[B! XSS] potappoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

potappo id:potappo

XSSã«é–¢ã™ã‚‹potappoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (10)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

ãã‚Œ Unicode ã§
UTF-7 ã‚’ä½¿ã£ã¦ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚’è¨˜è¿° +ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-+AC8-SCRIPT+AD4- IE ã¯ã€æ–‡å—ã‚¨ãƒ³ã‚³ãƒ¼ãƒ‡ã‚£ãƒ³ã‚°ãŒä¸æ˜Žã§ UTF-7 ã£ã½ã„æ–‡å—åˆ—ãŒã‚ã‚Œã°ã€è‡ªå‹•åˆ¤åˆ¥ã§ UTF-7 ã¨ãªã‚‹ã€‚
potappo 2006/12/13
d:id:hasegawayosukeã•ã‚“ã«ã‚ˆã‚‹Unicodeçµ¡ã¿ã®XSSã«ã¤ã„ã¦ã®è³‡æ–™ã€‚

xss

security

Unicode

web

presentation

æ–‡å—ã‚³ãƒ¼ãƒ‰
ãƒªãƒ³ã‚¯
Error Messageã«ãŠã‘ã‚‹æœ€ã‚‚ã‚·ãƒ³ãƒ—ãƒ«ãªXSSå›žé¿æ³• : 404 Blog Not Found
2006å¹´12æœˆ02æ—¥04:30 ã‚«ãƒ†ã‚´ãƒªLightweight Languages Error Messageã«ãŠã‘ã‚‹æœ€ã‚‚ã‚·ãƒ³ãƒ—ãƒ«ãªXSSå›žé¿æ³• 404 Blog Not Found:perl+javascript - ã¯ã¦ãƒ–ã¨çŸç¸®URLã®Mashupã®ãƒã‚°ãƒ•ã‚£ãƒƒã‚¯ã‚¹ã€‚ æŠ€è¡“ãƒ¡ãƒ¢å¸³ - dankogaiã•ã‚“ã®ã‚¢ãƒ—ãƒªã®XSS ã‚¨ãƒ©ãƒ¼ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’å‡ºåŠ›ã™ã‚‹ã¨ãã« HTMLã‚¨ã‚¹ã‚±ãƒ¼ãƒ—ãŒã•ã‚Œã¦ãªã‹ã£ãŸã€‚ è¦‹è½ã¨ã™ã¨ã“ã‚ã ã£ãŸã€‚ã“ã†ã„ã†å ´åˆã¯ã€TBãªã„ã—Commentãªã©ã€å…ƒè¨˜äº‹ã‹ã‚‰ç›´æŽ¥è¦‹ãˆã‚‹å½¢ã§å ±å‘Šã—ã¦æ¬²ã—ã„ã€‚ ãã‚‚ãã‚‚text/htmlã¨ã—ã¦è§£é‡ˆã•ã‚Œã¦ã„ã‚‹ã®ã¯ãŠã‹ã—ã„ã¨æ€ã£ã¦headerã‚’è¦‹ãŸã‚‰ã€ % HEAD 'http://u.dan.co.jp/r.cgi/<script>alert('easy%20xss');</script>' 500 Internal Server Error Co
potappo 2006/12/05
security

xss

web

webdev
ãƒªãƒ³ã‚¯
XSS - è¡¨ç¤ºç³»ãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã«å˜åœ¨ã™ã‚‹ç›²ç‚¹ :: ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼
ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼ ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã®æ™‚é–“ã§ã™ï¼ XSSã¨ã„ã†ã¨â€¦ï¼ ã¾ã£ã•ãã«æ€ã„ã¤ãã®ãŒã€å…¥åŠ›ãƒ‡ãƒ¼ã‚¿é€ä¿¡ â†’ ç¢ºèªè¡¨ç¤ºã®éƒ¨åˆ†ã§ã®ç„¡å®³åŒ–æ¼ã‚Œã§ã™ã‚ˆãï¼ ãŸã¨ãˆã°ã“ã‚“ãªæ„Ÿã˜ã®ãƒ•ã‚©ãƒ¼ãƒ ã‹ã‚‰å—ã‘å–ã£ãŸãƒ‘ãƒ©ãƒ¡ãƒ¼ã‚¿ã‚’ã€ ç¢ºèªã¨ã—ã¦è¡¨ç¤ºã™ã‚‹ãƒšãƒ¼ã‚¸ã¨ã‹ï¼ (å…¥åŠ›) <form action="register.cgi" method="post"> ã‚¿ã‚¤ãƒˆãƒ«ï¼š<input type="text" name="title"> â† ã€Œã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼ã€ã‚’å…¥åŠ› æœ¬æ–‡ï¼š<input type="text" name="body"> â† ã€Œã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert(1)</script>ã€ã‚’å…¥åŠ› </form> (ç¢ºèª) <p>ã“ã®å†…å®¹ã§ç™»éŒ²ã—ã¦ã„ã„ï¼Ÿ</p> <p> ã‚¿ã‚¤ãƒˆãƒ«ï¼š ã¼ãã¯ã¾ã¡ã¡ã‚ƒã‚“ï¼<br> æœ¬æ–‡ï¼š ã“ã‚“ã«ã¡ã¯ã“ã‚“ã«ã¡ã¯ï¼ï¼<script>alert
potappo 2006/08/02
GETãƒªã‚¯ã‚¨ã‚¹ãƒˆã®ä¸èº«ã«æ³¨æ„ã€‚

