Hi๐Ÿ‘‹๐Ÿผ Iโ€™m HAHWUL.

Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts

PQ3 and PQC ๐Ÿ—๏ธ

  • 2 min read

Apple์—์„œ ์กฐ๋งŒ๊ฐ„ iMessage์— PQ3๋ผ๋Š” ์•”ํ˜ธํ™” ํ”„๋กœํ† ์ฝœ์„ ์ ์šฉํ•  ์˜ˆ์ •์ด๋ผ๊ณ  ๋ฐœํ‘œํ–ˆ์Šต๋‹ˆ๋‹ค.

Read More

Do you need a config? Now, Pkl

  • 1 min read

์ตœ๊ทผ์— Apple์ด ๋‚ด๋ถ€์—์„œ ์‚ฌ์šฉํ•˜๋˜ Configuration language๋ฅผ ์˜คํ”ˆ์†Œ์Šค๋กœ ๊ณต๊ฐœํ—€์Šต๋‹ˆ๋‹ค. ๋ฐ”๋กœ Pkl(ํ”ผํด)์ธ๋ฐ์š”, ๊ณผ์—ฐ Pkl์€ JSON๊ณผ YAML๊ณผ ํ•จ๊ป˜ Config๊ณ„์˜ ๋Œ€ํ‘œ ์ฃผ์ž๊ฐ€ ๋  ์ˆ˜ ์žˆ์„๊นŒ์š”?

Read More

Crystal-Lang is โค๏ธ

  • 2 min read

์ €๋Š” ์ตœ๊ทผ์— Crystal-lang์„ ์ฆ๊ธฐ๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ๊ฐ„๋‹จํ•œ ํ† ์ด ํ”„๋กœ์ ํŠธ๋ถ€ํ„ฐ Noir๋ž€ ์‚ฌ์ด์ฆˆ๊ฐ€ ์ ์  ์ปค์ง€๊ณ  ์žˆ๋Š” ํ”„๋กœ์ ํŠธ๊นŒ์ง€ Crystal์„ ํ†ตํ•ด ๊ตฌํ˜„ํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ์˜ค๋Š˜์€ ์ œ๊ฐ€ Crystal์„ ์ข‹์•„ํ•˜๊ฒŒ๋œ ์ด์œ ์— ๋Œ€ํ•ด ์ด์•ผ๊ธฐํ•˜๋ ค๊ณ  ํ•ฉ๋‹ˆ๋‹ค.

Read More

DOM Handling with MutationObserver

  • 3 min read

์ตœ๊ทผ ZAP์€ SPA ๊ธฐ๋ฐ˜์˜ ์•ฑ์„ ์‰ฝ๊ฒŒ ์‹๋ณ„ํ•˜๊ธฐ ์œ„ํ•ด Client Side Integration ์ด๋ž€ ๊ธฐ๋Šฅ์„ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค. ์ด ์ด ๋•Œ DOM์˜ ๋ณ€ํ™”๋ฅผ ์‹๋ณ„ํ•˜๊ธฐ ์œ„ํ•œ ์žฅ์น˜๋กœ MutationObserver๊ฐ€ ์‚ฌ์šฉ๋˜์—ˆ๋Š”๋ฐ์š”. ์˜ค๋Š˜์€ MutationObserver๊ฐ€ ๋ญ”์ง€ ๊ทธ๋ฆฌ๊ณ  ๋ณด์•ˆ ํ…Œ์ŠคํŒ… ์‹œ ์–ด๋–ป๊ฒŒ ์‚ฌ์šฉํ•  ์ˆ˜ ์žˆ์„์ง€ ์ด์•ผ๊ธฐํ•ด๋ด…๋‹ˆ๋‹ค.

