[B! XSS] itboyã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

itboy id:itboy

XSSã«é–¢ã™ã‚‹itboyã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (12)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

PHPã®display_errorsãŒæœ‰åŠ¹ã ã¨ã‚«ã‚¸ãƒ¥ã‚¢ãƒ«ã«XSSè„†å¼±æ€§ãŒå…¥ã‚Šè¾¼ã‚€
å…ˆã«ã€ã€ŒCVE-2008-5814ã‚’å·¡ã‚‹å†’é™ºã€ã«ã¦ã€CVE-2008-5814è„†å¼±æ€§ãŒã‚ã‚‹ã¨display_errorsãŒOnã®ç’°å¢ƒä¸‹ã§XSSè„†å¼±æ€§ã¨ãªã‚‹å ´åˆãŒã‚ã‚‹ã“ã¨ã‚’èª¬æ˜Žã—ã¾ã—ãŸã€‚ã—ã‹ã—ã€display_errorsãŒOnã®ç’°å¢ƒä¸‹ã§ã¯CVE-2008-5814è„†å¼±æ€§ãŒãªãã¦ã‚‚ã€XSSè„†å¼±æ€§ã¨ãªã‚‹å ´åˆãŒã—ã°ã—ã°ã‚ã‚Šã¾ã™ã€‚ ã“ã‚Œã¯ã€display_errorsã«ã‚ˆã‚‹ã‚¨ãƒ©ãƒ¼ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸è¡¨ç¤ºãŒHTMLã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã•ã‚Œã¦ã„ãªã„ã“ã¨ãŒåŽŸå› ã§ã™ã€‚ç°¡å˜ãªã‚µãƒ³ãƒ—ãƒ«ã‚’ä»¥ä¸‹ã«ç¤ºã—ã¾ã™ã€‚ <?php ini_set('display_errors', 1); // display_errorsã‚’æœ‰åŠ¹ã«ã™ã‚‹ $a = array(); // é…åˆ—ã®ç”Ÿæˆ $index = $_GET['x']; // é…åˆ—ã®ã‚¤ãƒ³ãƒ‡ãƒƒã‚¯ã‚¹ã‚’å¾—ã‚‹ $b = $a[$index]; // é…åˆ—ã®è¦ç´ ã«ã‚¢ã‚¯ã‚»ã‚¹ ã“ã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã«ã€x=<sc
itboy 2013/04/04
php

security

XSS
ãƒªãƒ³ã‚¯
æ‚ªã„ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€è‰¯ã„(?)ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€ãã—ã¦ä¾‹å¤–å‡¦ç†
å…ˆæ—¥ã®ã‚¨ãƒ³ãƒˆãƒªã€Œå‡¦ç†é–‹å§‹å¾Œã®ä¾‹å¤–å‡¦ç†ã§ã¯ã€Œã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€ãŒæœ‰åŠ¹ãªå ´åˆã‚‚ã‚ã‚‹ã€ã¯ã€ç´ æã®æ¶ˆåŒ–ä¸è¶³ã€ç§ã®è¡¨ç¾ã®æœªç†Ÿç‰ã‹ã‚‰ã€ä¸€éƒ¨ã§èª¤è§£ã‚’æ‹›ã„ã¦ã—ã¾ã£ãŸã‚ˆã†ã§ç”³ã—è¨³ã‚ã‚Šã¾ã›ã‚“ã€‚ã‚¢ãƒ—ãƒãƒ¼ãƒã‚’å¤‰ãˆã¦ã€ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã«ã¤ã„ã¦ã‚‚ã†ä¸€åº¦è€ƒãˆã¦ã¿ãŸã„ã¨æ€ã„ã¾ã™ã€‚çµè«–ã‹ã‚‰è¨€ãˆã°ã€æ‚ªã„ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã¯ã‚ã£ã¦ã‚‚ã€ã€Œè‰¯ã„ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€ã¯ãªã„ã¨è€ƒãˆã¾ã™ã€‚ã—ã‹ã—ãªãŒã‚‰ã€çŠ¶æ³ã«ã‚ˆã£ã¦ã¯å¦¥å”ã®ç”£ç‰©ã¨ã—ã¦ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã‚’ä½¿ã†ã“ã¨ã¯ã€ã‚ã‚Šå¾—ã‚‹ã¨è€ƒãˆã¾ã™ã€‚ æœ¬ç¨¿ã§ç”¨ã„ã‚‹ã€Œã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€ã®å®šç¾© ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã¨ã„ã†ç”¨èªžã¯ã€æ´å²çš„ã«éƒ½åˆã®è‰¯ã„ã‚ˆã†ã«ä½¿ã‚ã‚Œã¦ããŸæ´å²ãŒã‚ã‚Šã€ã‚ã‚‰ãŸã‚ã¦ãƒãƒƒãƒˆæ¤œç´¢ã—ã¦è¦‹ã‚‹ã¨ã€æœ¬å½“ã«å¤šæ§˜ãªä½¿ã‚ã‚Œæ–¹ã‚’ã—ã¦ã„ã‚‹ã¨æ„Ÿã˜ã¾ã—ãŸã€‚ãã®æ§˜åã¯ã€é«˜æœ¨æµ©å…‰æ°ã®ãƒ–ãƒã‚°è¨˜äº‹ã€Žã€Œã‚µãƒ‹ã‚¿ã‚¤ã‚ºã€ã¨ã„ã†è¨€è‘‰ã¯ã‚‚ã†æ»ã‚“ã§ã„ã‚‹ã€ã‹ã‚‰ã‚‚ä¼ºãˆã¾ã™ã€‚ ã“ã“ã§ã¯ã€è°è«–ã®éƒ½åˆä¸Šã€ä»¥ä¸‹ã‚’ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã®å®šç¾©ã¨ã—ã¦ç”¨ã„ã‚‹ã“ã¨ã«ã—ã¾ã™ã€‚ ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã¨ã¯ã€ ä¸»ã«ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ä¸Šã®ç›®çš„ã§
itboy 2012/04/04
php