security

hamachiya

XSS

webservice

cgi

hatena
ãƒªãƒ³ã‚¯
ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®eãƒ©ãƒ¼ãƒ‹ãƒ³ã‚°ã‚·ã‚¹ãƒ†ãƒ ã«XSSãªã©ã®è„†å¼±æ€§â€•â€•IPA
ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®eãƒ©ãƒ¼ãƒ‹ãƒ³ã‚°CMSã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã€ŒATutorã€ãŠã‚ˆã³ã€ŒACollabã€ã«ãŠã„ã¦ã€ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆXSSï¼‰ã‚„SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ã«é–¢ã™ã‚‹è„†å¼±æ€§ãŒç™ºè¦‹ã•ã‚ŒãŸã€‚ æƒ…å ±å‡¦ç†æŽ¨é€²æ©Ÿæ§‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆIPAï¼‰ãŠã‚ˆã³JPCERTã‚³ãƒ¼ãƒ‡ã‚£ãƒãƒ¼ã‚·ãƒ§ãƒ³ã‚»ãƒ³ã‚¿ãƒ¼ï¼ˆJPCERT/CCï¼‰ã¯7æœˆ5æ—¥ã€è„†å¼±æ€§æƒ…å ±ã‚µã‚¤ãƒˆJP Vendor Status Notesï¼ˆJVNï¼‰ã«ãŠã„ã¦ã€ã‚ªãƒ¼ãƒ—ãƒ³ã‚½ãƒ¼ã‚¹ã®eãƒ©ãƒ¼ãƒ‹ãƒ³ã‚°ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã€ŒATutorã€ãªã©ã«è„†å¼±æ€§ãŒã‚ã‚‹ã“ã¨ã‚’æ˜Žã‚‰ã‹ã«ã—ãŸã€‚ã“ã®è„†å¼±æ€§ã‚’çªã‹ã‚Œã‚‹ã¨ã€æƒ…å ±æ¼ãˆã„ã‚„ãªã‚Šã™ã¾ã—ã‚’è¨±ã—ã¦ã—ã¾ã†å±é™ºæ€§ãŒã‚ã‚‹ã€‚ è„†å¼±æ€§ãŒç™ºè¦‹ã•ã‚ŒãŸã®ã¯ã€eãƒ©ãƒ¼ãƒ‹ãƒ³ã‚°ç”¨ã®CMSï¼ˆã‚³ãƒ³ãƒ†ãƒ³ãƒ„ç®¡ç†ã‚·ã‚¹ãƒ†ãƒ ï¼‰ATutorãŠã‚ˆã³ATutorã®ã‚¢ãƒ‰ã‚ªãƒ³ã¨ã—ã¦å‹•ä½œã™ã‚‹ã‚³ãƒ©ãƒœãƒ¬ãƒ¼ã‚·ãƒ§ãƒ³ã‚½ãƒ•ãƒˆã€ŒACollabã€ã€‚ ATutorã§ã¯ã€1.5.2ä»¥å‰ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã«ãŠã„ã¦ã€ã‚¯ãƒã‚¹
potappo 2006/07/07
security

