[B! tips][security] mumumu-tanã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

mumumu-tan id:mumumu-tan

tipsã¨securityã«é–¢ã™ã‚‹mumumu-tanã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

http://www.machu.jp/posts/20051101/p01/
mumumu-tan 2010/11/09
api

security

programming

tips
ãƒªãƒ³ã‚¯
XSSã«å¼·ã„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚’ä½œã‚‹ â€“ ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ³ã®é¸å®šåŸºæº–ã¨ã‚¹ãƒ‹ãƒšãƒƒãƒˆã®ç”Ÿæˆæ‰‹æ³•
3. å¾“æ¥ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ³ ï®å¾“æ¥ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆï¼æ‰‹å‹•ã‚¨ã‚¹ã‚±ãƒ¼ãƒ— ï®<?php echo htmlspecialchars($var) ?> ï®XSSã®æ¸©åºŠï¼ˆã‚¨ã‚¹ã‚±ãƒ¼ãƒ—æ¼ã‚Œï¼‰ 2010å¹´10æœˆ26æ—¥ XSSã«å¼·ã„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚’ä½œã‚‹ - ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ³ã®é¸å®šåŸºæº–ã¨ã‚¹ãƒ‹ãƒšãƒƒãƒˆã®ç”Ÿæˆæ‰‹æ³• 3 4. å¾“æ¥ã®ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ³ (2) ï®ä»£æ›¿æ‰‹æ³•ï¼å¸¸ã«ã‚¨ã‚¹ã‚±ãƒ¼ãƒ— ï®Smarty ã® default:modifiers ç‰ ï®å•é¡Œï¼šï¼’é‡ã«ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã—ã¦ã—ã¾ã† ï®çµå±€æµè¡Œã‚‰ãªã‹ã£ãŸ 2010å¹´10æœˆ26æ—¥ XSSã«å¼·ã„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚’ä½œã‚‹ - ãƒ†ãƒ³ãƒ—ãƒ¬ãƒ¼ãƒˆã‚¨ãƒ³ã‚¸ãƒ³ã®é¸å®šåŸºæº–ã¨ã‚¹ãƒ‹ãƒšãƒƒãƒˆã®ç”Ÿæˆæ‰‹æ³• 4 5. è‡ªå‹•ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã®ç™»å ´ ï®åŸºæœ¬ã¯å¸¸ã«ã‚¨ã‚¹ã‚±ãƒ¼ãƒ— ï®ãŸã ã—ã€ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—æ¸ˆã‹ã©ã†ã‹ã‚’åž‹ã§åˆ¤å®š $var = '>_<'; <?= $var ?> => >_< ï®åž‹æƒ…å ±ãŒã‚ã‚‹ã‹ã‚‰ï¼’é‡
mumumu-tan 2010/11/02
programming

security

tips
ãƒªãƒ³ã‚¯
BASIC èªè¨¼ã§ãƒã‚°ã‚¢ã‚¦ãƒˆã‚’å¯èƒ½ã«ã™ã‚‹æ–¹æ³• - kazuhoã®ãƒ¡ãƒ¢ç½®ãå ´
Cookie ã§ãƒã‚°ã‚¤ãƒ³çŠ¶æ…‹ã‚’ç®¡ç†ã™ã‚Œã°ã„ã„ã‚“ã˜ã‚ƒã„ã®ã‹ãªã€‚ ã¾ãšã€ãƒã‚°ã‚¤ãƒ³ãƒœã‚¿ãƒ³ã‚’æŠ¼ã—ãŸæ™‚ã€Œã ã‘ã€is_logged_on ã‚’çœŸã«ã™ã‚‹ã€‚ HTTP/1.1 Authorization Required Set-Cookie: is_logged_on=1 WWW-Authenticate: Basic realm="Hoge123456" ...ã‚µãƒ¼ãƒå´ã§ã¯ã€Basic èªè¨¼ã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ãŒã‚ã‚Šã€ã‹ã¤ã€is_logged_on ã®å€¤ãŒçœŸã§ã‚ã‚‹ã“ã¨ã‚’ãƒã‚§ãƒƒã‚¯ã™ã‚Œã°ã„ã„ã€‚ GET / HTTP/1.1 Cookie: is_logged_on=1 Authorization: Basic ... ... HTTP/1.1 200 OK ...ã§ã€ãƒã‚°ã‚¢ã‚¦ãƒˆã®éš›ã«ã¯ã€Cookie ã‚’æ¶ˆã™ã€‚ HTTP/1.1 200 OK Set-Cookie: is_logged_on=0 ...ãã—ã¦ã€is_
mumumu-tan 2010/08/25
security

