{"updated":"2025-01-20T02:22:16.473736+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00187199","sets":["6164:6165:6462:9463"]},"path":["9463"],"owner":"11","recid":"187199","title":["OGNLの実行に起因するStruts 2の脆弱性に対する防御手法の提案"],"pubdate":{"attribute_name":"公開日","attribute_value":"2017-10-16"},"_buckets":{"deposit":"50580c20-a772-437c-b330-170f62e619ee"},"_deposit":{"id":"187199","pid":{"type":"depid","value":"187199","revision_id":0},"owners":[11],"status":"published","created_by":11},"item_title":"OGNLの実行に起因するStruts 2の脆弱性に対する防御手法の提案","author_link":["422531","422533","422534","422532","422536","422535"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"OGNLの実行に起因するStruts 2の脆弱性に対する防御手法の提案"},{"subitem_title":"A Method for Defending Vulnerabilities of Struts 2 Caused by OGNL","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"Webセキュリティ,フィルタリング,脆弱性,Struts 2,OGNL","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2017-10-16","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"},{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"},{"subitem_text_value":"東京大学情報学環セキュア情報化社会研究グループ"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"The University of Tokyo, Secure information society research group","subitem_text_language":"en"},{"subitem_text_value":"The University of Tokyo, Secure information society research group","subitem_text_language":"en"},{"subitem_text_value":"The University of Tokyo, Secure information society research 
group","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/187199/files/IPSJCSS2017024.pdf","label":"IPSJCSS2017024.pdf"},"date":[{"dateType":"Available","dateValue":"2019-10-16"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJCSS2017024.pdf","filesize":[{"value":"780.0 kB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"c6c3a42b-c888-4550-a714-ee09d454e6a4","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2017 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"藤本, 万里子"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"松田, 亘"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"満永, 拓邦"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Mariko, Fujimoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Wataru, Matsuda","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Takuho, 
Mitsunaga","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_18_relation_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_relation_type_id":{"subitem_relation_type_select":"NCID","subitem_relation_type_id_text":"ISSN 1882-0840"}}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Struts 2はWebアプリケーション開発フレームワークで日本の多くのWebサイトで用いられている. 近年,Struts 2が利用する式言語であるObject Graph Navigation Language(OGNL)を悪用してリモートから任意のコード実行が可能となる複数の脆弱性が見つかっている.脆弱性公開とほぼ同時に攻撃コードが公開されることもあるため,十分な備えを行っていても防御が難しい状況にあり,国内で被害が多数確認されている. そこで本稿では,OGNLの記法に着目したStruts2の防御方法を提案する.サーブレットフィルタを用いて,特徴的なパターンをブロックすることにより,未知の脆弱性であっても関連する攻撃の検知と遮断が可能となることを検証する.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Apache Struts 2 is an open-source framework for web application development and is widely used in Japan. Recently, several vulnerabilities have been found that abuse the Object Graph Navigation Language (OGNL) used by Struts 2 to allow remote code execution. Protecting web applications is difficult even when countermeasures are in place, because exploit code is sometimes published at almost the same time as the vulnerability itself. For that reason, we have observed many attacks in Japan. Therefore, in this study, we propose a protection method that focuses on OGNL expression syntax. 
We tested whether a Servlet Filter that blocks specific patterns can detect and block attacks, even those that exploit unknown vulnerabilities.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2017論文集"}],"bibliographicIssueDates":{"bibliographicIssueDate":"2017-10-16","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"2","bibliographicVolumeNumber":"2017"}]},"relation_version_is_last":true,"weko_creator_id":"11"},"created":"2025-01-19T00:53:53.396563+00:00","id":187199,"links":{}}