XSS
ãƒªãƒ³ã‚¯
Yahoo!ãƒ¡ãƒ¼ãƒ«ã®è„†å¼±æ€§ã‚’çªãâ€œã‚¼ãƒãƒ‡ã‚¤â€ã‚¦ã‚¤ãƒ«ã‚¹å‡ºç¾ï¼Œãƒ¡ãƒ¼ãƒ«ã‚’é–‹ãã ã‘ã§æ„ŸæŸ“
ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£çµ„ç¹”ã®ç±³SANS Instituteãªã©ã¯ç¾åœ°æ™‚é–“6æœˆ12æ—¥ï¼Œç±³Yahoo!ãŒæä¾›ã™ã‚‹Webãƒ¡ãƒ¼ãƒ«ãƒ»ã‚µãƒ¼ãƒ“ã‚¹ã®è„†å¼±æ€§ï¼ˆã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ»ãƒ›ãƒ¼ãƒ«ï¼‰ã‚’çªã„ã¦æ„ŸæŸ“ã‚’åºƒã’ã‚‹ã‚¦ã‚¤ãƒ«ã‚¹ãŒå‡ºå›žã£ã¦ã„ã‚‹ã¨ã—ã¦æ³¨æ„ã‚’å‘¼ã³ã‹ã‘ãŸã€‚ãƒ¡ãƒ¼ãƒ«æœ¬æ–‡ã‚’èªã‚‚ã†ã¨ã™ã‚‹ã ã‘ã§æ„ŸæŸ“ã—ï¼Œã‚¢ãƒ‰ãƒ¬ã‚¹ãƒ»ãƒªã‚¹ãƒˆã®æƒ…å ±ã‚’ç›—ã¾ã‚Œã‚‹ã¨ã¨ã‚‚ã«ã‚¦ã‚¤ãƒ«ã‚¹ãƒ»ãƒ¡ãƒ¼ãƒ«ã‚’é€ä¿¡ã•ã›ã‚‰ã‚Œã‚‹ã€‚Yahoo!ã§ã¯ç¾åœ¨å¯¾å‡¦ä¸ã§ã‚ã‚‹ã¨ã—ã¦ã„ã‚‹ã€‚ Yahoo!ã®Webãƒ¡ãƒ¼ãƒ«ãƒ»ã‚µãƒ¼ãƒ“ã‚¹ï¼ˆYahoo!ãƒ¡ãƒ¼ãƒ«ï¼‰ã«ã¯ï¼Œãƒ¡ãƒ¼ãƒ«ã«ç´°å·¥ãŒæ–½ã•ã‚Œã¦ã„ã‚‹ã¨ï¼Œãƒ¡ãƒ¼ãƒ«æœ¬æ–‡ã‚’é–‹ãã ã‘ã§ï¼Œæ·»ä»˜ã•ã‚ŒãŸHTMLãƒ•ã‚¡ã‚¤ãƒ«ã‚’å‹æ‰‹ã«é–‹ã„ã¦ã—ã¾ã†è„†å¼±æ€§ãŒè¦‹ã¤ã‹ã£ãŸã€‚HTMLãƒ•ã‚¡ã‚¤ãƒ«ã«ã‚¹ã‚¯ãƒªãƒ—ãƒˆï¼ˆJavaScriptï¼‰ãŒå«ã¾ã‚Œã¦ã„ã‚‹å ´åˆã«ã¯ï¼Œãã®ã‚¹ã‚¯ãƒªãƒ—ãƒˆã‚‚å‹æ‰‹ã«å®Ÿè¡Œã•ã‚Œã¦ã—ã¾ã†ã€‚ä»Šå›žã®ã‚¦ã‚¤ãƒ«ã‚¹ã¯ã“ã®è„†å¼±æ€§ã‚’æ‚ªç”¨ã™ã‚‹ã‚‚ã®ã§ï¼ŒHTMLãƒ•ã‚¡ã‚¤ãƒ«ã«å«ã¾ã‚Œã‚‹ã‚¹ã‚¯ãƒªãƒ—ãƒˆãŒã‚¦ã‚¤ãƒ«ã‚¹ã®å®Ÿä½“ã§ã‚ã‚‹ã€‚ãªãŠï¼Œä»Šå›žã®è„†å¼±æ€§ã¯
potappo 2006/06/15
security

