[CB16] 機械学習でWebアプリケーションの脆弱性を見つける方法 by 高江須勲

DESIGN TEMPLATES TO IMPROVE THE QUALITY AND PRODUCTIVITY

CODE BLUE 2016Presented by Isao Takaesu

WebWeb0

About the speaker: Web: : : http://www.mbsd.jp/blog/Black Hat Asia 2016 ArsenalAISECjp MBSD

CODE BLUE 2016

3Black Hat Asia ArsenalSAIVSAI1

AgendaSAIVSMBSDCODE BLUE 2016

MBSDCODE BLUE 2016

MBSDCODE BLUE 201624 (IPA)

2IPA244

MBSDCODE BLUE 2016

MBSDCODE BLUE 2016Web

WebMBSDCODE BLUE 2016Web

WebWeb8

WebMBSD

Web Server

Web Apps

CODE BLUE 2016Web

WebMBSD

Web Server

Web Apps

SQLi?XSS?

CODE BLUE 2016Web

WebSQLiXSSWeb10

WebMBSDCODE BLUE 2016

WebMBSD

Web Server

Web Apps

CODE BLUE 2016

SQLi?XSS?

WebAI12

AISAIVSMBSDCODE BLUE 2016WebAISAIVSSpider Artificial Intelligence Vulnerability Scanner

SAIVSAIAISAIVS13

SAIVSMBSD Web CODE BLUE 2016

MBSDCODE BLUE 2016

Register

Confirm

Contact Us

My Page

Complete

Send message

WebWeb16

MBSDCODE BLUE 2016

Register

Confirm

Contact Us

My Page

Complete

Send message

My pageLogin17

MBSDCODE BLUE 2016

Register

Confirm

Contact Us

My Page

Complete

Send message

Complete18

MBSDCODE BLUE 2016

Register

Confirm

Contact Us

My Page

Complete

Send message

Web1119

MBSDWebCODE BLUE 2016

CODE BLUE 2016

???????????????CODE BLUE 2016

NameEmail23

MBSDCODE BLUE 2016

3MBSD CODE BLUE 2016

MBSDCODE BLUE 2016

3MBSD CODE BLUE 2016

CODE BLUE 2016

Sign inEmailPassword31

MBSDCODE BLUE 2016

MBSD)WAFCODE BLUE 2016

MBSDSPAM0.672 HAM0.03SPAM10HAM 30http://wana.jpSPAM40HAM 10SPAM30HAM 40SPAM70HAM 50SPAM80HAM 5SPAMHAMCODE BLUE 2016

SPAM/HAMSPAM/HAMSPAMSPAM34

CODE BLUE 2016

MBSDSign in

Password

CODE BLUE 2016

HTMLHFORM36

MBSDEmail, User ID, Password, Sign in Email, Password, Confirm, Sign up Word, Text, String, Sort, Search Credit, Account, Expire, Purchase Password, Old Password, Change

CODE BLUE 2016 keywords : Sign in, Email, Password

50WebWebHTMLSign inEmailPassword37

MBSDEmail, User ID, Password, Sign in Email, Password, Confirm, Sign up Word, Text, String, Sort, Search Credit, Account, Expire, Purchase Password, Old Password, Change

CODE BLUE 2016

3MBSD () CODE BLUE 2016

MBSDCODE BLUE 2016

errorsdoesnt matchinvalid42

MBSDCODE BLUE 2016

MBSD2 errors prohibited this user from being saved There were problems with these fields:

Password doesn't match confirmation

Email is invalid ["Password doesn't match confirmation","Email is invalid"]

CODE BLUE 2016

MBSDgood, valid, success, normal, fine, clean, nice, can, match, confirmation, ok, finish, thank bad, invalid, failure, error, problem, unmatch, doesnt match, cant, too, wrong, ng, blank

CODE BLUE 2016 keywords : errors, problem, doesnt match, invalid

errorsproblemdoesnt match

MBSDgood, valid, success, normal, fine, clean, nice, can, match, confirmation, ok, finish, thank bad, invalid, failure, error, problem, wrong, doesnt match, cant, too, ng, blank

