ã“ã‚Œã¾ã§ã¯ã€ã€Œãƒãƒƒã‚ング・ラボã®ã¤ãã‚Šã‹ãŸ 完全版 仮想環境ã«ãŠã‘ã‚‹ãƒãƒƒã‚«ãƒ¼ä½“験å¦ç¿’ã€ã‚’å‚考ã«ã•ã›ã¦ã‚‚らã£ã¦ã€ç†è§£ã‚’進ã‚ã¦ãã¾ã—ãŸã€‚今回ã‹ã‚‰ã¯ã€ä¸¦è¡Œã—ã¦ã€Œä½“系的ã«å¦ã¶ 安全ãªWebアプリケーションã®ä½œã‚Šæ–¹ 第2版 脆弱性ãŒç”Ÿã¾ã‚Œã‚‹åŽŸç†ã¨å¯¾ç–ã®å®Ÿè·µã€ï¼ˆé€šç§°ï¼šå¾³ä¸¸æœ¬ï¼‰ã‚’å‚考ã«ã€å‹‰å¼·ã‚’進ã‚ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚
ã“ã®å¾³ä¸¸æœ¬ã¨ã¯ã€è„†å¼±æ€§ã®ã‚る仮想マシンを準備ã—ã¦ãã‚Œã¦ã„ã¦ï¼ˆVirtualBox 㨠Docker ãŒæº–å‚™ã•ã‚Œã¦ã„る)ã€ãã®ä»®æƒ³ãƒžã‚·ãƒ³ã«å¯¾ã—ã¦ã€å®Ÿéš›ã«æ”»æ’ƒã‚’体験ã™ã‚‹ã“ã¨ã§ã€è„†å¼±æ€§ã®ç†è§£ã‚’æ·±ã‚ã‚‹ã“ã¨ãŒã§ãã‚‹ã¨ã„ã†ã‚‚ã®ã§ã™ã€‚
今回ã¯ã€å¾³ä¸¸æœ¬ã®å®Ÿç¿’環境ã®æ§‹ç¯‰ã‚’進ã‚ã¦ã„ãã¾ã™ã€‚
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
å‚考文献
ã¯ã˜ã‚ã«
「セã‚ュリティã€ã®è¨˜äº‹ä¸€è¦§ã§ã™ã€‚良ã‹ã£ãŸã‚‰å‚考ã«ã—ã¦ãã ã•ã„。
ã‚»ã‚ュリティã®è¨˜äº‹ä¸€è¦§
ãã‚Œã§ã¯ã€ã‚„ã£ã¦ã„ãã¾ã™ã€‚
徳丸本ã®å®Ÿç¿’環境ã®æ§‹ç¯‰ã®å…¨ä½“åƒ
徳丸本ã®å®Ÿç¿’環境ã«ã¤ã„ã¦ã§ã™ãŒã€ä»¥ä¸‹ã®é’ç´«ã®èƒŒæ™¯è‰²ã®2ã¤ã®ãƒžã‚·ãƒ³ã‚’想定ã—ã¦ã„ã¾ã™ã€‚wasbook ãŒè„†å¼±æ€§ã®ã‚る仮想マシンã§ã€å®Ÿéš›ã«æ”»æ’ƒã‚’è¡Œã†ã®ã¯ Windows を想定ã—ã¦ã„ã¾ã™ã€‚
図㮠DHCP-server ã¯ã€VirtualBox ãŒç”¨æ„ã—ã¦ãã‚ŒãŸã‚‚ã®ã§ã€192.168.56.x/24 ã®ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’é…布ã—ã¦ã„ã¾ã™ã€‚ParrotOS ã¯ã€ã“ã‚Œã¾ã§ä½¿ã£ã¦ã㟠VirtualBox ã®ä»®æƒ³ãƒžã‚·ãƒ³ã§ã™ã€‚
徳丸本ã®å®Ÿç¿’環境
攻撃ã™ã‚‹ãƒžã‚·ãƒ³ã‚’ Windows10 ã¨ã—ã¦ã„ã‚‹ãŸã‚ã€ã„ã‚ã„ã‚インストールã™ã‚‹ã“ã¨ã«ãªã‚Šã¾ã™ãŒã€ã¡ã‚‡ã£ã¨æ°—ãŒé€²ã¾ãªã„ã®ã§ã€å¯èƒ½ãªé™ã‚Šã€ParrotOS を攻撃マシンã¨ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚以下ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
徳丸本ã®å®Ÿç¿’環境ã‹ã‚‰æ”»æ’ƒãƒžã‚·ãƒ³ã‚’ParrotOSã«å¤‰æ›´
PlantUML ã¯ã€ä»Šã¾ã§ä½•å›žã‹ä½¿ã£ã¦ã„ã¾ã—ãŸãŒã€ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯å›³ã¯åˆã‚ã¦ä½œã‚Šã¾ã—ãŸã€‚ãªã‹ãªã‹ã„ã„æ„Ÿã˜ã«ä½œå›³ã—ã¦ãã‚Œã¾ã—ãŸã€‚ソースも貼ã£ã¦ãŠãã¾ã™ã€‚
@startuml
title 徳丸本ã®å®Ÿç¿’環境
nwdiag {
network home {
address = "192.168.11.x/24";
win10 [ address = 192.168.11.13 ];
}
network VirtualBox {
address = "192.168.56.x/24";
win10 [ address = 192.168.56.1 ];
DHCP-server [ address = 192.168.56.100 ];
