[B! xss] jazzanovaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

jazzanova id:jazzanova

xssã«é–¢ã™ã‚‹jazzanovaã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (27)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

æ˜Žæ—¥ã‹ã‚‰ä½¿ãˆã‚‹?! PATHã§XSSã™ã‚‹æŠ€è¡“/ Shibuya.XSS techtalk #7
Shibuya.XSS techtalk #7 ã®è³‡æ–™ã§ã™ã€‚
jazzanova 2016/03/29
xss
ãƒªãƒ³ã‚¯
XSSã¨ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒªã‚¹ã‚¯ã¨æ£ã—ã„è„†å¼±æ€§å ±å‘Šã®ã‚ã‚Šæ–¹ - æœ€é€Ÿè»¢è·ç ”ç©¶ä¼š
é©å½“ XSSãŒã‚ã‚‹=ãªã‚“ã§ã‚‚ã‚„ã‚Šæ”¾é¡Œã§ã¯ãªã„ ãƒ–ãƒã‚°ã‚µãƒ¼ãƒ“ã‚¹ãªã©è‡ªç”±ã«HTMLã‚’ã‹ã‘ã‚‹ã‚ˆã†ãªã‚µãƒ¼ãƒ“ã‚¹ã§ã¯ã€å®³ãŒåŠã°ãªã„ã‚ˆã†ã«è¡¨ç¤ºã‚’ä¸¸ã”ã¨åˆ¥ã®ãƒ‰ãƒ¡ã‚¤ãƒ³ã«åˆ†ã‘ã¦ã„ãŸã‚Šã€ã‚ã‚‹ã„ã¯åˆ¥ãƒ‰ãƒ¡ã‚¤ãƒ³ã®IFRAMEå†…ã§å®Ÿè¡Œã—ãŸã‚Šã—ã¦ã„ã‚‹ã®ãŒæ™®é€šã§ã™ã€‚å€‹äººæƒ…å ±ã‚’é ã‹ã£ã¦ã‚‹ã‚µã‚¤ãƒˆã¯ã€é‡è¦å€‹äººæƒ…å ±ã«ã¤ã„ã¦ã¯HTTPSã˜ã‚ƒãªã„ã¨å‚ç…§ã§ããªã‹ã£ãŸã‚Šã€ãã‚‚ãã‚‚è¡¨ç¤ºã—ãªã‹ã£ãŸã‚Š(ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚„ã‚«ãƒ¼ãƒ‰ç•ªå·ç‰)ã€æ±ºæ¸ˆç”¨ã®ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã‚„æš—è¨¼ç•ªå·ã‚’å…¥ã‚Œãªã„ã¨æ“ä½œã§ããªã‹ã£ãŸã‚Šã™ã‚‹ã€‚ å‚è€ƒã¾ã§ã« http://blog.bulknews.net/mt/archives/001274.html (2004å¹´ã®ã‚¢ãƒ¡ãƒ–ãƒè„†å¼±æ€§ã®è©±) http://d.hatena.ne.jp/yamaz/20090114 (ä¿¡é ¼ã§ããªã„ãƒ‡ãƒ¼ã‚¿ã‚’å–ã‚Šæ‰±ã†ãƒ‰ãƒ¡ã‚¤ãƒ³ã‚’åˆ†ã‘ã‚‹è©±) ç®¡ç†ç”¨ã¨åˆ¥ãƒ‰ãƒ¡ã‚¤ãƒ³ã«åˆ†ã‘ãŸã«ã‚‚é–¢ã‚ã‚‰ãšã€scriptå®Ÿè¡Œã§ãã‚‹ã“ã¨ã«å¯¾ã—ã¦DISã‚‰ã‚Œ
jazzanova 2010/02/23
xss

security
ãƒªãƒ³ã‚¯
TechCrunch | Startup and Technology News
Tech sovereignty has become a looming priority for a number of nations these days, and now, with the demand for compute power at its highest level yet, a startup workingâ€¦ Itâ€™s not the sexiest of subject matters, but someone needs to talk about it: The CFO tech stack â€” software used by the chief financial officers of the world â€” is ripe for disruption. Thatâ€™s according to Jonathan Sanders, CEO and
jazzanova 2009/09/07
rails

xss

security

twitter
ãƒªãƒ³ã‚¯
Twitter is 10
I bet 10 years ago none of us thought that 140 charactersÂ would change the landscape of Social Media quite so much. However,Â with close to 289,000,000 active users sending aroundÂ 6,000 tweets every second Twitter has provenÂ itsÂ critics wrong. Obviously, Â having gotten over the fact that 10 years of Twitter makes us all feel very old, we had to do something to mark this special day and we have had
jazzanova 2009/08/26
twitter

