ÿç¿’å½¢å¼ã§ä½“ç³»çš„ã«å¦ã¹ã‚‹ãƒ„ãƒ¼ãƒ«ã§ã™ã€‚åˆ©ç”¨è€…ã¯ã€å¦ç¿’ãƒ†ãƒ¼ãƒžæ¯Žã«ç”¨æ„ã•ã‚ŒãŸæ¼”ç¿’å•é¡Œã«å¯¾ã—ã¦ã€åŸ‹ã‚è¾¼ã¾ã‚ŒãŸè„†å¼±æ€§ã®ç™ºè¦‹ã€ãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ä¸Šã®å•é¡Œç‚¹ã®æŠŠæ¡ã€å¯¾ç–æ‰‹æ³•ã®å¦ç¿’ã‚’å¯¾è©±çš„ã«å®Ÿæ–½ã§ãã¾ã™ã€‚ ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®è„†å¼±æ€§å¯¾ç–ã«å¿…è¦ãªã‚¹ã‚ãƒ«ã‚’ç¿’å¾—ã—ãŸã„é–‹ç™ºè€…ã‚„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ç®¡ç†è€…ã«ãŠã™ã™ã‚ã§ã™ã€‚
yuki_2021 2011/01/28
security

development
ãƒªãƒ³ã‚¯
http://www.machu.jp/posts/20100416/p01/
yuki_2021 2010/04/22
webã‚µãƒ¼ãƒ“ã‚¹

security

development
ãƒªãƒ³ã‚¯
1