group {
color = "#aaaaFF";
wasbook [ address = 192.168.56.101 ];
ParrotOS [ address = 192.168.56.105 ];
}
}
}
@enduml
徳丸本ã®å®Ÿç¿’環境ã®æ§‹ç¯‰ã¯ã€å¤§ãã分ã‘ã¦ã€è„†å¼±æ€§ä»®æƒ³ãƒžã‚·ãƒ³ï¼ˆwasbook)ã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—ã¨ã€æ”»æ’ƒå´ã® ParrotOS ã®è¨å®šã«ãªã‚Šã¾ã™ã€‚
脆弱性仮想マシン(wasbook)ã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—
環境構築ã«ã‚ãŸã‚Šã€å¿…è¦ãªã‚½ãƒ•ãƒˆãªã©ã¯ã€ä»¥ä¸‹ã®å¾³ä¸¸æœ¬ã®ã‚µãƒãƒ¼ãƒˆã‚µã‚¤ãƒˆã‹ã‚‰ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚
wasbook.org
脆弱性仮想マシン(wasbook)ã®ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«
サãƒãƒ¼ãƒˆã‚µã‚¤ãƒˆã®ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ãƒšãƒ¼ã‚¸ã‹ã‚‰ã€ã€Œå®Ÿç¿’用仮想マシン(VirtualBox用 Ver 1.0.4)ã€ã‚’ダウンãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚
ダウンãƒãƒ¼ãƒ‰ã—ãŸãƒ•ã‚¡ã‚¤ãƒ«ã¯ OVAファイルãªã®ã§ã€ãƒ€ãƒ–ルクリックã™ã‚‹ã¨ã€VirtualBox ã«ã‚¤ãƒ³ãƒãƒ¼ãƒˆã§ãã¾ã™ã€‚
CPU ㌠1ã¤ã€RAM 㯠512MBã€GUI ç„¡ã—ã€ã¨ã„ã†ã“ã¨ã§ã€è»½ã„仮想マシンã®ã‚ˆã†ã§ã™ã€‚
wasbook仮想マシンã®ã‚¤ãƒ³ãƒãƒ¼ãƒˆ
インãƒãƒ¼ãƒˆãŒå®Œäº†ã—ãŸã‚‰ã€ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚’クリックã—ã¦ã€ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã® NAT ã«åŠ ãˆã¦ã€ãƒ›ã‚¹ãƒˆã‚ªãƒ³ãƒªãƒ¼ã‚¢ãƒ€ãƒ—ã‚¿ã‚’è¿½åŠ ã—ã¦ãŠãã¾ã™ã€‚
wasbook仮想マシンã®è¨å®š
ã§ã¯ã€èµ·å‹•ã—ã¾ã™ã€‚
CUI ã®ãƒã‚°ã‚¤ãƒ³ç”»é¢ã«ãªã‚‹ã®ã§ã€ãƒ¦ãƒ¼ã‚¶å:wasbookã€ãƒ‘スワード:wasbook ã§ãƒã‚°ã‚¤ãƒ³ã—ã¾ã™ã€‚
SSHサーãƒãŒãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§èµ·å‹•ã—ã¦ã„ãŸã®ã§ã€TeraTerm ã§æŽ¥ç¶šã§ãã¾ã™ã€‚
æƒ…å ±åŽé›†ã¨ã€ParrotOS ã«æŽ¥ç¶šã§ãã‚‹ã“ã¨ã‚’確èªã—ã¾ã™ã€‚
$ cat /etc/issue
Debian GNU/Linux 9 \n \l
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 1000
link/ether 08:00:27:92:63:9e brd ff:ff:ff:ff:ff:ff
inet 10.0.2.15/24 brd 10.0.2.255 scope global enp0s3
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 08:00:27:5b:4c:dc brd ff:ff:ff:ff:ff:ff
inet 192.168.56.101/24 brd 192.168.56.255 scope global enp0s8
valid_lft forever preferred_lft forever