mail

web

XSS

webservice

yahoo

virus
ãƒªãƒ³ã‚¯
ã€ŒYahoo!ãƒ¡ãƒ¼ãƒ«ã®ã‚¦ã‚¤ãƒ«ã‚¹ãŒæ‚ªç”¨ã—ãŸã®ã¯ã€ŽXSSè„†å¼±æ€§ã€ï¼Œã‚µã‚¤ãƒˆç®¡ç†è€…ã¯æ³¨æ„ã‚’ã€---å°‚é–€å®¶ãŒè¦å‘Š
ã€ŒYahoo!ãƒ¡ãƒ¼ãƒ«ã®ã‚¦ã‚¤ãƒ«ã‚¹ãŒæ‚ªç”¨ã—ãŸã®ã¯ã€ŽXSSè„†å¼±æ€§ã€ï¼Œã‚µã‚¤ãƒˆç®¡ç†è€…ã¯æ³¨æ„ã‚’ã€---å°‚é–€å®¶ãŒè¦å‘Š ã€Œã€ŽYahoo!ãƒ¡ãƒ¼ãƒ«ã€ã‚’ç‹™ã£ãŸã‚¦ã‚¤ãƒ«ã‚¹ã¯ï¼ŒåŒã‚µã‚¤ãƒˆã®ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆãƒ»ã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ï¼ˆXSSï¼‰è„†å¼±æ€§ã‚’æ‚ªç”¨ã—ãŸã€‚åŒæ§˜ã®è„†å¼±æ€§ã¯å¤šãã®Webã‚µã‚¤ãƒˆã«å˜åœ¨ã™ã‚‹ã€‚ã“ã®ã‚¦ã‚¤ãƒ«ã‚¹ã®ã‚½ãƒ¼ã‚¹ãƒ»ã‚³ãƒ¼ãƒ‰ã‚‚å‡ºå›žã£ã¦ã„ã‚‹ã®ã§ï¼Œä»Šå¾Œï¼ŒåŒæ§˜ã®æ”»æ’ƒãŒé »ç™ºã™ã‚‹å¯èƒ½æ€§ã¯é«˜ã„ã€‚Webã‚µã‚¤ãƒˆã®ç®¡ç†è€…ã‚„é–‹ç™ºè€…ã¯ååˆ†ã«æ³¨æ„ã™ã‚‹å¿…è¦ãŒã‚ã‚‹ã€---ã€‚äº¬ã‚»ãƒ©ã‚³ãƒŸãƒ¥ãƒ‹ã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚·ã‚¹ãƒ†ãƒ ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£äº‹æ¥éƒ¨ å‰¯äº‹æ¥éƒ¨é•·ã§ã‚ã‚‹å¾³ä¸¸æµ©æ°ã¯6æœˆ15æ—¥ï¼ŒITproã®å–æã«å¯¾ã—ã¦è¦å‘Šã—ãŸã€‚ Yahoo!ãƒ¡ãƒ¼ãƒ«ã®ã‚¦ã‚¤ãƒ«ã‚¹ã¯â€œå˜ç´”â€ 6æœˆ12æ—¥ã”ã‚ã«ç¢ºèªã•ã‚Œã¦ã€ŒYamannerã€ãªã©ã¨åä»˜ã‘ã‚‰ã‚ŒãŸã‚¦ã‚¤ãƒ«ã‚¹ã¯ï¼Œç±³Yahoo!ãŒæä¾›ã™ã‚‹ãƒ¡ãƒ¼ãƒ«ãƒ»ã‚µãƒ¼ãƒ“ã‚¹ã€ŒYahoo! Mailï¼ˆYahoo!ãƒ¡ãƒ¼ãƒ«ï¼‰ã€ã§æ„ŸæŸ“ã‚’åºƒã’ã‚‹ï¼ˆé–¢é€£è¨˜äº‹ï¼šYahoo!ãƒ¡ãƒ¼ãƒ«ã®è„†å¼±æ€§ã‚’çª
potappo 2006/06/15
XSS

