XSS(Cross-Site Scripting)

Typical proof-of-concept payloads: alert(1), prompt(1), confirm(1)

🔍 Introduction

XSS

Non-persistent XSS (Reflected XSS)

As the English name says, this is XSS that does not persist. It occurs where data received from the user is reflected back into the page, for example in search or lookup features. Because the payload is never stored by the service, the attacker has to deliver a URL containing the attack code to other users (by link, message or phishing page); each victim who opens that URL runs the payload in their own browser session on the vulnerable site.

Persistent XSS (Stored XSS)

์ง€์†์ ์ธ XSS๋ฅผ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค. ๋ณดํ†ต Stored XSS๋กœ ๋งŽ์ด ํ‘œํ˜„ํ•˜๋ฉฐ ๊ฒŒ์‹œ๊ธ€, ์‚ฌ์šฉ์ž ์ •๋ณด ๋“ฑ ํ•œ๋ฒˆ ์ €์žฅ๋˜๋ฉด ์žฅ๊ธฐ์ ์œผ๋กœ XSS ๊ณต๊ฒฉ์ฝ”๋“œ๊ฐ€ ์›น ์„œ๋น„์Šค์— ๋‚จ์•„ ์‚ฌ์šฉ์ž์—๊ฒŒ ์ง€์†์ ์œผ๋กœ ํ”ผํ•ด๋ฅผ ์ค„ ์ˆ˜ ์žˆ๋Š” XSS๋ฅผ ์˜๋ฏธํ•ฉ๋‹ˆ๋‹ค. ๋ณดํ†ต ์„œ๋น„์Šค ๊ธฐ๋Šฅ ์ƒ ์žฅ๊ธฐ์ ์œผ๋กœ ๋ฐ์ดํ„ฐ๊ฐ€ ๋‚จ๋Š” ํ”„๋กœํ•„ ์ €์žฅ, ๊ฒŒ์‹œ๊ธ€ ์ž‘์„ฑ, ๋Œ“๊ธ€ ์ž‘์„ฑ๋“ฑ์˜ ๊ธฐ๋Šฅ์—์„œ ๋‚˜ํƒ€๋‚˜๋Š” ๊ฒฝ์šฐ๊ฐ€ ๋งŽ์Šต๋‹ˆ๋‹ค.

🗡 Offensive techniques

🛡 Defensive techniques

🕹 Tools

📚 Articles

📌 References