web

tips

programming
ãƒªãƒ³ã‚¯
æƒ…å ±å‡¦ç†æŽ¨é€²æ©Ÿæ§‹ï¼šæƒ…å ±ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ï¼šè„†å¼±æ€§å¯¾ç–ï¼šå®‰å…¨ãªã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ä½œã‚Šæ–¹
ã€Œå®‰å…¨ãªã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ä½œã‚Šæ–¹ã€ã¯ã€IPAãŒå±Šå‡º(*1)ã‚’å—ã‘ãŸè„†å¼±æ€§é–¢é€£æƒ…å ±ã‚’åŸºã«ã€å±Šå‡ºä»¶æ•°ã®å¤šã‹ã£ãŸè„†å¼±æ€§ã‚„æ”»æ’ƒã«ã‚ˆã‚‹å½±éŸ¿åº¦ãŒå¤§ãã„è„†å¼±æ€§ã‚’å–ã‚Šä¸Šã’ã€ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆé–‹ç™ºè€…ã‚„é‹å–¶è€…ãŒé©åˆ‡ãªã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚’è€ƒæ…®ã—ãŸã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã‚’ä½œæˆã™ã‚‹ãŸã‚ã®è³‡æ–™ã§ã™ã€‚ ã€Œå®‰å…¨ãªã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ä½œã‚Šæ–¹ã€æ”¹è¨‚ç¬¬7ç‰ˆã®å†…å®¹ ç¬¬1ç« ã§ã¯ã€ã€Œã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å®Ÿè£…ã€ã¨ã—ã¦ã€SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ ã€OSã‚³ãƒžãƒ³ãƒ‰ãƒ»ã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ ã‚„ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚° ç‰11ç¨®é¡žã®è„†å¼±æ€§ã‚’å–ã‚Šä¸Šã’ã€ãã‚Œãžã‚Œã®è„†å¼±æ€§ã§ç™ºç”Ÿã—ã†ã‚‹è„…å¨ã‚„ç‰¹ã«æ³¨æ„ãŒå¿…è¦ãªã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®ç‰¹å¾´ç‰ã‚’è§£èª¬ã—ã€è„†å¼±æ€§ã®åŽŸå› ãã®ã‚‚ã®ã‚’ãªãã™æ ¹æœ¬çš„ãªè§£æ±ºç–ã€æ”»æ’ƒã«ã‚ˆã‚‹å½±éŸ¿ã®ä½Žæ¸›ã‚’æœŸå¾…ã§ãã‚‹å¯¾ç–ã‚’ç¤ºã—ã¦ã„ã¾ã™ã€‚ ç¬¬2ç« ã§ã¯ã€ã€Œã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã®å®‰å…¨æ€§å‘ä¸Šã®ãŸã‚ã®å–ã‚Šçµ„ã¿ã€ã¨ã—ã¦ã€ã‚¦ã‚§ãƒ–ã‚µãƒ¼ãƒã®é‹ç”¨ã«é–¢ã™ã‚‹å¯¾ç–ã‚„ã‚¦ã‚§ãƒ–ã‚µã‚¤ãƒˆã«ãŠã‘ã‚‹ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®å–æ‰±ã„ã«é–¢ã™
mumumu-tan 2010/01/20
security