security

web

webdev

webservice

javascript

virus
ãƒªãƒ³ã‚¯
Cookieï¼ˆã‚¯ãƒƒã‚ãƒ¼ï¼‰
Cookieï¼ˆã‚¯ãƒƒã‚ãƒ¼ï¼‰ã¨ã¯ï¼ŒWebã‚¢ã‚¯ã‚»ã‚¹ã®ã¨ãã«Webã‚µãƒ¼ãƒãƒ¼ãŒãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’è˜åˆ¥ã™ã‚‹ãŸã‚ã«ä½¿ã†æ¯”è¼ƒçš„å°ã•ãªãƒ†ã‚ã‚¹ãƒˆãƒ»ãƒ‡ãƒ¼ã‚¿ã®ã“ã¨ã€‚ç±³ãƒãƒƒãƒˆã‚¹ã‚±ãƒ¼ãƒ—ãƒ»ã‚³ãƒŸãƒ¥ãƒ‹ã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã‚ºãŒè‡ªç¤¾ã®Webãƒ–ãƒ©ã‚¦ã‚¶/ã‚µãƒ¼ãƒãƒ¼ãƒ»ã‚½ãƒ•ãƒˆã«å®Ÿè£…ã—ãŸã®ãŒå§‹ã¾ã‚Šã ã€‚Webã‚µãƒ¼ãƒãƒ¼å´ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼ã‚’è˜åˆ¥ã—ãŸã„ã¨ãï¼ŒWebãƒšãƒ¼ã‚¸ã®ãƒ‡ãƒ¼ã‚¿ã‚’é€å—ä¿¡ã™ã‚‹ã®ã¨ã„ã£ã—ã‚‡ã«Cookieã‚‚ã‚„ã‚Šã¨ã‚Šã•ã‚Œã‚‹ã€‚ã¾ãŸï¼ŒCookieã‚’ã‚„ã‚Šã¨ã‚Šã™ã‚‹ã—ãã¿ã®ã“ã¨ã‚‚ã€ŒCookieã€ã¨å‘¼ã¶ã€‚ Cookieã«ã¯ï¼Œãƒãƒƒãƒˆã‚¹ã‚±ãƒ¼ãƒ—ãŒä½œæˆã—ãŸä»•æ§˜ã®ã»ã‹ã«RFC2965ãŒã‚ã‚‹ã€‚ãŸã ã—ï¼ŒRFC2965ã¯ã‚ã¾ã‚Šä½¿ã‚ã‚Œã¦ã„ãªã„ã€‚ã“ã“ã§ã¯ï¼Œãƒãƒƒãƒˆã‚¹ã‚±ãƒ¼ãƒ—ã®ä»•æ§˜ã«ã¤ã„ã¦ç´¹ä»‹ã™ã‚‹ã€‚ ã¾ãšï¼ŒCookieã®ä½¿ã„æ–¹ã‚’è¦‹ã¦ã„ã“ã†ã€‚ä¾‹ãˆã°ï¼ŒAã•ã‚“ãŒã‚ã‚‹Webã‚µãƒ¼ãƒãƒ¼ã«ãƒ¦ãƒ¼ã‚¶ãƒ¼ç™»éŒ²ã—ãŸã¨ãï¼ŒWebã‚µãƒ¼ãƒãƒ¼ã¯ãã®å¿œç”ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã«ç›¸æ‰‹ãŒAã•ã‚“ã ã¨ã‚ã‹ã‚‹ã‚ˆã†ãªãƒ‡ãƒ¼ã‚¿ã‚’å«ã¾ã›ã‚‹ã€‚ã“ã®è˜åˆ¥ãƒ‡ãƒ¼ã‚¿ãŒCoo
potappo 2006/05/04
Cookieã®ã‚ã‹ã‚Šã‚„ã™ã„è§£èª¬ã€‚

security

XSS

browser

webservice

è‰¯ã„å›³è¡¨
ãƒªãƒ³ã‚¯
é–‹ç™ºè€…ã®ãŸã‚ã®æ£ã—ã„CSRFå¯¾ç–
è‘—è€…: é‡‘åºŠ <anvil@jumperz.net> http://www.jumperz.net/ â– ã¯ã˜ã‚ã« ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é–‹ç™ºè€…ã®ç«‹å ´ã‹ã‚‰è¦‹ãŸCSRFå¯¾ç–ã«ã¤ã„ã¦ã€ã•ã¾ã–ã¾ãªæƒ…å ±ãŒå…¥ã‚Šä¹±ã‚Œã¦ã„ã‚‹ã€‚ç†è€…ãŒ2006å¹´3æœˆã®æ™‚ç‚¹ã«ãŠã„ã¦å›½å†…ã®ã‚¦ã‚§ãƒ–ã‚µ ã‚¤ãƒˆã‚„ã‚³ãƒ³ãƒ”ãƒ¥ãƒ¼ã‚¿æ›¸ç±ãƒ»é›‘èªŒãªã©ã§CSRFå¯¾ç–ã«ã¤ã„ã¦æ›¸ã‹ã‚Œã¦ã„ã‚‹è¨˜äº‹ã‚’èª¿ã¹ãŸçµæžœã€ãŠã©ã‚ãã¹ãã“ã¨ã«ã€ãã®ã»ã¨ã‚“ã©ãŒèª¤ã‚Šã‚’å«ã‚“ã§ã„ãŸã‚Šã€ç¾å®Ÿçš„ ã«ã¯ä½¿ç”¨ã§ããªã„æ–¹æ³•ã‚’ç´¹ä»‹ã—ãŸã‚Šã—ã¦ã„ãŸã€‚ãã“ã§æœ¬ç¨¿ã§ã¯ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³é–‹ç™ºè€…ã«ã¨ã£ã¦ã®æœ¬å½“ã«æ£ã—ã„CSRFå¯¾ç–ã«ã¤ã„ã¦ã¾ã¨ã‚ã‚‹ã“ã¨ã¨ã™ ã‚‹ã€‚ã¾ãŸã€æŽ¡ç”¨ã™ã¹ãã§ãªã„CSRFå¯¾ç–ã¨ãã®ç†ç”±ã‚‚åˆã‚ã›ã¦ç´¹ä»‹ã™ã‚‹ã€‚ â– ã‚ã‚‰ã‚†ã‚‹æ©Ÿèƒ½ãŒã‚¿ãƒ¼ã‚²ãƒƒãƒˆã¨ãªã‚Šã†ã‚‹ ã‚¦ã‚§ãƒ–ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®æŒã¤å…¨ã¦ã®æ©Ÿèƒ½ãŒCSRFæ”»æ’ƒã®å¯¾è±¡ã¨ãªã‚Šã†ã‚‹ã€‚ã¾ãšã“ã®ã“ã¨ã‚’èªè˜ã—ã¦ãŠãå¿…è¦ãŒã‚ã‚‹ã€‚ Amaz
potappo 2006/03/31
web2.0æ™‚ä»£ã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã€‚