xss
ãƒªãƒ³ã‚¯
mixiæ—¥è¨˜ã«ã€Œ&amp;ã€ã£ã¦æ›¸ã“ã†ã¨æ€ã£ãŸã‚‰å¤§å¤‰ã
å‹äººã® mixi æ—¥è¨˜ã«ã‚³ãƒ¡ãƒ³ãƒˆã‚’ã¤ã‘ã¦ ãã®å¾Œã©ã†ã‚‚è©±ãŒã‹ã¿ã‚ã‚ãªã„ãªã€ã¨æ€ã£ãŸã‚‰ mixi æ—¥è¨˜ã®è¨˜äº‹ã‚„ã‚³ãƒ¡ãƒ³ãƒˆã§ã¯æ–‡å—å‚ç…§ãŒä½¿ãˆã‚‹ã‚“ã§ã™ãã€‚ ä½•ã‚‚è€ƒãˆãšã«å…¥åŠ›ã—ãŸã‹ã‚‰æ™®é€šã«å¤‰æ›ã•ã‚Œã¦ã—ã¾ã£ã¦ãŸã€‚ æ–‡å—å‚ç…§ã¨ã„ã†ã®ã¯ã€ ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‹ã‚‰ã¯ç›´æŽ¥å…¥åŠ›ã§ããªã‹ã£ãŸã‚Š å®Ÿã¯ã§ãã‚‹ã‘ã©æ™®é€šã¯çŸ¥ã‚‰ãªã‹ã£ãŸã‚Šã™ã‚‹ã‚ˆã†ãªæ–‡å—ã‚„ HTML ã®ç‰¹æ€§ã®éƒ½åˆã§ãã®ã¾ã¾æ›¸ã„ã¦ã¯ãƒžã‚ºã„æ–‡å—ã‚’ åˆ¥ã®æ–¹æ³•ã§å‚ç…§ã™ã‚‹ãŸã‚ã®ã‚‚ã®ã§ã™ãã€‚ å‰è€…ã¯ä¾‹ãˆã°ã€ŒÂ¾ã€ã¨ã‹ã€ŒÂ«ã€ã¨ã‹ã€‚ ã€ŒÂ¾ã€ã¯ã€Œ¾ã€ã¾ãŸã¯ã€Œ&fraq34;ã€ ã€ŒÂ«ã€ã¯ã€Œ«ã€ã¾ãŸã¯ã€Œ«ã€ ã¨ HTML å†…ã«æ›¸ã‘ã°ãƒ–ãƒ©ã‚¦ã‚¶ã«ã¯ç›®çš„ã®æ–‡å—ãŒè¡¨ç¤ºã•ã‚Œã¾ã™ãã€‚ å¾Œè€…ã§ã‚ˆãä½¿ã†ã®ã¯ãŸã¨ãˆã°ã€Œ<ã€ã‚„ã€Œ>ã€ã§ã€ ã“ã‚Œã¯ãã®ã¾ã¾è¨˜è¿°ã—ã¦ã—ã¾ã†ã¨ HTML ã‚¿ã‚°ã®é–‹å§‹ã‚„çµ‚äº†ã¨è§£é‡ˆã•ã‚Œã¦ã—ã¾ã†ã‹ã‚‰ ä»£ã‚ã‚Šã«ã€Œ<ã€ã‚„ã€Œ>ã€ã¨æ›¸ãã¾ã™ãã€‚ ã˜ã‚ƒã‚ã€Œ<
jazzanova 2009/06/15
mixi

xss
ãƒªãƒ³ã‚¯
mixiã®ã¿ã‚‡ã†ãªXSSå¯¾ç– - ikepyonã®ã ã‚äººé–“æ—¥è¨˜
http://www.msng.info/archives/2009/06/caracter_reference_on_mixi_diary.php ã¨è¨€ã†ã®ã‚’è¦‹ã¦ã€ç¢ºèªã—ã¦ã¿ãŸã€‚ mixiã§ã¯ã€ã‚³ãƒ¡ãƒ³ãƒˆã‚„æ—¥è¨˜ã®æœ¬æ–‡ã‚’ç¢ºèªã™ã‚‹ç”»é¢ãŒå‡ºã¦ãã‚‹ãŒã€å®Ÿéš›ã«æ›¸ãè¾¼ã¿ã™ã‚‹ãŸã‚ã«ã€hiddenãƒ•ã‚£ãƒ¼ãƒ«ãƒ‰ã§ãƒ‡ãƒ¼ã‚¿ã®ã‚„ã‚Šå–ã‚Šã‚’ã‚„ã£ã¦ã„ã‚‹ã€‚ã“ã‚Œã¯ã‚µãƒ¼ãƒã®è² è·ç‰ã‚’è€ƒãˆã¦ã®ã“ã¨ã ã‚ã†ã¨æ€ã‚ã‚Œã‚‹ã€‚ ã¨ã„ã†ã“ã¨ã§ã€ã‚³ãƒ¡ãƒ³ãƒˆã‚„æ—¥è¨˜ã®æœ¬æ–‡ã«ã€Œ&"><&ã€ã‚’å…¥ã‚Œã¦ã¿ãŸã€‚ ãã†ã™ã‚‹ã¨ã€ç¢ºèªç”»é¢ã§ã¯ä»¥ä¸‹ã®ã‚ˆã†ãªãƒ¬ã‚¹ãƒãƒ³ã‚¹ãŒå¾—ã‚‰ã‚Œã‚‹ã€‚ <p>&"><&</p> : <input type="hidden" name="comment_body" value="&"><&" />è¡¨ç¤ºéƒ¨åˆ†ã§ã¯ã€ã€Œ&ã€->ã€Œ&ã€ã€ã€Œ"ã€->ã€Œ"ã€ã€ã€Œ<ã€->ã€Œ<ã€ã€ã€Œ>ã€->ã€Œ>ã€ã¨å¤‰æ›ã—ã¦
jazzanova 2009/06/15
mixi