security

xss
ãƒªãƒ³ã‚¯
SEãƒ»ãƒ—ãƒã‚°ãƒ©ãƒžãŒçŸ¥ã£ã¦ã‚‹ã¨ä¾¿åˆ©ãªè„†å¼±æ€§ãƒã‚§ãƒƒã‚¯ãƒ„ãƒ¼ãƒ« 5 ã¤ | ãƒã‚·ãƒ£ãƒã‚°ã€‚
æ±äº¬ãƒ©ãƒ¼ãƒ¡ãƒ³ã‚·ãƒ§ãƒ¼2011 ã„ãã¦ãƒ¼ãƒ¼ãƒ¼ï¼ã¿ãªã•ã‚“ã“ã‚“ã«ã¡ã¯ã€nakamura ã§ã™ã€‚ ä»Šæ—¥ã¯ãƒ—ãƒã‚°ãƒ©ãƒžã ã£ãŸã‚Šã‚µãƒ¼ãƒç®¡ç†è€…ã ã£ãŸã‚Šï¼ˆã‚‚ã—ãã¯ãã®ä¸¡æ–¹ã ã£ãŸã‚Šï¼‰ã™ã‚‹æ–¹ã«ãŠå‹§ã‚ã—ãŸã„ã‚µã‚¤ãƒˆã¨ãƒ„ãƒ¼ãƒ«ã‚’ã„ãã¤ã‹ã”ç´¹ä»‹ã—ã¾ã™ã€‚ç´°ã‹ã„è„†å¼±æ€§ã®ãƒã‚§ãƒƒã‚¯ç‰ã©ã†ã—ã¦ã‚‚æ‰‹é–“ãŒæŽ›ã‹ã‚‹ã‚‚ã®ãŒå¤šã„ã§ã™ãŒã€ä»Šå›žã”ç´¹ä»‹ã™ã‚‹ãƒ„ãƒ¼ãƒ«ã‚’ã†ã¾ãä½¿ã†ã¨ãã®è¾ºã‚Šã ã„ã¶åŠ¹çŽ‡ã‚ˆãã§ãã‚‹ã¨æ€ã„ã¾ã™ã‚ˆï¼ WEB ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é–¢é€£ XSS Me XSS Me :: Add-ons for Firefox XSS ã®ãƒ†ã‚¹ãƒˆã‚’ã‚ã‚‹ç¨‹åº¦è‡ªå‹•åŒ–ã—ã¦ãã‚Œã‚‹ Firefox ã®ã‚¢ãƒ‰ã‚ªãƒ³ã§ã™ã€‚æ®‹å¿µãªãŒã‚‰ Firefox3.0.* ç³»ã®é ƒã«é–‹ç™ºãŒæ¢ã¾ã£ã¦ã—ã¾ã£ã¦ã„ã‚‹ã‚ˆã†ã§ã™ãŒã€åƒ•ã®ç’°å¢ƒã§ã¯ install.rdf ã®æ›¸ãæ›ãˆã§å•é¡Œãªãå‹•ä½œã—ã¦ã„ã¾ã™ã€‚ï¼ˆWindows7 64bit + Firefox7.0.1ï¼‰ SQL Inject Me SQL I
itboy 2011/11/02
XSS

