[B! xss][teracc] ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ockeghem id:ockeghem

xssã¨teraccã«é–¢ã™ã‚‹ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

IE8ã®XSSãƒ•ã‚£ãƒ«ã‚¿ãŒè£ç›®ã«å‡ºã‚‹ä¾‹ - 2009-06-22 - T.Teradaã®æ—¥è¨˜
IE8ã®XSSãƒ•ã‚£ãƒ«ã‚¿ã¯ã€Webã‚¢ãƒ—ãƒªã«XSSè„†å¼±æ€§ãŒã‚ã£ãŸã¨ã—ã¦ã‚‚ã€ãã‚ŒãŒç™ºå‹•ã™ã‚‹å¯èƒ½æ€§ã‚’æ¸›ã‚‰ã—ã¦ãã‚Œã‚‹ã‚‚ã®ã§ã™ã€‚ ã—ã‹ã—ã€ãã®XSSãƒ•ã‚£ãƒ«ã‚¿ãŒè£ç›®ã«å‡ºã‚‹ã‚ˆã†ãªã“ã¨ã‚‚ã‚ã‚Šã¾ã™ã€‚ ä¾‹ãˆã°ã€ä»¥ä¸‹ã®ã‚ˆã†ãªé™çš„ãªHTMLãƒ•ã‚¡ã‚¤ãƒ«ï¼ˆtest.htmlï¼‰ã‚’ä½œã£ã¦Webã‚µãƒ¼ãƒã«ãŠãã¾ã™ã€‚ <h3>ie8 test</h3>  <script> var u=document.URL; </script>  <script> u=u.replace(/&/g,'&').replace(/</g,'<'); </script>  <script> document.write('URL:'+u); </script> ä¸Šã®ãƒšãƒ¼ã‚¸ã¯é™çš„ãªãƒšãƒ¼ã‚¸ã§ã€DOM Based XSSã®è„†å¼±æ€§ã‚‚ã‚ã‚Šã¾ã›ã‚“ã€‚ã§ã™ãŒã€è¢«å®³è€…ã®ãƒ¦ãƒ¼ã‚¶ãŒIE8ã‚’ä½¿ã£ã¦ã„ã‚‹
ockeghem 2009/06/22
security

xss

IE

teracc
ãƒªãƒ³ã‚¯
JavaScript Hijack/JSON Hijackã®ãœã„å¼±æ€§
ä»Šå›žã§ï¼Œratproxyã§æ¤œå‡ºã§ãã‚‹ç‰¹å¾´çš„ãªãœã„å¼±æ€§ã®è§£èª¬ã¯çµ‚ã‚ã‚Šã§ã™ã€‚æœ€çµ‚å›žã¨ãªã‚‹ä»Šå›žã¯ï¼ŒJavaScript Hijackã«ã¤ã„ã¦ã§ã™ã€‚JavaScript Hijackï¼Œãã—ã¦JSON Hijackã¯ï¼ŒJavaScriptãƒ•ã‚¡ã‚¤ãƒ«ã‚„JSONãƒ‡ãƒ¼ã‚¿å†…ã«å«ã¾ã‚Œã‚‹æƒ…å ±ã‚’ç›—ã‚€æ”»æ’ƒã§ã™ã€‚ratproxyã¯ï¼Œã“ã®æ”»æ’ƒã‚’æˆç«‹ã•ã›ã¦ã—ã¾ã†ãœã„å¼±æ€§ã‚’è¦‹ä»˜ã‘ã‚„ã™ããªã£ã¦ã„ã¾ã™ã€‚ JavaScript Hijack ã¾ãšæœ€åˆã«JavaScript Hijackã«ã¤ã„ã¦èª¬æ˜Žã—ã¾ã—ã‚‡ã†ã€‚JavaScript Hijackæ”»æ’ƒã«ãœã„å¼±ã«ãªã‚‹ã®ã¯ï¼Œå€‹äººæƒ…å ±ãªã©ã®æ©Ÿå¯†æƒ…å ±ã‚’å†…å®¹ã¨ã—ã¦å«ã‚€JavaScriptãƒ•ã‚¡ã‚¤ãƒ«ã‚’å‹•çš„ã«ç”Ÿæˆã—ã¦ã„ã‚‹ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã§ã™ã€‚ç†è€…ãŒéŽåŽ»ã®æ¤œæŸ»ã§å®Ÿéš›ã«è¦‹ãŸã‚±ãƒ¼ã‚¹ã«ã¯ï¼Œä»¥ä¸‹ã®ã‚ˆã†ãªã‚‚ã®ãŒã‚ã‚Šã¾ã—ãŸã€‚ ï¼ˆindex.htmlã®ä¸€éƒ¨ï¼‰ <script src="greeting.cgi"></
ockeghem 2008/09/12
security

