Coffeenix, a rest stop for system engineers
  On the XAS (Cross Agent Scripting) and XRS vulnerabilities    Posted: 2009/03/10 12:37
 
  • Author : 좋은진호 ( http://coffeenix.net/ )
     
    Title  : On the XAS (Cross Agent Scripting) and XRS vulnerabilities
    Author : 좋은진호 (truefeel, http://coffeenix.net/ )
    Date   : 2009.3.9 (Mon)

    In web programming there are times when the browser name (User-Agent) or the Referer is printed to the page. Both are request headers that anyone can change (forge) at will, and although that is well known, the values are often echoed straight out with no special handling. A normal browser name looks like the following, and echoing it as-is causes no harm:

     
    Mozilla/5.0 (X11; U; Linux i686; ko; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
     


    The situation changes if the browser name carries JavaScript or other code, as below. The damage may be small compared with XSS or XSRF, because an attacker can normally only set the User-Agent of a browser they already control, but it is still execution of arbitrary malicious JavaScript. Where the same headers are written to logs and later rendered for someone else (statistics pages, log viewers, admin screens), the injected script runs in that viewer's browser, which is the case that matters in practice.

     
    <script>alert('hello')</script>
     


    Putting executable code or JavaScript into the browser name is called XAS (Cross Agent Scripting),
    and putting it into the Referer is called XRS (Cross Referer Scripting). Both are reflected cross-site scripting whose injection point is a request header rather than a URL parameter or form field.

    Let's test by changing the Referer. Firefox has the 'RefControl' add-on ( http://addons.mozilla.org/ko/firefox/addon/953 ), which can rewrite the Referer. After installing it, choose Tools -> RefControl Options -> Add Site. From the command line, curl does the same job with -e (Referer) and -A (User-Agent).


    ( Firefox RefControl add-on: the screen where the user sets the Referer )

    On a page consisting of nothing more than <? echo $_SERVER['HTTP_REFERER']; ?>, the JavaScript can be seen executing, as below.


    ( XRS test result. This page was created temporarily for the test and does not really exist. )

    To block XAS and XRS in PHP, convert the special characters (<, >, quotes) with htmlspecialchars() or a similar function before the value is written into HTML. Do this at output time, in every place the header is rendered, and pass ENT_QUOTES and an explicit charset so that values placed inside attributes are covered as well.

    [ Unsafe PHP code ]
     
    <?php
    // Reflects two request headers straight into the page: anyone can put
    // <script> tags in their User-Agent or Referer and have them rendered.
    echo $_SERVER['HTTP_USER_AGENT'];
    echo $_SERVER['HTTP_REFERER'];
    ?>
     


    [ Safe form of the PHP code ]
     
    <?php
    // Escape on output. ENT_QUOTES covers both quote characters, so the value is
    // safe inside attributes too; "?? ''" avoids a warning when no Referer was sent.
    echo htmlspecialchars($_SERVER['HTTP_USER_AGENT'] ?? '', ENT_QUOTES, 'UTF-8');
    echo htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '', ENT_QUOTES, 'UTF-8');
    ?>
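    The following is an added example, not code from the original post: a single PHP file that reproduces the XAS/XRS test described above without the RefControl add-on (curl forges the headers) and shows the hardened rendering next to the vulnerable one. The file name xas_demo.php, the ?mode=unsafe switch, the helper names h(), header_value(), render() and self_check(), and the header values in the self-check are all assumptions made for the example. It goes one step beyond the post by placing the Referer inside a single-quoted attribute, which is why the escaping uses ENT_QUOTES.

```php
<?php
// Added example for this post (not the original author's code). It reproduces
// the XAS/XRS echo bug from the post and the hardened rendering in one file.
//
// Serve it and forge the headers with curl instead of the RefControl add-on:
//   php -S 127.0.0.1:8080 xas_demo.php
//   curl -A "<script>alert('xas')</script>" 'http://127.0.0.1:8080/?mode=unsafe'
//   curl -e "x' onmouseover='alert(1)" 'http://127.0.0.1:8080/?mode=unsafe'
// Drop ?mode=unsafe to see the escaped output. Run "php xas_demo.php" on the
// command line for an offline self-check with constructed header values.

declare(strict_types=1);

// Escape a string for use in HTML text and in attribute values.
// ENT_QUOTES also converts single quotes, which htmlspecialchars() leaves
// untouched by default before PHP 8.1; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string and silently dropping the value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read one request header from a $_SERVER-shaped array. HTTP_REFERER is often
// absent, and reading a missing key directly emits a warning.
function header_value(array $server, string $key): string
{
    return isset($server[$key]) && is_string($server[$key]) ? $server[$key] : '';
}

// Render the page. $escape = false is the vulnerable behaviour described in
// the post; $escape = true is the fix.
function render(array $server, bool $escape): string
{
    $ua  = header_value($server, 'HTTP_USER_AGENT');
    $ref = header_value($server, 'HTTP_REFERER');
    if ($escape) {
        $ua  = h($ua);
        $ref = h($ref);
    }
    // The Referer is placed in a single-quoted attribute as well as in text:
    // a value like  x' onmouseover='alert(1)  contains no < or > at all and
    // still injects an event handler unless the quote is escaped too.
    return "<p>User-Agent: {$ua}</p>\n"
         . "<p title='{$ref}'>Referer: {$ref}</p>\n";
}

// Offline check: true when the escaped output neutralises both payloads and
// the unescaped output still carries them.
function self_check(): bool
{
    $fake = [ // constructed header values, not real traffic
        'HTTP_USER_AGENT' => "<script>alert('xas')</script>",
        'HTTP_REFERER'    => "x' onmouseover='alert(1)",
    ];
    $unsafe = render($fake, false);
    $safe   = render($fake, true);

    return strpos($unsafe, '<script>') !== false
        && strpos($unsafe, "title='x' onmouseover=") !== false
        && strpos($safe, '<script>') === false
        && strpos($safe, "x' onmouseover") === false
        && strpos($safe, '&lt;script&gt;') !== false;
}

if (PHP_SAPI === 'cli') {
    $ok = self_check();
    echo $ok ? "self-check passed\n" : "self-check FAILED\n";
    exit($ok ? 0 : 1);
}

header('Content-Type: text/html; charset=UTF-8');
$escape = ($_GET['mode'] ?? 'safe') !== 'unsafe';
echo render($_SERVER, $escape);
```

    The second curl line is the reason plain htmlspecialchars() with its pre-8.1 defaults is not enough once a header lands inside an attribute: the payload contains no angle brackets, so only the quote conversion from ENT_QUOTES stops it. The same h() helper should be applied wherever the raw header is rendered later, for example on a statistics or log page, since that is where a forged User-Agent reaches a victim other than its sender.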
     


    ※ There are many Korean-language documents on XSS (Cross Site Scripting) and CSRF/XSRF (Cross Site Request Forgery), but almost none on XAS and XRS, so I wrote this up.


    Coffeenix, a rest stop for system engineers / URL : http://coffeenix.net/board_view.php?bd_code=1666