xss
ãƒªãƒ³ã‚¯
ç‹™ã‚ã‚ŒãŸâ€œã¤ã¶ã‚„ãâ€â€•â€•Twitterã«ä»•æŽ›ã‘ã‚‰ã‚ŒãŸãƒ¯ãƒŠ
Twitterã®ã¤ã¶ã‚„ããŒç‹™ã‚ã‚ŒãŸã€‚ã—ã‹ã—ã€ã“ã‚Œã¯æ°·å±±ã®ä¸€è§’ã‹ã‚‚ã—ã‚Œãªã„ã€‚ãã‚Œã ã‘æ‹¡å¤§ã—ãŸTwitterã¯ã€ã“ã‚Œã‹ã‚‰ã©ã®ã‚ˆã†ãªæ–¹å‘ã«é€²ã‚“ã§ã„ãã®ã ã‚ã†ã‹ã€‚ 2008å¹´4æœˆ23æ—¥ã«æ—¥æœ¬ç‰ˆã‚µãƒ¼ãƒ“ã‚¹ãŒé–‹å§‹ã•ã‚Œã¦ã€ã¾ã‚‚ãªã1å‘¨å¹´ã‚’è¿Žãˆã‚‹ãƒŸãƒ‹ãƒ–ãƒã‚°ã‚µãƒ¼ãƒ“ã‚¹ã€ŒTwitterã€ã€‚ç±³comScoreã®èª¿æŸ»ã«ã‚ˆã‚Œã°ã€å…¨ä¸–ç•Œã®Twitterã®ãƒˆãƒ©ãƒ•ã‚£ãƒƒã‚¯ã¯ã“ã“æ•°ã‚«æœˆã§æ€¥å¢—ã—ã€2æœˆã«ã¯ä¼¸ã³çŽ‡ãŒ700ï¼…ã‚’è¶…ãˆãŸã¨ã„ã†ã€‚ã—ã‹ã‚‚ã€çˆ†ç™ºçš„ãªæˆé•·ã®èƒŒæ™¯ã«ã¯ã€å¾“æ¥ã®ä¸»ãªãƒ¦ãƒ¼ã‚¶ãƒ¼å±¤ã§ã‚ã‚‹18ï½ž24æ³ã‚ˆã‚Šã‚‚ã€20ä»£å¾ŒåŠï½ž50ä»£ã®ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒæ€¥å¢—ã—ã¦ã„ã‚‹ã“ã¨ã‚‚ã‚ã‚‹ã‚ˆã†ã ã€‚ ãã—ã¦ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼ãŒå¢—ãˆã‚‹ã¨ã¨ã‚‚ã«ã€ã•ã¾ã–ã¾ãªçŠ¯ç½ªã®æ¨™çš„ã«ã‚‚ãªã£ã¦ãã¦ã„ã‚‹ã€‚ã“ã®ã“ã¨ã¯ã€ä»¥å‰ã‚‚ä¼ãˆãŸé€šã‚Šã ãŒã€ãã®æ™‚ã¯æƒ³åƒã—å¾—ãªã„ã»ã©ã®æ€¥å¢—ã¶ã‚Šãªã®ã ã€‚ ãƒªãƒ³ã‚¯ã‚’ã‚€ã‚„ã¿ã«ã‚¯ãƒªãƒƒã‚¯ã—ã¦ã¯ã„ã‘ãªã„ï¼Ÿ 4æœˆ12æ—¥ã€ç±³Twitterã¯XSSè„†å¼±æ€§ã‚’çªã„ãŸãƒ¯ãƒ¼ãƒ æ”»æ’ƒã‚’å—ã‘ãŸ
jazzanova 2009/04/20
twitter

xss

security
ãƒªãƒ³ã‚¯
How to prevent XSS attacks - amix blog
jazzanova 2009/04/16
xss
ãƒªãƒ³ã‚¯
Twitterã®XSSè„†å¼±æ€§ã‚’æ”»æ’ƒã™ã‚‹Mikeyyãƒ¯ãƒ¼ãƒ ã«æ„ŸæŸ“ã—ãŸ - F.Ko-Jiã®ã€Œä¸€ç§’å¾Œã¯æœªæ¥ã€
æ˜¨æ—¥Twitterã‚’ä½¿ã£ã¦ã„ãŸã‚‰ã€çªç„¶ã‚¿ã‚¤ãƒ ãƒ©ã‚¤ãƒ³ã®è‡ªåˆ†ã®ç™ºè¨€ã«ã€è¦šãˆã®ãªã„è‹±æ–‡ãŒæŠ•ç¨¿ã•ã‚Œã¦ã„ã‚‹ã®ã«æ°—ã¥ãã¾ã—ãŸã€‚ã¾ã•ã‹ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã§ã‚‚ç›—ã¾ã‚ŒãŸã®ã‹ã¨æ€ã„settingç”»é¢ã‚’è¦‹ã¦ã¿ã‚‹ã¨ã€ãƒ—ãƒãƒ•ã‚£ãƒ¼ãƒ«æ¬„ãŒã‹ãªã‚ŠãŠã‹ã—ãªã“ã¨ã«ãªã£ã¦ã„ã¾ã—ãŸã€‚ ã©ã†ã‚„ã‚‰Twitterã«XSSè„†å¼±æ€§ãŒå˜åœ¨ã—ã¦ã„ã¦ã€ãã®è„†å¼±æ€§ã‚’ã¤ã„ãŸã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒå®Ÿè¡Œã•ã‚Œã¦ã—ã¾ã£ãŸã‚ˆã†ãªã®ã§ã™ã€‚ ãã®æ”»æ’ƒã‚³ãƒ¼ãƒ‰ã®ä»•çµ„ã¿ã¯ã“ã‚“ãªæ„Ÿã˜ã§ã—ãŸã€‚ ãƒ—ãƒãƒ•ã‚£ãƒ¼ãƒ«ã®ã€ŒNameã€ã« script ã‚¿ã‚°ã‚’ document.write ã§æ›¸ãå‡ºã™ã‚³ãƒ¼ãƒ‰ã‚’è¨å®š ãã®ãƒ¦ãƒ¼ã‚¶ã®ãƒšãƒ¼ã‚¸ã‚’è¡¨ç¤ºã™ã‚‹ã¨ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒå®Ÿè¡Œã•ã‚Œã‚‹ å®Ÿè¡Œã•ã‚ŒãŸã‚¹ã‚¯ãƒªãƒ—ãƒˆã«ã‚ˆã£ã¦ã€å‹æ‰‹ã«ã¤ã¶ã‚„ããŒæŠ•ç¨¿ã•ã‚Œã‚‹ ã•ã‚‰ã«ãƒ—ãƒãƒ•ã‚£ãƒ¼ãƒ«ã®ã€ŒNameã€ã‚„ã€ŒURLã€ã‚„ã€ŒèƒŒæ™¯è‰²ã€ãªã©ãŒæ›¸ãæ›ãˆã‚‰ã‚Œã‚‹ ãã®ãƒ¦ãƒ¼ã‚¶ã®ãƒšãƒ¼ã‚¸ã‚’ä»–ã®ãƒ¦ãƒ¼ã‚¶ãŒè¦‹ã‚‹ã¨ã€ã•ã‚‰ã«æ„ŸæŸ“ ã©ã®ã‚ˆã†ãªã€Œåå‰ã€ãŒè¨å®šã•ã‚Œã¦ã„ãŸã‹ã‚’ãƒ¡ãƒ¢ã—å¿˜ã‚Œã¦ã„ãŸ
jazzanova 2009/04/15
twitter

