[B! ie][security] wozozoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

wozozo id:wozozo

ieã¨securityã«é–¢ã™ã‚‹wozozoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (1)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

IEã§jsonã«ã‚„ã‚‰ã‚ŒãŸ - åã£ãŸè¨€èªžä¿¡è€…ã®åž‚ã‚Œæµã—
ã¾ã‚IEã§ã™ã‹ã‚‰ã€‚jsonã®ãƒ¬ã‚¹ãƒãƒ³ã‚¹ã§ã‚¿ã‚°ã‚’ã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ã—ã¦ãªã„ã¨IEã§XSSã§ãã¦ã—ã¾ã†ã¨ã„ã†è©±ã€‚ {test: "<html><script>alert(document.cookie)</script></html>"}ã“ã‚“ãªæ„Ÿã˜ã®ãƒ¬ã‚¹ãƒãƒ³ã‚¹ã‚’è¿”ã™ãƒšãƒ¼ã‚¸ã‚’IEã§èªã¾ã›ã‚‹ã€‚ test.py #!/usr/bin/env python from wsgiref.simple_server import make_server def app(environ, start_response): start_response("200 OK", [('Content-Type','text/plain')]) return ["{test: \"<html><script>alert(document.cookie)</script></html>\"}"] if __name__ == '
wozozo 2009/01/06
security

ie

json
ãƒªãƒ³ã‚¯
1

ãŠçŸ¥ã‚‰ã›

ã‚‚ã£ã¨èªã‚€

å…¬å¼Twitter

@hatebu
æœ€æ–°ã®äººæ°—ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã®é…ä¿¡

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

jæ¬¡ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

kå‰ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

lã‚ã¨ã§èªã‚€

eã‚³ãƒ¡ãƒ³ãƒˆä¸€è¦§ã‚’é–‹ã

oãƒšãƒ¼ã‚¸ã‚’é–‹ã

è¨å®šã‚’å¤‰æ›´ã—ã¾ã—ãŸx

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (1)

ieã¨securityã«é–¢ã™ã‚‹wozozoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (1)

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬2é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (1)

ieã¨securityã«é–¢ã™ã‚‹wozozoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (1)

IEã§jsonã«ã‚„ã‚‰ã‚ŒãŸ - åã£ãŸè¨€èªžä¿¡è€…ã®åž‚ã‚Œæµã—

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬2é€±ï¼‰

å…¬å¼Twitter

ã‚­ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (1)

ieã¨securityã«é–¢ã™ã‚‹wozozoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (1)

IEã§jsonã«ã‚„ã‚‰ã‚ŒãŸ - åã£ãŸè¨€èªžä¿¡è€…ã®åž‚ã‚Œæµã—

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬4é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬3é€±ï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2025å¹´3æœˆç¬¬2é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