XSS\u653b\u6483\u3092\u4f53\u9a13\u3059\u308b\u3002<\/h2>\n\r\n<%@ page language="java" contentType="text\/html; charset=UTF8" pageEncoding="UTF-8" %>\r\n<html>\r\n <head>\r\n <title>Xss\u30b5\u30f3\u30d7\u30eb<\/title>\r\n <meta http-equiv="Content-Type" content="text\/html; charset=UTF-8">\r\n <\/head>\r\n <body>\r\n \r\n\r\n\r\n<form action='XssServlet' method='POST'>\r\n \u540d\u524d\uff1a<input type="text" name="name" value=''>\r\n\r\n <input type="submit" value="\u9001\u4fe1">\r\n <\/form>\r\n\r\n\r\n\r\n \r\n\r\n\r\n<hr>\r\n\r\n\r\n\r\n \u9001\u4fe1\u3057\u305f\u540d\u524d\uff1a<%= request.getAttribute("name") %>\r\n\r\n <\/body>\r\n<\/html>\r\n<\/pre>\n\r\npackage servlet;\r\n\r\nimport java.io.IOException;\r\n\r\nimport javax.servlet.RequestDispatcher;\r\nimport javax.servlet.ServletException;\r\nimport javax.servlet.annotation.WebServlet;\r\nimport javax.servlet.http.Cookie;\r\nimport javax.servlet.http.HttpServlet;\r\nimport javax.servlet.http.HttpServletRequest;\r\nimport javax.servlet.http.HttpServletResponse;\r\n\r\n@WebServlet("\/XssServlet")\r\npublic class XssServlet extends HttpServlet {\r\n\r\n@Override\r\nprotected void doGet(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\nreq.setAttribute("name", "");\r\n\r\n\/\/ \u30af\u30c3\u30ad\u30fc\u8a2d\u5b9a\r\nresp.addCookie(new Cookie("xss", "xsstest"));\r\n\r\ncommon(req,resp);\r\n}\r\n\r\n@Override\r\nprotected void doPost(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\n\/\/ \u6587\u5b57\u30b3\u30fc\u30c9\u8a2d\u5b9a\r\nreq.setCharacterEncoding("UTF-8");\r\n\r\nString name = req.getParameter("name");\r\n\r\nreq.setAttribute("name", name);\r\n\r\ncommon(req,resp);\r\n}\r\n\r\nprotected void common(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\nRequestDispatcher disp = req.getRequestDispatcher("\/xss.jsp");\r\ndisp.forward(req, resp);\r\n}\r\n\r\n}\r\n<\/pre>\n\u4e0a\u8a18\u3001\u30bd\u30fc\u30b9\u3092Tomcat\u7b49\u3067\u5b9f\u884c\u3059\u308b\u3068\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306a\u8868\u793a\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
![\"\"](\"http:\/\/www.code-magagine.com\/wp-content\/uploads\/2018\/04\/XSS1-1.png\")
<\/p>\n
\u592a\u90ce\u3068\u3001\u540d\u524d\u306e\u30c6\u30ad\u30b9\u30c8\u30dc\u30c3\u30af\u30b9\u306b\u5165\u529b\u3057\u3066\u3001\u300c\u9001\u4fe1\u300d\u30dc\u30bf\u30f3\u3092\u62bc\u3059\u3068\u4e0b\u8a18\u306e\u3088\u3046\u306b\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n
![\"\"](\"http:\/\/www.code-magagine.com\/wp-content\/uploads\/2018\/04\/XSS2.png\")
<\/p>\n
\u305d\u3053\u3067\u3001\u4e0b\u8a18\u306eJavaScript\u3092\u540d\u524d\u6b04\u306b\u5165\u529b\u3057\u3066\u3001\u300c\u9001\u4fe1\u300d\u3092\u62bc\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n
\r\n<script>alert(document.cookie);<\/script>\r\n<\/pre>\n\u3059\u308b\u3068\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b\u3001\u7c21\u5358\u306b\u30af\u30c3\u30ad\u30fc\u3067\u8a2d\u5b9a\u3057\u305f\u60c5\u5831\u3092JavaScript\u3092\u4f7f\u7528\u3057\u3066\u76d7\u307f\u51fa\u305b\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n
![\"\"](\"http:\/\/www.code-magagine.com\/wp-content\/uploads\/2018\/04\/XSS3.png\")
<\/p>\n
\u5bfe\u7b56<\/h2>\n