security

development
ãƒªãƒ³ã‚¯
ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®çµ‚äº†æ—¥ã‚’2020å¹´1æœˆ31æ—¥(é‡‘)ã«æ±ºå®šã—ã¾ã—ãŸ - ã¯ã¦ãªã®å‘ŠçŸ¥
ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®çµ‚äº†æ—¥ã‚’2020å¹´1æœˆ31æ—¥(é‡‘)ã«æ±ºå®šã—ã¾ã—ãŸ ä»¥ä¸‹ã®ã‚¨ãƒ³ãƒˆãƒªã®é€šã‚Šã€ä»Šå¹´æœ«ã‚’ç›®å‡¦ã«ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã‚’çµ‚äº†äºˆå®šã§ã‚ã‚‹æ—¨ã‚’ãŠçŸ¥ã‚‰ã›ã—ã¦ãŠã‚Šã¾ã—ãŸã€‚ 2019å¹´æœ«ã‚’ç›®å‡¦ã«ã€ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®æä¾›ã‚’çµ‚äº†ã™ã‚‹äºˆå®šã§ã™ - ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ ã“ã®ãŸã³ã€æ£å¼ã«çµ‚äº†æ—¥ã‚’æ±ºå®šã„ãŸã—ã¾ã—ãŸã®ã§ã€ä»¥ä¸‹ã®é€šã‚Šã”ç¢ºèªãã ã•ã„ã€‚ çµ‚äº†æ—¥: 2020å¹´1æœˆ31æ—¥(é‡‘) ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆå¸Œæœ›ç”³è«‹æœŸé™:2020å¹´1æœˆ31æ—¥(é‡‘) çµ‚äº†æ—¥ä»¥é™ã¯ã€ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®é–²è¦§ãŠã‚ˆã³æŠ•ç¨¿ã¯è¡Œãˆã¾ã›ã‚“ã€‚æ—¥è¨˜ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆãŒå¿…è¦ãªæ–¹ã¯ä»¥ä¸‹ã®è¨˜äº‹ã«ã—ãŸãŒã£ã¦æ‰‹ç¶šãã‚’ã—ã¦ãã ã•ã„ã€‚ ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã«æŠ•ç¨¿ã•ã‚ŒãŸæ—¥è¨˜ãƒ‡ãƒ¼ã‚¿ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆã«ã¤ã„ã¦ - ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ ã”åˆ©ç”¨ã®ã¿ãªã•ã¾ã«ã¯ã”è¿·æƒ‘ã‚’ãŠã‹ã‘ã„ãŸã—ã¾ã™ãŒã€ã©ã†ãžã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ã€‚ 2020-06-25 è¿½è¨˜ ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆãƒ‡ãƒ¼ã‚¿ã¯2020å¹´2æœˆ28
itboy 2011/06/28
jquery