$ ping 192.168.56.105
PING 192.168.56.105 (192.168.56.105) 56(84) bytes of data.
64 bytes from 192.168.56.105: icmp_seq=1 ttl=64 time=2.07 ms
64 bytes from 192.168.56.105: icmp_seq=2 ttl=64 time=1.13 ms
^C
--- 192.168.56.105 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 1.130/1.601/2.073/0.473 ms
ã“ã®æ™‚点ã§ã€ParrotOS ã‹ã‚‰ wasbook ã® Webサーãƒã«ã‚¢ã‚¯ã‚»ã‚¹ã§ãã¾ã™ã€‚hosts ã®è¨å®šãŒã¾ã ãªã®ã§ã€IPアドレスã§ã€http://192.168.56.101 ã§ã€wasbook ã®ãƒˆãƒƒãƒ—ページãŒè¡¨ç¤ºã•ã‚Œã¾ã™ã€‚ã“ã“ã¾ã§ã§ã€è„†å¼±æ€§ä»®æƒ³ãƒžã‚·ãƒ³ï¼ˆwasbook)ã®ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã¯å®Œäº†ã§ã™ã€‚
脆弱性仮想マシン(wasbook)ã®è¨å®š
ã“ã“ã‹ã‚‰ã¯ã€å¿…é ˆã§ã¯ãªã„ã§ã™ãŒã€wasbook を使ã„ã‚„ã™ãã™ã‚‹è¨å®šã‚’è¡Œã„ã¾ã™ã€‚
visudo
sudo を付ã‘ã‚‹ãŸã³ã«ã€æ¯Žå›žãƒ‘スワードをèžã‹ã‚Œã‚‹ã®ã¯é¢å€’ãªã®ã§ã€visudo ã§ãƒ‘スワードを入力ã—ãªã„ã§ã„ã„よã†ã«è¨å®šã—ã¾ã—ãŸã€‚
$ sudo visudo
wasbook ALL=(ALL:ALL) NOPASSWD: ALL
sambaサーãƒ
ソースコードを編集ã—ãŸã‚Šã™ã‚‹ã®ã«ä¾¿åˆ©ãªã®ã§ã€sambaサーãƒã‚’インストールã—ã¾ã™ã€‚
$ sudo apt install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
samba : Depends: python-dnspython but it is not installable
Depends: python-samba but it is not going to be installed
Depends: samba-common-bin (= 2:4.5.12+dfsg-2+deb9u2) but it is not going to be installed
Depends: tdb-tools but it is not installable
Depends: update-inetd but it is not installable
Depends: libldb1 (>= 0.9.21) but it is not installable
Depends: libpython2.7 (>= 2.7) but it is not installable
Depends: libtalloc2 (>= 2.0.4~git20101213) but it is not installable
Depends: libtdb1 (>= 1.2.7+git20101214) but it is not installable
Depends: libtevent0 (>= 0.9.16) but it is not installable
Depends: samba-libs (= 2:4.5.12+dfsg-2+deb9u2) but it is not going to be installed
Recommends: attr but it is not installable
Recommends: samba-dsdb-modules but it is not going to be installed
Recommends: samba-vfs-modules but it is not going to be installed
E: Unable to correct problems, you have held broken packages.
