[B! XSS] restartrã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

restartr id:restartr

XSSã«é–¢ã™ã‚‹restartrã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (10)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

The 60+ Best Ecommerce Websites - Top Ecommerce Website Designs
restartr 2009/07/06
*é–‹ç™º

php

tips

security

xss

sanitize
ãƒªãƒ³ã‚¯
ã¨ãã¾ã‚‹ã²ã‚ã—ã®Session Fixationæ”»æ’ƒå…¥é–€ - ockeghem's blog
ã‚„ãã€ã¿ã‚“ãªï¼Œå…ƒæ°—ï¼Ÿã¨ãã¾ã‚‹ã²ã‚ã—ã§ã™ã€‚ä»Šæ—¥ã¯Session Fixationæ”»æ’ƒã®æ–¹æ³•ã‚’ã“ã£ãã‚Šæ•™ãˆã¡ã‚ƒã†ã‚ˆã€‚ ã„ã¤ã‚‚ã¯é˜²å¾¡å´ã§æ¼¢å—ã®åå‰ã§ã‚„ã£ã¦ã‚‹ã‚“ã ã‘ã©ï¼Œãã‚‡ã†ã¯æ”»æ’ƒå´ã¨ã„ã†ã“ã¨ã§ï¼Œåä¹—ã‚Šã‚‚ã²ã‚‰ãŒãªã«å¤‰ãˆãŸã‚“ã ã€‚ã ã£ã¦ã•ï¼Œä»Šåº¦ãƒ‡ãƒ–ã‚µãƒŸã§ã”ä¸€ç·’ã™ã‚‹ã¯ã›ãŒã‚ã‚ˆã†ã™ã‘ã•ã‚“ã¨ã‹ï¼Œã¯ã¾ã¡ã¡ã‚ƒã‚“ã¨ã‹ï¼Œã²ã‚‰ãŒãªã®äººãŸã¡ã®æ–¹ãŒæ ¼å¥½è‰¯ã•ãã†ã˜ã‚ƒãªã„ã‹ã€‚ ã§ã¯å§‹ã‚ã‚ˆã†ã€‚ ã“ã®ã‚¨ãƒ³ãƒˆãƒªã¯ã€http://blog.tokumaru.org/2009/01/introduction-to-session-fixation-attack.html ã«ç§»è»¢ã—ã¾ã—ãŸã€‚æã‚Œå…¥ã‚Šã¾ã™ãŒã€ç¶šãã¯ã€ãã¡ã‚‰ã‚’ã”è¦§ãã ã•ã„ã€‚
restartr 2009/02/02
*ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

cookie

xss
ãƒªãƒ³ã‚¯
PHPã§ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å¯¾ç–ã«ã¤ã„ã¦ã®ãƒ¡ãƒ¢ - Liner Note
restartr 2008/10/27
*é–‹ç™º

php

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

ã¾ã¨ã‚

xss

CSRF
ãƒªãƒ³ã‚¯
tralfamadore.com: Xsstc: Cross-site scripting through CSS
I've been doing a lot of reading on cross-domain scripting approaches. Generally speaking, the browser is sandboxed by the same-origin policy, and mashups that want to incorporate data from external sites, even if those sites are cooperating, need to provide server-side proxies. There are a couple of popular workarounds: (1) using the hash (#) portion of the URL, which can be read between frames,
restartr 2008/09/04
cssçµŒç”±ã§ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒˆå®Ÿè¡Œã§ãã‚‹Tipsã€‚ä½•ã§ã‚‚ã‚ã‚Šã ãªãã¨ã€‚

*é–‹ç™º

javascript

tips

xss

css
ãƒªãƒ³ã‚¯
Google Code Archive - Long-term storage for Google Code Project Hosting.
Code Archive Skip to content Google About Google Privacy Terms
restartr 2008/07/07
Googleã®è„†å¼±æ€§è¨ºæ–ãƒ„ãƒ¼ãƒ«ã€‚