Read More

Lazy-loading iframe in Firefox

  • ~1 min read

์ตœ๊ทผ์— Firefox์ชฝ์—์„œ ํ•˜๋‚˜ ์—…๋ฐ์ดํŠธ๋ฅผ ์˜ˆ๊ณ  ํ–ˆ์Šต๋‹ˆ๋‹ค. ๊ณง img ํƒœ๊ทธ์—๋งŒ ์กด์žฌํ•˜๋˜ lazy-loading์ด iframe์—๋„ ์ ์šฉ๋˜๋Š”๋ฐ์š”. ์„ฑ๋Šฅ์ ์ธ ์žฅ์ ์€ ๋ถ„๋ช…ํžˆ ์žˆ๊ฒ ์ง€๋งŒ, img์™€ ๋‹ฌ๋ฆฌ XSS์˜ ๋ฆฌ์Šคํฌ๊ฐ€ ๋†’์€ iframe์˜ ๋กœ๋“œ ์‹œ์ ์„ ํ†ต์ œํ•  ์ˆ˜ ์žˆ๋Š” ํ˜•ํƒœ๋ผ ์žฌ๋ฏธ์žˆ๋Š” ์ด์Šˆ๊ฐ€ ๋‚˜์˜ฌ์ง€ ๊ธฐ๋Œ€๋˜๊ธฐ๋„, ๋ฐ˜๋Œ€๋กœ ๋˜ ๊ฑฑ์ •๋˜๊ธฐ๋„ ํ•ฉ๋‹ˆ๋‹ค.

Read More

Fiber concurrency

  • 2 min read

๋™์‹œ์„ฑ ํ”„๋กœ๊ทธ๋ž˜๋ฐ์€ ์žฌ๋ฏธ์žˆ์ง€๋งŒ ๊ตฌ์กฐ๋‚˜ ์‚ฌ์ด์ฆˆ์— ๋”ฐ๋ผ ์–ด๋ ค์›€์„ ๋™๋ฐ˜ํ•ฉ๋‹ˆ๋‹ค. ๊ฐœ์ธ์ ์œผ๋กœ๋„ ๋„๊ตฌ ์ž‘์„ฑ ์‹œ ์ž์ฃผ ์‚ฌ์šฉํ•˜๊ธฐ ๋•Œ๋ฌธ์— ์ œ๊ฐ€ ์ง„ํ–‰ํ•˜๋Š” ํ”„๋กœ์ ํŠธ์—์„œ ์ž์ฃผ ๋ณผ ์ˆ˜ ์žˆ๊ณ , ๋ธ”๋กœ๊ทธ์—๋„ Goroutine๊ณผ Sync, Ruby Concurrency ๋“ฑ ๋งค๋…„ ๋™์‹œ์„ฑ ๊ด€๋ จํ•ด์„œ ๊ธ€์„ ์ž‘์„ฑํ•œ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

Read More

WebAuthn๊ณผ Passkey

  • 4 min read

์—ฌ๋Ÿฌ๋ถ„๋“ค์€ ํŒจ์Šค์›Œ๋“œ ๋งค๋‹ˆ์ €๋ฅผ ์‚ฌ์šฉํ•˜์‹œ๋‚˜์š”? ์ €๋Š” ๊ฐœ์ธ์ ์œผ๋กœ Apple์˜ ์•”ํ˜ธ ๊ธฐ๋Šฅ์„ ์ฃผ๋กœ ์‚ฌ์šฉํ•ฉ๋‹ˆ๋‹ค. ๋˜ํ•œ icloud+๋„ ์‚ฌ์šฉํ•˜๊ณ  ์žˆ์–ด ์ด๋ฉ”์ผ ๊ฐ€๋ฆฌ๊ธฐ + ์•”ํ˜ธ ์กฐํ•ฉ์œผ๋กœ ๊ฐ€๊ธ‰์  ์„œ๋น„์Šค๋ณ„๋กœ ๊ณ„์ •๊ณผ ํŒจ์Šค์›Œ๋“œ๊ฐ€ ๊ฒน์น˜์ง€ ์•Š๋Š” ์ƒํƒœ๋กœ ์œ ์ง€ํ•˜๊ณ  ์žˆ์Šต๋‹ˆ๋‹ค. ๊ตฌ๊ธ€์˜ ๊ฒฝ์šฐ Google password manager๋ฅผ ํ†ตํ•ด ๋น„์Šทํ•˜๊ฒŒ ์‚ฌ์šฉํ•˜์‹œ๋Š” ๋ถ„๋“ค๋„ ์žˆ์„๊ฑฐ๋ผ๊ณ  ์ƒ๊ฐํ•ฉ๋‹ˆ๋‹ค. Apple์ด๋‚˜ Google์˜ ์ด๋Ÿฌํ•œ ๊ธฐ๋Šฅ๋“ค๊ณผ FIDO ๊ด€๋ จ ์ธ์ฆ ๋ฐฉ์‹๋“ค์€ Passwordless์˜ ๋Œ€์ค‘ํ™”๋ฅผ ์•ž๋‹น๊ฒผ๊ณ  ์ด์ œ๋Š” Password๋ฅผ ์ž…๋ ฅํ•˜๋Š” ๊ฒƒ์ด ์ ์  ์–ด์ƒ‰ํ•ด์ง€๋Š” ์‹œ๊ธฐ๊ฐ€ ์˜จ ๊ฒƒ ๊ฐ™์Šต๋‹ˆ๋‹ค.