Debian 9 ã¯å¤ã„ã®ã§ã€ã†ã¾ã入らãªã„ã§ã™ã€‚Docker ã¸ã®ç§»è¡Œã‚’考ãˆãŸæ–¹ãŒã„ã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。
ParrotOSã®è¨å®š
ã“ã“ã‹ã‚‰ã¯ã€æ”»æ’ƒå´ã® ParrotOS ã®è¨å®šã«ãªã‚Šã¾ã™ã€‚
ParrotOSã®hostsファイルã®è¨å®š
åå‰ã§ã‚¢ã‚¯ã‚»ã‚¹ã§ãるよã†ã«ã€ParrotOS ã® hosts ファイル㫠wasbook ã® IPアドレスã¨åå‰ã‚’登録ã—ã¾ã™ã€‚以下ã®ã‚ˆã†ã«ã€/etc/hosts ファイル㫠1è¡Œè¿½åŠ ã—ã¾ã™ã€‚
ping ã§ç¢ºèªã™ã‚‹ã¨ã€ã¡ã‚ƒã‚“ã¨ã‚¢ã‚¯ã‚»ã‚¹ã§ãã¦ã„ã¾ã™ã€‚
$ sudo nano /etc/hosts
192.168.56.101 example.jp api.example.net trap.example.com
$ sudo ping example.jp
PING example.jp (192.168.56.101) 56(84) bytes of data.
64 bytes from example.jp (192.168.56.101): icmp_seq=1 ttl=64 time=1.04 ms
64 bytes from example.jp (192.168.56.101): icmp_seq=2 ttl=64 time=1.12 ms
^C
--- example.jp ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1004ms
rtt min/avg/max/mdev = 1.044/1.079/1.115/0.035 ms
OWASP ZAPã®ã‚»ãƒƒãƒˆã‚¢ãƒƒãƒ—
youtube ã§ã€æµ·å¤–ã®ã‚µã‚¤ãƒˆã§ã€OWASP ZAP ã®è§£èª¬ã‚’ã—ã¦ã„ã‚‹ã®ã‚’èžã„ãŸã¨ã“ã‚ã€æ™®é€šã«ã€ã‚ªãƒ¯ã‚¹ãƒ—ザップã¨å‘¼ã‚“ã§ã„ãŸã‚ˆã†ãªæ°—ãŒã—ã¾ã™ã€‚
「ãƒãƒƒã‚ング・ラボã®ã¤ãã‚Šã‹ãŸ 完全版 仮想環境ã«ãŠã‘ã‚‹ãƒãƒƒã‚«ãƒ¼ä½“験å¦ç¿’ã€ã§ã¯ã€HTTP通信ã®ã‚¢ãƒŠãƒ©ã‚¤ã‚¶ï¼Ÿã¨ã—ã¦ã€Burp Suite を使ã£ã¦ã„ã¾ã™ãŒã€å¾³ä¸¸æœ¬ã§ã¯ã€åŒç¨®ã®ãƒ„ールã§ã‚ã‚‹ OWASP ZAP を使ã†ã‚ˆã†ã§ã™ã€‚
ParrotOS ã«ã¯ã€æœ€åˆã‹ã‚‰ OWASP ZAP ãŒã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã•ã‚Œã¦ã„ã¾ã™ã€‚ã§ã¯ã€èµ·å‹•ã—ã¦ã¿ã¾ã™ã€‚
OWASP ZAPã®èµ·å‹•