*é–‹ç™º

xss

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

google

OSS
ãƒªãƒ³ã‚¯
XSS (Cross Site Scripting) Cheat Sheet
XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion By RSnake Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to
restartr 2008/04/10
XSSãƒã‚§ãƒƒã‚¯ã‚’è¡Œã†ãªã‚‰ã“ã‚Œã€‚

*é–‹ç™º

*ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

XSS

cheetsheet

ã¾ã¨ã‚
ãƒªãƒ³ã‚¯
ç¬¬8å›žã€€ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°å¯¾ç–ã®è½ã¨ã—ç©´ | gihyo.jp
ä»Šå›žã¯ç†Ÿç·´ã—ãŸWebã‚¢ãƒ—ãƒªé–‹ç™ºè€…ãªã‚‰å¸¸è˜ã®ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°å¯¾ç–ã®è½ã¨ã—ç©´ã‚’ç´¹ä»‹ã—ã¾ã™ã€‚ JavaScriptã‚’æŽ’é™¤ã—ã¦ã„ã‚‹ã¤ã‚‚ã‚Šã§æŽ’é™¤ã«å¤±æ•—ï¼Ÿï¼ æœ€è¿‘ã¯Sanitizeï¼ˆã‚µãƒ‹ã‚¿ã‚¤ã‚ºï¼‰ã¨ã„ã†è¨€è‘‰ã®ä»£ã‚ã‚Šã«Validationï¼ˆæ¤œè¨¼ï¼‰ã¨ã„ã†è¨€è‘‰ã‚’ã‚ˆãèžãã‚ˆã†ã«ãªã£ãŸã¨æ€ã„ã¾ã™ã€‚Sanitizeã®æ„å‘³ã‚’è¾žæ›¸ã§èª¿ã¹ã‚‹ã¨ã€Œæ±šã‚Œã¦ã„ã‚‹ç‰©ã‚’ãã‚Œã„ã«ã™ã‚‹ã“ã¨ã€ã¨ã•ã‚Œã¦ã„ã¾ã™ã€‚ã“ã®æ„å‘³ã®é€šã‚Šæ±šã‚ŒãŸå¤‰æ•°ã‚’ãã‚Œã„ã«ã—ã¦ä½¿ãˆã°å®‰å…¨ã«åˆ©ç”¨ã§ãã‚‹ã¨ã™ã‚‹è€ƒãˆæ–¹ã«åŸºã¥ãã®ãŒã‚µãƒ‹ã‚¿ã‚¤ã‚ºæ‰‹æ³•ã§ã™ã€‚å…¸åž‹çš„ãªä¾‹ã¯ã€ã€Œâ ãƒ†ã‚ã‚¹ãƒˆã‚’å‡ºåŠ›ã™ã‚‹å‰ã«"<"ã¨">"ã‚’å–ã‚Šé™¤ãã€æ–¹æ³•ãŒã‚ã‚Šã¾ã™ã€‚ ä¾‹1ã€€"<"ã¨">"ã‚’ereg_replaceã§å–ã‚Šé™¤ã $safe_text = ereg_replace($_GET['text'], '[<>]', ''); ã“ã®$safe_textã‚’ <a href="/script.php?t
restartr 2007/08/14
çµå±€ã€ã€Œã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã¯Webã‚µãƒ¼ãƒå´ã®ãƒ—ãƒã‚°ãƒ©ãƒ ã ã‘ã§ã¯å¯¾å‡¦ã§ãã¾ã›ã‚“ã€‚ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ï¼ã‚·ã‚¹ãƒ†ãƒ å…¨ä½“ã¨ã—ã¦å¯¾å‡¦ã—ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“ã€‚ã€ã¨ã„ã†ã‚ªãƒã€‚

*ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

XSS

PHP

javascript
ãƒªãƒ³ã‚¯
Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚’ä½œã‚‹å‰ã«çŸ¥ã‚‹ã¹ã10ã®è„†å¼±æ€§ â€• ï¼ IT
Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãŒæ”»æ’ƒè€…ã«ä»˜ã‘è¾¼ã¾ã‚Œã‚‹è„†å¼±æ€§ã®å¤šãã¯ã€è¨è¨ˆè€…ã‚„é–‹ç™ºè€…ã®ãƒ¬ãƒ™ãƒ«ã§æŽ’é™¤ã™ã‚‹ã“ã¨ãŒã§ãã¾ã™ã€‚å®Ÿè£…ã«å¿™ã—ã„æ–¹ã‚‚ã€æœ€è¿‘ã‚ˆãç‹™ã‚ã‚Œã‚‹è„†å¼±æ€§ã®ãƒˆãƒƒãƒ—10ã‚’çŸ¥ã‚‹ã“ã¨ã§æ‰‹ã£å–ã‚Šæ—©ãæ¦‚è¦ã‚’çŸ¥ã‚Šã€é–‹ç™ºã®éš›ã«ãã®å˜åœ¨ã‚’æ„è˜ã—ã¦ã‚»ã‚ãƒ¥ã‚¢ãªWebã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã«ã—ã¦ã„ãŸã ã‘ã‚Œã°å¹¸ã„ã§ã™ã€‚ Webã®ä¸–ç•Œã‚’è„…ã‹ã™è„†å¼±æ€§ã‚’é †ä½ä»˜ã‘ OWASPï¼ˆOpen Web Application Security Projectï¼‰ã¯ã€ä¸»ã«Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å‘ä¸Šã‚’ç›®çš„ã¨ã—ãŸã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ã§ã€ãã“ã§ã®èª¿æŸ»ã‚„é–‹ç™ºã®æˆæžœç‰©ã‚’èª°ã§ã‚‚åˆ©ç”¨ã§ãã‚‹ã‚ˆã†ã«å…¬é–‹ã—ã¦ã„ã¾ã™ã€‚ ãã®ä¸ã®ã€ŒOWASP Top Ten Projectã€ã¨ã„ã†ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã§ã¯ã€å¹´ã«1å›žWebã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®è„†å¼±æ€§ãƒˆãƒƒãƒ—10ã‚’æŽ²è¼‰ã—ã¦ã„ã¾ã™ã€‚2004å¹´ç‰ˆã¯æ—¥æœ¬èªžã‚’å«ã‚€å„å›½èªžç‰ˆãŒæä¾›ã•ã‚Œã¦ã„ã¾ã™ãŒã€2007å¹´ç‰ˆã¯ç¾åœ¨ã®ã¨ã“ã‚è‹±èªžç‰ˆã®ã¿ãŒæä¾›ã•
restartr 2007/06/18
web

*ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

CSRF

SQL

XSS
ãƒªãƒ³ã‚¯
ï¼»CRYPTO-GRAMæ—¥æœ¬èªžç‰ˆï¼½JavaScriptãƒã‚¤ã‚¸ãƒ£ãƒƒã‚ãƒ³ã‚°
JavaScriptãƒã‚¤ã‚¸ãƒ£ãƒƒã‚ãƒ³ã‚°ã¯ï¼ŒAjaxã‚¹ã‚¿ã‚¤ãƒ«ã®Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚’ç‹™ã†æ–°æ‰‹ã®ç›—è´æ”»æ’ƒã§ã‚ã‚‹ã€‚Ajaxã‚³ãƒ¼ãƒ‰ã«çš„ã‚’çµžã£ãŸåˆã‚ã¦ã®æ”»æ’ƒã¨æ–è¨€ã—ã¦ã‚‚ã„ã„ã ã‚ã†ã€‚ã“ã®æ”»æ’ƒãŒå¯èƒ½ãªã®ã¯ï¼ŒWebãƒ–ãƒ©ã‚¦ã‚¶ãŒHTMLã»ã©ã«ã¯JavaScriptã‚’ä¿è·ã—ãªã„ã‹ã‚‰ã ã€‚Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãŒJavaScriptã«ã‚ˆã‚‹ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã§æ©Ÿå¯†ãƒ‡ãƒ¼ã‚¿ã‚’é€ä¿¡ã™ã‚‹ã¨ï¼Œå ´åˆã«ã‚ˆã£ã¦ã¯ã“ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ãŒæ”»æ’ƒè€…ã«èªã¿å–ã‚‰ã‚Œã¦ã—ã¾ã†ã€‚ äººæ°—ã®é«˜ã„Ajaxãƒ—ãƒã‚°ãƒ©ãƒŸãƒ³ã‚°ãƒ»ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã®å¤šãã¯ï¼ŒJavaScriptãƒã‚¤ã‚¸ãƒ£ãƒƒã‚ãƒ³ã‚°ã‚’é˜²ãæ‰‹ç«‹ã¦ã‚’æŒãŸãªã„ã€‚å®Ÿéš›ã®ã¨ã“ã‚ï¼Œã†ã¾ãæ©Ÿèƒ½ã•ã›ã‚‹ã“ã¨ã‚’å„ªå…ˆã—ã¦ï¼Œãœã„å¼±æ€§ã‚’æŠ±ãˆãŸWebã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚’æ§‹ç¯‰ã™ã‚‹ã‚ˆã†ã«ãƒ—ãƒã‚°ãƒ©ãƒžã«â€œè¦æ±‚â€ã—ã¦ã„ã‚‹ã‚‚ã®ã‚‚ã‚ã‚‹ã®ã ã€‚ ä¼¼ãŸã‚ˆã†ãªå¤šãã®ãœã„å¼±æ€§ã¨åŒã˜ãï¼Œã“ã®æ‰‹ã®æ”»æ’ƒã¯å®¹æ˜“ã«é˜²ã’ã‚‹ã€‚å¤§æŠµã¯ï¼Œã‚ãšã‹æ•°è¡Œã®ã‚³ãƒ¼ãƒ‰ã‚’åŠ ãˆã‚‹ã ã‘ã§æ¸ˆã‚€ã€‚ã¾ãŸï¼Œã‚½ãƒ•ãƒˆã‚¦ã‚¨ã‚¢
restartr 2007/05/21
Ajax

javascript

é–‹ç™º

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

XSS
ãƒªãƒ³ã‚¯
XSS - è¡¨ç¤ºç³»ãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã«å˜åœ¨ã™ã‚‹ç›²ç‚¹ :: ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼
ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼ ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã®æ™‚é–“ã§ã™ï¼ XSSã¨ã„ã†ã¨â€¦ï¼ ã¾ã£ã•ãã«æ€ã„ã¤ãã®ãŒã€å…¥åŠ›ãƒ‡ãƒ¼ã‚¿é€ä¿¡ â†’ ç¢ºèªè¡¨ç¤ºã®éƒ¨åˆ†ã§ã®ç„¡å®³åŒ–æ¼ã‚Œã§ã™ã‚ˆãï¼ ãŸã¨ãˆã°ã“ã‚“ãªæ„Ÿã˜ã®ãƒ•ã‚©ãƒ¼ãƒ ã‹ã‚‰å—ã‘å–ã£ãŸãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã‚’ã€ ç¢ºèªã¨ã—ã¦è¡¨ç¤ºã™ã‚‹ãƒšãƒ¼ã‚¸ã¨ã‹ï¼ (å…¥åŠ›) <form action="register.cgi" method="post"> ã‚¿ã‚¤ãƒˆãƒ«ï¼š<input type="text" name="title"> â† ã€Œã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼ã€ã‚’å…¥åŠ› æœ¬æ–‡ï¼š<input type="text" name="body"> â† ã€Œã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert(1)</script>ã€ã‚’å…¥åŠ› </form> (ç¢ºèª) <p>ã“ã®å†…å®¹ã§ç™»éŒ²ã—ã¦ã„ã„ï¼Ÿ</p> <p> ã‚¿ã‚¤ãƒˆãƒ«ï¼š ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼<br> æœ¬æ–‡ï¼š ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert
restartr 2007/05/14
ãƒ•ã‚©ãƒ¼ãƒ ã ã‘ã§ãªãã€GETã®ãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã‚‚å±ãªã„ã‚ˆã€‚

ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£

é–‹ç™º

XSS
ãƒªãƒ³ã‚¯
1