IT |
気になる、記になる… |
LINEMO is running its "New Life Support! Spring Fever Time" campaign, offering up to 6,000 yen worth of PayPay bonus on new contracts |
https://taisy0.com/2022/04/06/155492.html
|
linemo |
2022-04-06 12:43:45 |
js |
New posts tagged JavaScript - Qiita |
Creating a secret key |
https://qiita.com/jeronimo34/items/edafb56d2184e56cab1e
|
quirecryptorandombytestos |
2022-04-06 21:04:26 |
Docker |
New posts tagged docker - Qiita |
Using Application Passwords with the WP REST API |
https://qiita.com/aipacommander/items/ee998ab5409a8f8695d6
|
applicationpasswo |
2022-04-06 21:28:13 |
Docker |
New posts tagged docker - Qiita |
How to install docker on WSL2 |
https://qiita.com/fake-deli-ca/items/f6b55115bf8ff27b966f
|
docker |
2022-04-06 21:12:59 |
Docker |
New posts tagged docker - Qiita |
Enabling coding-standard checks for a WordPress theme (phpcs) |
https://qiita.com/rowpure/items/0bb70fae7e7c8fa6fc7f
|
phpcs |
2022-04-06 21:06:58 |
Azure |
New posts tagged Azure - Qiita |
Starting the Linux container version of the Azure Cosmos DB emulator in a Docker for Windows environment |
https://qiita.com/kazumihirose/items/24fc49843c763f799b46
|
azurecosmosdbemulator |
2022-04-06 21:54:21 |
Git |
New posts tagged Git - Qiita |
[Git] Splitting one commit into two |
https://qiita.com/yudai_on_rails/items/c837f37981ccf900a0e3
|
lsabcda |
2022-04-06 21:15:48 |
Ruby |
New posts tagged Rails - Qiita |
How to drop a column that has a foreign key constraint |
https://qiita.com/Bjp8kHYYPFq8MrI/items/b68cfbaa4e20b92aa72a
|
genre |
2022-04-06 21:48:28 |
Tech Blog |
Developers.IO |
Sharing what I aim for and value as an individual with the team |
https://dev.classmethod.jp/articles/personal-mvvb/
|
general management |
2022-04-06 12:19:56 |
Overseas TECH |
MakeUseOf |
8 Online Pilates Classes to Improve Your Strength and Control |
https://www.makeuseof.com/online-pilates-classes/
|
youtube |
2022-04-06 12:45:13 |
Overseas TECH |
MakeUseOf |
Should You Use Hushmail for Encrypted Email? |
https://www.makeuseof.com/should-you-use-hushmail-for-encrypted-email/
|
business |
2022-04-06 12:30:14 |
Overseas TECH |
DEV Community |
Which principle or saying is wrong and/or misused? |
https://dev.to/ben/which-principle-or-saying-is-wrong-andor-misused-29i7
|
Which principle or saying is wrong and/or misused? Software development gets passed down as an oral and written history of mistakes and learnings, and we wind up with a lot of rules of thumb. Some of them are not as universally useful as some make them out to be. What are they? |
2022-04-06 12:29:05 |
Overseas TECH |
DEV Community |
GraphQL and Security implications |
https://dev.to/nathan20/graphql-and-security-implications-3p8h
|
GraphQL and Security implications

"Amateurs hack systems, professionals hack people." There are many things in life that are beyond our control. One of these is the fact that we are all vulnerable to attack. This is something we must accept and learn to deal with, because it is part of life. There are many different types of vulnerabilities, and each of us has our own unique set. Some people are more vulnerable to physical attacks, while others are more vulnerable to emotional or mental attacks. If you are vulnerable, give us a star at. Like humans, computers are vulnerable to physical exploitation, and even more so to misconfigurations. We all have vulnerabilities, and we all have the strength to overcome them. Our job is to reduce the attack surface.

In the previous article I introduced GraphQL and explained how it works. In this article I'd like to focus on security flaws, followed by concrete examples.

Security Flaws

With new technology come new vulnerabilities. With the growing popularity of GraphQL on the web, I'd like to talk about a class of vulnerability that is frequently overlooked in GraphQL implementations. By default, GraphQL does not implement authentication: out of the box a GraphQL endpoint lets anyone query it, so any sensitive information it exposes is available to unauthenticated attackers.

What types of attack? Like any API technology, GraphQL is exposed to the common API vulnerabilities, but in this article I will be more specific. Let's dive into the details.

Recon: Introspection

GraphQL is introspective, so the first step is usually to run an introspection query to obtain a copy of the schema. The schema helps with understanding the attack surface of the exposed GraphQL API. It is widely recommended to get all the field names and types before attempting any attack. Try this query:

    query { __schema { types { name fields { name } } } }

To understand how to query the data, the following query extracts all types together with their fields and arguments:

    query {
      __schema {
        types {
          name
          fields {
            name
            args {
              name
              description
              type { name kind ofType { name kind } }
            }
          }
        }
      }
    }

Introspection is frequently left enabled in production. Disabling it there removes this easy route, although field names can still be guessed from error messages and "did you mean" suggestions, so it raises the bar rather than hiding the schema.
Enumeration

Now that we understand the shape of the data, we can query it and extract values. While enumerating, keep an eye on the output, because data may leak. You can also query a non-existent field and hope to receive useful information from the server, such as a suggested field name in the error message. You can use the Kiwi.com GraphQL playground to understand how GraphQL queries work and to extract data; for example, you can search for a specific city by passing `search` as the argument and the city name as its value. Check my previous article if you want more basic information.

Authentication Vulnerabilities and Batching

As mentioned before, GraphQL does not implement authentication by default, which can lead to authentication flaws. In addition, GraphQL lets you brute-force a login with a single API request: by aliasing the same login operation many times inside one document, you send many credential guesses in one HTTP POST. This attack is known as batching brute force. Because the request count stays at one, external security monitoring that counts requests per client sees no brute force at all. In a simple brute-force login, each aliased operation carries a different credential value in its input parameter. The same technique can be used to brute-force 2FA codes.

SQL Injection in GraphQL

Injection attacks are a type of attack in which malicious input is injected into a vulnerable field, such as a form field, and then executed or interpreted by the application. They can be used to gain access to sensitive data, execute arbitrary code or perform other malicious actions. SQL injection is well known, and it occurs in the GraphQL context too: any field with a String type is a potential candidate for string injection. It is also worth noting that the ID default scalar is serialized in the same way as a String, which makes ID arguments just as injectable. Consider this schema:

    type Post {
      id: ID
      title: String
      content: String
    }

    type Query {
      post(id: ID): Post
    }

and a back-end resolver that concatenates the argument into the SQL text:

    function post(id) {
      return query("SELECT * FROM POSTS WHERE id = " + id);
    }

An injection then looks like `1 OR 1=1`: since `1=1` is always true, the server gives back all existing posts. I won't cover the remediation here; the OWASP article on SQL injection does.
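The vulnerable resolver above next to a hardened one, as an added example written for this page and not code from the article. The function names (vulnerablePostQuery, safePostQuery, resolvePost) and the `$1` placeholder style are assumptions; no database is connected, so each function returns the statement it would run, which is enough to see the difference.

```javascript
// Added example, not code from the original article. Names and the $1
// placeholder syntax are assumptions; nothing here talks to a real database.

// Vulnerable: the ID scalar arrives as a string and is concatenated into SQL,
// exactly like the article's resolver.
function vulnerablePostQuery(id) {
  return "SELECT * FROM posts WHERE id = " + id;
}

// Hardened: GraphQL serialises ID like String, so enforce the real shape
// ourselves, then keep the value out of the statement text entirely.
function safePostQuery(id) {
  if (typeof id !== "string" || !/^\d{1,18}$/.test(id)) {
    throw new Error("invalid post id");
  }
  // Parameterised statement shape: text with a placeholder, values separately.
  return { text: "SELECT * FROM posts WHERE id = $1", values: [Number(id)] };
}

// Resolver wrapper: a bad id becomes a GraphQL-style error object instead of
// a database error (or a full table dump) reaching the client.
function resolvePost(id) {
  try {
    return { ok: true, query: safePostQuery(id) };
  } catch (e) {
    return { ok: false, errors: [{ message: e.message }] };
  }
}

// Constructed inputs: a normal id and the article's injection payload.
console.log(vulnerablePostQuery("1 OR 1=1")); // SELECT * FROM posts WHERE id = 1 OR 1=1
console.log(resolvePost("42"));               // { ok: true, query: { text: ..., values: [42] } }
console.log(resolvePost("1 OR 1=1"));         // { ok: false, errors: [ { message: 'invalid post id' } ] }
```

The validation and the parameterisation are separate defences: validation keeps the resolver from forwarding garbage to the back end at all, and the placeholder makes sure that even a value that slips through is treated as data, never as SQL text.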
CSRF in GraphQL

CSRF is an acronym for Cross-Site Request Forgery. It is a type of attack in which a malicious website, email, blog, instant message or program causes a user's browser to perform an unwanted action on a trusted site for which the user is currently authenticated. GraphQL generally uses POST requests, the ones that change application state, and a GraphQL endpoint expects a Content-Type of application/json, which a cross-site HTML form cannot send without triggering a CORS preflight. At first glance, then, GraphQL seems immune to this type of attack, but in practice GraphQL implementations are often affected by CSRF. You only need to change the Content-Type to text/plain, for example, and a permissive middleware will still parse the body as JSON. Another wrinkle: Chrome sets the SameSite cookie attribute to Lax by default, so on cross-site requests the browser attaches cookies only for top-level navigations that use a safe method such as GET. So, if you find a GraphQL endpoint configured without CSRF tokens and the Content-Type trick works, the last thing to try is sending the operation as a GET request to get past Chrome's default. That is often not a problem either: some servers accept mutations via GET (the article's example is GraphiQL), so test it rather than assume it is blocked.

Traversal Attack

A traversal attack occurs when an access-control list is not configured well. This type of attack is very simple to exploit but not easy to find. Take a user and a customer as an example:

    {
      user {
        id
        username
        customers {
          id
          username
        }
      }
    }

This simple request takes the authenticated user's id and username and fetches the ids and usernames of that user's customers. By default, the user is authorised to see only their own customers. But what if the authenticated user tries to fetch the customers of their customers?

    {
      user {
        id
        username
        customers {
          id
          username
          customers {
            id
            username
          }
        }
      }
    }

With a bad configuration, an authenticated user is able to fetch all customers and their customers. Securing GraphQL against this type of attack looks pretty hard. I suggest a whitelist approach when validating user input for both the GraphQL query and the variables parameter, to help prevent this type of attack.
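A server-side request gate that closes the two CSRF routes described above (the Content-Type downgrade and mutations over GET), as an added example written for this page rather than code from the article or any GraphQL server. The allowed origin, the request object shape (`method`, `headers`, `query`, `body`) and the way the operation type is detected are assumptions made for this example.

```javascript
// Added example, not code from the original article. The origin allow-list,
// the request shape and the operation-type detection are assumptions.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumption

// "application/json; charset=utf-8" -> "application/json"
function mediaType(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Operation type of a GraphQL document: query, mutation or subscription.
// The shorthand form "{ ... }" is a query. Comments are stripped first so a
// leading "# query" comment cannot disguise a mutation.
function operationType(document) {
  const src = String(document || "").replace(/#[^\n]*/g, "").trimStart();
  const m = /^(query|mutation|subscription)\b/.exec(src);
  if (m) return m[1];
  return src.startsWith("{") ? "query" : "unknown";
}

function checkGraphQLRequest(req) {
  const method = String(req.method || "").toUpperCase();
  const headers = req.headers || {};
  const doc = method === "GET" ? (req.query || {}).query : (req.body || {}).query;
  const op = operationType(doc);

  if (method !== "GET" && method !== "POST") {
    return { allowed: false, reason: "method not allowed" };
  }
  // 1. Only queries over GET. A top-level cross-site GET navigation still
  //    carries SameSite=Lax cookies, so a mutation reachable by GET is a
  //    CSRF sink.
  if (method === "GET" && op !== "query") {
    return { allowed: false, reason: "only queries may use GET" };
  }
  // 2. POST bodies must really be application/json. A cross-site HTML form
  //    can only send text/plain or form encodings, so refuse those instead of
  //    "helpfully" parsing them as JSON.
  if (method === "POST" && mediaType(headers["content-type"]) !== "application/json") {
    return { allowed: false, reason: "content-type must be application/json" };
  }
  // 3. If the browser sent an Origin header, it has to be one of ours.
  const origin = headers["origin"];
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, reason: "untrusted origin" };
  }
  return { allowed: true, reason: "ok", operation: op };
}

// Constructed requests: a forged GET mutation, a text/plain downgrade, and a
// legitimate same-origin JSON POST.
console.log(checkGraphQLRequest({ method: "GET", headers: {}, query: { query: "mutation { deleteAccount }" } }));
console.log(checkGraphQLRequest({ method: "POST", headers: { "content-type": "text/plain" }, body: { query: "mutation { deleteAccount }" } }));
console.log(checkGraphQLRequest({ method: "POST", headers: { "content-type": "application/json", origin: "https://app.example.com" }, body: { query: "mutation { deleteAccount }" } }));
```

This gate complements, rather than replaces, a CSRF token or a SameSite=Strict session cookie: it makes the server stop accepting the request shapes a cross-site page can produce, which is the property the article's attacks rely on being absent.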
I found an interesting article that discusses this in more detail.

Broken Object Level Authorization

Object-level authorization is the check that decides whether a caller may perform an action (read, write or execute) on a particular object. Broken object-level authorization (BOLA) is when that check is missing or wrong, so an object is reachable by a caller who should not have it; this happens when an object's permissions are not set correctly, or when it is not given the correct permissions at creation. The OWASP API Security Top 10 puts BOLA in first place. As I said before, authorization is the headache of developers, and explicitly of GraphQL developers. When you pentest a GraphQL API, always check whether the user is authorised to access the resource, and audit the GraphQL queries and mutations. There are many ways to mitigate broken object-level authorization. Some common methods are:

- Implement a least-privilege model in which users only have access to the resources they need.
- Use access-control lists (ACLs) to explicitly define which users have access to which resources.
- Monitor user activity and look for any unusual or unauthorised access.
- Regularly audit your system with DAST (dynamic application security testing); CherryBomb is a useful CLI tool for auditing your API against logical flaws.

Failure of Rate Limiting

As the complexity of a GraphQL API grows, it becomes harder to protect against denial-of-service attacks. REST APIs limit the number of HTTP requests that can be made, but a single GraphQL query can take many actions and consume a lot of server resources. Rate-limiting strategies for REST APIs, which cap the number of HTTP requests, are therefore not adequate for protecting a GraphQL API. There are two general ways to defend against denial of service of this type. The first is to limit recursion depth, so that queries nested deeply enough to return very large result sets are rejected. The second is a complexity scoring system, in which each part of a query is given a complexity score and any request whose total complexity exceeds the allowed maximum is rejected.
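A pre-execution guard that applies the two defences just described (a depth limit and a complexity score) and also caps the number of root fields in one document, which is what the batching brute force in the Authentication section relies on. This is an added example written for this page, not code from the article or from any GraphQL server. It works on the raw query text with a small tokenizer so it needs no library; the limits and the scoring rule (each field costs its nesting depth) are assumptions to tune per API.

```javascript
// Added example, not code from the original article. Limits and the scoring
// rule are assumptions; the tokenizer deliberately over-counts a few tokens
// (fragment "on Type", directive names) since over-counting is the safe side.

const LIMITS = { maxDepth: 6, maxRootFields: 5, maxComplexity: 200 }; // assumptions

// Blank out strings and comments first so braces inside them cannot skew the
// counts ("{ search(q: \"{ { {\") { id } }" must still count as depth 2).
function stripStringsAndComments(src) {
  return src
    .replace(/"""[\s\S]*?"""/g, '""')     // block strings
    .replace(/"(?:\\.|[^"\\])*"/g, '""')   // ordinary strings
    .replace(/#[^\n]*/g, "");              // comments
}

// Walk the document once: braces give nesting depth, parentheses mark argument
// lists (whose identifiers are not fields), and an identifier at selection-set
// level that is not preceded by ':' is one field entry. With aliases such as
// "a1: login(...)", the alias is the entry and "login" after the colon is not,
// so each aliased operation is counted exactly once.
function analyzeQuery(query) {
  const tokens = stripStringsAndComments(String(query)).match(/[A-Za-z_][A-Za-z0-9_]*|[{}():]/g) || [];
  let depth = 0, parens = 0, maxDepth = 0, rootFields = 0, complexity = 0, prevColon = false;
  for (const t of tokens) {
    if (t === "{") { depth += 1; maxDepth = Math.max(maxDepth, depth); }
    else if (t === "}") { depth -= 1; }
    else if (t === "(") { parens += 1; }
    else if (t === ")") { parens -= 1; }
    else if (t !== ":" && depth > 0 && parens === 0 && !prevColon) {
      if (depth === 1) rootFields += 1;
      complexity += depth;               // scoring assumption: a field costs its depth
    }
    prevColon = t === ":";
  }
  return { maxDepth, rootFields, complexity };
}

function guardQuery(query, limits = LIMITS) {
  const stats = analyzeQuery(query);
  if (stats.maxDepth > limits.maxDepth) return { allowed: false, reason: "query too deep", stats };
  if (stats.rootFields > limits.maxRootFields) return { allowed: false, reason: "too many root fields", stats };
  if (stats.complexity > limits.maxComplexity) return { allowed: false, reason: "query too complex", stats };
  return { allowed: true, reason: "ok", stats };
}

// Constructed inputs: the article's customers query, a batched brute-force
// login (six aliased attempts in one document) and a deep traversal.
const aliases = [];
for (let i = 0; i < 6; i++) aliases.push(`a${i}: login(username: "admin", password: "p${i}") { token }`);
console.log(guardQuery("{ user { id username customers { id username } } }"));
console.log(guardQuery("mutation { " + aliases.join(" ") + " }"));
console.log(guardQuery("{ user { customers { customers { customers { customers { customers { id } } } } } } }"));
```

The root-field cap is what turns the batching attack back into something a per-request rate limiter can see: an attacker who needs 500 guesses now needs 100 requests at 5 aliases each. A real deployment would run this on the parsed AST (the GraphQL reference implementation exposes validation rules for exactly this) and weight list fields by their `first`/`limit` arguments, but the three quantities measured here are the ones any such rule needs.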
GraphQL as an API Gateway

It is common to see GraphQL servers used as API gateways or proxies for other APIs or microservices: the GraphQL interface acts as a front-end interface to an internal API. If implemented badly, an attacker may be able to inject parameters or change the path to the back-end API. Take the scenario of an endpoint that fetches another user's profile:

    type Query {
      me: User
      userID(id: ID): User
    }

    type User {
      id: ID
      name: String
      Users: [User]
    }

The resolver looks like this:

    export const userID = async (id: string) => {
      let results = await req.get(id);
      return results.data;
    };

By injecting `delete` into the id parameter, the back-end API may translate the request into a GET against a different path from the one the developer intended. To mitigate this, make sure the variable is exactly what you expect and is not trying to exploit an underlying system: define a regex pattern or other rules to verify inputs before injecting them into subsequent requests, database queries and so on.

As GraphQL continues to grow in popularity, organisations need to be aware of the security risks involved in using it. Adequate authentication and authorization, together with correct validation of client input, mitigate most of them. In conclusion, GraphQL has the potential to become the new standard for API design, or a new front-end API, but it has inherent risks that need to be mitigated. |
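The proxying `userID` resolver from the API gateway section, rebuilt so the `id` is validated before it becomes part of a back-end path, next to a function showing what the unvalidated version forwards. This is an added example written for this page, not the article's code. The back-end base URL, the injected `fetchJson` callback and the sample malicious id `42/delete` are assumptions made for this example.

```javascript
// Added example, not code from the original article. BACKEND, fetchJson and
// the sample ids are assumptions.

const BACKEND = "https://users.internal.example"; // assumption

// What the article's resolver effectively does: the raw id becomes the path,
// so "42/delete" turns a profile lookup into a request for a different route.
function vulnerableUserUrl(id) {
  return BACKEND + "/users/" + id;
}

// Hardened: accept only the shape a user id actually has (digits, bounded
// length), then percent-encode as a second line of defence. The regex already
// excludes '/', '?', '#', '..' and anything else that can alter the route.
function backendUserUrl(id) {
  if (typeof id !== "string" || !/^[0-9]{1,12}$/.test(id)) {
    throw new Error("invalid user id");
  }
  return BACKEND + "/users/" + encodeURIComponent(id);
}

// Same resolver shape as the article's: resolve the id through the back end.
// fetchJson is injected so the example runs without a network.
async function userID(id, fetchJson) {
  return fetchJson(backendUserUrl(id));
}

// Constructed inputs: the route rewrite the vulnerable version allows, and the
// hardened version refusing it.
console.log(vulnerableUserUrl("42/delete")); // https://users.internal.example/users/42/delete
console.log(backendUserUrl("42"));           // https://users.internal.example/users/42
try { backendUserUrl("42/delete"); } catch (e) { console.log("rejected:", e.message); }
```

Throwing at the resolver boundary is deliberate: the gateway should fail the GraphQL field rather than forward a request and let the internal API decide what `users/42/delete` means.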
2022-04-06 12:17:25 |
Overseas TECH |
Engadget |
Uber plans to add train, bus and flight bookings to its UK app |
https://www.engadget.com/uber-plans-to-add-trains-coaches-and-flight-bookings-to-its-app-in-the-uk-120521257.html?src=rss
|
Uber plans to add train, bus and flight bookings to its UK app

Uber is planning to add travel booking via flights, trains and more in the UK this year to expand its ride-hailing business, the Financial Times has reported. The new service is designed to provide a "seamless door-to-door experience" so that you can book your flight, train and Uber all in the same app. To do so, the company will integrate its software with airlines, inter-city bus and rail operators (including Eurostar Channel Tunnel trips) and car rental companies, according to CNBC. The UK is one of the company's largest markets outside the US, so the expansion is a big step. "You have been able to book rides, bikes, boat services and scooters on the Uber app for a number of years, so adding trains and coaches is a natural progression," said Uber UK general manager Jamie Heywood. "Later this year we plan to incorporate flights, and in the future hotels, by integrating leading partners into the Uber app to create a seamless door-to-door travel experience." This "super app" strategy isn't new, as CEO Dara Khosrowshahi said he wanted Uber to be the "Amazon of transportation" when he first joined the company. Prior to the pandemic, around percent of Uber trips were higher-margin rides to or from airports. "With COVID behind us, with this big push into new modes of transport, we want to signal that this is a very important growth lever for us over the coming years," Heywood said. It's not yet clear to what extent Uber will compete directly with other travel booking services, but Khosrowshahi was CEO at Expedia before coming to Uber. The company might have a leg up on rivals in that it could also offer a ride from airport to hotel, essentially owning the whole process. Uber recently announced that it would let New York City users book Yellow Cab taxis directly through its app, with passengers paying around the same as they would for an UberX ride. The company also plans to offer a similar service in San Francisco. It's not clear yet, though, when or if Uber will offer its expanded travel booking service in the US. |
2022-04-06 12:05:21 |
Cisco |
Cisco Blog |
The Wait is Over for Secure Firewall 3100 Series |
https://blogs.cisco.com/security/the-wait-is-over-for-secure-firewall-3100-series
|
The Wait is Over for Secure Firewall 3100 Series

The wait is over for the Cisco Secure Firewall 3100 Series. Make hybrid work and zero trust practical, with the flexibility to ensure a strong return on investment, with this new firewall series. |
2022-04-06 12:00:52 |
Overseas TECH |
WIRED |
The Best Laptop Backpacks for Work (and Life) |
https://www.wired.com/gallery/the-best-backpacks-for-work
|
wired |
2022-04-06 13:00:00 |
Finance |
RSS FILE - Japan Securities Dealers Association |
FACT BOOK |
https://www.jsda.or.jp/shiryoshitsu/toukei/factbook/index.html
|
fact |
2022-04-06 13:50:00 |
Finance |
RSS FILE - Japan Securities Dealers Association |
Trends in individual shareholders |
https://www.jsda.or.jp/shiryoshitsu/toukei/kojin_doukou.html
|
individual shareholders |
2022-04-06 13:18:00 |
News |
BBC News - Home |
Ukraine war: Bucha deaths 'not far short of genocide' - PM |
https://www.bbc.co.uk/news/uk-61011022?at_medium=RSS&at_campaign=KARANGA
|
ukrainian |
2022-04-06 12:19:50 |
News |
BBC News - Home |
Man arrested after scared York woman pretended to ring for pizza |
https://www.bbc.co.uk/news/uk-england-york-north-yorkshire-61012000?at_medium=RSS&at_campaign=KARANGA
|
police |
2022-04-06 12:37:53 |
News |
BBC News - Home |
Looe sand drawing remembers Falklands War veterans |
https://www.bbc.co.uk/news/uk-england-cornwall-61008094?at_medium=RSS&at_campaign=KARANGA
|
anniversary |
2022-04-06 12:11:18 |
News |
BBC News - Home |
Prime Minister Boris Johnson says transgender women should not compete in women's sport |
https://www.bbc.co.uk/sport/61012030?at_medium=RSS&at_campaign=KARANGA
|
Prime Minister Boris Johnson says transgender women should not compete in women's sport

UK Prime Minister Boris Johnson says he does not believe transgender women should compete in female sporting events. |
2022-04-06 12:28:23 |
News |
BBC News - Home |
Ukrainian President Volodymyr Zelensky addresses the Irish parliament |
https://www.bbc.co.uk/news/world-europe-61011108?at_medium=RSS&at_campaign=KARANGA
|
ireland |
2022-04-06 12:12:42 |
Hokkaido |
Hokkaido Shimbun |
Carp 1-2 Giants (6th): Yoshikawa hits a go-ahead two-run homer |
https://www.hokkaido-np.co.jp/article/666530/
|
comeback |
2022-04-06 21:20:00 |
Hokkaido |
Hokkaido Shimbun |
Yubari's population falls below 7,000: no breakthrough in sight, compact-city transition urgent |
https://www.hokkaido-np.co.jp/article/666525/
|
Basic Resident Register |
2022-04-06 21:17:06 |
Hokkaido |
Hokkaido Shimbun |
Gymnast Verniaiev may have enlisted in the military; the Ukrainian battled Uchimura for gold |
https://www.hokkaido-np.co.jp/article/666529/
|
all-around |
2022-04-06 21:14:00 |
Hokkaido |
Hokkaido Shimbun |
Hokkaido gets serious about supporting young carers: fact-finding survey again this fiscal year, consultation desk to open |
https://www.hokkaido-np.co.jp/article/666528/
|
fact-finding survey |
2022-04-06 21:13:00 |
Hokkaido |
Hokkaido Shimbun |
Consadole crushed by Tosu 0-5 |
https://www.hokkaido-np.co.jp/article/666524/
|
Tosu |
2022-04-06 21:10:00 |
Hokkaido |
Hokkaido Shimbun |
159 infections in Iburi subprefecture: COVID-19 |
https://www.hokkaido-np.co.jp/article/666522/
|
novel coronavirus |
2022-04-06 21:08:00 |
Hokkaido |
Hokkaido Shimbun |
String of "ore-ore" (it's me) scams across Hokkaido: four cases totaling 6 million yen on the 4th and 5th |
https://www.hokkaido-np.co.jp/article/666521/
|
in Hokkaido |
2022-04-06 21:08:00 |
Hokkaido |
Hokkaido Shimbun |
Event admission discount for the triple-vaccinated: government to cover 20% of the price, capped at 2,000 yen |
https://www.hokkaido-np.co.jp/article/666520/
|
novel coronavirus |
2022-04-06 21:06:00 |
Hokkaido |
Hokkaido Shimbun |
Opposition to the government's "university fund" plan: Hokkaido University associate professors and others issue statement |
https://www.hokkaido-np.co.jp/article/666517/
|
world top level |
2022-04-06 21:00:56 |
Overseas TECH |
reddit |
Boris Johnson says he DOESN'T 'think that biological men should be competing in female sporting events' and children are 'not competent' to make decisions about their gender |
https://www.reddit.com/r/worldnews/comments/txktzf/boris_johnson_says_he_doesnt_think_that/
|
Boris Johnson says he DOESN'T 'think that biological men should be competing in female sporting events' and children are 'not competent' to make decisions about their gender. Submitted by u/cartstanza to r/worldnews |
2022-04-06 12:17:32 |