起動完了ã™ã‚‹ã¨ã€ä»¥ä¸‹ã®ã‚ˆã†ãªç”»é¢ã«ãªã‚Šã¾ã™ã€‚一番上ã®ã‚¿ã‚¤ãƒ スタンプベースをé¸ã‚“ã§ã€Start をクリックã—ã¾ã™ã€‚
OWASP ZAPã®èµ·å‹•å®Œäº†
ãã®å¾Œã€ã‚¢ãƒƒãƒ—デートã§ãã‚‹ç”»é¢ã«ãªã‚Šã¾ã™ãŒã€ã¾ãŸå¿…è¦ã«ãªã£ãŸã‚‰ã‚¢ãƒƒãƒ—デートã™ã‚‹ã“ã¨ã«ã—ã¦ã€Close をクリックã—ã¾ã™ã€‚OWASP ZAP ãŒèµ·å‹•ã—ã¾ã—ãŸã€‚
続ã„ã¦ã€ãƒ—ãƒã‚ã‚·ã®è¨å®šã‚’è¡Œã„ã¾ã™ã€‚OWASP ZAP ã‚„ã€Burp Suite 㯠HTTP ã®ãƒãƒ¼ã‚«ãƒ«ãƒ—ãƒã‚ã‚·ã¨ã—ã¦å‹•ãã¾ã™ã€‚Webブラウザã‹ã‚‰Webサーãƒã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹éš›ã€ãã®é€šä¿¡ã‚’仲介ã—ã€Webブラウザã®è¦æ±‚を確èªã—ãŸã‚Šã€å†…容を変更ã—ãŸã‚Šã§ãã¾ã™ã€‚
Tool → Options... をクリックã—ã¾ã™ã€‚
プãƒã‚ã‚·ã®è¨å®šã‚’èµ·å‹•
ãŸãã•ã‚“è¨å®šé …ç›®ãŒã‚ã‚Šã¾ã™ãŒã€å·¦å´ã®é …ç›®ã‹ã‚‰ã€Network → LocalServers/Proxies ã‚’é¸ã³ã¾ã™ã€‚ãƒãƒ¼ãƒˆç•ªå·ãŒ 8080番ã«ãªã£ã¦ã„ã¾ã™ãŒã€ä»–ã¨ç«¶åˆã—ã‚„ã™ã„ã¨ã„ã†ã“ã¨ã§ã€58888 ã«å¤‰æ›´ã—ã¾ã™ã€‚
ãƒãƒ¼ã‚«ãƒ«ãƒ—ãƒã‚ã‚·ã®ãƒãƒ¼ãƒˆç•ªå·ã‚’変更
OK を押ã—ã¦é–‰ã˜ãšã«ã€å·¦å´ã®é …ç›®ã‹ã‚‰ Breakpoints ã‚’é¸ã³ã¾ã™ã€‚Break Buttons Mode ã‚’ Separate Request and Response Buttons ã«å¤‰æ›´ã—ã¾ã™ã€‚
ブレークãƒã‚¤ãƒ³ãƒˆã®è¨å®šã‚’変更
※2024/8/11:追記ã—ã¾ã—ãŸ
日本語ã«å¯¾å¿œã—ã¦ã„ã‚‹ã®ã§ã€æ—¥æœ¬èªžåŒ–ã—ã¾ã™ã€‚
åŒã˜ãã€Tool → Options... ã® Language をクリックã—ã¦ã€å³ä¸Šã®ã¨ã“ã‚ã‹ã‚‰ã€ã€Œæ—¥æœ¬èªžã€ã‚’é¸æŠžã—ã¾ã™ã€‚日本語化ã•ã‚Œã‚‹ã«ã¯ã€OWASP ZAP ã®å†èµ·å‹•ãŒå¿…è¦ã§ã—ãŸã€‚
日本語化ã®è¨å®š
Firefox ã§ã€https://example.jp/ ã«ã‚¢ã‚¯ã‚»ã‚¹ã™ã‚‹ã¨ã€ã€Œè¦å‘Šï¼šæ½œåœ¨çš„ãªã‚»ã‚ュリティリスクã‚ã‚Šã€ã¨è¡¨ç¤ºã•ã‚Œã¦ã€å±é™ºã‚’承知ã§é€²ã‚€ã¨ã€ä¸€å¿œè¡¨ç¤ºã•ã‚Œã‚‹ã®ã§ã™ãŒã€ç›®æ¬¡ãƒšãƒ¼ã‚¸ã‚„ã€ãã®ã»ã‹ã®ãƒšãƒ¼ã‚¸ã‚‚ã€ä»¥ä¸‹ã®ã‚ˆã†ãªæ„Ÿã˜ã§ã€å·¦å³ã«è¦å‘ŠãŒå‡ºãŸã¾ã¾ã«ãªã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ã€‚