tutorial

web

development

programming

tips

documentation
ãƒªãƒ³ã‚¯
ã‚¦ãƒŽã‚¦ãƒ©ãƒœ Unoh Labs: PHPã§æš—å·åŒ–ãƒ»å¾©å·åŒ–ã‚ã‚Œã“ã‚Œ
GT Nitro: Car Game Drag Raceã¯ã€å…¸åž‹çš„ãªã‚«ãƒ¼ã‚²ãƒ¼ãƒ ã§ã¯ã‚ã‚Šã¾ã›ã‚“ã€‚ã“ã‚Œã¯ã‚¹ãƒ”ãƒ¼ãƒ‰ã€ãƒ‘ãƒ¯ãƒ¼ã€ã‚¹ã‚ãƒ«å…¨é–‹ã®ã‚«ãƒ¼ãƒ¬ãƒ¼ã‚¹ã‚²ãƒ¼ãƒ ã§ã™ã€‚ãƒ–ãƒ¬ãƒ¼ã‚ã¯å¿˜ã‚Œã¦ã€ã“ã‚Œã¯ãƒ‰ãƒ©ãƒƒã‚°ãƒ¬ãƒ¼ã‚¹ã€ãƒ™ã‚¤ãƒ“ãƒ¼ï¼å¤å…¸çš„ãªã‚¯ãƒ©ã‚·ãƒƒã‚¯ã‹ã‚‰æœªæ¥çš„ãªãƒ“ãƒ¼ã‚¹ãƒˆã¾ã§ã€æœ€ã‚‚ã‚¯ãƒ¼ãƒ«ã§é€Ÿã„è»Šã¨ã‚«ãƒ¼ãƒ¬ãƒ¼ã‚¹ã§ãã¾ã™ã€‚ã‚¹ãƒ†ã‚£ãƒƒã‚¯ã‚·ãƒ•ãƒˆã‚’ãƒžã‚¹ã‚¿ãƒ¼ã—ã€ãƒ‹ãƒˆãƒã‚’è³¢ãä½¿ã£ã¦ç«¶äº‰ã‚’æ‰“ã¡ç ´ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ã“ã®ã‚«ãƒ¼ãƒ¬ãƒ¼ã‚¹ã‚²ãƒ¼ãƒ ã¯ãã®ãƒªã‚¢ãƒ«ãªç‰©ç†å¦ã¨ç´ æ™´ã‚‰ã—ã„ã‚°ãƒ©ãƒ•ã‚£ãƒƒã‚¯ã‚¹ã§ã‚ãªãŸã®å¿ƒã‚’çˆ†ç™ºã•ã›ã¾ã™ã€‚ã“ã‚Œã¾ã§ãƒ—ãƒ¬ã‚¤ã—ãŸã“ã¨ã®ãªã„ã‚ˆã†ãªã‚‚ã®ã§ã™ã€‚ GT Nitroã¯ã€ãƒªãƒ•ãƒ¬ãƒƒã‚¯ã‚¹ã¨ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã‚’è©¦ã™ã‚«ãƒ¼ãƒ¬ãƒ¼ã‚¹ã‚²ãƒ¼ãƒ ã§ã™ã€‚æ£ã—ã„çž¬é–“ã«ã‚®ã‚¢ã‚’ã‚·ãƒ•ãƒˆã—ã€ã‚¬ã‚¹ã‚’æ€ã„åˆ‡ã‚Šè¸ã‚€å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ã¾ãŸã€å¤§ç‰©ãŸã¡ã¨ç«¶ã„ã¤ã¤ã€è»Šã®ãƒãƒ¥ãƒ¼ãƒ‹ãƒ³ã‚°ã¨ã‚¢ãƒƒãƒ—ã‚°ãƒ¬ãƒ¼ãƒ‰ã‚‚è¡Œã‚ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“ã€‚ä¸–ç•Œä¸ã§æœ€é«˜ã®ãƒ‰ãƒ©ã‚¤ãƒãƒ¼ã¨è»Šã¨ã‚«ãƒ¼ãƒ¬ãƒ¼ã‚¹ã«æŒ‘ã‚€ã“ã¨ã«ãªã‚Šã€ãƒ‰ãƒ©ãƒƒã‚°ãƒ¬ãƒ¼ã‚¹ã®çŽ‹å†
mumumu-tan 2010/01/17
programming

