[B! css][XSS] ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ockeghem id:ockeghem

cssã¨XSSã«é–¢ã™ã‚‹ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (5)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

ã¯ã¦ãªã®expressionã®XSSãŒä¿®æ£ã•ã‚ŒãŸ | æ°´ç„¡æœˆã°ã‘ã‚‰ã®ãˆã³æ—¥è¨˜
ã¨æ›¸ãã¨ã€ã€Œå±é™ºãªæ–‡å—ã€ã¨ã¿ãªã•ã‚ŒãŸ "expression" ã¨ "cookie" ãŒã‚µãƒ‹ã‚¿ã‚¤ã‚ºã•ã‚Œã¦ä»¥ä¸‹ã®ã‚ˆã†ã«ãªã‚Šã¾ã™ã€‚
ockeghem 2009/03/30
security

xss

ã°ã‘ã‚‰

css
ãƒªãƒ³ã‚¯
ã¾ã ã¾ã ã‚ã‚‹ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°æ”»æ’ƒæ³•
å‰å›žã¯ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã®ãœã„å¼±æ€§ã‚’çªãæ”»æ’ƒã®å¯¾ç–ã¨ã—ã¦ã®HTMLã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã®æœ‰åŠ¹æ€§ã‚’è¿°ã¹ãŸã€‚ãŸã ï¼ŒHTMLã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã ã‘ã§ã¯ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°æ”»æ’ƒã‚’å®Œå…¨ã«é˜²å¾¡ã™ã‚‹ã“ã¨ã¯ã§ããªã„ã€‚ãã“ã§ä»Šå›žã¯ï¼ŒHTMLã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã§å¯¾å‡¦ã§ããªã„ã‚¿ã‚¤ãƒ—ã®ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°æ”»æ’ƒã®æ‰‹å£ã¨ï¼Œãã®å¯¾ç–ã«ã¤ã„ã¦è§£èª¬ã™ã‚‹ã€‚ HTMLã‚¨ãƒ³ã‚³ãƒ¼ãƒ‰ã§å¯¾å‡¦ã§ããªã„æ”»æ’ƒã«ã¯ï¼Œæ¬¡ã®ã‚ˆã†ãªã‚‚ã®ãŒã‚ã‚‹ã€‚ ã‚¿ã‚°æ–‡å—ã®å…¥åŠ›ã‚’è¨±å®¹ã—ã¦ã„ã‚‹å ´åˆï¼ˆWebãƒ¡ãƒ¼ãƒ«ï¼Œãƒ–ãƒã‚°ãªã©ï¼‰ CSSï¼ˆã‚«ã‚¹ã‚±ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ãƒ»ã‚¹ã‚¿ã‚¤ãƒ«ã‚·ãƒ¼ãƒˆï¼‰ã®å…¥åŠ›ã‚’è¨±å®¹ã—ã¦ã„ã‚‹å ´åˆï¼ˆãƒ–ãƒã‚°ãªã©ï¼‰ æ–‡å—ã‚³ãƒ¼ãƒ‰ã‚’æ˜Žç¤ºã—ã¦ã„ãªã„ã‚±ãƒ¼ã‚¹ã§UTF-7æ–‡å—ã‚³ãƒ¼ãƒ‰ã«ã‚ˆã‚‹ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚° <SCRIPT>ã®å†…å®¹ã‚’å‹•çš„ã«ç”Ÿæˆã—ã¦ã„ã‚‹å ´åˆ Aã‚¿ã‚°ãªã©ã®URLã‚’å‹•çš„ã«ç”Ÿæˆã—ã¦ã„ã‚‹å ´åˆæ³¨ï¼‰ ä»¥ä¸‹ã§ã¯ï¼ŒHTMLã‚¿ã‚°ã‚„CSSã®å…¥åŠ›ã‚’è¨±å®¹ã—ã¦ã„ã‚‹å ´åˆã¨ï¼Œæ–‡å—ã‚³ãƒ¼ãƒ‰ã‚’æ˜Ž
ockeghem 2007/04/17
ç†è€…ã§ã™ã€‚å›³5)ç¢ºã‹ã«ãã†ã§ã™ãã€‚ç·¨é›†éƒ¨ã«è¨‚æ£ã‚’ä¾é ¼ã—ã¾ã™>HiromitsuTakagi

