INTER-Mediatorが備えるセキュリティ機能

140 Views

August 24, 19

スライド概要

2019/08/24 INTER-Mediator《大》勉強会 2019発表資料

profile-image

Web Application Developer / kintone CERTIFIED App Design Specialist 2020 / kintone CERTIFIED Customization Specialist 2020

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

関連スライド

各ページのテキスト
1.

INTER-Mediator͕උ͑Δ ηΩϡϦςΟ‫ػ‬ೳ 2019/08/24 INTER-Mediatorʬେʭษ‫ڧ‬ձ 2019 দඌಞʢ‫ࣜג‬ձࣾΤϛοΫʣ

2.

Agenda • WebΞϓϦͰ‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • INTER-MediatorͷηΩϡϦςΟ‫ػ‬ೳ • INTER-Mediator Training Course

3.

WebΞϓϦͰ ‫͔ͭݟ‬Γ΍͍͢੬ऑੑ

4.

WebΞϓϦͷ੬ऑੑΛ஌Δ • ҆શͳ΢ΣϒαΠτͷ࡞ΓํΛࢀর https://www.ipa.go.jp/security/vuln/ websecurity.html ʢIPA ಠཱߦ੓๏ਓ ৘ใॲཧਪਐ‫ߏػ‬ʣ

5.

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • SQLΠϯδΣΫγϣϯ • OSίϚϯυɾΠϯδΣΫγϣϯ • σΟϨΫτϦɾτϥόʔαϧ • ηογϣϯ؅ཧͷෆඋ

6.

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • ΫϩεαΠτɾεΫϦϓςΟϯά ʢXSSʣ • ΫϩεαΠτɾϦΫΤετɾϑΥʔδΣ ϦʢCSRFʣ • HTTPϔομɾΠϯδΣΫγϣϯ

7.

‫͔ͭݟ‬Γ΍͍͢੬ऑੑ • ϝʔϧϔομɾΠϯδΣΫγϣϯ • ΫϦοΫδϟοΩϯά • όοϑΝΦʔόʔϑϩʔ • ΞΫηε੍‫ޚ‬΍ೝՄ੍‫ޚ‬ͷܽམ

8.

INTER-Mediatorͷ ηΩϡϦςΟ‫ػ‬ೳ

9.

XSSରࡦ • INTER-Mediator͸HTMLग़ྗ࣌ʹσϑΥ ϧτͰΤεέʔϓॲཧΛߟྀ <td colspan="3" class="grayback" dataim="messageauth@message">

10.

innerHTMLϓϩύςΟ • ࢓্༷ΤεέʔϓॲཧΛ͠ͳ͍৔߹͸ innerHTMLϓϩύςΟʹ୅ೖ <td colspan="3" class="grayback" dataim="messageauth@message@innerHTML">

11.

CSRFରࡦ • params.phpͰ$webServerNameΛઃఆ • σϑΥϧτͰ͸ະઃఆ • WebΞϓϦέʔγϣϯ͕Քಇ͍ͯ͠Δ ϗετͷυϝΠϯ໊΋͘͠͸FQDN ʢ‫׬‬શम০υϝΠϯ໊ʣΛ഑ྻͰࢦఆ

12.

CSRFରࡦ • params.phpͰͷ$webServerNameઃఆྫ $webServerName = array('intermediator.com', 'inter-mediator.info');

13.

CSRFରࡦ • ϦΫΤετϔομʔʹX-From͓Αͼ OriginΛར༻͢Δख๏Λར༻ http://hasegawa.hatenablog.com/entry/ 20130302/p1

14.

ΫϦοΫδϟοΩϯάରࡦ • params.phpͰ$xFrameOptionsΛઃఆ • ‫ࡏݱ‬ͷͱ͜ΖσϑΥϧτͰ͸ະઃఆ • ઃఆྫ $xFrameOptions = 'SAMEORIGIN';

15.

INTER-Mediatorͷೝূ‫ػ‬ೳ • ωΠςΟϒೝূ • σʔλϕʔεΤϯδϯʹ૊Έࠐ·Εͨ ϢʔβʔΛར༻͢Δํ๏ • Ϣʔβʔೝূ • σʔλϕʔεʹ‫·ؚ‬ΕΔςʔϒϧ͋Δ ͍͸ϏϡʔΛར༻͢Δํ๏

16.

INTER-Mediatorͷೝূ‫ػ‬ೳ • INTER-MediatorͰͷೝূ΍ΞΫηε‫ݖ‬ઃ ఆͰ͸Ϣʔβʔ΍άϧʔϓΛ࢖༻ • LDAP΍OAuth2ʹΑΔೝূʹ΋ରԠ

17.

INTER-Mediatorͷೝূ‫ػ‬ೳ • authuserɺauthgroupɺauthcorͷͦΕͧ Εͷςʔϒϧʹ‫ه‬࿥͓ͯ͘͠ͷ͕‫ج‬ຊ ʢωΠςΟϒೝূҎ֎ͷख๏Ͱ͸ʣ • ೝূΛνϟϨϯδ-ϨεϙϯεʹΑͬͯ ߦ͏ͨΊͷissuedhashςʔϒϧ΋ඞཁ

18.

ೝূ͸ఆٛϑΝΠϧͰઃఆ IM_Entry( array(array( 'name' => 'chat', 'key' => 'id', 'authentication' => array('all' => array('target' => 'field-user', 'field' => 'user',),), 'protect-writing' => array( 'user' ), ),), array( 'authentication' => array( // Φϓγϣϯઃఆ 'user' => array('user1'), // ϩάΠϯՄೳͳϢʔβʔ 'group' => array('group2'), // ϩάΠϯՄೳͳάϧʔϓ ), ), array('db-class' => 'PDO'), false );

19.

