{"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00214547","sets":["6164:6165:6462:10749"]},"path":["10749"],"owner":"44499","recid":"214547","title":["マイクロサービスアーキテクチャにおけるDOM Based XSS攻撃に対するテストベースホワイトリストの有用性"],"pubdate":{"attribute_name":"公開日","attribute_value":"2021-10-19"},"_buckets":{"deposit":"a826644e-bc11-48c6-9bcc-7e0d5b7b1771"},"_deposit":{"id":"214547","pid":{"type":"depid","value":"214547","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"マイクロサービスアーキテクチャにおけるDOM Based XSS攻撃に対するテストベースホワイトリストの有用性","author_link":["551414","551412","551413","551416","551420","551408","551411","551407","551415","551409","551419","551418","551417","551410"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"マイクロサービスアーキテクチャにおけるDOM Based XSS攻撃に対するテストベースホワイトリストの有用性"},{"subitem_title":"Effectiveness of Examination-Based Whitelist for DOM Based XSS Attacks in Microservice Architectures","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"マイクロサービスアーキテクチャ,マイクロフロントエンド,DOMBasedXSS,テストベースホワイトリスト,セキュリティポリシ","subitem_subject_scheme":"Other"}]},"item_type_id":"18","publish_date":"2021-10-19","item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"item_18_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"},{"subitem_text_value":"静岡大学"}]},"item_18_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka 
University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"},{"subitem_text_value":"Shizuoka University","subitem_text_language":"en"}]},"item_publisher":{"attribute_name":"出版者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/214547/files/IPSJCSS2021147.pdf","label":"IPSJCSS2021147.pdf"},"date":[{"dateType":"Available","dateValue":"2023-10-19"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJCSS2021147.pdf","filesize":[{"value":"1.0 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"30"},{"tax":["include_tax"],"price":"0","billingrole":"46"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"5bc8db2e-169a-401d-9e0e-8315444a2973","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2021 by the Information Processing Society of Japan"}]},"item_18_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"井坂, 佑介"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"天笠, 智哉"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"奥村, 紗名"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"佐々木, 葵"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"野崎, 真之介"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"大木, 哲史"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"西垣, 正勝"}],"nameIdentifiers":[{}]}]},"item_18_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Yusuke, 
Isaka","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tomoya, Amagasa","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Sana, Okumura","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Aoi, Sasaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Shinnosuke, Nozaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tetsushi, Ohki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Masakatsu, Nishigaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_5794","resourcetype":"conference paper"}]},"item_18_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Web サービスの複雑化に伴い,マイクロサービスアーキテクチャ(MSA)型の Web アプリケーション開発へと移行している.しかし,MSA においては,マイクロサービス同士を組み上げる際に,各マイクロサービスが持つセキュリティポリシによってコンフリクトが発生し得るため,セキュリティバイデザインの実現に課題を抱えている.この課題に対処する方法としては,セキュリティガイドラインの運用によってマイクロサービス間のセキュリティポリシを共通化する方法や,APIGateway によってセキュリティポリシの調停を行う方法が挙げられる.しかし,セキュリティガイドラインの導入は,サービスの開発に注力したい開発者にとって技術的及び作業的負担が大きいという問題がある.また,DOMBasedXSS 攻撃のようにフロントエンドで攻撃が完結するものに対しては,APIGateway での調停が機能しないという問題がある.そこで,本稿では,MSA 型の Web アプリケーションの開発において,テストベースホワイトリストを採用することで,開発テストを通じてマイクロサービス同士の調停を開発者が意識せずに達成することを提案する.","subitem_description_type":"Other"}]},"item_18_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"As the complexity of Web services increases, Web application developments are migrating to microservice architecture (MSA). However, in MSA, the security policies of each microservice may conflict each other when assembling microservices, which poses a challenge in achieving security-by-design. 
There are two ways to deal with this challenge: one is to standardize security policies among microservices by implementing secure programming guidelines, and the other is to mediate security policies among microservices by using API Gateway. However, the introduction of secure programming guidelines is technically and operationally burdensome for developers. In addition, mediation using the API Gateway doesn't work for attacks that are completed in the front-end, such as DOM Based XSS attacks. Therefore, in this paper, we propose to apply an Examination-based Whitelist in the development of MSA-based Web applications, where mediation of conflict in security policies between microservices is achieved through development tests without the developer taking care of it.","subitem_description_type":"Other"}]},"item_18_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1107","bibliographic_titles":[{"bibliographic_title":"コンピュータセキュリティシンポジウム2021論文集"}],"bibliographicPageStart":"1101","bibliographicIssueDates":{"bibliographicIssueDate":"2021-10-19","bibliographicIssueDateType":"Issued"}}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":214547,"updated":"2025-01-19T16:34:58.249863+00:00","links":{},"created":"2025-01-19T01:15:21.584779+00:00"}