CODE BLUE 2016

MBSDCODE BLUE 2016

3MBSD () () CODE BLUE 2016

MBSDCODE BLUE 2016

Isao [email protected]

NameEmailPassword

MBSDCODE BLUE 2016(MLP)Q

QMLP51

MLPMBSD)CODE BLUE 2016

MLPMLP52

DataLabel012

CODE BLUE 2016MBSD

XXX784X0YYY300Y0ZZZ10

MLPMLPMLPMLPMLPMLP53

MLP014679425970401967CODE BLUE 2016MBSD

MLPMLP9MLP54

QQMBSD)CODE BLUE 2016

MBSDCODE BLUE 2016

a1 a2 a3 a4

s s ( a | s ) ( s | s, a ) r = R( s, a, s )

Q( s, a )

QQsassassaQQQQQ56

MBSDCODE BLUE 2016

p1=abc, xyzp1=123, 12ap1=abc@xxx

MLPQMLPWebMLPQMLPMLP57

MBSDCODE BLUE 2016

MBSDabc, abcdef, aBc, aBcdEf, ABCDEF 123, 12345, 4111111111111111 abc123, 123abc, aBc123, 1a2b3c abc!, abc!#$, abcdef!, abcdef!#$ 123!, 123!#$, 12345!, !#$12345 abc123!, 123abc!, abc!123, !#$%&a1 [email protected], [email protected]

CODE BLUE 2016INPUT TYPE text, password

MLPhiddencheckboxselectGUItextpasswordMLP59

MBSDMLPCODE BLUE 2016

MLPINDEXMLPINDEX60

MBSDCODE BLUE 2016

MBSDQCODE BLUE 2016

MBSD300CODE BLUE 2016

MBSDCODE BLUE 2016300

MBSDCODE BLUE 2016

WebMBSDOWASP Broken Web AppsCODE BLUE 2016

WebOWASP Broken Web Apps69

SAIVSMBSDCODE BLUE 2016

BodgeIt

peruggia

WackoPicko

YazdSAIVS 300Web Apps

Web30070

MBSDIDabc, abcdef, aBc, aBcdEf, ABCDEF Passwordabc123!, 123abc!, abc!123, !#$%&a1 FirstNameabc, abcdef, aBc, aBcdEf, ABCDEF LastNameabc, abcdef, aBc, aBcdEf, ABCDEF Email [email protected], [email protected] Usernameabc, abcdef, aBc, aBcdEf, ABCDEF Signatureabc, abcdef, aBc, aBcdEf, ABCDEF

CODE BLUE 2016

FirstNameabcdef171

MBSDCODE BLUE 2016

UsernameName72

MBSDCODE BLUE 2016

MBSDCODE BLUE 2016word2vec

Word2Vec74

word2vecMBSDCODE BLUE 2016)Input : e-mailwordcos distanceemail0.956302mail0.927386reply0.920610

formulaanswerIraq - ViolenceJordanHuman - AnimalEthicsJapan Tokyo + FranceParis

Word2Vec1e-mailemailmailreply175

MBSDCODE BLUE 2016)interpretation further. However, if anyone wishes to discuss this, Im certainly willing (either offline - e-mail - or Stephen In article [email protected] (Mathemagician) writes: Just what do gay people do that straightcarries archives of old alt.atheism.moderated articles and assorted other files. For more information, send mail to [email protected] saying help send atheism/index and it will mail back a reply. mathew Ansend mail to [email protected] saying help send atheism/index and it will mail back a reply. mathew An Introduction to Atheism by Mathew. This article attempts to provide a general introductione-mailmailreply

Word2VecWord2Vecsendarticlee-mailmailreply76

word2vecMBSDCODE BLUE 2016The 20 Newsgroups data set.2)Graphics, MS-Windows, HardwareCryptography, Electronics, SpaceMotorcycles, Baseball, Hockey

The 20 Newsgroups data set2Web77

Windows

Hardware

SpaceSAIVSThe 20 Newsgroups data setword2vec

SAIVS78

MBSDemail0.956302mail0.927386E-mail0.900249address0.893337reply0.865438contact0.846801message0.792930chat0.754903newsgroup0.747636