ಛఆϢʔβʔͷΈϩάΠϯ • ΦϓγϣϯઃఆͷauthenticationΩʔʹ userΩʔͷ഑ྻΛࢦఆ

20.

ಛఆάϧʔϓͷΈϩάΠϯ • ΦϓγϣϯઃఆͷauthenticationΩʔʹ groupΩʔͷ഑ྻΛࢦఆ

21.

Ϩίʔυ୯ҐͷΞΫηε‫ݖ‬ • ίϯςΩετఆٛͷauthenticationΩʔͷ ഑ྻͷதͰɺૢ࡞໊ΛΩʔʹͨ͠഑ྻ ͰɺtargetΩʔͱfieldΩʔΛࢦఆ

22.

Ϩίʔυ୯ҐͷΞΫηε‫ݖ‬ • targetΩʔͷ஋͕ʮfield-userʯͳΒfield ΩʔͰࢦఆͨ͠ϑΟʔϧυʹ͋Δ໊લ ͷϢʔβʔʹରͯ͠‫ݶݖ‬Λ෇༩ • targetΩʔͷ஋͕ʮfield-groupʯͳΒfield ΩʔͰࢦఆͨ͠ϑΟʔϧυʹ͋Δ໊લ ͷάϧʔϓʹରͯ͠‫ݶݖ‬Λ෇༩

23.

ͦͷଞͷઃఆ߲໨ • params.phpͰ‫ه‬ड़͢ΔηΩϡϦςΟؔ࿈ ͷઃఆ߲໨ • $contentSecurityPolicy • $generatedPrivateKey • $passwordPolicy

24.

ৄࡉʹ͍ͭͯ͸ • INTER-Mediator Training CourseΛࢀর • Chapter 7ʮηΩϡϦςΟͱೝূɾΞ Ϋηε‫ݖ‬ʯ • Chapter 8ʮαʔόʔαΠυͰͷϓϩ άϥϛϯάʯ

25.

ͦͷଞ஌͓͖͍ͬͯͨ͜ͱ • ҉߸Խ௨৴ͷͨΊͷSSL/TLS • HTTPͰ͸௨৴͸҉߸Խ͞Εͳ͍ • SSL/TLSΛ༗ޮԽͨ͠HTTPSΛ༻͍Δ

26.

ৗ࣌SSL • ༻్ɾ໨తʹԠͯ͡HTTPΛ࢖༻Ͱ͸ͳ ͘ৗʹHTTPSͷར༻͕ਪ঑͞ΕΔঢ়‫گ‬ • SSL/TLSΛ༗ޮʹ͢Δʹ͸ೝূ‫͔ہ‬Β SSLαʔόʔূ໌ॻΛཁߪೖ • ແྉͷূ໌ॻʢLet's Encryptʣ΋ଘࡏ

27.

INTER-Mediator Training Course

28.

τϨʔχϯάίʔε • INTER-Mediatorͷ։ൃख๏Λԋश‫Ͱࣜܗ‬ ࣗश͢Δ༗ঈͷτϨʔχϯάίʔε • ePub‫ࣜܗ‬ͷిࢠग़൛෺ • INTER-Mediator-Server VMΛར༻͠ͳ ͕ΒԋशΛਐΊΒΕΔ

29.

αʔόʔαΠυͰग़ྗௐ੔ ʢఆٛϑΝΠϧͰͷઃఆʣ • ίϯςΩετఆٛʹextending-classΩʔ Ͱ‫ه‬ड़ • Ϋϥε໊ʹʮ.phpʯΛ͚ͭͨϑΝΠϧ໊ ͷϑΝΠϧΛఆٛϑΝΠϧͱಉҰ֊૚ ʹ഑ஔ

30.

αʔόʔαΠυͰग़ྗௐ੔ ʢఆٛϑΝΠϧͰͷઃఆྫʣ IM_Entry( array( array( "name" => "salesitems", "view" => "items", "query" => array( array("field" => "year", "operator" => "=", "value" => "2016"), ), "extending-class" => "AdditionalProccess", ),

31.

αʔόʔαΠυͰग़ྗௐ੔ ʢPHPʹΑΔ֦ுྫʣ <?php class AdditionalProccess implements Extending_Interface_BeforeRead, Extending_Interface_AfterRead { public function doBeforeReadFromDB() { } public function doAfterReadFromDB($result) { /* ͜͜ʹಠࣗͷॲཧΛ‫ه‬ड़ */ return $result; } }

32.

αʔόʔαΠυͰग़ྗௐ੔ • ৄࡉ͸INTER-Mediator Training Courseͷ Chapter 8ʮαʔόʔαΠυͰͷϓϩά ϥϛϯάʯΛࢀর

33.

·ͱΊ

34.

·ͱΊ • WebΞϓϦέʔγϣϯͷ੬ऑੑΛͳ ͘͢ҰൠతͳղܾࡦΛ஌Δ • ϑϨʔϜϫʔΫ͕ఏ‫͢ڙ‬ΔηΩϡϦςΟ ‫ػ‬ೳͱલఏ৚݅Λ೺Ѳ͢Δ • σʔλϕʔειϑτ΢ΣΞ͕උ͑Δη ΩϡϦςΟ‫ػ‬ೳΛཧղ͢Δ