google

xss

javascript

json

teracc
ãƒªãƒ³ã‚¯
JavaScriptã‚¹ã‚¯ãƒªãƒ—ãƒˆã«æ½œã‚€XSSã®ãœã„å¼±æ€§ã‚‚æ¤œå‡º
ä»Šå›žã¯ï¼ŒratproxyãŒæ¤œå‡ºã™ã‚‹ç‰¹å¾´çš„ãªãœã„å¼±æ€§ã¨ã—ã¦ï¼ŒJavaScripté–¢æ•°ã«é–¢ã™ã‚‹ã‚‚ã®ã‚’ç´¹ä»‹ã—ã¾ã—ã‚‡ã†ã€‚DOMï¼ˆdocument object modelï¼‰ã®ä»•çµ„ã¿ã‚’ä½¿ã£ãŸã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆXSSï¼‰ã®ãœã„å¼±æ€§ï¼ˆDOM Based XSSï¼‰ã§ã™ã€‚ DOM Based XSSã¯ï¼ŒXSSã®ä¸ã§ã¯æ¯”è¼ƒçš„æ–°ã—ã„ã‚¿ã‚¤ãƒ—ã®ãœã„å¼±æ€§ã§ï¼Œæ¥ç•Œå›£ä½“ã®ã‚µã‚¤ãƒˆãªã©ã§ç´¹ä»‹ã•ã‚Œã¦ã„ã¾ã™ã€‚ã“ã“ã§ã¯è©³ç´°ãªèª¬æ˜Žã¯å‰²æ„›ã—ã¾ã™ãŒï¼Œç°¡å˜ã«è¨€ã†ã¨ï¼ŒWebã‚µãƒ¼ãƒãƒ¼ã‚’çµŒç”±ã•ã›ãšã«æ¨™çš„ãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒ–ãƒ©ã‚¦ã‚¶ä¸Šã§æ‚ªæ„ã‚ã‚‹ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’å®Ÿè¡Œã•ã›ã‚‰ã‚Œã‚‹ãœã„å¼±æ€§ã§ã™ã€‚ ãœã„å¼±æ€§ã®ã‚ã‚‹ç°¡å˜ãªã‚µãƒ³ãƒ—ãƒ«JavaScriptã‚³ãƒ¼ãƒ‰ã‚’ä»¥ä¸‹ã«ç¤ºã—ã¾ã™ã€‚ã“ã‚Œã¯ï¼Œã‹ã¤ã¦Bugzillaã§ç™ºè¦‹ã•ã‚ŒãŸãœã„å¼±æ€§ã§ã™ã€‚ ã“ã®ã‚³ãƒ¼ãƒ‰ã§ã¯ï¼ŒlocationãŒãã®ã¾ã¾ï¼ˆã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã•ã‚Œãšã«ï¼‰HTMLã«å‡ºåŠ›ã•ã‚Œã¦ã„ã¾ã™ã€‚ãã®ãŸã‚ï¼Œlocationã«ã€Œ<scrip
ockeghem 2008/09/11
security

