
XSS

Last-modified: 2016-12-30 16:30:05

An easy-to-understand guide to cross-site scripting (XSS) in PHP

What is cross-site scripting?

  • If users can enter arbitrary input, the displayed page can be altered at will.
    • On sites that must be trusted this is fatal.
  • Because JavaScript can be executed, cookies become accessible.
    • Information that is normally unobtainable can be obtained.
      • Session IDs and similar values can be stolen via cookies.
    • It is also sometimes used to automatically perform actions against other sites.

  • Do not trust user or external input.
  • Therefore, never display user or external input as-is.
  • Where possible, make the input a selection. Use it only after it has been mapped onto a prepared value.
  • Validate every time, on the assumption that the data can change.
  • Do not just memorize countermeasures; understand how HTML, JavaScript and the XSS mechanism work, and why each countermeasure is needed.

Countermeasures

  • Restrict the input method.
    • Reason: accepting only a fixed format rather than free input keeps HTML and JavaScript out.
    • Example: input such as "1977/08/18" is checked against a fixed format, so nothing that could become an attack remains.
  • Restrict the output (display) method.
    • Reason: even where free text input is accepted, use it only within ordinary HTML text (the HTML body content). In particular, avoid output in the following places, because depending on the browser JavaScript may be executed there.
      • external input inside style or script tags
      • external variables inside attribute values
  • Do not use SJIS as the encoding (UTF-8 is strongly recommended).
    • Reason: handling multibyte characters in SJIS is a frequent source of bugs, and UTF-8 can encode many more characters.
    • Example: many SJIS problems are documented on the web.
  • Always escape input with htmlspecialchars or similar when outputting it (see the manual for details: http://bit.ly/9PCb3Y).
    • Reason: to prevent HTML/JavaScript execution, characters with meaning in HTML are converted to HTML entities so they are not interpreted as HTML.
  • Always pass ENT_QUOTES (second argument) and the character encoding (third argument) to htmlspecialchars.
    • Reason: ENT_QUOTES "converts both single and double quotes"; if it is omitted, single quotes are not converted (see the manual).
      • Specifying them each time is easy to forget and inefficient, so wrap the call in your own helper function (CakePHP's h function).
    // CakePHP's h function (shown here with the config lookup disabled)
    function h($text, $charset = null) {
        if (is_array($text)) {
            // arrays are escaped element by element (note: $charset is not passed
            // through, so each element falls back to UTF-8 below)
            return array_map('h', $text);
        }

        /*
        if (empty($charset)) {
            // reads the encoding from the config file; not loadable outside CakePHP
            $charset = Configure::read('App.encoding');
        }
        */

        if (empty($charset)) {
            $charset = 'UTF-8';
        }
        return htmlspecialchars($text, ENT_QUOTES, $charset);
    }

A less obvious case

$_SERVER['HTTP_USER_AGENT'];

Values such as the browser's User-Agent can also be changed freely by the user, so they need XSS countermeasures too.
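As an added example (not code from the original page or from CakePHP), the following script puts the countermeasures above and the User-Agent note together: a format check for a date input, a mapping onto prepared values, the h() wrapper with ENT_QUOTES and a fixed UTF-8 charset, and escaped output in text and quoted-attribute contexts. The helper names validate_date, pick_option and render_row, the sample User-Agent string and the sample input values are assumptions constructed for this example.

```php
<?php
// Added example: input restriction and context-aware output escaping in PHP.
// validate_date, pick_option and render_row are names assumed for this example;
// h() mirrors the page's wrapper around htmlspecialchars.

// Escape for HTML text and quoted-attribute contexts. ENT_QUOTES makes single
// quotes escape as well (it is the default only since PHP 8.1, so older code
// must pass it explicitly); the charset is pinned to UTF-8.
function h($text, $charset = 'UTF-8') {
    if (is_array($text)) {
        return array_map('h', $text);
    }
    return htmlspecialchars((string)$text, ENT_QUOTES, $charset);
}

// Restrict the input format: only YYYY/MM/DD that is also a real calendar date.
function validate_date($input) {
    if (!preg_match('~\A(\d{4})/(\d{2})/(\d{2})\z~', $input, $m)) {
        return false;
    }
    return checkdate((int)$m[2], (int)$m[3], (int)$m[1]);
}

// Map free input onto a prepared value; anything unknown falls back to $default.
function pick_option($input, array $allowed, $default) {
    return in_array($input, $allowed, true) ? $input : $default;
}

// Render one table row. Every value goes through h(); the script/style and
// unquoted-attribute contexts the page warns about are deliberately not used.
function render_row($date, $sort, $user_agent) {
    return '<tr data-sort="' . h($sort) . '">'
         . '<td>' . h($date) . '</td>'
         . "<td title='" . h($user_agent) . "'>" . h($user_agent) . '</td>'
         . '</tr>';
}

// Constructed sample input. A hostile User-Agent header is just another input;
// in production it would come from $_SERVER['HTTP_USER_AGENT'].
$ua   = "Mozilla/5.0 '><script>alert(1)</script>";
$date = $argv[1] ?? '1977/08/18';
$sort = pick_option('asc; DROP', ['asc', 'desc'], 'asc');   // unknown -> 'asc'

if (!validate_date($date)) {
    echo 'rejected date: ' . h($date) . "\n";
    exit(1);
}
echo render_row($date, $sort, $ua), "\n";

// Why ENT_QUOTES matters: without it the single quote survives and would close
// the title='' attribute above early; with it the quote becomes &#039;.
echo htmlspecialchars($ua, ENT_COMPAT, 'UTF-8'), "\n";
echo htmlspecialchars($ua, ENT_QUOTES, 'UTF-8'), "\n";
```

Run it as `php example.php 1977/08/18`; a value that does not match the fixed format (for instance `1977/13/40` or anything containing markup) is rejected before it reaches the output stage, and the accepted row shows every `<`, `>`, `"` and `'` of the sample User-Agent emitted as an entity.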

References consulted