Cross-Site Request Forgery (CSRF) and Its Countermeasures (OSC2015 Hokkaido edition) / クロスサイトリクエストフォージェリ(CSRF)とその対策手法 (OSC2015Hokkaido版)
TRANSCRIPT
Copyright © 2015 JPCERT/CC All rights reserved.
http://www.tomo.gr.jp/root/e9706.html
Previous JPCERT/CC talks at OSC
• OSC2014@Fukuoka: Lessons (to be) Learned from Handling OpenSSL Vulnerabilities
• OSC2013@Kyoto: (Java)
• OSC2012@Fukuoka: (Android)
• OSC2011@Nagoya: (JAVA)
• OSC2010@Hokkaido
• OSC2009@Fukuoka
• OSC2008@Tokyo/Spring
• OSC2007@Fukuoka
• OSC2007@Niigata
• OSC2007@Kansai
• OSC2005@Tokyo/Fall
JPCERT/CC secure coding materials
www.jpcert.or.jp/securecoding/

Slides from past talks are on SlideShare
www.slideshare.net/jpcert_securecoding/presentations

Secure coding standards
CMU/SEI's CERT Secure Coding Initiative
https://www.securecoding.cert.org/

CERT C Coding Standard
CERT C (Japanese translation): https://www.jpcert.or.jp/research/materials.html#secure
JPCERT/CC: https://www.jpcert.or.jp/sccrules/

CERT Oracle Secure Coding Standard for Java
OSC2011@Nagoya talk: http://www.ospn.jp/osc2011-nagoya/pdf/osc2011nagoya-JPCERT_CC.pdf
JPCERT/CC: https://www.jpcert.or.jp/java-rules/

Other secure coding standards (C++, Perl, Android): "under development"

The secure coding standards cover Java, Android, C, C++, ……
1. What is a CSRF vulnerability?

CSRF (Cross-Site Request Forgery)
Definition used here: IPA, "How to Secure Your Website", section 1.6 CSRF.
Some web applications have no mechanism for checking whether a request from a logged-in user is one that the user actually intended. Such an application accepts a malicious request routed through a third party's site: an attacker's page makes the victim's browser send a request to the application, and the application carries out the operation (changing settings, posting, purchasing, deleting) as if the user had asked for it.
Normal request flow (1)
The user's browser requests the form: GET form.html. The web application returns its own page containing <form>……

Normal request flow (2)
The user fills in and submits the form: PUT …… The application processes the request and returns the result page <html>……

CSRF attack (1)
The user, still logged in to the application, is lured to the attacker's site: GET xxxx.html. The attacker's page contains <form>…… whose target is the web application.

CSRF attack (2)
The attacker's page submits that form from the user's browser: PUT …… The browser attaches the user's session cookie, the application cannot tell this request apart from the one in the normal flow, and it returns <html>…… with the operation already executed!!
Where the CSRF vulnerability lies
• The web application acts on a state-changing request purely because it arrives with a valid session cookie.
• It has no way to check that the request was submitted from a form the application itself served to that user.
• Any such operation (changing settings, deleting data, posting) can therefore be triggered from a page under the attacker's control, without the user's intent.
Vulnerability databases (1)
https://cve.mitre.org/cve/cve.html
https://nvd.nist.gov/
https://web.nvd.nist.gov/view/vuln/search

Vulnerability databases (2)
https://jvn.jp/
http://www.osvdb.org/
CSRF vulnerabilities 2001-2014 in CVE (by description)
• 1,039 CVE entries from 2001 to 2014 mention CSRF in their description.
• A CVE description often names the affected file (foo.php, BarServlet), which hints at the language (PHP, Java) the vulnerable application is written in.
• Of the 39 CSRF entries published on JVN, the language could be inferred as PHP: 13, Perl: 2, Ruby: 1.
CSRF vulnerabilities published on JVN (JVN ID, product, CVE ID)
JVN#32631078  ASUS wireless LAN routers              CVE-2014-7270
JVN#94409737  WordPress MailPoet Newsletters plugin  CVE-2014-3907
JVN#42511610  acmailer                               CVE-2014-3896
JVN#36259412  (Web …)                                CVE-2014-3881
JVN#05329568  WordPress Login rebuilder plugin       CVE-2014-3882
JVN#13313061  TOSHIBA e-STUDIO                       CVE-2014-1990
JVN#50943964  phpMyFAQ                               CVE-2014-0813
JVN#11221613  EC-CUBE                                CVE-2013-5993
JVN#48108258  HP ProCurve 1700 series switches       CVE-2012-5216
JVN#06251813                                         CVE-2013-2305
JVN#59503133  NEC (product)                          CVE-2013-0717
JVN#53269985  Welcart                                CVE-2012-5178
JVN#44913777  SNS software                           CVE-2012-1237
JVN#83459967  Janetter                               CVE-2012-1236
2. CSRF countermeasures

Where to apply the countermeasure
Normal flow: GET form.html → <form>…… served by the application → the user submits PUT …… → <html>…… result.
CSRF attack: GET xxxx.html → <form>…… served by the attacker → the attacker's page submits PUT …… to the application → <html>…… result, executed without the user's intent.
The two PUT requests look the same to the application, so the countermeasure has to be applied at the point where the application receives and processes the state-changing request: the CSRF countermeasure goes here.
The countermeasure approach
The application must be able to verify that a submitted request originates from the form it served to this user, and must refuse to process any request it cannot verify!!
Nonce-based CSRF countermeasure
Embed a random, unguessable value (nonce) in the form when serving it, remember it for the user's session, and when the form is submitted check that the request carries the same nonce. The attacker's page cannot read the nonce, so the forged request fails the check and is rejected.
Reference: IPA, "How to Secure Your Website"
Many web application frameworks already provide this:
— "Most frameworks have built-in CSRF support such as Joomla, Spring, Struts, Ruby on Rails, .NET and others."
— IPA's document cites Ruby on Rails as an example (2007)
https://www.owasp.org/index.php/CSRF
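As an added example (not code from the slides or from any of the libraries discussed), the nonce mechanism in Python: a per-session token issued together with the form and checked on every state-changing request, with a missing or mismatching token rejected. `SessionStore`, `CsrfGuard` and the field name `csrf_token` are names chosen for the example; the session id stands for what the browser's session cookie carries, which the attacker's page can cause to be sent but cannot read.

```python
"""Synchronizer-token CSRF check as a minimal server-side model.
Added example, not code from the JPCERT/CC slides or any library.
SessionStore, CsrfGuard and the field name csrf_token are hypothetical names."""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # read-only methods: no token check
TOKEN_FIELD = "csrf_token"                   # hidden form field name (assumption)


class SessionStore:
    """Server-side session state, keyed by the session id from the cookie."""
    def __init__(self):
        self._sessions = {}

    def get(self, session_id):
        return self._sessions.setdefault(session_id, {})


class CsrfGuard:
    def __init__(self, store):
        self.store = store

    def issue_token(self, session_id):
        """Create the per-session token on first use; reuse it afterwards."""
        session = self.store.get(session_id)
        if TOKEN_FIELD not in session:
            session[TOKEN_FIELD] = secrets.token_urlsafe(32)  # CSPRNG, 256 bits
        return session[TOKEN_FIELD]

    def render_form(self, session_id, action):
        """The form the application serves: the token rides in a hidden field."""
        token = self.issue_token(session_id)
        return (f'<form method="POST" action="{action}">'
                f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">'
                '<input type="submit" value="Delete"></form>')

    def check(self, session_id, method, form):
        """Return (allowed, reason); call before any state-changing handler."""
        if method.upper() in SAFE_METHODS:
            return True, "safe method"
        expected = self.store.get(session_id).get(TOKEN_FIELD)
        if expected is None:
            return False, "no token issued for this session"
        supplied = form.get(TOKEN_FIELD)
        if supplied is None:
            return False, "required token is missing from the request"
        # compare_digest keeps the comparison constant-time
        if not hmac.compare_digest(expected, supplied):
            return False, "token mismatch"
        return True, "token ok"


def demo():
    """A legitimate submit versus a forged POST from an attacker's page."""
    guard = CsrfGuard(SessionStore())
    victim = "sess-victim"                       # constructed session id
    guard.render_form(victim, "/users/delete?uid=2")
    token = guard.issue_token(victim)
    legit, _ = guard.check(victim, "POST", {TOKEN_FIELD: token, "uid": "2"})
    # The attacker's page can make the browser send the cookie but cannot read
    # the token, so the forged form carries none (or at best a random guess)
    forged, reason = guard.check(victim, "POST", {"uid": "2"})
    guessed, _ = guard.check(victim, "POST",
                             {TOKEN_FIELD: secrets.token_urlsafe(32), "uid": "2"})
    return {"legit": legit, "forged": forged, "forged_reason": reason,
            "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session on the server, so the check never relies on anything the attacker's page could supply; the same shape is what the libraries in the next section implement as a filter (Java) or an output-buffer hook (PHP).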
3. CSRF countermeasure libraries

Finding CSRF countermeasure libraries
For an application whose framework does not insert and verify a nonce for it, a library that inserts the nonce into pages and verifies it on each request can add the protection without rewriting the application.
• Is OWASP CSRFGuard the only such library? Are there equivalents for other languages?
• How do they hook into a web application or its framework?
• How much work is it to apply one to an existing application?
CSRF countermeasure libraries for Java, PHP and Python
Language | Library | Notes
Java | Apache Tomcat CSRF Prevention Filter | Filter bundled with Apache Tomcat
Java | OWASP CSRFGuard | Servlet filter for Java web applications
Java | Spring Security | Part of the Spring Framework; servlet filter
Java | csrf-filter | Servlet filter for Java web applications
PHP | OWASP CSRFProtector | PHP library; also available as an Apache module
PHP | csrf-magic | PHP library
Python | CSRF Protection middleware | Django's CSRF middleware
Java, PHP and Python were chosen as the web-oriented languages among the top of the TIOBE index
http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html
(February 2015 ranking: C, Java, C++, Objective-C, C#, JavaScript, PHP, Python, …)
How the libraries hook in
Java: as a filter in the servlet container (Tomcat), or as a filter declared in the web application's web.xml
PHP: through output buffering with PHP's ob_start(), rewriting the page on its way out
Libraries covered
Apache Tomcat CSRF Prevention Filter
OWASP CSRFGuard
Spring Security
csrf-filter
OWASP CSRFProtector
csrf-magic
Django CSRF Protection middleware
OWASP CSRFGuard overview
— https://www.owasp.org/index.php/CSRFGuard
— https://www.owasp.org/index.php/CSRFGuard_3_User_Manual
• OWASP's CSRF countermeasure library for Java: it issues a nonce (token) per session and verifies it on every protected request.
• The nonce is inserted into the page's forms and links by a JavaScript file that the library itself serves (JavaScriptServlet); the page only has to load that script.
• Distributed as a jar; implemented as a Java Servlet Filter that compares the nonce in the incoming request with the nonce held in the session.
Applying it:
1. Put the jar on the web application's classpath
2. Edit the web application's web.xml
3. Write Owasp.CsrfGuard.properties
4. Add the script tag to the web application's JSPs
OWASP CSRFGuard setup (1)
1. Put Owasp.CsrfGuard.jar on the web application's classpath
   # e.g. in the web application's /WEB-INF/lib
OWASP CSRFGuard setup (2)
2. Edit the web application's web.xml
<!-- Register the OWASP CSRFGuard listeners -->
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardServletContextListener</listener-class>
</listener>
<listener>
  <listener-class>org.owasp.csrfguard.CsrfGuardHttpSessionListener</listener-class>
</listener>
<!-- Location of the configuration file -->
<context-param>
  <param-name>Owasp.CsrfGuard.Config</param-name>
  <param-value>WEB-INF/Owasp.CsrfGuard.properties</param-value>
</context-param>
<!-- Register the OWASP CSRFGuard filter -->
<filter>
  <filter-name>CSRFGuard</filter-name>
  <filter-class>org.owasp.csrfguard.CsrfGuardFilter</filter-class>
</filter>
<!-- Map the registered CSRF prevention filter to the URLs it protects -->
<filter-mapping>
  <filter-name>CSRFGuard</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
<!-- Register the servlet that serves the token-injecting JavaScript -->
<servlet>
  <servlet-name>JavaScriptServlet</servlet-name>
  <servlet-class>org.owasp.csrfguard.servlet.JavaScriptServlet</servlet-class>
</servlet>
<!-- Map the JavaScript servlet -->
<servlet-mapping>
  <servlet-name>JavaScriptServlet</servlet-name>
  <url-pattern>/JavaScriptServlet</url-pattern>
</servlet-mapping>
OWASP CSRFGuard setup (3)
3. WEB-INF/Owasp.CsrfGuard.properties (main settings)
org.owasp.csrfguard.NewTokenLandingPage  page to land on after a new token is generated
org.owasp.csrfguard.TokenPerPage         use a different token per page in addition to the session token
org.owasp.csrfguard.ProtectedMethods     HTTP methods subject to the CSRF check
org.owasp.csrfguard.UnprotectedMethods   HTTP methods exempt from the CSRF check
org.owasp.csrfguard.unprotected.*        pages exempt from the CSRF check
org.owasp.csrfguard.protected.*          pages subject to the CSRF check
org.owasp.csrfguard.action.*             actions taken when a request fails the check
org.owasp.csrfguard.TokenName            name of the token parameter
org.owasp.csrfguard.SessionKey           session attribute key under which the token is stored
org.owasp.csrfguard.TokenLength          length of the token
org.owasp.csrfguard.PRNG                 random number generator used to create tokens (default SHA1PRNG)
OWASP CSRFGuard setup (4)
4. In the JSP's head or body, load the JavaScript served by OWASP CSRFGuard's JavaScriptServlet; it inserts the nonce into the page's forms and links
<script src="/path/to/webapp/JavaScriptServlet"></script>
OWASP CSRFProtector overview
— https://www.owasp.org/index.php/CSRFProtector_Project
— https://github.com/mebjas/CSRF-Protector-PHP
• OWASP's CSRF countermeasure library for PHP (also available as an Apache module)
• Uses PHP's ob_start() output buffering to rewrite the page as it is sent, so the nonce (token) is inserted without editing each form
• The token is kept in a cookie and attached to requests by the library's JavaScript; on each request the library verifies it
  # see http://php.net/manual/ja/function.ob-start.php
Applying it:
1. Include the library at the top of the PHP files that receive form submissions
2. Configure /libs/config.php
OWASP CSRFProtector setup (1)
1. At the top of the PHP files that handle form submissions, and 2. after editing /libs/config.php, add:
include_once __DIR__ . '/libs/csrf/csrfprotector.php';
csrfProtector::init();
OWASP CSRFProtector setup (2)
Main settings in config.php
CSRFP_TOKEN                 name of the token (cookie and request parameter); "" means the default "csrfp_token"
noJs                        run without JavaScript (no-js mode); default false
logDirectory                directory for the log; default "../log"
failedAuthAction            action on a failed check, per method (default GET: 0, POST: 0)
                            • 0: respond HTTP 403 (Forbidden)
                            • 1: strip the GET/POST parameters ($_POST etc.) and continue
                            • 2: redirect to errorRedirectionPage
                            • 3: show customErrorMessage
                            • 4: respond HTTP 500 (Internal Server Error)
errorRedirectionPage        URL of the page to redirect to on error; default ""
customErrorMessage          error message to display; default ""
jsPath                      path of the JavaScript file relative to config.php; default "../js/csrfprotector.js"
jsUrl                       URL the JavaScript is loaded from; default "http://localhost/test/csrf/js/csrfprotector.js"
tokenLength                 length of the token; default 10
disabledJavascriptMessage   message shown when JavaScript is disabled (this site uses JavaScript for its CSRF protection, so enable it)
verifyGetFor                URL patterns for which GET requests are also verified; default array() (none)
4. Applying CSRF countermeasure libraries

4.1 Java example: Spacewalk
Spacewalk and its CSRF vulnerability
Spacewalk: the open-source upstream of Red Hat Network Satellite, Red Hat's management tool for Linux systems
URL: http://spacewalk.redhat.com/
CVE: CVE-2009-4139
References:
• http://www.redhat.com/support/errata/RHSA-2011-0879.html
• http://securitytracker.com/id?1025674
• https://bugzilla.redhat.com/show_bug.cgi?id=529483
• http://xforce.iss.net/xforce/xfdb/68074
Vulnerable version: 1.2.39
Fixed version: 1.2.39-85
In Spacewalk the CVE was addressed in the 1.5 line:
• vulnerable: 1.5.46-1
• fixed: 1.5.47-1
Vulnerable behaviour
Submitting the form below from any page deletes the user with uid=2 (testuser) on the Spacewalk server, as long as the victim's browser is logged in to Spacewalk:
<form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=2">
  <div align="right">
    <hr />
    <input type="submit" value="Delete User" />
  </div>
</form>
Spacewalk's own CSRF fix
Version 1.5.47-1 adds a nonce to every form; the fix touches each JSP (348 JSPs):
<form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=${param.uid}">
  <rhn:csrf />
  <html:submit styleClass="btn btn-danger">
    <bean:message key="deleteuser.jsp.delete"/>
  </html:submit>
</form>
Applying OWASP CSRFGuard
1. Modify Spacewalk's sources: 1. web.xml, 2. the JSP that loads the JavaScript
2. Build Spacewalk
3. Deploy and test
Spacewalk is written in Java, so OWASP CSRFGuard was chosen as the Java CSRF countermeasure library.
Loading the JavaScript from the JSP
The script tag that loads OWASP CSRFGuard's JavaScriptServlet is added to code/webapp/WEB-INF/decorators/layout_c.jsp. layout_c.jsp is the common page layout (decorator), so this single change covers every page:
    </div><!-- end bottom-wrap -->
  </div><!-- end wrap -->
  <script src="/rhn/JavaScriptServlet"></script>
</body>
</html:html>
Result of applying the library
Every form on the served pages now carries the token, appended to the form's action URL as OWASP_CSRFTOKEN and added as a hidden input:
<form method="POST" action="/rhn/users/DeleteUserSubmit.do?uid=3&OWASP_CSRFTOKEN=FWJ8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N">
  <div align="right"><hr><input value="Delete User" type="submit"></div>
  <input value="FWJ8-NCD0-0KUN-3BIV-DGLI-U6UU-1XNT-9K4N" name="OWASP_CSRFTOKEN" type="hidden">
</form>
Result of applying the library
A request that lacks the token is rejected and Spacewalk's 403 page (http://website/errors/403.html) is shown.
※ Tomcat's catalina.out records the detection:
INFO: CsrfGuard analyzing request /rhn/users/DeleteUserSubmit.do
2015/02/20 12:53:32 org.owasp.csrfguard.log.JavaLogger log
WARNING: potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:192.168.80.1, method:POST, uri:/rhn/users/DeleteUserSubmit.do, error:required token is missing from the request)
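The catalina.out entries above are what a defender would watch after deploying the library. As an added example, not part of the slides or of CSRFGuard, the following Python parses that log line format and counts rejected requests per client and target. The sample lines are constructed after the line shown above; the second error text ("request token does not match session token") is assumed for the example rather than taken from the page.

```python
"""Parse OWASP CSRFGuard 'attack thwarted' log lines and count them per
client/target. Added example, not part of the slides or of CSRFGuard; the
field layout follows the catalina.out line quoted above. SAMPLE_LOG is
constructed for this example."""
import re
from collections import Counter

THWARTED = re.compile(
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]+), ip:(?P<ip>[^,]+), method:(?P<method>[^,]+), "
    r"uri:(?P<uri>[^,]+), error:(?P<error>[^)]+)\)"
)


def parse_line(line):
    """Return the fields of a thwarted-attack line as a dict, or None for
    any other line (e.g. the INFO 'analyzing request' lines)."""
    m = THWARTED.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count thwarted requests per (client ip, target uri) and per error text."""
    by_target = Counter()
    by_error = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_target[(rec["ip"], rec["uri"])] += 1
        by_error[rec["error"]] += 1
    return by_target, by_error


# Constructed sample: one INFO line plus three rejections from two clients
SAMPLE_LOG = [
    "INFO: CsrfGuard analyzing request /rhn/users/DeleteUserSubmit.do",
    "WARNING: potential cross-site request forgery (CSRF) attack thwarted "
    "(user:<anonymous>, ip:192.168.80.1, method:POST, "
    "uri:/rhn/users/DeleteUserSubmit.do, "
    "error:required token is missing from the request)",
    "WARNING: potential cross-site request forgery (CSRF) attack thwarted "
    "(user:<anonymous>, ip:192.168.80.1, method:POST, "
    "uri:/rhn/users/DeleteUserSubmit.do, "
    "error:required token is missing from the request)",
    "WARNING: potential cross-site request forgery (CSRF) attack thwarted "
    "(user:<anonymous>, ip:192.168.80.7, method:POST, "
    "uri:/rhn/users/EditUserSubmit.do, "
    "error:request token does not match session token)",   # assumed error text
]


if __name__ == "__main__":
    targets, errors = summarize(SAMPLE_LOG)
    for (ip, uri), n in targets.most_common():
        print(f"{n:3d}  {ip:15s}  {uri}")
    print(dict(errors))
```

A burst of "required token is missing" rejections for one URI from one client address is the signature of a forged form being submitted; a "does not match" error with a legitimate user name more often means a stale page or token after re-login, so the two are worth counting separately.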
Considerations on applying OWASP CSRFGuard to Spacewalk (1)
• Spacewalk's own fix embeds the nonce by editing every JSP (348 files).
• OWASP CSRFGuard embeds the nonce through JavaScript, so only one JSP (the layout) had to change.
  # The flip side: OWASP CSRFGuard's token insertion depends on JavaScript being enabled in the browser.
• Spacewalk already has its own 403 error page, and the 403 that OWASP CSRFGuard returns is shown through it, so the rejection fits Spacewalk's existing error handling.

Considerations on applying OWASP CSRFGuard to Spacewalk (2)
• Spacewalk is built on Struts, which has to be taken into account when applying OWASP CSRFGuard:
  # Struts Actions forward requests to JSPs, so the URL a form posts to is not the JSP that rendered the page; this matters when deciding which URLs are protected and where the script is loaded.
  # Tomcat compiles and serves the JSPs, so the modified JSP has to be rebuilt and redeployed with the rest of Spacewalk.
• Even so, OWASP CSRFGuard could be applied on top of Spacewalk's Struts-based code without changing the application logic, and it blocks the CSRF attack.
4.2 PHP example: Login Rebuilder
Applying a CSRF countermeasure library to a PHP application
Login Rebuilder: a WordPress plugin that replaces wp-login.php with a login page of a different name
URL:
• https://wordpress.org/plugins/login-rebuilder/
• http://plugins.svn.wordpress.org/login-rebuilder
CVE: CVE-2014-3882
References:
• http://wordpress.org/plugins/login-rebuilder/changelog/
• http://12net.jp/news/n20140623_01.html
• http://jvndb.jvn.jp/jvndb/JVNDB-2014-000062
• http://jvn.jp/en/jp/JVN05329568/index.html
Vulnerable version: 1.1.3 (SVN revision 868421)
Fixed version: 1.2.0 (SVN revision 914619)
Vulnerable behaviour
Login Rebuilder's settings page in the WordPress admin (reached from the Settings menu):
http://website/wordpress/wp-admin/options-general.php?page=login-rebuilder-properties
In 1.1.3 the settings form had no CSRF protection, so a forged POST from an attacker's page could change the login page settings of a logged-in administrator.

Form HTML
<form method="post" action="/wordpress/wp-admin/options-general.php?page=login-rebuilder-properties">
(snip)
<input type="radio" name="properties[response]" id="properties_response_1" value="1" checked='checked' />
<input type="radio" name="properties[response]" id="properties_response_2" value="2" />
<input type="radio" name="properties[response]" id="properties_response_3" value="3" />
(snip)
<input type="text" name="properties[keyword]" id="properties_keyword" value="login-keyword" class="regular-text code" />
(snip)
<input type="text" name="properties[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" />
(snip)
<textarea name="properties[content]" id="login_page_content" rows="4" cols="60" style="font-family:monospace;" readonly="readonly"></textarea>
(snip)
<input type="text" name="properties[page_subscriber]" id="properties_page_subscriber" value="wprdpress-login-r.php" class="regular-text code" />
(snip)
<input type="radio" name="properties[status]" id="properties_status_0" value="0" checked='checked' />
<input type="radio" name="properties[status]" id="properties_status_1" value="1" />
(snip)
<input type="submit" name="submit" value="変更を保存" class="button-primary" />
</form>
Login Rebuilder's CSRF fix (1.2.0)
The fix creates $nonce with WordPress's wp_create_nonce() and embeds it not as a separate hidden field but inside the name of every input (properties_<nonce>[page] instead of properties[page]). On POST, the handler processes the request only if the nonce-suffixed parameter is present:
$nonce = wp_create_nonce(self::LOGIN_REBUILDER_PROPERTIES_NAME.'@'.$wp_version.'@'.LOGIN_REBUILDER_DB_VERSION);
<input type="text" name="properties_<?php echo $nonce; ?>[page]" id="properties_page" value="<?php _e( $this->properties['page'] ); ?>" class="regular-text code" />
if ( isset( $_POST['properties_'.$nonce] ) ) {
Login Rebuilder's CSRF fix (1.2.0)
The properties[page] input as it appears in the served HTML:
<input type="text" name="properties_c6808428a6[page]" id="properties_page" value="wprdpress-login.php" class="regular-text code" />
Login Rebuilder's nonce-based protection therefore works by changing the input names rather than by adding a hidden field:
• properties[response] becomes properties_c6808428a6[response], and likewise for every field
• A forged POST that does not carry the properties_c6808428a6 parameter, whose name the attacker cannot know, is simply not processed
Reference: the WordPress nonce mechanism
WordPress provides its own nonce facility for plugins and themes.
• WordPress nonce documentation: http://codex.wordpress.org/WordPress_Nonces
• http://wpdocs.sourceforge.jp/
# Despite the name, a WordPress nonce is not a strict "number used once": it is derived from the action, the user and a time window, and stays valid for that whole window.
Reference: the WordPress nonce mechanism (usage)
• Creating a nonce (wp_create_nonce) and attaching it to a URL
• Verifying a nonce (wp_verify_nonce) and stopping (die) on failure
<?php $nonce = wp_create_nonce( 'my-nonce' ); ?>
<a href='myplugin.php?_wpnonce=<?php echo $nonce ?>'>…</a>

<?php
$nonce = $_REQUEST['_wpnonce'];
if ( ! wp_verify_nonce( $nonce, 'my-nonce' ) ) {
    die( 'Security check' );
}
?>
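As an added example (a Python re-implementation of the algorithm behind wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce(), not WordPress's own code), the following shows why a WordPress nonce such as the c6808428a6 above is 10 hex characters, why it stays valid for 12 to 24 hours, and that it can be replayed within that window. The secret (standing in for the site's NONCE_KEY/NONCE_SALT), the session token and the action string (shaped like Login Rebuilder's name@wp_version@db_version) are constructed for the example; the default `now` reuses the timestamp from the CSRF Protector log entry later on this page.

```python
"""Python re-implementation of WordPress's nonce algorithm (wp_nonce_tick,
wp_create_nonce, wp_verify_nonce). Added example, not WordPress code.
`secret` stands in for NONCE_KEY/NONCE_SALT and `session_token` for the
logged-in user's session token; both are constructed values."""
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60      # DAY_IN_SECONDS, WordPress's default 'nonce_life'


def nonce_tick(now):
    """Time is cut into half-life buckets: ceil(time / (life / 2))."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _nonce_for_tick(tick, action, uid, session_token, secret):
    """substr(wp_hash('tick|action|uid|token', 'nonce'), -12, 10); wp_hash is HMAC-MD5."""
    data = f"{tick}|{action}|{uid}|{session_token}".encode()
    return hmac.new(secret, data, hashlib.md5).hexdigest()[-12:-2]


def create_nonce(action, uid, session_token, secret, now):
    """wp_create_nonce(action) for the given user at time `now`."""
    return _nonce_for_tick(nonce_tick(now), action, uid, session_token, secret)


def verify_nonce(nonce, action, uid, session_token, secret, now):
    """wp_verify_nonce: 1 if minted in the current tick, 2 if in the previous
    tick (so a nonce lives between 12 and 24 hours), False otherwise."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = _nonce_for_tick(t, action, uid, session_token, secret)
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def demo(now=1423729288):
    """Mint one nonce and check it now, replayed, 12h and 24h later, and
    for another user and another action."""
    action = "login-rebuilder@4.1@1.2.0"   # constructed, shaped like Login Rebuilder's action string
    secret = b"constructed-NONCE_KEY-and-NONCE_SALT"
    uid, token = 2, "constructed-session-token"
    n = create_nonce(action, uid, token, secret, now)
    return {
        "nonce": n,
        "now": verify_nonce(n, action, uid, token, secret, now),
        "replayed": verify_nonce(n, action, uid, token, secret, now),
        "after_12h": verify_nonce(n, action, uid, token, secret, now + NONCE_LIFE // 2),
        "after_24h": verify_nonce(n, action, uid, token, secret, now + NONCE_LIFE),
        "other_user": verify_nonce(n, action, 3, token, secret, now),
        "other_action": verify_nonce(n, "some-other-action", uid, token, secret, now),
    }


if __name__ == "__main__":
    print(demo())
```

Because the value depends only on the tick, action, user and session token, every form served to the same user during the same 12-hour bucket carries the same nonce, and a captured one is accepted again until the bucket after next; that is the property the `#` note above refers to.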
Applying OWASP CSRF Protector
1. Place the OWASP CSRF Protector files inside the Login Rebuilder plugin directory
2. Modify Login Rebuilder's main PHP file so that it loads and initializes CSRF Protector
Login Rebuilder is written in PHP, so OWASP CSRF Protector was chosen as the PHP CSRF countermeasure library.
Where OWASP CSRF Protector is placed
wordpress/                       ← WordPress installation directory
  wp-content/plugins/            ← WordPress plugins directory
    login-rebuilder/             ← Login Rebuilder plugin directory
      languages/                 ← localization files (snip)
      csrfp/                     ← OWASP CSRF Protector files
        js/
          csrfprotector.js       ← JavaScript that inserts the token
          index.php
        libs/
          csrf/                  ← OWASP CSRF Protector library
            csrfpJsFileBase.php
            csrfprotector.php
            index.php
          config.sample.php      ← sample configuration file
          index.php
        log/                     ← log directory
          .htaccess
      login-rebuilder.php        ← Login Rebuilder main file
      uninstall.php
The OWASP CSRF Protector files live under the Login Rebuilder plugin directory inside WordPress.
Changes to Login Rebuilder
• Login Rebuilder's login-rebuilder.php loads OWASP CSRF Protector's csrfprotector.php
• The lines are added right after the plugin's define()s:
(snip)
define( 'LOGIN_REBUILDER_DOMAIN', 'login-rebuilder' );
define( 'LOGIN_REBUILDER_DB_VERSION_NAME', 'login-rebuilder-db-version' );
define( 'LOGIN_REBUILDER_DB_VERSION', '1.1.3' );
define( 'LOGIN_REBUILDER_PROPERTIES', 'login-rebuilder' );
// Added: Login Rebuilder's plugin directory
define( 'LOGIN_REBUILDER_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
// Added: load OWASP CSRF Protector and initialize it
require_once( LOGIN_REBUILDER_PLUGIN_DIR . 'csrfp/libs/csrf/csrfprotector.php' );
csrfProtector::init();

$plugin_login_rebuilder = new login_rebuilder();
(snip)
Result of applying CSRF Protector
Forms in the served HTML now carry the token as a hidden input named csrfp_token:
<form method="post" action="/wordpress/wp-admin/options-general.php?page=login-rebuilder-properties">
(snip)
<input type='hidden' name='csrfp_token' value='559e21982a' />
A POST without a valid token is rejected; in the test the browser was then sent to the WordPress top page (http://website/wordpress/). CSRF Protector records the rejected request in its log:
{"timestamp":1423729288,"HOST":"192.168.80.129","REQUEST_URI":"\/wordpress\/wp-admin\/options-general.php?page=login-rebuilder-properties","requestType":"POST","query":{"properties":{"response":"3","keyword":"CSRF","page":"csrf.php","content":"","page_subscriber":"csrf2.php","status":"1"},"submit":"\u5909\u66f4\u3092\u4fdd\u5b58"},"cookie":[]}
Considerations on applying OWASP CSRF Protector to Login Rebuilder (1)
• Login Rebuilder's own CSRF fix puts the nonce into the input names, so every field name changes.
• WordPress already provides a nonce mechanism for CSRF protection, and Login Rebuilder's fix builds on it (wp_create_nonce).
• OWASP CSRF Protector adds its check from the outside as a generic PHP library, without relying on WordPress's mechanism.

Considerations on applying OWASP CSRF Protector to Login Rebuilder (2)
• OWASP CSRF Protector does not cooperate with WordPress's nonce mechanism; the two checks are independent of each other.
• When OWASP CSRF Protector rejects a request, WordPress's own handling is bypassed: the default response is HTTP 403 and WordPress's page is not rendered.
• If Login Rebuilder already carries its own nonce-based CSRF fix, is layering a second, generic CSRF countermeasure on top of it still worthwhile, and does it interfere with the plugin's behaviour?
5. Summary

Summary (1)
• CSRF (Cross-Site Request Forgery) is a vulnerability in which a web application executes a request the logged-in user never intended, because it cannot tell its own forms from a forged one.
• The standard countermeasure is a nonce (token) embedded in forms and verified on submission.
• Many web application frameworks have CSRF support built in.
• For applications without it, CSRF countermeasure libraries exist.

Summary (2)
• CSRF countermeasure libraries for Java and PHP (and Python) were surveyed.
• Two of them were applied to applications with known CSRF vulnerabilities:
  # Spacewalk: OWASP CSRFGuard
  # Login Rebuilder: OWASP CSRFProtector
• Applying a library is not the end of the story: check how it interacts with the application's framework, its error handling and any countermeasure already present (is it effective as applied?).
References
IPA: "How to Secure Your Website" (安全なウェブサイトの作り方)
OWASP: Cross-Site Request Forgery (CSRF)
OWASP: Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
Wikipedia (en): Cross-site request forgery
https://en.wikipedia.org/wiki/Cross-site_request_forgery
Wikipedia (ja): クロスサイトリクエストフォージェリ
https://ja.wikipedia.org/wiki/