CODE BLUE 2016names0.962508username0.939661nickname0.933694naming0.898254surname0.863966initials0.861093firstname0.849641lastname0.847604title0.782467

homepage0.794415blog0.752945site0.708534webpage0.701838portal0.701374forum0.692067com0.641086archive0.537914org0.531096

10Target websiteTarget nameTarget e-mail

e-mailemailmailaddressnamenamesusernamefirstname1079

Target websiteTarget nameTarget e-mail

[email protected] aBcdEf http://hoge.comTarget websiteTarget nameTarget e-mail

3MBSD () () ()CODE BLUE 2016

MBSDTargetOWASP Broken Web Apps CycloneCODE BLUE 2016

WebOWASP Broken Web AppsCyclone83

MBSDCODE BLUE 2016

Register

Confirm

User Search

CompleteRegister

WebLoginUser Search84

MBSDCODE BLUE 2016

Register

Confirm

User Search

CompleteRegister

MBSDCODE BLUE 2016

Register

Confirm

User Search

CompleteRegister

MBSDCODE BLUE 2016

Register

Confirm

User Search

CompleteRegister

MBSDCODE BLUE 2016

Register

Confirm

User Search

CompleteRegister

User Search88

MBSDCODE BLUE 2016

SAIVSMBSD Web CODE BLUE 2016

SAIVS90

MBSDCODE BLUE 2016

MBSDCODE BLUE 2016Web

MBSDCODE BLUE 2016Reflected Cross-Site Scripting (RXSS)

RXSSMBSD

Case 3 - RXSS

http://xxx/case3/?input=testDataINPUTVALUECODE BLUE 2016

XSSinputINPUTVALUE94

RXSS: MBSD

Case 3 - RXSS

alert('XSS');">

http://xxx/case3/?input="/>alert(XSS');HTMLCODE BLUE 2016

inputINPUTVALUEINPUTJavaScriptXSSJavaScript95

RXSSMBSD

Case 4 - RXSS

alert('XSS');">

SCRIPThttp://xxx/case4/?input="/>alert(XSS');CODE BLUE 2016

inputSCRIPTJavaScriptXSS96

RXSSMBSD

Case 4 - RXSS

http://xxx/case4/?input=onmouseout=alert(XSS')CODE BLUE 2016

inputSCRIPTJavaScriptSCRIPTJavaScriptXSSHTMLJavaScript97

RXSS3MBSD HTML JavaScript CODE BLUE 2016

MBSDCODE BLUE 2016

XSS100

MBSDCODE BLUE 2016

HTMLJavaScriptHTMLJavaScript102

MBSDHTMLJavaScriptLSTMCODE BLUE 2016

LSTM103

LSTMLong-Short Term MemoryMBSD)CODE BLUE 2016

LSTM104

LSTMLong-Short Term MemoryMBSD)CODE BLUE 2016

MBSDCODE BLUE 2016from Andrej Karpathy blog)static int indicate_policy(void){ int error; if (fd == MARN_EPT) { if (ss->segment < mem_total) unblock_set_blocked(); else ret = 1; goto bail; } segaddr = in_SB(in.addr); selector = seg / 16;static void settings(struct *tty){ if (tty == tty) disable_single_st_p(dev); pci_disable_spool(port); return 0;}

static void command(struct seq_file *m){ int column = 32 : noquoteJavaScript xxxHTML xxx

CODE BLUE 2016

MLPsCriPtURL encode

Event handlerQ

CODE BLUE 2016

MLP120

MBSD" '>alert();alert();

CODE BLUE 2016

MLPsCriPtURL encode

Event handlerQ

CODE BLUE 2016

MLP122

MBSD'noquoteHTML event handler">xxx">xxxxxxJavaScript ";alert();//[CR][LF]alert();";alert();//

