Coffeenix (커피닉스), a resting place for system engineers: *NIX with the aroma of coffee. Covering systems, networking and security.

  On the XAS (Cross Agent Scripting) and XRS vulnerabilities    Posted: 2009/03/10 12:37
 
  • Author : 좋은진호 ( http://coffeenix.net/ )
  • Views : 9713
      Title  : On the XAS (Cross Agent Scripting) and XRS vulnerabilities
    Author : 좋은진호 (truefeel, http://coffeenix.net/ )
    Date   : 2009.3.9 (Mon)

    In web programming there are times when the browser name (User-Agent) or the Referer is printed to the page. Even though it is well known that anyone can easily change (forge) the browser name and the Referer in the request header, it is common to echo them straight into the page without any special handling. An ordinary browser name looks like the following, and echoing it as-is causes no problem.

     
    Mozilla/5.0 (X11; U; Linux i686; ko; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
     


    However, if JavaScript or other code is placed in the browser name, as shown below, the situation changes. The damage may be smaller than with XSS or XSRF, but arbitrary malicious JavaScript can be executed.

     
    <script>alert('hello')</script>
     


    Placing executable code or JavaScript in the browser name is called XAS (Cross Agent Scripting),
    and placing it in the Referer is called XRS (Cross Referer Scripting).

    Let's test this by changing the Referer. Firefox has the 'RefControl' add-on ( http://addons.mozilla.org/ko/firefox/addon/953 ), which lets you change the Referer. After installing it, click Tools -> RefControl Options -> Add Site.


    ( The screen in the Firefox RefControl add-on where the user sets the Referer )

    On a page that contains nothing more than <? echo $_SERVER['HTTP_REFERER']; ?>, you can confirm that the JavaScript executes, as shown below.


    ( XRS test result. This page was created temporarily for the test and does not actually exist. )

    To prevent XAS and XRS, in PHP the special characters (<, > and so on) must be converted with a function such as htmlspecialchars() before output.

    [ Bad PHP code ]
     
    <?php
    // Both header values are client-controlled and are echoed into the HTML untouched.
    echo $_SERVER['HTTP_USER_AGENT'];
    echo $_SERVER['HTTP_REFERER'];
    ?>
     


    [ Safe form of the PHP code ]
     
    <?php
    // Escape <, >, &, " and ' before the values reach the HTML. ENT_QUOTES and the
    // charset are added here so single quotes are covered too; ?? '' handles a missing header.
    echo htmlspecialchars($_SERVER['HTTP_USER_AGENT'] ?? '', ENT_QUOTES, 'UTF-8');
    echo htmlspecialchars($_SERVER['HTTP_REFERER'] ?? '', ENT_QUOTES, 'UTF-8');
    ?>
     


    ※ There are many Korean-language documents on XSS (Cross Site Scripting) and CSRF/XSRF (Cross Site Request Forgery), but almost none on XAS and XRS, so I wrote this up.
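    As an added example (not part of the original post), the following Python script shows the defender's side of the XAS/XRS issue described above: it parses constructed combined-format web server log lines, flags any User-Agent (XAS) or Referer (XRS) field that carries markup, and shows the htmlspecialchars()-equivalent text a page should render instead of the raw value. The log lines, IP addresses and paths are all constructed for the example.

```python
import html
import re

# Apache/nginx "combined" log format: the Referer and the User-Agent are the
# last two quoted fields, and both are copied verbatim from the client request.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An HTML tag or a javascript: URL has no business in a browser name or a referring URL.
SUSPICIOUS = re.compile(r'<\s*/?[a-z]|javascript:', re.IGNORECASE)

def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def flag_xas_xrs(lines):
    """Return (kind, value) pairs for every User-Agent (XAS) or Referer (XRS) carrying markup."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # not combined format; a real scanner would count these separately
        if SUSPICIOUS.search(rec["agent"]):
            hits.append(("XAS", rec["agent"]))
        if SUSPICIOUS.search(rec["referer"]):
            hits.append(("XRS", rec["referer"]))
    return hits

def render_safely(value):
    """What the page should echo: the equivalent of PHP htmlspecialchars() with ENT_QUOTES."""
    return html.escape(value, quote=True)

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2009:10:00:00 +0900] "GET /ua.php HTTP/1.1" 200 512 '
    '"http://example.com/" "Mozilla/5.0 (X11; U; Linux i686; ko; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4"',
    '192.0.2.11 - - [09/Mar/2009:10:00:01 +0900] "GET /ua.php HTTP/1.1" 200 512 '
    '"http://example.com/" "<script>alert(\'hello\')</script>"',
    '192.0.2.12 - - [09/Mar/2009:10:00:02 +0900] "GET /ref.php HTTP/1.1" 200 512 '
    '"<script>alert(1)</script>" "curl/7.19.7"',
]

if __name__ == "__main__":
    for kind, value in flag_xas_xrs(SAMPLE_LOG):
        print(kind, "raw:", value)
        print(kind, "escaped:", render_safely(value))
```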