XSS

security
ãƒªãƒ³ã‚¯
Evernote ã® XSS è„†å¼±æ€§ã«é–¢ã—ã¦ mala æ°ã®ã¤ã¶ã‚„ã
è¦ã™ã‚‹ã«ã€è§£æ±ºã•ã‚Œã‚‹ã¾ã§ã¯ãƒã‚°ã‚¢ã‚¦ãƒˆã—ã¨ã‘ã¨ã„ã†ã“ã¨ã ãã†ãƒ‡ã‚¹ã€‚ ã€2011/04/20 12:20 è¿½è¨˜ã€‘ã²ã‚ƒã£ã¯ãƒ¼çš„ãªãŠã¾ã‘ã‚’è¿½åŠ ã—ã¾ã—ãŸã€‚ ã€2011/04/20 00:30 è¿½è¨˜ã€‘å¤šåˆ†ã“ã‚Œã§æœ€å¾Œã€‚ä»¥é™ã¯ Evernote ã®æ£å¼ç™ºè¡¨ã‚’å¾…ã£ãŸä¸Šã§ã€ãã‚Œã‚’ä¿¡ç”¨ã—ã¦åˆ©ç”¨ã™ã‚‹ã‹ã©ã†ã‹ã¯å„å€‹äººã®åˆ¤æ–ã«ãŠä»»ã›ã—ã¾ã™ã€‚ ã€2011/04/19 17:05 è¿½è¨˜ã€‘åˆå¾Œã®éƒ¨è¿½è¨˜ã€‚ãªãŠã€ã‚¨ãƒ³ãƒˆãƒªã‚’èµ·ã“ã•ã‚Œã¦ã„ã‚‹æ–¹ãŒãŠã‚Šã¾ã—ãŸã®ã§ã”ç´¹ä»‹ã€‚ï¼žã€Žbulkneetsæ°ã«ã‚ˆã£ã¦å ±å‘Šã•ã‚ŒãŸEvernoteã®XSSè„†å¼±æ€§ã¨ã¯ å±é™ºã¨å¯¾ç–ã€( http://d.hatena.ne.jp/pichikupachiku/20110419/1303158373 ) ç¶šãã‚’èªã‚€
itboy 2011/04/19
XSS

evernote

Security
ãƒªãƒ³ã‚¯
ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®çµ‚äº†æ—¥ã‚’2020å¹´1æœˆ31æ—¥(é‡‘)ã«æ±ºå®šã—ã¾ã—ãŸ - ã¯ã¦ãªã®å‘ŠçŸ¥
ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®çµ‚äº†æ—¥ã‚’2020å¹´1æœˆ31æ—¥(é‡‘)ã«æ±ºå®šã—ã¾ã—ãŸ ä»¥ä¸‹ã®ã‚¨ãƒ³ãƒˆãƒªã®é€šã‚Šã€ä»Šå¹´æœ«ã‚’ç›®å‡¦ã«ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã‚’çµ‚äº†äºˆå®šã§ã‚ã‚‹æ—¨ã‚’ãŠçŸ¥ã‚‰ã›ã—ã¦ãŠã‚Šã¾ã—ãŸã€‚ 2019å¹´æœ«ã‚’ç›®å‡¦ã«ã€ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®æä¾›ã‚’çµ‚äº†ã™ã‚‹äºˆå®šã§ã™ - ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ ã“ã®ãŸã³ã€æ£å¼ã«çµ‚äº†æ—¥ã‚’æ±ºå®šã„ãŸã—ã¾ã—ãŸã®ã§ã€ä»¥ä¸‹ã®é€šã‚Šã”ç¢ºèªãã ã•ã„ã€‚ çµ‚äº†æ—¥: 2020å¹´1æœˆ31æ—¥(é‡‘) ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆå¸Œæœ›ç”³è«‹æœŸé™:2020å¹´1æœˆ31æ—¥(é‡‘) çµ‚äº†æ—¥ä»¥é™ã¯ã€ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã®é–²è¦§ãŠã‚ˆã³æŠ•ç¨¿ã¯è¡Œãˆã¾ã›ã‚“ã€‚æ—¥è¨˜ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆãŒå¿…è¦ãªæ–¹ã¯ä»¥ä¸‹ã®è¨˜äº‹ã«ã—ãŸãŒã£ã¦æ‰‹ç¶šãã‚’ã—ã¦ãã ã•ã„ã€‚ ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—ã«æŠ•ç¨¿ã•ã‚ŒãŸæ—¥è¨˜ãƒ‡ãƒ¼ã‚¿ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆã«ã¤ã„ã¦ - ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ ã”åˆ©ç”¨ã®ã¿ãªã•ã¾ã«ã¯ã”è¿·æƒ‘ã‚’ãŠã‹ã‘ã„ãŸã—ã¾ã™ãŒã€ã©ã†ãžã‚ˆã‚ã—ããŠé¡˜ã„ã„ãŸã—ã¾ã™ã€‚ 2020-06-25 è¿½è¨˜ ã¯ã¦ãªã‚°ãƒ«ãƒ¼ãƒ—æ—¥è¨˜ã®ã‚¨ã‚¯ã‚¹ãƒãƒ¼ãƒˆãƒ‡ãƒ¼ã‚¿ã¯2020å¹´2æœˆ28
itboy 2011/04/14
javascript