xss
ãƒªãƒ³ã‚¯
Twitter XSS é¨’å‹• - Yaks
(2009/04/12 6ï¼š40 pm è¿½è¨˜ã—ã¾ã—ãŸ) (2009/04/12 7ï¼š24 pm å†åº¦è¿½è¨˜ã—ã¾ã—ãŸ) å…ˆã»ã©ã‹ã‚‰ Twitterä¸Šã«ã¦ XSS ã®ã‚ˆã‚‹è¢«å®³ãŒå‡ºã¦ã„ã¾ã™ã€‚ æ—¢ã«æµ·å¤–ã®ãƒ–ãƒã‚°ãªã©ã§ã‚‚å–ã‚Šä¸Šã’ã‚‰ã‚Œã¦ã„ã¾ã™ã€‚ HOWTO: Remove StalkDaily.com Auto-Tweets From Your Infected Twitter Profile (Twittercsm) Warning: Twitter Hit By StalkDaily Worm (TechCrunch) æ—¢ã« XSS ã®éƒ¨åˆ†ã¯æ”¹ä¿®ã•ã‚Œã¦å¤§åˆ†åŽã¾ã£ãŸã‚ˆã†ã§ã™ãŒã€å¿µã®ãŸã‚ã«æ›¸ã„ã¦ãŠãã¾ã™ã€‚ å†…å®¹ã¨ã—ã¦ã¯ã€ 1. StalkDaily.com ã‚’å®£ä¼ã™ã‚‹ã¤ã¶ã‚„ããŒå‹æ‰‹ã«æŠ•ç¨¿ã•ã‚Œã‚‹ 2. ãƒ—ãƒãƒ•ã‚£ãƒ¼ãƒ«ã® Web ãŒæ”¹ã–ã‚“ã•ã‚Œã‚‹ 3. æ”¹ã–ã‚“ã•ã‚ŒãŸãƒ¦ãƒ¼ã‚¶ãƒ¼ã®ãƒšãƒ¼ã‚¸ã‚’è¦‹ã‚‹ã¨ã€è‡ªåˆ†ã®ãƒ—ãƒãƒ•ã‚£ãƒ¼ãƒ«ã‚‚
jazzanova 2009/04/12
twitter

xss
ãƒªãƒ³ã‚¯
ä¸–é–“ã®èªè˜ã¨è„…å¨ãƒ¬ãƒ™ãƒ«ã®ã‚®ãƒ£ãƒƒãƒ—â€•â€•XSSã¯æœ¬å½“ã«å±ãªã„ã‹ï¼Ÿ
çš†ã•ã‚“ã“ã‚“ã«ã¡ã¯ã€å·å£ã§ã™ã€‚ã‚³ãƒ©ãƒ ã®ç¬¬6å›žã€ŒIPSã¯â€œé”æ³•ã®ç®±â€ã‹ã€ã§ã¾ã£ã¡ã‚ƒï¼‘ï¼“ï¼™ã§è¬›æ¼”ã‚’ã—ãŸãŠè©±ã‚’æ›¸ãã¾ã—ãŸãŒã€ä»Šåº¦ã¯é–¢æ±ã§ã‚„ã£ã¦ã„ã‚‹ã€Œã¾ã£ã¡ã‚ƒï¼”ï¼”ï¼•ã€ã«ãŠæ‹›ãã„ãŸã ãã€ãŠè©±ã—ã—ã¦ãã¾ã—ãŸã€‚ ã¾ã£ã¡ã‚ƒï¼”ï¼”ï¼•ã¯å‹Ÿé›†é–‹å§‹ã‹ã‚‰å®šå“¡ãŒåŸ‹ã¾ã‚‹ã¾ã§ãŒã¨ã¦ã‚‚é€Ÿãã€ä»Šã¾ã§å‚åŠ ã—ãŸã“ã¨ãŒãªã‹ã£ãŸã®ã§ã™ãŒã€ä»Šå›žã¯é‹è‰¯ãï¼ˆï¼Ÿï¼‰è¬›å¸«å´ã¨ã„ã†ã“ã¨ã§ã‚ãƒ£ãƒ³ã‚»ãƒ«å¾…ã¡ã«ãªã‚‰ãšã«å‚åŠ ã™ã‚‹ã“ã¨ãŒã§ãã¾ã—ãŸã€‚ãƒãƒƒã‚¯ã‚ªãƒ³ã®ç¦ç”°ã•ã‚“ãŒã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®ECã‚µã‚¤ãƒˆæ§‹ç¯‰ã‚·ã‚¹ãƒ†ãƒ ã€ŒEC-CUBEã€ã«è„†å¼±ï¼ˆãœã„ã˜ã‚ƒãï¼‰æ€§ãŒç™ºè¦‹ã•ã‚ŒãŸéš›ã®ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆãƒãƒ³ãƒ‰ãƒªãƒ³ã‚°ã®ãŠè©±ã‚’ã•ã‚Œã¦ã„ã¾ã—ãŸã€‚EC-CUBEã«SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã¨ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆä»¥ä¸‹ã€XSSï¼‰ãŒç™ºè¦‹ã•ã‚ŒãŸã‚ã¨ã®å¯¾å¿œã®ãŠè©±ã§ã™ã€‚JSOCã§æ—¥ã€…ã‚¤ãƒ³ã‚·ãƒ‡ãƒ³ãƒˆã«ã‹ã‹ã‚ã£ã¦ã„ã‚‹ã„ã‚‹è‡ªåˆ†ã¨ã—ã¦ã¯ã¨ã¦ã‚‚èˆˆå‘³æ·±ã„å†…å®¹ã§ã—ãŸã€‚ æ—¥æœ¬ã®ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£æ„è˜ã¯éŽå‰°ï¼Ÿ ä»Šå›žã®ã‚ˆã†
jazzanova 2009/03/27
xss

