Hi๐Ÿ‘‹๐Ÿผ Iโ€™m HAHWUL.

Offensive Security Engineer, Rubyist/Crystalist/Gopher and H4cker

Posts - Page 14 of 86

DOM XSS? Then Eval Villain

  • 2 min read

Earlier this year, Burpsuite released a tool called DOM Invader. As I mentioned when I briefly reviewed it, it is very useful for DOM-based testing, so it was a tool that not only Burpsuite users but also users of other tools such as ZAP should take an interest in and open up to try during testing.


Go์—์„œ HTTP gzip response ์ฒ˜๋ฆฌํ•˜๊ธฐ

  • 1 min read

Recently an unusual issue was reported to dalfox (it had also been reported to me offline once, so I had already spent some time digging into it). Today I resolved it, and I'd like to briefly share how. It's nothing special, but it's something that can help you avoid mistakes if you know it when doing HTTP-based development in golang.


Permanently applying Extensions in the ZAP Browser

  • 1 min read

Recently there was a selenium-related update among ZAP's Extensions. I was casually looking at the changes, and as soon as I saw the phrase "Support for browser extension" I was so glad that I started writing this post right away 😎


ZAP ์Šคํฌ๋ฆฝํŒ…์œผ๋กœ ๋น ๋ฅด๊ฒŒ Fake Response ๋งŒ๋“ค๊ธฐ

  • ~1 min read

Response tampering is one of the attack methods frequently used to bypass authentication procedures or business logic. Usually, testing is done by intercepting the request with a proxy, modifying the response directly, and then continuing.


Dalfox 2.6 Released 🎉

  • 2 min read

Wow! Dalfox 2.6.0 has finally been released! This time, I improved the focus on the Result and PoC objects, and a new global flag called --poc-type was added. Let's play with it quickly 😎


Solving the SEO problem caused by noindex in Hugo aliases

  • 1 min read

Hugo์—์„œ aliases๋ฅผ ์‚ฌ์šฉํ•˜๋ฉด ํ•ด๋‹น ์ฃผ์†Œ๋Š” meta tag๋ฅผ ์ด์šฉํ•œ redirect๋ฅผ ํŽ˜์ด์ง€๊ฐ€ ์ƒ์„ฑ๋ฉ๋‹ˆ๋‹ค. ์ด๋Ÿฌํ•œ ํ˜•ํƒœ๋Š” ์ผ๋ฐ˜์ ์œผ๋กœ url์„ ์ด๋™ํ•˜๊ธฐ์—” ์ ํ•ฉํ•˜์ง€๋งŒ, 30x์˜ status code๊ฐ€ ์•„๋‹ˆ๊ณ  200์ด๊ธฐ ๋•Œ๋ฌธ์— ๊ตฌ๊ธ€ ๋“ฑ ๊ฒ€์ƒ‰ ๋ด‡์ด ํ•ด๋‹น ํŽ˜์ด์ง€๋ฅผ ์ˆ˜์ง‘ํ•˜๊ฒŒ ๋ฉ๋‹ˆ๋‹ค.


Immediately updating a Go package on pkg.go.dev

  • ~1 min read

Apps developed in golang are stored on pkg.go.dev; you can view package information through that site, and when you actually fetch a package with go get, the latest version from there is what gets fetched. So I remember that my past self, who didn't know this well, made a mistake like this.


How to resolve 413 errors in Kubernetes ingress

  • ~1 min read

Kubernetes์—์„œ nginx-ingress๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค๋ฉด ํŒŒ์ผ ์—…๋กœ๋“œ ๋“ฑ ํฐ ๋ฐ์ดํ„ฐ๋ฅผ ์ „์†กํ•  ๋•Œ 413 Request Entity Too Large ์—๋Ÿฌ๊ฐ€ ๋ฐœ์ƒํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ์ด๋Š” nginx-ingress์—์„œ ๊ธฐ๋ณธ์ ์œผ๋กœ ๊ฐ€์ง€๊ณ  ์žˆ๋Š” ์ตœ๋Œ€ body size๊ฐ€ ํฌ์ง€ ์•Š๊ฒŒ ์ถ”๊ฐ€๋˜์–ด ์žˆ์–ด์„œ ๋ฐœ์ƒํ•˜๋Š” ๋ฌธ์ œ๋กœ ์•„๋ž˜์™€ ๊ฐ™์ด ingress์˜ annotation์„ ์„ค์ •ํ•˜์—ฌ ํ•ด๊ฒฐํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