security

XSS
ãƒªãƒ³ã‚¯
1åˆ†ã§ã‚ã‹ã‚‹ã€ŒX-ãƒŠãƒ³ãƒˆã‚«ã€HTTPãƒ¬ã‚¹ãƒãƒ³ã‚¹ãƒ˜ãƒƒãƒ€ - è‘‰ã£ã±æ—¥è¨˜
æœ€è¿‘ã®ãƒ¢ãƒ€ãƒ³ãªWebãƒ–ãƒ©ã‚¦ã‚¶ãŒã‚µãƒãƒ¼ãƒˆã—ã¦ã„ã‚‹ã€ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«é–¢é€£ã—ãã†ãª X- ãªHTTPãƒ¬ã‚¹ãƒãƒ³ã‚¹ãƒ˜ãƒƒãƒ€ã‚’ã¾ã¨ã‚ã¦ã¿ã¾ã—ãŸã€‚ãã‚Œä»¥å¤–ã«ã‚‚ã‚ã£ãŸã‚‰æ•™ãˆã¦ãã ã•ã„ã€‚ X-XSS-Protection 0:XSSãƒ•ã‚£ãƒ«ã‚¿ã‚’ç„¡åŠ¹ã«ã™ã‚‹ã€‚ 1:XSSãƒ•ã‚£ãƒ«ã‚¿ã‚’æœ‰åŠ¹ã«ã™ã‚‹ã€‚ XSSãƒ•ã‚£ãƒ«ã‚¿ã‚’æœ‰åŠ¹ã«ã™ã‚‹ã“ã¨ã§ã‚¨ãƒ³ãƒ‰ãƒ¦ãƒ¼ã‚¶ãŒXSSã®è¢«å®³ã«ã‚ã†å¯èƒ½æ€§ãŒä½Žæ¸›ã™ã‚‹ãŒã€ã¾ã‚Œã«èª¤æ¤œçŸ¥ã™ã‚‹ã“ã¨ã§ç”»é¢ã®è¡¨ç¤ºãŒä¹±ã‚Œã‚‹ã“ã¨ã‚‚ã‚ã‚‹ã€‚IE8+ã€Safariã€Chrome(å¤šåˆ†) ã§æœ‰åŠ¹ã€‚IEã§ã¯ã€ŒX-XSS-Protection: 1; mode=blockã€ã¨ã„ã†æŒ‡å®šã‚‚å¯èƒ½ã€‚ 2008/7/2 - IE8 Security Part IV: The XSS FilterBug 27312 â€“ [XSSAuditor] Add support for header X-XSS-Protection X-Content-Ty
itboy 2011/01/09
XSS