security
ãƒªãƒ³ã‚¯
Cross Site Scripting Prevention - OWASP Cheat Sheet Series
Introduction Index Alphabetical Index ASVS Index MASVS Index Proactive Controls Index Top 10 Cheatsheets Cross Site Scripting Prevention Cheat SheetÂ¶ IntroductionÂ¶ This cheat sheet helps developers prevent XSS vulnerabilities. Cross-Site Scripting (XSS) is a misnomer. Originally this term was derived from early versions of the attack that were primarily focused on stealing data cross-site. Since t
jazzanova 2009/03/23
xss
ãƒªãƒ³ã‚¯
æ–‡å—ã‚³ãƒ¼ãƒ‰ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å•é¡Œã¯ã©ã†å¯¾ç–ã™ã¹ãã‹: U+00A5ã‚’ç”¨ã„ãŸXSSã®å¯èƒ½æ€§ - å¾³ä¸¸æµ©ã®æ—¥è¨˜(2009-03-11)
_U+00A5ã‚’ç”¨ã„ãŸXSSã®å¯èƒ½æ€§ å‰å›žã®æ—¥è¨˜ã§ã¯ã€æ˜¨å¹´ã®Black Hat Japanã«ãŠã‘ã‚‹é•·è°·å·é™½ä»‹æ°ã®è¬›æ¼”ã«ã€Œè¶£å‘³ã¨å®Ÿç›Šã®æ–‡å—ã‚³ãƒ¼ãƒ‰æ”»æ’ƒ(è¬›æ¼”è³‡æ–™)ã€ã«åˆºæ¿€ã•ã‚Œã‚‹å½¢ã§ã€Unicodeã®å††è¨˜å·U+00A5ã«ã‚ˆã‚‹SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã®å¯èƒ½æ€§ã«ã¤ã„ã¦æŒ‡æ‘˜ã—ãŸã€‚ ã¯ã›ãŒã‚æ°ã®å…ƒè³‡æ–™ã§ã¯ãƒ‘ã‚¹ãƒˆãƒ©ãƒãƒ¼ã‚µãƒ«ã®å¯èƒ½æ€§ã‚’æŒ‡æ‘˜ã—ã¦ãŠã‚‰ã‚Œã‚‹ã®ã§ã€æ®‹ã‚‹è„†å¼±æ€§ãƒ‘ã‚¿ãƒ¼ãƒ³ã¨ã—ã¦ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°(XSS)ã®å¯èƒ½æ€§ãŒã‚ã‚‹ã‹ã©ã†ã‹ãŒãšã£ã¨æ°—ã«ãªã£ã¦ã„ãŸã€‚ç‹¬è‡ªã®èª¿æŸ»ã«ã‚ˆã‚Šã€XSSæ”»æ’ƒã®èµ·ç‚¹ã¨ãªã‚‹ã€Œ<ã€ã‚„ã€Œ"ã€ã€ã€Œ'ã€ãªã©ã«ã¤ã„ã¦ã€Œå¤šå¯¾ä¸€ã®å¤‰æ›ã€ãŒã•ã‚Œã‚‹æ–‡å—ã‚’æŽ¢ã—ã¦ããŸãŒã€ç¾å®Ÿçš„ãªWebã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã§å‡ºç¾ã—ãã†ãªçµ„ã¿åˆã‚ã›ã¯è¦‹ã¤ã‘ã‚‰ã‚Œã¦ã„ãªã„ã€‚ ä¸€æ–¹ã€U+00A5ãŒå‡¦ç†ç³»ã«ã‚ˆã£ã¦ã¯0x5Cã€Œ\ã€ã«å¤‰æ›ã•ã‚Œã‚‹ã“ã¨ã«èµ·å› ã—ã¦XSSãŒç™ºç”Ÿã™ã‚‹å¯èƒ½æ€§ã¯ã‚ã‚‹ã€‚JavaScriptãŒã‹ã‚‰ã‚€å ´åˆãŒãã‚Œã ã€‚ã—ã‹ã—ã€
jazzanova 2009/03/11
security

