Masato Kinugawa Security Blog: ユーザ入力を使ã£ãŸæ£è¦è¡¨ç¾ã‹ã‚‰ç”Ÿã˜ã‚‹DOM based XSS
ãŠä¹…ã—ã¶ã‚Šã§ã™ï¼†ã‚ã‘ã¾ã—ã¦ãŠã‚ã§ã¨ã†ã”ã–ã„ã¾ã™ã€‚昨年ã¯ãƒ–ãƒã‚°ã‚’書ã時間をã†ã¾ã作るã“ã¨ãŒã§ããšã€ã‚ã¾ã‚Šè¨˜äº‹ã‚’書ã‘ã¾ã›ã‚“ã§ã—ãŸã€‚今年ã¯ã§ãã‚‹ã ã‘月ã«1回程度何ã‹æ›¸ã„ã¦ã„ããŸã„ã¨æ€ã£ã¦ã„ã¾ã™ã€‚今年もよã‚ã—ããŠé¡˜ã„ã—ã¾ã™ï¼ ã•ã¦ã€ãƒ–ãƒã‚°ã‚’書ã‹ãªã‹ã£ãŸé–“ã«XSSã‹ã‚‰SQLインジェクションã¸èˆˆå‘³ãŒç§»ã£ãŸã€ãªã‚“ã¦ã“ã¨ã¯ã‚ã‚Šã¾ã›ã‚“ã§ã—ãŸã®ã§ã€ä»Šæ—¥ã‚‚ã„ã¤ã‚‚通り大好ããªXSSã®è©±ã‚’ã—ãŸã„ã¨æ€ã„ã¾ã™ï¼ 最近ã€æ£è¦è¡¨ç¾ã«ãƒ¦ãƒ¼ã‚¶å…¥åŠ›ã‚’使ã£ã¦ã„ã‚‹ã“ã¨ã«èµ·å› ã™ã‚‹DOM based XSSã«é€£ç¶šã—ã¦éé‡ã—ã¾ã—ãŸã€‚ã‚ã¾ã‚Šè¦‹æ…£ã‚Œã¦ã„ãªã„注æ„ãŒå¿…è¦ãªå•é¡Œã ã¨æ€ã†ã®ã§ã€ã“ã®è¨˜äº‹ã§ã¯ã€è¦‹ã¤ã‘ãŸã‚‚ã®2ã¤ãŒã©ã®ã‚ˆã†ã«ç”Ÿã˜ãŸã‹ã€ã¾ãŸã€å•é¡Œã‚’èµ·ã“ã•ãªã„ãŸã‚ã«ã©ã†ã™ã‚Œã°ã‚ˆã„ã‹ã‚’紹介ã—ã¾ã™ã€‚ ãã®ã†ã¡ã®1ã¤ã¯LINEã®Bug Bounty Programを通ã˜ã¦å ±å‘Šã—ãŸå•é¡Œã§ã™ã€‚ 賞金ã¨ã€"LINE SECURITY BUG BOUNTY"
WinRARã®è‡ªå·±è§£å‡ã‚¦ã‚¤ãƒ³ãƒ‰ã‚¦ã«è¡¨ç¤ºã™ã‚‹ãƒ†ã‚ストã®XSS – (n)
Tweet圧縮・解å‡ãƒ¦ãƒ¼ãƒ†ã‚£ãƒªãƒ†ã‚£ã€ŒWinRARã€ã®ã™ã¹ã¦ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã«XSSãŒã‚ã‚‹ã¨ã®ã“ã¨ãªã®ã§è©¦ã—ã¦ã¿ã¾ã—ãŸã€‚ 試ã—ãŸç’°å¢ƒã¯ Windows 8.1上ã«ã‚¤ãƒ³ã‚¹ãƒˆãƒ¼ãƒ«ã—㟠日本語版ã®æœ€æ–°ç‰ˆã§ã‚ã‚‹[5.01] 英語版ã®æœ€æ–°ç‰ˆã§ã‚ã‚‹[5.21] ã§ã™ã€‚ 以下ã¯å†ç¾ã®æ‰‹é †ã§ã™ã€‚ (日本語版ã€è‹±èªžç‰ˆã®ä½µè¨˜ã‚’ã—ã¦ã„ã¾ã™ã€‚) 1. é©å½“ãªãƒ•ã‚¡ã‚¤ãƒ«ã‚’å³ã‚¯ãƒªãƒƒã‚¯ã—ã¦[書庫ã«åœ§ç¸®][Add to archive]ã‚’é¸æŠžã€‚ 2. é–‹ã„ãŸã‚¦ã‚¤ãƒ³ãƒ‰ã‚¦ã§[自己解å‡æ›¸åº«ã‚’作æˆ][Create SFX archive]ã«ãƒã‚§ãƒƒã‚¯ 3. [高度][Advanced]タブを開ã[自己解å‡ã‚ªãƒ—ション][SFX options]をクリック 4. [テã‚ストã¨ã‚¢ã‚¤ã‚³ãƒ³][Text and icon]タブを開ã [自己解å‡ã‚¦ã‚¤ãƒ³ãƒ‰ã‚¦ã«è¡¨ç¤ºã™ã‚‹ãƒ†ã‚スト][Text to display in SFX windows]内ã«ä»»æ„ã®XS
Analysis on Internet Explorer's UXSS
Status: Fixed (as of Jan 13, 2016) Recently a Universal Cross-Site Scripting(UXSS) vulnerability (CVE-2015-0072) was disclosed on the Full Disclosure mailing list. This unpatched 0day vulnerability discovered by David Leo results in a full bypass of the Same-Origin Policy(SOP) on the latest version of Internet Explorer. This article will briefly explain the technical details behind the vulnerabili
1
リリースã€éšœå®³æƒ…å ±ãªã©ã®ã‚µãƒ¼ãƒ“スã®ãŠçŸ¥ã‚‰ã›
最新ã®äººæ°—エントリーã®é…ä¿¡
処ç†ã‚’実行ä¸ã§ã™
j次ã®ãƒ–ックマーク
kå‰ã®ãƒ–ックマーク
lã‚ã¨ã§èªã‚€
eコメント一覧を開ã
oページを開ã
Security Advisory: Stored XSS in Akismet WordPress Plugin
{{#tags}}- {{label}}
{{/tags}}