security

browser
ãƒªãƒ³ã‚¯
X-Content-Type-Options: nosniff ã¤ã‹ã‚ãªã„ã‚„ã¤ã¯æ»ãã°ã„ã„ã®ã«! - è‘‰ã£ã±æ—¥è¨˜
2011-01-06: IE8ã¨ã„ã†ã“ã¨ã‚’è¿½è¨˜ & ã¡ã‚‡ã£ã¨é–“é•ã„ã‚’ä¿®æ£ã€‚ã‚ã‘ã¾ã—ã¦ãŠã‚ã§ã¨ã†ã”ã–ã„ã¾ã™ã€‚ å¹´æ˜Žã‘æ—©ã€…ã§ã™ãŒã€Internet Explorerã®è©±é¡Œã§ã™ã€‚IEã¯ã”å˜ã˜ã®é€šã‚Šã€Content-Type ã ã‘ã§ãªãã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã®å†…å®¹ãªã©ã‚‚ sniff ã™ã‚‹ã“ã¨ã§ãƒ•ã‚¡ã‚¤ãƒ«ã‚¿ã‚¤ãƒ—ã‚’æ±ºå®šã—ã¦ã„ã‚‹ãŸã‚ã€ç”»åƒãƒ•ã‚¡ã‚¤ãƒ«ã‚„ãƒ†ã‚ã‚¹ãƒˆãƒ•ã‚¡ã‚¤ãƒ«ã‚’HTMLã¨åˆ¤å®šã—ã¦ã—ã¾ã„ã€ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ãŒç™ºç”Ÿã™ã‚‹ã“ã¨ãŒæ˜”ã‹ã‚‰ãŸã³ãŸã³å ±å‘Šã•ã‚Œã¦ã„ã¾ã—ãŸ*1ã€‚ç¾åœ¨ã¯å¹¾åˆ†ãƒžã‚·ã«ãªã£ãŸã¨ã¯ã„ãˆã€IEã®ãƒ•ã‚¡ã‚¤ãƒ«ã‚¿ã‚¤ãƒ—ã®åˆ¤å®šã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã¯éžå¸¸ã«é›£è§£ã§ã‚ã‚Šã€ç¾åœ¨ã§ã‚‚çŠ¶æ³ã«ã‚ˆã£ã¦ã¯Webã‚µã‚¤ãƒˆé‹å–¶è€…ã®ã¾ã£ãŸãæ„å›³ã—ã¦ã„ãªã„ã‹ãŸã¡ã§ã®XSSãŒç™ºç”Ÿã™ã‚‹å¯èƒ½æ€§ãŒã‚ã£ãŸã‚Šã—ã¾ã™ã€‚ãã†ã„ã†ã‚ã‘ã§ã€IEãŒã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚’ sniff ã—ã¦HTMLä»¥å¤–ã®ã‚‚ã®ã‚’HTMLæ‰±ã„ã—ã¦ã—ã¾ã†ã“ã¨ã‚’é˜²ããŸã‚ã«ã€å‹•çš„ã«ã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚’ç”Ÿæˆã—ã¦ã„ã‚‹å ´åˆã«
itboy 2011/01/06
XSS

IE

programming
ãƒªãƒ³ã‚¯
Geekãªãºãƒ¼ã˜ : ãƒ¡ã‚¿æƒ…å ±ã«ã‚ˆã‚‹XSS
å…ˆæ—¥ã€ãªã‹ãªã‹å¼·çƒˆãªXSSæ”»æ’ƒæ‰‹æ³•ãŒå…¬é–‹ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚ DNSã¸ã®å•ã„åˆã‚ã›çµæžœã«JavaScriptã‚’åŸ‹ã‚è¾¼ã‚“ã§ã—ã¾ãŠã†ã¨ã„ã†ã‚‚ã®ã§ã™ã€‚ SkullSecurity: Stuffing Javascript into DNS names DarkReading: Researcher Details New Class Of Cross-Site Scripting Attack nCircle: Meta-Information Cross Site Scripting (PDF) è‡ªå‹•ç”Ÿæˆã•ã‚Œã‚‹Webãƒšãƒ¼ã‚¸ä¸ã«ã€DNSã«ã‚ˆã‚‹åå‰è§£æ±ºçµæžœãŒã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã•ã‚Œãªã„çŠ¶æ…‹ã§å«ã¾ã‚Œã¦ã„ã‚‹ã¨ã€JavaScriptãŒå®Ÿè¡Œã•ã‚Œã¦ã—ã¾ã†ã¨ã„ã†ä»•æŽ›ã‘ã§ã™ã€‚ ã€Œhogehoge.example.comã€ãŒæœ¬æ¥ãªã‚‰ã°ã€Œ198.1.100.3ã€ã¨ã„ã†ã‚ˆã†ãªIPã‚¢ãƒ‰ãƒ¬ã‚¹ãŒçµæžœã¨ã—ã¦è¿”ã‚‹ã¨ã“ã‚ã‚’ã€DNSã«ç´°å·¥ã‚’è¡Œã£
itboy 2010/10/07
security

javascript

XSS
ãƒªãƒ³ã‚¯
XSS (Cross Site Scripting) Cheat Sheet
XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion By RSnake Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to
itboy 2010/05/11
XSS