teracc

xss

javascript
ãƒªãƒ³ã‚¯
[ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£]javascript://ã®XSS 00:17 - 2008-07-30 - T.Teradaã®æ—¥è¨˜
ã“ã‚“ãªå ´åˆã€æ™®é€šã¯javascriptã‚„dataã‚¹ã‚ãƒ¼ãƒ ãªã©ã‚’ä½¿ã£ã¦XSSã•ã›ã‚‹ã®ã§ã—ã‚‡ã†ã€‚ <a href="ã“ã“ã«HTMLã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã•ã‚Œã¦å…¥ã‚‹">link</a> ã—ã‹ã—ã€ã“ã®ã‚¢ãƒ—ãƒªã¯ã€Œjavascript://...ã€ã®ã‚ˆã†ã«ã€å…ˆé ã‹ã‚‰ã‚¢ãƒ«ãƒ•ã‚¡ãƒ™ãƒƒãƒˆæ•°æ–‡å—ãŒç¶šãã€ãã®ç›´å¾Œã«ã€Œ://ã€ãŒä»˜ã„ã¦ã„ã‚‹å€¤ä»¥å¤–ã¯ã€ã‚¨ãƒ©ãƒ¼ã§ã¯ã˜ã„ã¦ã—ã¾ã„ã¾ã™ã€‚ ã“ã®ã€Œ:ã€ã®ã‚ã¨ã®ã€Œ//ã€ãŒæ›²è€…ã§ã™ã€‚ dataã‚¹ã‚ãƒ¼ãƒžã‚’è©¦ã—ã¦ã¿ã¾ã—ãŸãŒã€ã€Œ//ã€ãŒã‚ã‚‹ã¨ã©ã†ã‚„ã‚‰ãƒ€ãƒ¡ã‚‰ã—ã„ã¨ã„ã†ã“ã¨ã§ã€javascriptã‚¹ã‚ãƒ¼ãƒ ã§é ‘å¼µã£ã¦ã¿ã¾ã™ã€‚ ã¾ãšã¯ã“ã‚“ãªæ„Ÿã˜ã§ã™ã€‚ <a href="javascript://hoge[0x0A]alert(111)">link</a> ã€Œ//ã€ãŒè¡Œã‚³ãƒ¡ãƒ³ãƒˆã®é–‹å§‹ã«ãªã‚‹ãŸã‚ã€[0x0A]ï¼ˆLFï¼‰ã‚„[0x0D][0x0A]ï¼ˆCRLFï¼‰ã‚’å…¥ã‚Œã¦ã¿ã¦ã€ãã®å¾Œã«å‹•ã‹ã—ãŸã„JavaScriptã‚³ãƒ¼ãƒ‰ã‚’
ockeghem 2008/07/31
security

xss

unicode

utf-8

teracc
ãƒªãƒ³ã‚¯
å…¥åŠ›å€¤æ¤œè¨¼ã®è©± - T.Teradaã®æ—¥è¨˜ - 2007-09-08
Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å¯¾ç–ã¨ã—ã¦ã®å…¥åŠ›å€¤æ¤œè¨¼ã«ã¤ã„ã¦è°è«–ã•ã‚Œã¦ã„ã¾ã™ã€‚ ãã‚ãã‚å…¥åŠ›å€¤æ¤œè¨¼ã«é–¢ã—ã¦ä¸€è¨€ã„ã£ã¨ãã‹: Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³è„†å¼±æ€§å¯¾ç–ã¨ã—ã¦ã®å…¥åŠ›å€¤æ¤œè¨¼ã«ã¤ã„ã¦ - å¾³ä¸¸æµ©ã®æ—¥è¨˜(2007-09-05) æ€ã£ãŸã“ã¨ã‚’ã„ãã¤ã‹æ›¸ãã¾ã™ã€‚ å¾³ä¸¸ã•ã‚“ã®æ—¥è¨˜ã¯ã€ãƒ¦ãƒ¼ã‚¶ãŒãƒ†ã‚ã‚¹ãƒˆãƒœãƒƒã‚¯ã‚¹ãªã©ã§è‡ªç”±ã«å€¤ã‚’å…¥åŠ›ã§ãã‚‹ä½æ‰€ãªã©ã®ãƒ‡ãƒ¼ã‚¿ã‚’ä¸»ã«å¯¾è±¡ã¨ã—ãŸã‚‚ã®ã ã¨æ€ã†ã€‚ ãŸã ã€ãƒ¦ãƒ¼ã‚¶ã®è‡ªç”±ãªå…¥åŠ›ã‚’èµ·æºã¨ã—ãªã„ãƒ‡ãƒ¼ã‚¿ã‚‚å˜åœ¨ã™ã‚‹ï¼ˆã“ã“ã§ã¯ã€Œã‚·ã‚¹ãƒ†ãƒ èµ·æºã®ãƒ‡ãƒ¼ã‚¿ã€ã¨å‘¼ã¶ï¼‰ã€‚ hiddenã€ãƒªãƒ³ã‚¯URLã«åŸ‹ã‚è¾¼ã¾ã‚Œã¦ã„ã‚‹GETãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã€Cookieãªã©ã«ã¯ã€ã“ã®æ‰‹ã®ãƒ‡ãƒ¼ã‚¿ãŒå…¥ã‚‹ã“ã¨ãŒå¤šã„ã€‚ ã‚·ã‚¹ãƒ†ãƒ èµ·æºã®ãƒ‡ãƒ¼ã‚¿ã®å¤šãã¯ã€ã‚ã‚‹åž‹ã«å¾“ã†ã“ã¨ãŒæœŸå¾…ã•ã‚Œã‚‹ã‚‚ã®ã§ã€åŽŸå‰‡çš„ã«å…¥åŠ›å€¤æ¤œè¨¼ã‚’ã™ã¹ãã‚‚ã®ï¼ˆBMPã®ã€Œãƒ”ã‚¯ã‚»ãƒ«ã‚ãŸã‚Šãƒ“ãƒƒãƒˆæ•°ã€ã¨åŒã˜ã‚ˆã†ãªæ„Ÿè¦šï¼‰ã€‚ ã‚·ã‚¹ãƒ†ãƒ èµ·æºã®ãƒ‡ãƒ¼ã‚¿ã‚‚ã€ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã•ãˆã™ã‚Œã°ã‚¤ãƒ³
ockeghem 2007/09/09
ã€Œã‚·ã‚¹ãƒ†ãƒ èµ·æºã®ãƒ‡ãƒ¼ã‚¿ã€ã‚’hiddenãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ãªã©æ ¼ç´ã™ã‚‹ã“ã¨ã®æ˜¯éžã«ã¤ã„ã¦ã¯ãã®ã†ã¡æ›¸ã