Read More

ZAP 2.14 Review โšก๏ธ

  • 3 min read

์ƒ๊ฐ๋ณด๋‹ค ์—„์ฒญ ๋น ๋ฅธ ์ฃผ๊ธฐ๋กœ ZAP 2.14 ๋ฆด๋ฆฌ์ฆˆ๊ฐ€ ๋ฐœํ‘œ๋˜์—ˆ์Šต๋‹ˆ๋‹ค ๐ŸŽ‰โšก๏ธ

Read More

XSS via reportError

  • 1 min read

reportError๋ž€ ํ•จ์ˆ˜๋ฅผ ์•„์‹œ๋‚˜์š”? Chrome 95, Firefox 93 ๋ฒ„์ „์— ์ถ”๊ฐ€๋œ ๊ธ€๋กœ๋ฒŒ ๋ฉ”์†Œ๋“œ๋กœ JS์˜ uncaught exception์„ ์ฝ˜์†”์ด๋‚˜ ๊ธ€๋กœ๋ฒŒ ์ด๋ฒคํŠธ ํ•ธ๋“ค๋Ÿฌ๋กœ ๋„˜๊ฒจ์ฃผ๋Š” ๊ธฐ๋Šฅ์„ ์ˆ˜ํ–‰ํ•ฉ๋‹ˆ๋‹ค. PortSwigger ์ธก์—์„œ reportError ํ•จ์ˆ˜๋ฅผ ์ด์šฉํ•œ ํŠธ๋ฆญ์„ ๊ณต๊ฐœํ–ˆ๊ณ  ์ž ๊น ์‹œ๊ฐ„๋‚ด์–ด ์‚ดํŽด๋ณธ ๋‚ด์šฉ ๊ณต์œ ๋“œ๋ ค๋ด…๋‹ˆ๋‹ค.

Read More

ZAP Map Local๋กœ ์‰ฝ๊ฒŒ Fake Response ๋งŒ๋“ค๊ธฐ

  • 2 min read

๋ณด์•ˆ ํ…Œ์ŠคํŒ…์—์„  HTTP Response๋ฅผ ์ž์ฃผ ๋ณ€๊ฒฝํ•ด์•ผํ•  ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์Šต๋‹ˆ๋‹ค. ์ด๋Ÿด ๋•Œ ์ €๋Š” ๋ณดํ†ต ZAP์—์„  breakpoint์™€ replace ๊ธฐ๋Šฅ, ๊ทธ๋ฆฌ๊ณ  ์Šคํฌ๋ฆฝํŒ…์„ ์ฃผ๋กœ ์‚ฌ์šฉํ–ˆ์—ˆ์Šต๋‹ˆ๋‹ค. (+Proxify์˜ DSL)

Read More