è¦å‘ŠãŒè¡¨ç¤ºã•ã‚Œã‚‹å ´åˆãŒã‚ã‚‹
ã“ã‚Œã¯ã€OWASP ZAP ãŒã‚¢ãƒƒãƒ—デートã•ã‚Œã¦ã€æ©Ÿèƒ½è¿½åŠ ã•ã‚ŒãŸã“ã¨ãŒåŽŸå› ã¨ã„ã†ã“ã¨ã§ã™ã€‚以下ã®ã‚ˆã†ã«ã€Tool → Options... ã® HUD ã§ã€Enable when using the ZAP Desktop ã®é …ç›®ã®ãƒã‚§ãƒƒã‚¯ã‚’外ã™ã¨è§£æ±ºã—ã¾ã™ã€‚
HUDã®è¨å®š
Firefoxã«æ‹¡å¼µæ©Ÿèƒ½ã®FoxyProxy-Standardをインストールã™ã‚‹
Firefox ã‚’èµ·å‹•ã—ã¾ã™ã€‚
次㮠URL ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ã¾ã™ã€‚https://addons.mozilla.org/ja/firefox/addon/foxyproxy-standard/
FoxyProxy-Standardã®æ‹¡å¼µæ©Ÿèƒ½ã‚’インストール
ã„ãã¤ã‹ç¢ºèªç”»é¢ãŒå‡ºã¾ã™ãŒã€OK(Okey)をクリックã—ã¾ã™ã€‚
FoxyProxy-Standard ã®è¨å®šã‚’è¡Œã„ã¾ã™ã€‚
サãƒãƒ¼ãƒˆã‚µã‚¤ãƒˆã«ã€æœ€æ–°ï¼Ÿã®ã€ŒFoxyproxyã®è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ã€ãŒã‚ã‚‹ã®ã§ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã—ã¾ã™ã€‚ファイルåã¯ã€Œfoxyproxy7.jsonã€ã§ã™ã€‚ãŠãらãã€FoxyProxy-Standard ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ 7 用ã®è¨å®šãƒ•ã‚¡ã‚¤ãƒ«ãªã‚“ã ã¨æ€ã„ã¾ã™ãŒã€ä»Šå›žã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—㟠FoxyProxy ã¯ã€ãƒãƒ¼ã‚¸ãƒ§ãƒ³ 8.9 ã§ã—ãŸã€‚
Firefox ã®æ‹¡å¼µæ©Ÿèƒ½ã®ã‚¢ã‚¤ã‚³ãƒ³ã‚’クリックã—ã¦ã€FoxyProxy をクリックã—ã¾ã™ã€‚ã™ã‚‹ã¨ã€Options ãŒã‚ã‚‹ã®ã§ã‚¯ãƒªãƒƒã‚¯ã—ã¾ã™ã€‚Import タブを開ãã€Import from older versions をクリックã—ã¾ã™ã€‚Import ボタンãŒã‚ã‚‹ã®ã§ã€ã‚¯ãƒªãƒƒã‚¯ã™ã‚‹ã¨ã€ãƒ•ã‚¡ã‚¤ãƒ«ã‚’é–‹ãダイアãƒã‚°ãŒå‡ºã‚‹ã®ã§ã€å…ˆã»ã©ãƒ€ã‚¦ãƒ³ãƒãƒ¼ãƒ‰ã—ãŸã€Œfoxyproxy7.jsonã€ã‚’é–‹ãã¾ã™ã€‚ã“ã‚Œã§è¨å®šãŒèªã¿è¾¼ã¾ã‚Œã¾ã—ãŸã€‚