perl

xss

unicode
ãƒªãƒ³ã‚¯
perl - Encodeã§XSSã‚’é˜²ã : 404 Blog Not Found
2009å¹´03æœˆ03æ—¥19:00 ã‚«ãƒ†ã‚´ãƒªLightweight Languages perl - Encodeã§XSSã‚’é˜²ã è‰¯è¨˜äº‹ã€‚ ç¬¬7å›žâ– æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ãŒç”Ÿã¿å‡ºã™ãœã„å¼±æ€§ã‚’çŸ¥ã‚‹ï¼šITpro ã ã‘ã©ã€å•é¡Œç‚¹ã®ã¿å…·ä½“ä¾‹ãŒã‚ã£ã¦ã€å¯¾ç–ã«ãªã„ã®ãŒç‰‡æ‰‹è½ã¡ã«æ„Ÿã˜ã‚‰ã‚ŒãŸã®ã§ã€ãã®ç‚¹ã‚’è£œè¶³ã€‚ çµè«–ã ã‘è¨€ã£ã¦ã—ã¾ãˆã°ã€Perlãªã‚‰ä»¥ä¸‹ã®åŽŸå‰‡ã‚’å®ˆã‚‹ã ã‘ã§ã™ã€‚ 404 Blog Not Found:perl - Encode å…¥é–€ ã™ã§ã«OSCONã§ã‚‚YAPCã§ã‚‚ã€ã‚ã¡ã“ã¡ãã¡ã“ã¡ã§ã“ã®åŸºæœ¬æ–¹é‡ã«é–¢ã—ã¦ã¯è©±ã—ãŸã®ã§ã™ãŒã€ã“ã“ 404 Blog Not Found ã§ã‚‚æ”¹ã‚ã¦ã€‚ Perl ã§ utf8 åŒ–ã‘ã—ãŸã¨ãã«ã©ã†ã—ãŸã‚‰ã„ã„ã‹ - TokuLog æ”¹ã‚ ã ã¾ã£ã¦ã‚³ãƒ¼ãƒ‰ã‚’æ›¸ã‘ã‚ˆãƒã‚²å…¥ã‚Šå£ã§ decode ã—ã¦ã€å†…éƒ¨ã§ã¯ã™ã¹ã¦ flagged utf8 ã§æ‰±ã„ã€å‡ºå£ã§ encode ã™ã‚‹ã€‚ã“ã‚ŒãŒ
jazzanova 2009/03/04
perl

xss

encode
ãƒªãƒ³ã‚¯
XSSã¯ãã®ã‚µã‚¤ãƒˆã‚’ä¿¡é ¼ã—ã¦ã„ã‚‹äººãŒå¤šã„ã»ã©è„…å¨ã«ãªã‚Šã†ã‚‹ - ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼(Hatena)
ã¯ã„ï¼ ã“ã‚“ã«ã¡ã¯ï¼ ä»Šæ—¥ã¯çã—ãã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã«ã¤ã„ã¦ä¸€è¨€ã§ã™ï¼ ã‚¿ã‚¤ãƒˆãƒ«ã«ã‚ã‚‹é€šã‚Šã€ XSSã¯ãã®ã‚µã‚¤ãƒˆã‚’ä¿¡é ¼ã—ã¦ã„ã‚‹äººãŒå¤šã„ã»ã©è„…å¨ã«ãªã‚Šã†ã‚‹ ã£ã¦ã“ã¨ãªã‚“ã ã‘ã©â€¦ã€‚ã“ã‚Œã ã‘ã ã¨ã€ã‚ãŸã‚Šã¾ãˆã£ã½ã„ã‚ˆãã€‚ ã¾ãšXSSè„†å¼±æ€§ã£ã¦ãªã«ï¼Ÿ ã£ã¦äººã®ãŸã‚ã«ç°¡å˜ã«èª¬æ˜Žã—ã¡ã‚ƒã†ã¨ã€ã“ã‚Œ ã‚µã‚¤ãƒˆã‚’ä½œã£ãŸäººä»¥å¤–ã®äººã§ã‚‚ã€å¥½ããªã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’å®Ÿè¡Œã§ãã¡ã‚ƒã†çŠ¶æ…‹ ã£ã¦ã“ã¨ãªã‚“ã ã‚ˆãã€‚ ã§ã‚‚ã‚ˆãè€ƒãˆã¦ã¿ã¦ã»ã—ã„ã€‚ ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒå®Ÿè¡Œã§ãã‚‹ã€‚ã¸ã‚“ãªã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒå®Ÿè¡Œã•ã‚Œã¡ã‚ƒã†ã‹ã‚‚ã—ã‚Œãªã„ãƒšãƒ¼ã‚¸ã€‚ ã“ã‚Œã£ã¦åˆ¥ã«ã€ã€Œãµã¤ã†ã«ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’è¨±å¯ã•ã‚Œã¦ã„ã‚‹ã€ãã“ã‚‰ã¸ã‚“ã®ãƒ–ãƒã‚°ã‚„ãƒ›ãƒ¼ãƒ ãƒšãƒ¼ã‚¸ã¨åŒã˜ã€ã˜ã‚ƒãªã„ï¼Ÿ ã„ã‚„ã€å¾®å¦™ã«é•ã†ã‹ãªã€‚ é•ã†ç‚¹ã¯ã²ã¨ã¤ã€‚ ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’åŸ‹ã‚è¾¼ã‚ã‚‹ã®ãŒã€Œã‚µã‚¤ãƒˆã®ç®¡ç†è€…ã‚ªãƒ³ãƒªãƒ¼ã€ãªã®ã‹ã€Œèª°ã§ã‚‚ã€ãªã®ã‹ã®é•ã„ãŒã‚ã‚‹ã‚“ã ã‚ˆãã€‚ â€¦ ã˜ã‚ƒã‚ã€ã€Œåã‚‚ãªãã‚µã‚¤ãƒˆã®ç®¡ç†è€…ã€ã¨ã€Œèª°ã§ã‚‚ã€ã®é•ã„ã£ã¦ãªã‚“ã ã‚ã†ï¼Ÿ ãªã‚“ã ã‚
jazzanova 2008/10/02
xss