programming

Security

tips
ãƒªãƒ³ã‚¯
ç¬¬7å›žâ– æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ãŒç”Ÿã¿å‡ºã™ãœã„å¼±æ€§ã‚’çŸ¥ã‚‹
æ–‡å—ã‚³ãƒ¼ãƒ‰ã«é–¢ã™ã‚‹å•é¡Œã¯å¤§åˆ¥ã™ã‚‹ã¨æ–‡å—é›†åˆã®å•é¡Œã¨æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã®å•é¡Œã«åˆ†é¡žã§ãã‚‹ã€‚å‰å›žã¯æ–‡å—é›†åˆã®å–ã‚Šæ‰±ã„ã«èµ·å› ã™ã‚‹ãœã„å¼±æ€§ã«ã¤ã„ã¦èª¬æ˜Žã—ãŸã®ã§ã€ä»Šå›žã¯æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã«èµ·å› ã™ã‚‹ãœã„å¼±æ€§ã«ã¤ã„ã¦èª¬æ˜Žã—ã‚ˆã†ã€‚ æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã«ä¾å˜ã™ã‚‹å•é¡Œã‚’ã•ã‚‰ã«åˆ†é¡žã™ã‚‹ã¨2ç¨®é¡žã‚ã‚‹ã€‚ï¼ˆ1ï¼‰æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã¨ã—ã¦ä¸æ£ãªãƒ‡ãƒ¼ã‚¿ã‚’ç”¨ã„ã‚‹ã¨æ”»æ’ƒãŒæˆç«‹ã—ã¦ã—ã¾ã†ç‚¹ã¨ï¼Œï¼ˆ2ï¼‰æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã®å‡¦ç†ãŒä¸ååˆ†ãªãŸã‚ã«ãœã„å¼±æ€§ãŒç”Ÿã˜ã‚‹ã“ã¨ãŒã‚ã‚‹ç‚¹ã ã€‚ ä¸æ£ãªæ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ï¼ˆ1ï¼‰â€•â€•å†—é•·ãªUTF-8ç¬¦å·åŒ–å•é¡Œ ã¾ãšï¼Œï¼ˆ1ï¼‰ã®ä¸æ£ãªæ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ã®ä»£è¡¨ã¨ã—ã¦ï¼Œå†—é•·ãªUTF-8ç¬¦å·åŒ–å•é¡Œã‹ã‚‰èª¬æ˜Žã—ã‚ˆã†ã€‚å‰ã€…å›žã«è§£èª¬ã—ãŸUTF-8ã®ãƒ“ãƒƒãƒˆãƒ»ãƒ‘ã‚¿ãƒ¼ãƒ³ï¼ˆè¡¨1ã«å†æŽ²ï¼‰ã‚’è¦‹ã‚‹ã¨ï¼Œã‚³ãƒ¼ãƒ‰ãƒ»ãƒã‚¤ãƒ³ãƒˆã®ç¯„å›²ã”ã¨ã«ãƒ“ãƒƒãƒˆãƒ»ãƒ‘ã‚¿ãƒ¼ãƒ³ãŒå‰²ã‚Šå½“ã¦ã‚‰ã‚Œã¦ã„ã‚‹ãŒï¼Œãƒ“ãƒƒãƒˆãƒ»ãƒ‘ã‚¿ãƒ¼ãƒ³ä¸Šã¯ï¼Œã‚ˆã‚Šå¤šãã®ãƒã‚¤ãƒˆæ•°ã‚’ä½¿ã£ã¦ã‚‚åŒã˜ã‚³ãƒ¼
itboy 2009/03/04
security

programming

XSS

é–‹ç™º
ãƒªãƒ³ã‚¯
Pixy: XSS and SQLI Scanner for PHP
Welcome to Pixy! The Probl em: Finding XSS and SQLI vulnerabilities Cross-site scripting (XSS) and SQL injection (SQLI) vulnerabilities are present in many modern web applications, and are reported continuously on pages such as BugTraq. In the past, finding such vulnerabilities usually involved manual source code audits. Unfortunately, this manual vulnerability search is a very tiresome and error-
itboy 2007/06/22
php

XSS

ãƒ†ã‚¹ãƒˆãƒ„ãƒ¼ãƒ«
ãƒªãƒ³ã‚¯
1