security

xss

sqlã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³

validation

å…¥åŠ›å€¤æ¤œè¨¼

teracc
ãƒªãƒ³ã‚¯
T.Teradaã®æ—¥è¨˜ HTML Purifierã‚’è©¦ã—ãŸ
Webãƒ¡ãƒ¼ãƒ«ã§ã¯ã€å—ä¿¡ã—ãŸHTMLãƒ¡ãƒ¼ãƒ«ã®ã‚¿ã‚°ã‚’æ®‹ã—ã¦ã€ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã‚µã‚¤ãƒ‰ã‚¹ã‚¯ãƒªãƒ—ãƒˆï¼ˆJavaScriptãªã©ï¼‰ã®ã¿ã‚’é™¤åŽ»ã™ã‚‹ã‚µãƒ‹ã‚¿ã‚¤ã‚ºå‡¦ç†ã‚’è¡Œãªã„ã¾ã™ã€‚ ã“ã®ã‚ˆã†ãªã‚¹ã‚¯ãƒªãƒ—ãƒˆé™¤åŽ»å‡¦ç†ã¯ã€Blogã€æŽ²ç¤ºæ¿ãªã©ã§ã‚‚è¡Œãªã‚ã‚Œã‚‹ã€æ¯”è¼ƒçš„ãƒãƒ”ãƒ¥ãƒ©ãƒ¼ãªã‚‚ã®ã§ã‚ã‚‹ãŸã‚ã€ãã‚Œç”¨ã®ãƒ©ã‚¤ãƒ–ãƒ©ãƒªãŒã„ãã¤ã‹å˜åœ¨ã—ã¾ã™*1ã€‚ HTML Purifierã‚‚ãã®ä¸€ã¤ã§ã™ã€‚PHP4/5ã§å‹•ä½œã—ã¾ã™ã€‚ãƒãƒ¼ã‚¸ãƒ§ãƒ³1.0.0ã®ãƒªãƒªãƒ¼ã‚¹ã¯2006å¹´9æœˆã§ã™ã‹ã‚‰ã€æ¯”è¼ƒçš„æ–°ã—ã„ã‚‚ã®ã§ã™ã€‚ç§ã¯æ˜¨å¹´æœ«ã«åˆã‚ã¦è§¦ã£ã¦ã¿ã¾ã—ãŸï¼ˆãƒãƒ¼ã‚¸ãƒ§ãƒ³1.3.2ã§ã™ï¼‰ã€‚ ã“ã‚Œã¾ã§ã®ã‚‚ã®ã¨æ¯”ã¹ã¦ã€éžå¸¸ã«ã‚ˆãå‡ºæ¥ã¦ã„ã‚‹ãªã¨æ€ã„ã¾ã—ãŸã®ã§ã€æ—¥è¨˜ã«æ›¸ã„ã¦ã¿ã¾ã™ã€‚ HTML Purifierã®æ¦‚è¦ ç‰¹å¾´ã¨ã—ã¦ã¯ã€ä»¥ä¸‹ãŒæŒ™ã’ã‚‰ã‚Œã‚‹ã¨æ€ã„ã¾ã™ã€‚ ãƒ¦ãƒ‹ã‚³ãƒ¼ãƒ‰å¯¾å¿œ UTF-8ã®HTMLã«å¯¾å¿œï¼ˆæ—¢å˜ã®ãƒ©ã‚¤ãƒ–ãƒ©ãƒªã®å¤šãã¯latin1ã‚’æš—é»™ã®å‰æã¨ã—ã¦ã„ã¾ã—ãŸï¼‰ã€‚EUC-JP
ockeghem 2007/06/30
php

security

xss

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

ãƒ©ã‚¤ãƒ–ãƒ©ãƒª

teracc
ãƒªãƒ³ã‚¯
1