security
ãƒªãƒ³ã‚¯
å€‹äººã ã‹ã‚‰ç”˜ã„ã®ã‹ãª - ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼
ã‚ã‚‰ã‚ã‚‰äºˆå‘ŠinãŒXSSã‚„ã‚‰ã‚Œã¡ã‚ƒã£ãŸã‚‰ã—ã„ã§ã™ãï¼ ä½¿ã„å¤ã•ã‚ŒãŸæ‰‹æ³•ï¼Ÿ ã„ã¾ã©ãã‚¨ã‚¹ã‚±ãƒ¼ãƒ—å‡¦ç†ã™ã‚‰ã—ã¦ãªãã¦ãƒ€ã‚µã„ï¼Ÿ é–¢é€£ã®è¨˜äº‹ã«å¯¾ã—ã¦ã€ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ã§ã‚‚è‰²ã€…è¨€ã‚ã‚Œã¦ã„ãŸã‚Šã€ http://b.hatena.ne.jp/t/%E4%BA%88%E5%91%8A.in?threshold=1 ãƒ‹ãƒ¥ãƒ¼ã‚¹ã‚µã‚¤ãƒˆã§ã‚‚ã€ã“ã‚“ãªç…½ã‚Šè¨˜äº‹ã‚’æ›¸ã‹ã‚Œã¦ã„ãŸã‚Šã™ã‚‹ã‘ã‚Œã©â€¦ ä»Šå›žã®ä»¶ã«ã¤ã„ã¦ITä¼æ¥ã«å‹¤ã‚ã‚‹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã«èžã„ã¦ã¿ã‚‹ã¨ã€ ã€Œã“ã‚Œã¯åˆæ©ä¸ã®åˆæ©ã€‚XSSã‚³ãƒ¼ãƒ‰æ›¸ã„ãŸæ–¹ã‚‚10åˆ†ã‚‚æŽ›ã‹ã£ã¦ãªã„ã‚ˆã€‚ãã‚Œã‚’äº‹å‰ã«å¯¾ç–ã—ã¦ãªã‹ã£ãŸäºˆå‘Šinã«ã¯ã‚‚ã£ã¨ãƒ“ãƒƒã‚¯ãƒªã ã‘ã©ã€ã€ã€ç´ äººãªã®ï¼Ÿã€ ã¨èªžã‚‹ã€‚ äºˆå‘Šinã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£è„†å¼±æ€§ã‚’ç‹™ã£ãŸã‚³ãƒ¼ãƒ‰!?ã€€ã€Œäºˆå‘Šiné–‹ç™ºè€…ã¯ç´ äººã€ http://news.livedoor.com/article/detail/3759632/ ãã‚Œã£ã¦ã©ã†ã ã‚ã†ãã€‚ Googleã‚„Amazo
jazzanova 2008/08/04
xss

security
ãƒªãƒ³ã‚¯
XSS (Cross Site Scripting) Cheat Sheet
XSS (Cross Site Scripting) Cheat Sheet Esp: for filter evasion By RSnake Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to
jazzanova 2007/12/19
xss

security
ãƒªãƒ³ã‚¯
TAKESAKO @ Yet another Cybozu Labs: ç¬¬1å›žXSSç¥ã‚Š(ã‚µãƒ‹ã‚¿ã‚¤ã‚ºå‹‰å¼·ä¼šï¼‰
ã¤ã„ã‚«ãƒƒã¨ãªã£ã¦ä¼ç”»ã•ã‚ŒãŸç¬¬1å›žXSSç¥ã‚Šã€ãƒã‚¿ã‹ã¨æ€ã£ã¦ã„ã¾ã—ãŸãŒã€å…ˆæ—¥ã®æ—¥æ›œæ—¥ã«é–‹å‚¬ã•ã‚Œã€ç„¡äº‹çµ‚äº†ã—ã¾ã—ãŸã€‚ XSSæœ¬ã®æ´‹æ›¸ XSS Attacks: Cross Site Scripting Exploits and Defense ãŒæ—¥æœ¬ã«å±Šã„ãŸã®ã§ã€ ã“ã®ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã«æœ€è¿‘ã®XSSã®å‚¾å‘ã‚’æ•´ç†ã—ã¦ã€ãã‚Œã‚‰ã®æ”»æ’ƒã‚’é˜²å¾¡ã™ã‚‹æ‰‹æ³•ã«ã¤ã„ã¦ã¿ã‚“ãªã§å‹‰å¼·ã—ã¾ã—ãŸã€‚ å®Ÿéš›ã€æœ¬ã®å†…å®¹ã«ã¯ã‚ã‚“ã¾ã‚Šè§¦ã‚Œãªã‹ã£ãŸã§ã™ã‘ã©ã€‚ãƒã‚¿ã§Anti-Anti-Antiã¨ã‹ã€‚ çµ‚å§‹ã¾ã£ãŸã‚Šã¨ã—ãŸé›°å›²æ°—ã®ä¸ã€å‚åŠ è€…ã®é£›ã³å…¥ã‚Šãƒ—ãƒ¬ã‚¼ãƒ³ã‚„Skypeä¸ç¶™ã‚‚ã‚ã£ãŸã‚Šã¨ã€å¤§å¤‰æ¥½ã—ã„å‹‰å¼·ä¼šã§ã—ãŸã€‚ å‚åŠ è€…ãŒå‚åŠ è€…ã ã‘ã«ã€å›½å†…ï¼ˆä¸–ç•Œçš„ã«ã‚‚ï¼‰æœ€å…ˆç«¯ã®è©±ã‚’å…±æœ‰ã™ã‚‹ã“ã¨ãŒã§ãã¦ã€æœ‰æ„ç¾©ãªæ™‚é–“ã‚’éŽã”ã™ã“ã¨ãŒã§ãã¾ã—ãŸã€‚ ï¼ˆè©³ç´°ã¯ã‚ã¨ã§æ›¸ãã€‚ï¼‰ ã‚ã–ã‚ã–ã€ã“ã®å‹‰å¼·ä¼šã®ãŸã‚ã ã‘ã«æ–°å¹¹ç·šã§ä¸Šäº¬ã•ã‚ŒãŸæ–¹ã‚‚ã„ã‚‰ã£ã—ã‚ƒã£ãŸã¨ã®ã“ã¨ã§ã€ ãã®ç†±æ„ã«ã¯æ„Ÿ
jazzanova 2007/06/05
XSS

