安全なウェブサイトの作り方 (How to Build Secure Websites) - ipa.go.jp · PDF file: Initiatives for Improving Website Security, March 2015. Security implementation for web applications and


  • March 2015

  • URL: https://www.ipa.go.jp/security/vuln/websecurity.html


  • Contents (page numbers refer to the PDF)

    1. (p. 5)
    1.1 SQL (p. 6)
    1.2 OS (p. 10)
    1.3 (p. 13)
    1.4 (p. 16)
    1.5 (p. 22)
    1.6 CSRF (p. 30)
    1.7 HTTP (p. 34)
    1.8 (p. 38)
    1.9 (p. 41)
    1.10 (p. 44)
    1.11 (p. 46)
    2. (p. 48)
    2.1 (p. 48)
    2.2 DNS (p. 49)
    2.3 (p. 51)
    2.4 (p. 53)
    2.5 (p. 55)
    2.6 WAF (p. 58)
    2.7 (p. 64)
    3. (p. 71)
    3.1 SQL (p. 71)
    3.2 OS (p. 77)
    3.3 (p. 79)
    3.4 (p. 81)
    3.5 (p. 84)
    3.6 CSRF (p. 95)
    3.7 HTTP (p. 99)
    3.8 (p. 100)


    CWE (p. 109)


  • pp. 2-4 (introduction; body text not recovered)

    2015 1; IPA (2): 2014 12, 10,655; SQL; OS; IPA

    1 http://www.soumu.go.jp/johotsusintokei/statistics/statistics05.html
    2 IPA https://www.ipa.go.jp/security/vuln/report/index.html

    IPA (3); 1 SQL OS (11); 2 (7); 3 (1, 8); CWE; 7; 7 1; URL; 2; DNS URL

  • 1. (p. 5)

    SQL, OS, CSRF, HTTP

  • 1.1 SQL (p. 6)

    - 4
    - OS

    4 1.4
    5 MySQL, PostgreSQL, Oracle, Microsoft SQL Server, DB2

  • 1.1 SQL (p. 7)

    SQL 2014 4 11% (6)

    IPA:
    DBD::PgPP SQL http://jvndb.jvn.jp/jvndb/JVNDB-2014-000142
    Piwigo SQL http://jvndb.jvn.jp/jvndb/JVNDB-2014-000094
    SQL http://jvndb.jvn.jp/jvndb/JVNDB-2014-000024

    SQL ISO/JIS
    (Prepared Statement)
    SQL 3.2
    ' → ''
    \ → \\

    6 URL https://www.ipa.go.jp/security/vuln/report/press.html

    API SQL
    1-(i)-a
    1-(i)-b

  • 1.1 SQL (p. 8)

    API (7)
    SQL 4.1
    hidden SQL
    1-(ii)
    1-(iii)
    1-(iv)

    7 API

  • 1.1 SQL (p. 9)

    CWE
    CWE-89 SQL http://jvndb.jvn.jp/ja/cwe/CWE-89.html
    CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (2.8) http://cwe.mitre.org/data/definitions/89.html

    URL
    IPA SQL https://www.ipa.go.jp/security/vuln/websecurity.html#sql
    IPA 1. SQL https://www.ipa.go.jp/security/vuln/vuln_contents/sql.html
    https://www.ipa.go.jp/security/vuln/vuln_contents/sql_flash.html
    IPA 2014 https://www.ipa.go.jp/security/fy26/reports/isec-survey/index.html

  • 1.2 OS (p. 10)

    OS
    - OS
    - 8

    8 Perl: open(), system(), eval()
      PHP: exec(), passthru(), shell_exec(), system(), popen()

  • 1.2 OS (p. 11)

    OS Perl CGI

    IPA:
    ASUS LAN OS http://jvndb.jvn.jp/jvndb/JVNDB-2015-000011
    Usermin OS http://jvndb.jvn.jp/jvndb/JVNDB-2014-000057
    Movable Type OS http://jvndb.jvn.jp/jvndb/JVNDB-2012-000017

    Perl open | (9) Perl sysopen
    OS |
    2-(i)
    2-(ii)

    9 3.2 13

  • 1.2 OS (p. 12)

    CWE
    CWE-78 OS http://jvndb.jvn.jp/ja/cwe/CWE-78.html
    CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') http://cwe.mitre.org/data/definitions/78.html

    URL
    IPA 5. OS https://www.ipa.go.jp/security/vuln/vuln_contents/oscmd.html
    https://www.ipa.go.jp/security/vuln/vuln_contents/oscmd_flash.html

  • 1.3 / (p. 13)