Proxies タブを開ãã¾ã™ã€‚ZAP ã‚’é–‹ãã€ä¸‹ã®æ–¹ã« Pattern ã¨ã„ã†ã®ãŒã‚ã‚Šã¾ã™ãŒã€ã“ã“ãŒã†ã¾ãå‹•ã‹ãªã‹ã£ãŸã®ã§ä¿®æ£ã—ã¾ã—ãŸã€‚下図ã®ã‚ˆã†ã«è¨å®šã™ã‚‹ã“ã¨ã§å‹•ãã¾ã—ãŸã€‚
- *example.jp*
- *api.example.net*
- *trap.example.com*
FoxyProxyã®è¨å®š
ã¡ã‚‡ã£ã¨åˆ†ã‹ã‚Šã«ãã‹ã£ãŸã®ã§ã™ãŒã€FoxyProxy を有効ã«ã™ã‚‹ã«ã¯ã€ä¸‹å›³ã®ã¨ã“ã‚をクリックã—ã¦è¨å®šã—ã¦ãŠãå¿…è¦ãŒã‚ã‚Šã¾ã—ãŸã€‚
FoxyProxyã®è¨å®š
動作確èªã—ã¦ã¿ã¾ã™ã€‚
https://example.jp/ ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ãŸã¨ãã¯ã€OWASP ZAP ãŒèªè˜ã—ã¾ã™ãŒã€æ™®é€šã® Webサイト(Googleã¨ã‹ï¼‰ã«ã‚¢ã‚¯ã‚»ã‚¹ã—ã¦ã‚‚ OWASP ZAP ãŒèªè˜ã—ãªã‘ã‚Œã°æ£ã—ãè¨å®šã§ãã¦ã„ã‚‹ã‚“ã ã¨æ€ã„ã¾ã™ã€‚
FoxyProxyã®å‹•ä½œç¢ºèª
当é¢ã®ç’°å¢ƒæ§‹ç¯‰ã¯ã“ã‚Œã§å®Œäº†ã§ã™ã€‚脆弱性仮想マシンã¯ã€wasbook ã®ä»–ã«ã‚‚用æ„ã•ã‚Œã¦ã„るよã†ãªã®ã§ã™ãŒã€æ›¸ç±ã®å¾ŒåŠã«å‡ºã¦ãるよã†ãªã®ã§ã€ä»Šå›žã¯ã“ã“ã¾ã§ã«ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚
ãŠã‚ã‚Šã«
今回ã¯ã€ã€Œä½“系的ã«å¦ã¶ 安全ãªWebアプリケーションã®ä½œã‚Šæ–¹ 第2版 脆弱性ãŒç”Ÿã¾ã‚Œã‚‹åŽŸç†ã¨å¯¾ç–ã®å®Ÿè·µã€ï¼ˆé€šç§°ï¼šå¾³ä¸¸æœ¬ï¼‰ã®ç’°å¢ƒæ§‹ç¯‰ã‚’è¡Œã„ã¾ã—ãŸã€‚
次回ã‹ã‚‰ã¯ã€å¾³ä¸¸æœ¬ã«æ²¿ã£ã¦ã€é€²ã‚ã¦ã„ããŸã„ã¨æ€ã„ã¾ã™ã€‚
最後ã«ãªã‚Šã¾ã—ãŸãŒã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã‚°ãƒ«ãƒ¼ãƒ—ã®ãƒ©ãƒ³ã‚ングã«å‚åŠ ä¸ã§ã™ã€‚
気楽ã«ãƒãƒãƒƒã¨ã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ðŸ™‡
今回ã¯ä»¥ä¸Šã§ã™ï¼
最後ã¾ã§ãŠèªã¿ã„ãŸã ãã€ã‚ã‚ŠãŒã¨ã†ã”ã–ã„ã¾ã—ãŸã€‚