security
ãƒªãƒ³ã‚¯
XSS - è¡¨ç¤ºç³»ãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã«å˜åœ¨ã™ã‚‹ç›²ç‚¹ :: ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼
ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼ ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã®æ™‚é–“ã§ã™ï¼ XSSã¨ã„ã†ã¨â€¦ï¼ ã¾ã£ã•ãã«æ€ã„ã¤ãã®ãŒã€å…¥åŠ›ãƒ‡ãƒ¼ã‚¿é€ä¿¡ â†’ ç¢ºèªè¡¨ç¤ºã®éƒ¨åˆ†ã§ã®ç„¡å®³åŒ–æ¼ã‚Œã§ã™ã‚ˆãï¼ ãŸã¨ãˆã°ã“ã‚“ãªæ„Ÿã˜ã®ãƒ•ã‚©ãƒ¼ãƒ ã‹ã‚‰å—ã‘å–ã£ãŸãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã‚’ã€ ç¢ºèªã¨ã—ã¦è¡¨ç¤ºã™ã‚‹ãƒšãƒ¼ã‚¸ã¨ã‹ï¼ (å…¥åŠ›) <form action="register.cgi" method="post"> ã‚¿ã‚¤ãƒˆãƒ«ï¼š<input type="text" name="title"> â† ã€Œã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼ã€ã‚’å…¥åŠ› æœ¬æ–‡ï¼š<input type="text" name="body"> â† ã€Œã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert(1)</script>ã€ã‚’å…¥åŠ› </form> (ç¢ºèª) <p>ã“ã®å†…å®¹ã§ç™»éŒ²ã—ã¦ã„ã„ï¼Ÿ</p> <p> ã‚¿ã‚¤ãƒˆãƒ«ï¼š ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼<br> æœ¬æ–‡ï¼š ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert
jazzanova 2006/08/02
XSS

security

webservice
ãƒªãƒ³ã‚¯
SNSãŒXSSæ”»æ’ƒã®æ ¼å¥½ã®æ¨™çš„ã«â€•â€•F-Secure
MySpaceã‚’ç‹™ã£ãŸæ”»æ’ƒãŒç›¸æ¬¡ã„ã ã“ã¨ã‚’å—ã‘ã€F-SecureãŒã»ã‹ã®äººæ°—SNSã‚’èª¿ã¹ãŸã¨ã“ã‚ã€ãƒ¯ãƒ¼ãƒ ä½œæˆã«åˆ©ç”¨ã§ãã‚‹è„†å¼±æ€§ãŒå¹¾ã¤ã‚‚è¦‹ã¤ã‹ã£ãŸã¨ã„ã†ã€‚ äººæ°—ã‚½ãƒ¼ã‚·ãƒ£ãƒ«ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚ãƒ³ã‚°ã‚µã‚¤ãƒˆï¼ˆSNSï¼‰ã®MySpaceã‚’æ¨™çš„ã¨ã—ãŸæ”»æ’ƒãŒç›¸æ¬¡ã„ã§æµ®ä¸Šã™ã‚‹ä¸ã€ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ä¼æ¥ã®F-Secureã¯ã€ã»ã‹ã®SNSã«ã‚‚ã“ã†ã—ãŸæ”»æ’ƒã«æ‚ªç”¨ã•ã‚Œã‹ããªã„è„†å¼±æ€§ãŒå¤šæ•°å˜åœ¨ã™ã‚‹ã¨å ±å‘Šã—ãŸã€‚ F-Secureã«ã‚ˆã‚‹ã¨ã€Webã‚µã‚¤ãƒˆã«å˜åœ¨ã™ã‚‹ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆXSSï¼‰ã®è„†å¼±æ€§ã‚’çªã„ãŸWebã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ãƒ¯ãƒ¼ãƒ ãŒã€æ–°æ‰‹ã®ãƒžãƒ«ã‚¦ã‚§ã‚¢ã¨ã—ã¦æµ®ä¸Šã€‚SNSãŒæ ¼å¥½ã®æ¨™çš„ã«ãªã£ã¦ãŠã‚Šã€MySpaceã‚’æ¨™çš„ã¨ã—ãŸãƒ¯ãƒ¼ãƒ ã¯æ—¢ã«2ä»¶å‡ºç¾ã—ã¦ã„ã‚‹ã¨ã„ã†ã€‚ ã“ã®ã†ã¡æ˜¨å¹´10æœˆã«å•é¡Œã«ãªã£ãŸã€ŒSamyã€ã¯MySpaceã§å‹æ‰‹ã«å‹é”ã‚’å¢—ã‚„ã—ã¦ã—ã¾ã†ãƒ¯ãƒ¼ãƒ ã€‚æ•°æ—¥å‰ã«ç™»å ´ã—ãŸã€ŒFlashã€ãƒ¯ãƒ¼ãƒ ã¯Flashã®è„†å¼±æ€§ã‚’çªã„ã¦ã€ãƒ¦ãƒ¼ã‚¶ãƒ¼
jazzanova 2006/07/30
XSS

security

webservice
ãƒªãƒ³ã‚¯
1 2 æ¬¡ã®ãƒšãƒ¼ã‚¸