css

xss

ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒª
ãƒªãƒ³ã‚¯
IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›
IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å› 2006-08-31-1: [Security] http://archive.openmya.devnull.jp/2006.08/msg00369.html IE ã§ã¯ expression(å¼) ã‚’ã‚¹ã‚¿ã‚¤ãƒ«ã‚·ãƒ¼ãƒˆå†…ã§è¨˜è¿°ã™ã‚‹ã“ã¨ã§ JavaScript ã‚’è¨˜è¿°ã™ã‚‹ã“ã¨ãŒã§ãã‚‹ã®ã¯æœ‰åã§ã™ãŒï¼Œ IE ã«ã‚ˆã‚‹ expression ã®æ¤œå‡ºãŒã‚„ãŸã‚‰éŽå‰°ã§ XSS ã‚’å¼•ãèµ·ã“ã—ã‚„ã™ã„ã¨ã„ã†ã“ã¨ã‚‰ã—ã„ï¼Ž å®Ÿæ…‹å‚ç…§ã‚„ã‚³ãƒ¡ãƒ³ãƒˆã®æŒ¿å…¥ï¼ŒUnicode æ–‡å—ï¼Œå…¨è§’æ–‡å—ã§è¨˜è¿°ã—ã¦ã‚‚ expression ã¨ã—ã¦æ¤œå‡ºã•ã‚Œã‚‹ï¼Ž è©³ç´°ã¯ï¼Œä¸Šè¨˜ã‚µã‚¤ãƒˆã‚ˆã‚Šå¼•ç”¨ï¼Ž IE ã§ã¯ã€ä»¥ä¸‹ã®ã‚ˆã†ãªã‚¹ã‚¿ã‚¤ãƒ«ã‚’è¨˜è¿°ã™ã‚‹ã“ã¨ã§ã€JavaScript ã‚’å‹•ä½œã•ã›ã‚‹ ã“ã¨ãŒå¯èƒ½ã§ã™ã€‚ 1) <style>ãƒ–ãƒãƒƒã‚¯å†…ã§ã®å®šç¾© <style>input { l
ockeghem 2007/03/04
XSS

CSS
ãƒªãƒ³ã‚¯
[openmya:035806] IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›
ockeghem 2007/03/04
XSS

CSS
ãƒªãƒ³ã‚¯
ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼ã®ãƒ˜ãƒ«ãƒ— - ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼XSSå¯¾ç–
ã¯ã¦ãªãƒ–ãƒã‚°ã®ãƒ˜ãƒ«ãƒ—ã§ã™
ockeghem 2007/03/04
XSS

CSS

ã¯ã¦ãª
ãƒªãƒ³ã‚¯
1

ãŠçŸ¥ã‚‰ã›

ã‚‚ã£ã¨èªã‚€

å…¬å¼Twitter

@hatebu
æœ€æ–°ã®äººæ°—ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã®é…ä¿¡

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

jæ¬¡ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

kå‰ã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

lã‚ã¨ã§èªã‚€

eã‚³ãƒ¡ãƒ³ãƒˆä¸€è¦§ã‚’é–‹ã

oãƒšãƒ¼ã‚¸ã‚’é–‹ã

è¨å®šã‚’å¤‰æ›´ã—ã¾ã—ãŸx

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (6)

cssã¨XSSã«é–¢ã™ã‚‹ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (5)

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

ã‚¿ã‚°

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (6)

cssã¨XSSã«é–¢ã™ã‚‹ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (5)

ã¯ã¦ãªã®expressionã®XSSãŒä¿®æ­£ã•ã‚ŒãŸ | æ°´ç„¡æœˆã°ã‘ã‚‰ã®ãˆã³æ—¥è¨˜

ã¾ã ã¾ã ã‚ã‚‹ã‚¯ãƒ­ã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°æ”»æ’ƒæ³•

IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›

[openmya:035806] IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›

ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼ã®ãƒ˜ãƒ«ãƒ— - ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼XSSå¯¾ç­–

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚­ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚­ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹

é–¢é€£ã‚¿ã‚°ã§çµžã‚Šè¾¼ã‚€ (6)

cssã¨XSSã«é–¢ã™ã‚‹ockeghemã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (5)

ã¯ã¦ãªã®expressionã®XSSãŒä¿®æ£ã•ã‚ŒãŸ | æ°´ç„¡æœˆã°ã‘ã‚‰ã®ãˆã³æ—¥è¨˜

ã¾ã ã¾ã ã‚ã‚‹ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°æ”»æ’ƒæ³•

IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›

[openmya:035806] IE ã«ãŠã‘ã‚‹ "expression" ã®éŽå‰°æ¤œå‡ºã«ã‚ˆã‚‹ XSS ã® èª˜å›

ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼ã®ãƒ˜ãƒ«ãƒ— - ã¯ã¦ãªãƒ€ã‚¤ã‚¢ãƒªãƒ¼XSSå¯¾ç–

ãŠçŸ¥ã‚‰ã›

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´12æœˆç¬¬1é€±ï¼‰

æœˆé–“ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆï¼‰

ä»Šé€±ã®ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯æ•°ãƒ©ãƒ³ã‚ãƒ³ã‚°ï¼ˆ2024å¹´11æœˆç¬¬5é€±ï¼‰

å…¬å¼Twitter

ã‚ãƒ¼ãƒœãƒ¼ãƒ‰ã‚·ãƒ§ãƒ¼ãƒˆã‚«ãƒƒãƒˆä¸€è¦§

ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

å…¬å¼Twitter

ã¯ã¦ãªã®ã‚µãƒ¼ãƒ“ã‚¹