CODE BLUE 2016

SAIVS123

MLPsCriPtURL encode

Event handlerQ

MLPCODE BLUE 2016

MLPINDEX124

MLPsCriPtURL encode

Event handlerQ

CODE BLUE 2016

MLP125

MLPsCriPtURL encode

Event handlerQ

MLPCODE BLUE 2016

MLP126

MLPsCriPtURL encode

Event handlerQ

CODE BLUE 2016

MLPsCriPtURL encode

Event handlerQ

QCODE BLUE 2016

MLP128

MLPsCriPtURL encode

Event handlerQ

MLPCODE BLUE 2016

MLP129

MLPsCriPtURL encode

Event handlerQ

100CODE BLUE 2016

100130

MBSDCODE BLUE 2016100

100131

MBSDCODE BLUE 2016

WebMBSDWAVSEPCODE BLUE 2016ReflectedXSS GET Input VectorCase06IMG SRC < , > < , >"onmouseover=alert(3122);"Case10SCRIPT onClick , < , > " , < , >';alert(3122);//Case27JavaScript [CR][LF]alert(3122);//

WAVSEPXSS133

Case06

Case08

Case10

Case27SAIVSWAVSEP100

WAVSEP100

RXSS135

MBSDSAIVS 1 2CODE BLUE 2016

SAIVSRXSSSAIVS2136

Web Server

Web AppsSAIVS

CODE BLUE 20161

Web Server

Web AppsSAIVS

CODE BLUE 20161

Web Server

Web AppsSAIVS

CODE BLUE 20161

HTML/JS(LSTMMBSD

Web Server

Web AppsSAIVS

CODE BLUE 20161

LSTMHTMLJavaScriptHTML140

HTML / JavaScriptMBSD

Web Server

Web AppsSAIVS

CODE BLUE 20161

alert(3122);

LSTM141

RXSSMBSD

Web Server

Web AppsSAIVS

CODE BLUE 20161

alert(3122);

RXSS 2MBSD

Web Server

Web AppsSAIVS

CODE BLUE 20161

RXSS1RXSSRXSS143

Web Server

Web AppsSAIVS

CODE BLUE 20162

D0i7Q"VW53N'nT7t0alert(3122);kc5i3ueFj8

http://xxx/reflect/full1?in=lasther=''%3E%3C/form%3ED0i7Q%22VW53N'nT7t0%3Cscript%3Ealert(3122);kc5i3%3C/script%3EueFj81Case1CODE BLUE 2016

RXSSSAIVS1151

MBSDCase1CODE BLUE 2016

RXSSMBSDTargetwebseclabCODE BLUE 2016Case/reflect/full1BODY /reflect/textarea1TEXTAREA /reflect/onmouseoverINPUT/reflect/js4_dqSCRIPT

MBSDReflected XSS in textarea (textarea1)Textarea injection test

saivs12345

http://xxx/reflect/textarea1?in=saivs12345TEXTAREACase2CODE BLUE 2016

TEXTAREATEXTAREA154

MBSDReflected XSS in textarea (textarea1)Textarea injection test

7Q7pN"MBPcc'PA6tzalert(3122);WKr8JfowCP

http://xxx/reflect/textarea1?in=%3C/textarea%3E7Q7pN%22MBPcc'PA6tz%3Cscript%3Ealert(3122);WKr8J%3C/script%3EfowCP1Case2CODE BLUE 2016

SAIVSTEXTAREATEXTAREA1RXSS155

MBSDCase2CODE BLUE 2016

RXSSMBSDTargetwebseclabCODE BLUE 2016Case/reflect/full1BODY /reflect/textarea1TEXTAREA /reflect/onmouseoverINPUT/reflect/js4_dqSCRIPT

Reflected XSS - attribute injection in tags (dq.2)Update Your Preferences

Homepage: alert()" name="in" size="40">
http://xxx/xss/reflect/onmouseover?in=>alert()INPUTCase3CODE BLUE 2016

INPUTVALUESCRIPTRXSS158

Reflected XSS - attribute injection in tags (dq.2)Update Your Preferences

Homepage:

Technology

[CB16] 機械学習でWebアプリケーションの脆弱性を見つける方法 by 高江須 勲

[CB16] 機械学習でWebアプリケーションの脆弱性を見つける方法 by 高江須勲