์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

XSS - Cross Site Script

XSS๋ž€ ๋ฌด์—‡์ธ๊ฐ€ ?

๋™์  ์ฒ˜๋ฆฌ๊ฐ€ ์ด๋ฃจ์–ด์ง€๋Š” ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜์— ๋Œ€ํ•ด ์•…์˜์ ์ธ ์Šคํฌ๋ฆฝํŠธ๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ

์‚ฌ์šฉ์ž์—๊ฒŒ ๋น„์ •์ƒ์ ์ธ ํ–‰์œ„๋ฅผ ๊ฐ•์ œ์ ์œผ๋กœ ์œ ๋„ํ•˜๋Š” ๊ณต๊ฒฉ

 

๋™์  ์ฒ˜๋ฆฌ๊ฐ€ ์ด๋ฃจ์–ด์ง€๋Š” ์›น ์–ดํ”Œ๋ฆฌ์ผ€์ด์…˜

๋™์  ์ฒ˜๋ฆฌ : ์‚ฌ์šฉ์ž์˜ ์ž…๋ ฅ ๊ฐ’์— ๋”ฐ๋ผ์„œ ๋‹ค๋ฅธ ๊ฒฐ๊ณผ๋‚˜ ์‘๋‹ต์„ ์ฃผ๋Š” ๊ฒƒ

์ž…๋ ฅ๊ฐ’/์„ธ์…˜/์‹œ๊ฐ„ ๋“ฑ ๋‹ค์–‘ํ•œ ๋ฐฉ๋ฒ•์œผ๋กœ ๋‹ค๋ฅธ ๊ฒฐ๊ณผ๋ฌผ์„ ์ถœ๋ ฅ

๊ฒŒ์‹œํŒ,๊ฒ€์ƒ‰,๋กœ๊ทธ์ธ

 

์•…์˜์ ์ธ ์Šคํฌ๋ฆฝํŠธ

Server Side Script : PHP, JSP

Client Side Script : Java Script

 

๋น„์ •์ƒ์ ์ธ ํ–‰์œ„

Java Script ๋ณ€์กฐํ•˜์—ฌ ๊ณต๊ฒฉ์ž์˜ ์›น ์‚ฌ์ดํŠธ๋กœ ์œ ๋„

์ฆ‰ XSS๋Š” ์‚ฌ์ดํŠธ ์ž์ฒด๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” SQL Injection ๊ฐ™์€ ๊ณต๊ฒฉ๊ณผ๋Š” ๋‹ค๋ฅด๊ฒŒ ํด๋ผ์ด์–ธํŠธ ์ธก์„ ๊ณต๊ฒฉํ•˜๋Š” ๊ธฐ๋ฒ•

์ตœ๊ทผ XSS๊ฐ€ ๋œจ๊ณ  ์žˆ๋Š” ์ด์œ  ์ค‘ ํ•˜๋‚˜๊ฐ€ ์ ์  ๋ณด์•ˆ์ด ๊ฐ•ํ™”๋˜๋ฉด์„œ server side ๊ณต๊ฒฉ์ด ์–ด๋ ค์›Œ์ง€๊ณ  ์žˆ์Œ

๋ฐฉํ™”๋ฒฝ, ์‹œํ์–ด์ฝ”๋”ฉ, WAF ๋“ฑ๋“ฑ

 

๊ณต๊ฒฉ ์œ ํ˜•

- ํ”ผ์‹ฑ : ์•…์˜์ ์ธ ์‚ฌ์šฉ์ž๊ฐ€ ์œ ๋„ํ•œ ์‚ฌ์ดํŠธ๋กœ ๋ฆฌ๋‹ค์ด๋ ‰์…˜

- ์•…์„ฑ์ฝ”๋“œ ์œ ํฌ : ๋žœ์„ฌ ์›จ์–ด ( Drive-by Download ) ์›น ๋ธŒ๋ผ์šฐ์ € ์ทจ์•ฝ์ ์„ ์ด์šฉํ•ด ์‚ฌ์šฉ์ž ๋ชฐ๋ž˜ ๋‹ค์šด๋กœ๋“œ ์‹คํ–‰

- ์›น ๋ธŒ๋ผ์šฐ์ € ๊ณต๊ฒฉ : ์‚ฌ์šฉ์ž์˜ ์›น ๋ธŒ๋ผ์šฐ์ € ๊ถŒํ•œ, ( ์œ„์น˜์ถ”์  ๋“ฑ ), ํ‚ค ๋กœ๊น…, ์‚ฌํšŒ ๊ณตํ•™ ๊ธฐ๋ฒ•

- ์„ธ์…˜ ํ•˜์ด์žฌํ‚น : ์„ธ์…˜ ํƒˆ์ทจ๋ฅผ ํ†ตํ•ด ์‚ฌ์šฉ์ž ๊ณ„์ •์„ ๋ฌด๋‹จ์œผ๋กœ ์‚ฌ์šฉ

- CSRF( ํฌ๋กœ์Šค ์‚ฌ์ดํŠธ ์š”์ฒญ ๋ณ€์กฐ )

 

XSS๊ณต๊ฒฉ์€ ์‚ฌ์šฉ์ž์ธก ๊ณต๊ฒฉ์ด๋ฉฐ, ๋‹จ์ˆœํ•œ ์ˆ˜๋‹จ

๋ชจ์˜ํ•ดํ‚น ์ง„๋‹จ์„ ํ•  ๋•Œ ์„œ๋ฒ„ ์นจํˆฌ ์‹œ๋‚˜๋ฆฌ์˜ค ๊ณ„ํš

XSS๊ณต๊ฒฉ์€ ์ œ์•ฝ์‚ฌํ•ญ๊ณผ ๋Œ€๊ธฐ ์‹œ๊ฐ„, ๋ถˆํ™•์‹ค์„ฑ ๋“ฑ์ด ์žˆ๊ธฐ ๋•Œ๋ฌธ์— ๋งŽ์ด ์‚ฌ์šฉ๋˜์ง€๋Š” ์•Š์Œ

์ง„๋‹จ์„ ํ•  ๋•Œ alert์ฐฝ๋งŒ ๋„์›Œ์ฃผ๊ณ  ๋งˆ์น˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์Œ

 

XSS ๊ณต๊ฒฉ๋„ ๋‹ค์–‘ํ•œ ๋ฐฉ๋ฒ•

๊ณต๊ฒฉ ์›๋ฆฌ๋งŒ ๋‹ค๋ฅผ ๋ฟ ๋ฐฉ๋ฒ•์€ ๊ฐ™๋‹ค

๊ณต๊ฒฉ ๋ฐฉ๋ฒ• ( ์„ธ์…˜ ํ•˜์ด์žฌํ‚น ) : <script> alert(document.cookie) </script>

DOM-based XSS : Document ๊ฐ์ฒด๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ํด๋ผ์ด์–ธํŠธ๋‹จ์—์„œ ์ด๋ฃจ์–ด์ง„๋‹ค.

Reflected based XSS : ๊ณต๊ฒฉ์„ ๋ณด๋‚ด๊ณ  ์„œ๋ฒ„์—์„œ ํ•ด๋‹น ์•…์„ฑ ์Šคํฌ๋ฆฝํŠธ๊ฐ€ ๋Œ์•„์˜จ๋‹ค

stored based XSS : ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค ์•ˆ์— ์ €์žฅ๋œ ์Šคํฌ๋ฆฝํŠธ๋ฅผ ๋ถˆ๋Ÿฌ์˜จ๋‹ค.

 

์ง„๋‹จ์„ ์™œ alert์œผ๋กœ ํ•˜๋Š”๊ฐ€ ?

alert(๊ฒฝ๊ณ ์ฐฝ)์ด ๋œฌ๋‹ค == Script ์ ์šฉ์ด ๋œ๋‹ค.

 

DOM-based XSS

DOM: Document Object Model

Occurs when a URL containing the malicious script is opened in the user's web browser.

When the malicious script fires, the server side has not built the page with it,

==> the string 'test' is not found in the Response.

The web browser builds the page from the user's input value.

==> The received Response does not carry the input as a string; the page's own script reads it (here from the URL) and computes and renders it on the user side.

    <script>
        function searchKeywordPrint(keyword) {
            // Sink: the untrusted keyword is concatenated into an HTML string and assigned via innerHTML
            var result1 = "<div class=\"panel panel-default\"><div class=\"panel-body\">\"" + keyword + "\" search results.</div></div>";
            document.getElementById('searchResult1').innerHTML = result1;
            var result2 = "<div class=\"alert alert-warning alert-dismissible\" role=\"alert\"><button type=\"button\" class=\"close\" data-dismiss=\"alert\" aria-label=\"Close\"><span aria-hidden=\"true\">&times;</span></button><strong>Warning!</strong> No search results found.</div>";
            document.getElementById('searchResult2').innerHTML = result2;
        }
        // Source: the keyword is read from the URL query string, never sent to the server
        var keyword = (new URLSearchParams(window.location.search)).get('keyword');
        if(keyword) {
            searchKeywordPrint(keyword);
        }
    </script>
    <!-- jQuery (required for Bootstrap's JavaScript plugins) -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.2/jquery.min.js"></script>
    <!-- Include all compiled plugins (below), or include the individual files you need -->
    <script src="./js/bootstrap.min.js"></script>

 

<script> alert ( "Script output." ) </script> # does not work
# HTML5 specifies that a <script> element inserted through innerHTML is not executed, so this payload is inert in a DOM sink like the one above

<img src=# onerror=alert('This is an XSS attack')> # works (event-handler attributes on inserted elements do fire)

<img src=# onerror=alert(document.cookie)>

Navigate to post idx 8 on the board

<img src=# onerror=location.href='../board/view.php?idx=8'>
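As an added example (not code from the original post), the page's searchKeywordPrint() is reduced to a function that returns the HTML string instead of writing it to the DOM, beside a hardened version that escapes the keyword first. This makes the difference between the raw and the escaped output visible outside a browser; the host victim.example and the function names are this example's own assumptions.

```javascript
// Added example, not code from the original post. The page's searchKeywordPrint()
// concatenates the keyword from the URL into an HTML string and assigns it with
// innerHTML, so the browser parses attacker-controlled markup. The renderers below
// return the HTML string instead of writing to the DOM, so the vulnerable and the
// hardened version can be compared (and tested) outside a browser.

// Minimal HTML escaper for text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Source: the keyword is taken from the query string exactly as the page does.
function keywordFromUrl(url) {
  return new URL(url).searchParams.get('keyword');
}

// Vulnerable: mirrors the page's concatenation, keyword inserted raw.
function renderVulnerable(keyword) {
  return '<div class="panel panel-default"><div class="panel-body">"' +
         keyword + '" search results.</div></div>';
}

// Hardened: same markup, keyword escaped before it reaches the HTML string.
// In the real page the equivalent fix is to create the element and assign the
// keyword with .textContent instead of building HTML for innerHTML.
function renderSafe(keyword) {
  return '<div class="panel panel-default"><div class="panel-body">"' +
         escapeHtml(keyword) + '" search results.</div></div>';
}

// Check: if the keyword contained a '<' and the rendered HTML still holds the
// keyword verbatim, the browser would parse it as markup (an element with an
// event-handler attribute, for instance) rather than display it as text.
function keywordBecameMarkup(html, keyword) {
  return keyword.includes('<') && html.includes(keyword);
}

// Constructed payloads matching the ones discussed above.
// A <script> element inserted via innerHTML is never executed (HTML spec),
// which is why the first one is inert while the <img onerror> one fires.
const PAYLOAD_SCRIPT = '<script>alert(1)</script>';
const PAYLOAD_IMG = '<img src=# onerror=alert(document.cookie)>';

// Stand-alone demo against a hypothetical search page (host is made up).
const demoUrl = 'http://victim.example/search.html?keyword=' + encodeURIComponent(PAYLOAD_IMG);
const demoKeyword = keywordFromUrl(demoUrl);
console.log('vulnerable:', renderVulnerable(demoKeyword));
console.log('safe:      ', renderSafe(demoKeyword));
```

Both payloads end up as markup in renderVulnerable(); the difference is only what the browser does with the markup afterwards: the <script> element is inserted but never run, the <img> element's onerror handler runs as soon as the broken src fails to load. renderSafe() turns either into inert text.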

 

Reflected XSS

The page is built on the server side from the user's input value.

The server receives the variable, processes it and returns the result to the client; the attack rides on that path.

If the input contains JavaScript syntax, the browser interprets it as JavaScript when the response is rendered.

<script>alert('This is an XSS attack.')</script>

 

Stored XSS

The script code is stored in the database and loaded from there when the page is viewed.

The submitted content is saved in the database, so every user who later views that page runs it.

 

์ถœ๋ ฅ ํฌ์ง€์…˜ ํ™•์ธํ•˜๊ธฐ

 

 

๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

XSS ์šฐํšŒ ๊ณต๊ฒฉ  (0) 2022.07.14
XSS ๊ณต๊ฒฉ ํ”„๋กœ์„ธ์Šค  (0) 2022.07.13
Secure coding  (0) 2022.07.12
SQL Injection ์‹ค์Šต  (0) 2022.07.08
CODE Injection  (0) 2022.07.07
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.