tips

php

development

security
ãƒªãƒ³ã‚¯
æºå¸¯é›»è©±å‘ã‘Webã‚¢ãƒ—ãƒªã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã¯ã©ã†ãªã£ã¦ã„ã‚‹ã‹ - ockeghem's blog
æœ€è¿‘è³¼å…¥ã—ãŸPHPÃ—æºå¸¯ã‚µã‚¤ãƒˆ å®Ÿè·µã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é›†ã‚’èªã‚“ã§ã„ã¦å¦™ãªæ„Ÿã˜ãŒã—ãŸã®ã§ã€ã“ã®æ„Ÿè¦šã¯ãªã‚“ã ã‚ã†ã¨æ€ã£ã¦ã„ãŸã‚‰ã€ãã®ç†ç”±ã«æ°—ã¥ã„ãŸã€‚æœ¬æ›¸ã«å‡ºã¦ãã‚‹ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã¯ã€PHPã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†æ©Ÿæ§‹ã‚’ä½¿ã£ã¦ã„ãªã„ã®ã ã€‚ãã‚“ãªé¦¬é¹¿ãªã¨æ€ã£ãŸãŒã€ç›®æ¬¡ã«ã‚‚ç´¢å¼•ã«ã‚‚ã€Œã‚»ãƒƒã‚·ãƒ§ãƒ³ã€ã‚„ã€Œsessionã€ã¨ã„ã†èªžã¯å‡ºã¦ã“ãªã„ã€‚ã‚µãƒ³ãƒ—ãƒ«ãƒ—ãƒã‚°ãƒ©ãƒ ã®CD-ROMä¸Šã§ session ã‚’æ¤œç´¢ã—ã¦ã‚‚å‡ºã¦ã“ãªã„ã®ã§ã€ã‚»ãƒƒã‚·ãƒ§ãƒ³ã¯ã©ã“ã§ã‚‚ä½¿ã£ã¦ã„ãªã„ã®ã ã‚ã†ã€‚ ãã†ã¯è¨€ã£ã¦ã‚‚ã€æœ¬æ›¸ã«ã¯ãƒ–ãƒã‚°ã‚„SNSãªã©èªè¨¼ãŒå¿…è¦ãªã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚‚ç™»å ´ã™ã‚‹ã€‚æœ¬æ›¸ã§æŽ¡ç”¨ã—ã¦ã„ã‚‹èªè¨¼æ–¹å¼ã¯ã“ã†ã ã€‚ æºå¸¯é›»è©±ã®å€‹ä½“è˜åˆ¥ç•ªå·ã‚’ç”¨ã„ãŸã€ã„ã‚ã‚†ã‚‹ã€Œã‹ã‚“ãŸã‚“ãƒã‚°ã‚¤ãƒ³ã€ã®ã¿ã‚’ä½¿ã† èªè¨¼çŠ¶æ…‹ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†æ©Ÿæ§‹ã§ç¶æŒã—ãªã„ã€‚å…¨ã¦ã®ãƒšãƒ¼ã‚¸ã§æ¯Žå›žèªè¨¼ã™ã‚‹ ãã®ãŸã‚ã€ã€Œiãƒ¢ãƒ¼ãƒ‰IDã€ãªã©ã€ãƒ¦ãƒ¼ã‚¶ã«ç¢ºèªã›ãšã«è‡ªå‹•çš„ã«é€ä¿¡ã•ã‚Œã‚‹IDã‚’ç”¨ã„ã‚‹ ã¤ã¾ã‚Šã€å…¨ã¦
mumumu-tan 2009/07/14
mobile

security

php

tips
ãƒªãƒ³ã‚¯
1