About the XAS (Cross Agent Scripting) and XRS vulnerabilities | Posted: 2009/03/10 12:37
Views: 9715
Title: About the XAS (Cross Agent Scripting) and XRS vulnerabilities
Author: 좋은진호 (truefeel, http://coffeenix.net/ )
Date: 2009.3.9 (Mon)

In web programming there are cases where the browser name (User-Agent) or the referer (Referer) is printed on the page. Even though it is well known that anyone can easily change (forge) the browser name and the referer in the request header, they are very often echoed straight out without any special handling. A typical browser name has the format shown below. Echoing that as-is would not cause any problem.
However, if JavaScript or similar code is placed in the browser name, as shown below, the situation changes. The damage may be minor compared to XSS or XSRF, but arbitrary malicious JavaScript can be executed.
Inserting executable code or JavaScript into the browser name is called XAS (Cross Agent Scripting), and inserting it into the referer is called XRS (Cross Referer Scripting).

Let's test this by changing the referer. Firefox has the 'RefControl' add-on ( http://addons.mozilla.org/ko/firefox/addon/953 ), which can change the referer. After installing it, click Tools -> RefControl Options -> Add Site.

( The screen in the Firefox RefControl add-on where the user sets the Referer )

For a page that contains nothing more than <? echo $_SERVER['HTTP_REFERER']; ?>, you can confirm that the JavaScript is executed, as shown below.

( XRS test result. This page was created temporarily for the test and does not actually exist. )

To block XAS and XRS, in PHP the special characters (<, > and so on) must be converted with a function such as htmlspecialchars().

[ Bad PHP code ]

[ Safe PHP code ]
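As an added example (not the post's own code), the raw echo the post warns about next to the htmlspecialchars() form it recommends; the header values are constructed for the demonstration and nothing is read from a real client:

```php
<?php
// Added example, not the post's own code. Shows the raw echo the post warns
// about next to the htmlspecialchars() form it recommends. All header values
// below are constructed for the demonstration; nothing is read from a client.

// Unsafe: the header value is written into the page as-is, so any markup the
// client put into User-Agent or Referer is interpreted by the browser.
function render_unsafe(string $label, string $value): string
{
    return "<p>$label: $value</p>";
}

// Safe: <, >, &, " and ' become entities, so the header is displayed as text.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps invalid UTF-8
// from making htmlspecialchars() return an empty string.
function render_safe(string $label, string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>$label: $escaped</p>";
}

// Constructed sample values: an ordinary referer, a forged referer carrying
// markup (the XRS case) and a forged browser name (the XAS case).
$samples = [
    ['Referer',    'http://coffeenix.net/board_view.php?bd_code=1666'],
    ['Referer',    'http://forged.example/<script>alert("xrs")</script>'],
    ['User-Agent', 'Mozilla/5.0 (X11; Linux) <script>alert("xas")</script>'],
];

foreach ($samples as [$label, $value]) {
    echo "unsafe: ", render_unsafe($label, $value), "\n";
    echo "safe:   ", render_safe($label, $value), "\n\n";
}

// In a real request handler the same rule applies to the live headers:
// never echo $_SERVER['HTTP_USER_AGENT'] or $_SERVER['HTTP_REFERER'] raw.
$agent = $_SERVER['HTTP_USER_AGENT'] ?? '(no User-Agent: run from the CLI)';
echo render_safe('User-Agent', $agent), "\n";
```

Running it with `php -f` prints each sample twice: in the unsafe line the `<script>` element is left intact, in the safe line it appears as `&lt;script&gt;` and is inert.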
※ There are many Korean-language documents on XSS (Cross Site Scripting) and CSRF/XSRF (Cross Site Request Forgery), but almost none on XAS and XRS, so I have written this up.
Coffeenix, a resting place for system engineers / URL: http://coffeenix.net/board_view.php?bd_code=1666