csrf

security

web2.0

webdev

0ã‚ã¨ã§èªã‚€

XSS

webservice

WebUI

ie

reference
ãƒªãƒ³ã‚¯
æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼šã‹ã‚‰ã®ãƒ¡ãƒ¼ãƒ«é–¢é€£ - ripjyr's blog
ã¤ã£ã“ã¿ã©ã“ã‚æº€è¼‰ã¿ãŸã„ã§ã™ãï½—ï¼žid:sonodamã‚µãƒ¡ http://d.hatena.ne.jp/yama_r/20060304/1141407252 è„†å¼±æ€§ã‚ˆã‚Šã‚‚ã•â€¦ - ç„¡é¡Œãƒ‰ã‚ãƒ¥ãƒ¡ãƒ³ãƒˆ æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼šã®è„†å¼±æ€§ã«ã¤ã„ã¦ - ã‚ˆãããŸã¯ã¦ãƒ€ æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼šã®å¤±æ…‹ - å…¨è„³è‡ªç”±å¸³ å¾’ç„¶"ã‚„ã‚ã‚‰ã‹"Blogæ—¥è¨˜:æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼šã®ãŠç²—æœ«ãªã‚¹ã‚¿ãƒ¼ãƒˆ - livedoor Blogï¼ˆãƒ–ãƒã‚°ï¼‰ æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼š - ç¸å´ã§ãŠèŒ¶ ã•ã£ããã‚„ã£ã¦ãã‚ŒãŸã€‚ãã‚Œã«ã¯ã¦ãªãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ã«ã‚ˆã‚‹ã¨ã€ä¼šå“¡ã«é…å¸ƒã—ã¦ã„ãŸIDã¨ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã¯ã©ã†ã‚„ã‚‰å…¨å“¡ã«å…±é€šã®ã‚‚ã®ã§ã‚ã£ãŸã‚‰ã—ã„ã€‚ãã†ã„ã†äººãŸã¡ãŒã€Œãƒ–ãƒã‚°ã®æ™®åŠä¿ƒé€²ã€ã‚’ã‚„ã‚‹ã®ã‹ã€‚æ—©ãã€Œå…¨éƒ¨ãƒã‚¿ã§ã—ãŸã€ã¨è¨€ã£ã¦ã»ã—ã„ã€‚ ã¦ã‹ã€ã‰ãƒã‰ãƒãƒ»ãƒ»ãƒ»ï¼
potappo 2006/03/06
æ˜”ã€JBAã¨ã„ã†ã®ãŒã‚ã£ãŸãŒã‚ãƒ¼ãƒ¯ãƒ¼ãƒ‰ã«ã‚ˆã‚‹ã¨ãã‚Œã¨ã¯é•ã†ã‚‰ã—ã„ã€‚

blog

security

mail

æ—¥æœ¬ãƒ–ãƒã‚°å”ä¼š

XSS
ãƒªãƒ³ã‚¯
1