\u4e0b\u8a18\u306e\u6587\u5b57\u3092\u3001\u8868\u793a\u3055\u305b\u308b\u7b87\u6240\u3092\u30a8\u30b9\u30b1\u30fc\u30d7\u3059\u308b\u51e6\u7406\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002<\/p>\n
\u300c<\u300d\u300c>\u300d\u300c&\u300d\u300c\u201d\u300d\u300c\u2019\u300d<\/div>\n\u4fee\u6b63\u5f8c\u306e\u30b5\u30fc\u30d6\u30ec\u30c3\u30c8\uff08\u30e1\u30bd\u30c3\u30c9\u300cescape\u300d\u3092\u8ffd\u52a0\u3057\u3066\u3001\u30a8\u30b9\u30b1\u30fc\u30d7\u3057\u3066\u3044\u307e\u3059\u3002\uff09 <\/p>\n
package servlet; import java.io.IOException; import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @WebServlet("\/XssServlet") public class XssServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ req.setAttribute("name", ""); \/\/ \u30af\u30c3\u30ad\u30fc\u8a2d\u5b9a resp.addCookie(new Cookie("xss", "xsstest")); common(req,resp); } @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ \/\/ \u6587\u5b57\u30b3\u30fc\u30c9\u8a2d\u5b9a req.setCharacterEncoding("UTF-8"); String name = req.getParameter("name"); req.setAttribute("name", escape(name)); common(req,resp); } protected void common(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ RequestDispatcher disp = req.getRequestDispatcher("\/xss.jsp"); disp.forward(req, resp); } private static String escape(String val) { if (val == null) return ""; val = val.replaceAll("&", "& amp;"); val = val.replaceAll("<", "& lt;"); val = val.replaceAll(">", "& gt;"); val = val.replaceAll("\\"", """); val = val.replaceAll("'", "'"); return val; } } <\/pre>\n\u305d\u3046\u3059\u308b\u3053\u3068\u3067\u3001\u540c\u3058JavaScript\u3092\u5b9f\u884c\u3057\u3066\u3082\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b\u30bf\u30b0\u304c\u30a8\u30b9\u30b1\u30fc\u30d7\u3055\u308c\u308b\u306e\u3067\u3001JavaScript\u304c\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3002<\/strong><\/span><\/p>\n![\"\"](\"http:\/\/www.code-magagine.com\/wp-content\/uploads\/2018\/04\/XSS4.png\")
<\/p>\n
\u307e\u305f\u3001\u5b9f\u969b\u306e\u653b\u6483\u3067\u306f\u3001\u3053\u306e\u3088\u3046\u306b\u81ea\u5206\u306e\u30af\u30c3\u30ad\u30fc\u60c5\u5831\u3092\u76d7\u3093\u3067\u3082\u610f\u5473\u304c\u3042\u308a\u307e\u305b\u3093<\/strong>\u306e\u3067\u3001\u653b\u6483\u7528\u306e\u4ed6\u30b5\u30a4\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3057\u305f\u3089\u3001iframe\u3067\u672c\u8a18\u4e8b\u306e\u3088\u3046\u306a\u8106\u5f31\u6027\u30b5\u30a4\u30c8\u3092\u57cb\u3081\u8fbc\u3093\u3067\u3001\u30af\u30c3\u30ad\u30fc\u60c5\u5831\u3092\u76d7\u307f\u51fa\u3057\u307e\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"\u305d\u308c\u3067\u306f\u3001\u5b9f\u969b\u306b\u3001XSS(\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0\uff09\u3092Java\u30b5\u30fc\u30d6\u30ec\u30c3\u30c8\u3067\u3001\u4f53\u9a13\u3057\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u767e\u805e\u306f\u4e00\u898b\u306b\u5982\u304b\u305a\u3068\u3044\u3044\u307e\u3059\u3057\u306d\u3002 \u306a\u304a\u3001Chrome\u3060\u3068\u3001XSS\u304c\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u52d5\u304d\u307e\u305b\u3093\u306e\u3067\u3001IE\u3067\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u3057 […]","protected":false},"author":1,"featured_media":607,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,9],"tags":[],"_links":{"self":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577"}],"collection":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=577"}],"version-history":[{"count":20,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577\/revisions"}],"predecessor-version":[{"id":19246,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577\/revisions\/19246"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/media\/607"}],"wp:attachment":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=577"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\r\npackage servlet;\r\n\r\nimport java.io.IOException;\r\n\r\nimport javax.servlet.RequestDispatcher;\r\nimport javax.servlet.ServletException;\r\nimport javax.servlet.annotation.WebServlet;\r\nimport javax.servlet.http.Cookie;\r\nimport javax.servlet.http.HttpServlet;\r\nimport javax.servlet.http.HttpServletRequest;\r\nimport javax.servlet.http.HttpServletResponse;\r\n\r\n@WebServlet("\/XssServlet")\r\npublic class XssServlet extends HttpServlet {\r\n\r\n@Override\r\nprotected void doGet(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\nreq.setAttribute("name", "");\r\n\r\n\/\/ \u30af\u30c3\u30ad\u30fc\u8a2d\u5b9a\r\nresp.addCookie(new Cookie("xss", "xsstest"));\r\n\r\ncommon(req,resp);\r\n}\r\n\r\n@Override\r\nprotected void doPost(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\n\/\/ \u6587\u5b57\u30b3\u30fc\u30c9\u8a2d\u5b9a\r\nreq.setCharacterEncoding("UTF-8");\r\n\r\nString name = req.getParameter("name");\r\n\r\nreq.setAttribute("name", name);\r\n\r\ncommon(req,resp);\r\n}\r\n\r\nprotected void common(HttpServletRequest req,\r\nHttpServletResponse resp) throws ServletException,IOException{\r\n\r\nRequestDispatcher disp = req.getRequestDispatcher("\/xss.jsp");\r\ndisp.forward(req, resp);\r\n}\r\n\r\n}\r\n<\/pre>\n\u4e0a\u8a18\u3001\u30bd\u30fc\u30b9\u3092Tomcat\u7b49\u3067\u5b9f\u884c\u3059\u308b\u3068\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306a\u8868\u793a\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u592a\u90ce\u3068\u3001\u540d\u524d\u306e\u30c6\u30ad\u30b9\u30c8\u30dc\u30c3\u30af\u30b9\u306b\u5165\u529b\u3057\u3066\u3001\u300c\u9001\u4fe1\u300d\u30dc\u30bf\u30f3\u3092\u62bc\u3059\u3068\u4e0b\u8a18\u306e\u3088\u3046\u306b\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u305d\u3053\u3067\u3001\u4e0b\u8a18\u306eJavaScript\u3092\u540d\u524d\u6b04\u306b\u5165\u529b\u3057\u3066\u3001\u300c\u9001\u4fe1\u300d\u3092\u62bc\u3057\u307e\u3057\u3087\u3046\u3002<\/p>\n
\r\n<script>alert(document.cookie);<\/script>\r\n<\/pre>\n\u3059\u308b\u3068\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b\u3001\u7c21\u5358\u306b\u30af\u30c3\u30ad\u30fc\u3067\u8a2d\u5b9a\u3057\u305f\u60c5\u5831\u3092JavaScript\u3092\u4f7f\u7528\u3057\u3066\u76d7\u307f\u51fa\u305b\u3066\u3057\u307e\u3044\u307e\u3059\u3002<\/p>\n
<\/p>\n
\u5bfe\u7b56<\/h2>\n
\u4e0b\u8a18\u306e\u6587\u5b57\u3092\u3001\u8868\u793a\u3055\u305b\u308b\u7b87\u6240\u3092\u30a8\u30b9\u30b1\u30fc\u30d7\u3059\u308b\u51e6\u7406\u3092\u8ffd\u52a0\u3057\u307e\u3059\u3002<\/p>\n
\u300c<\u300d\u300c>\u300d\u300c&\u300d\u300c\u201d\u300d\u300c\u2019\u300d<\/div>\n\u4fee\u6b63\u5f8c\u306e\u30b5\u30fc\u30d6\u30ec\u30c3\u30c8\uff08\u30e1\u30bd\u30c3\u30c9\u300cescape\u300d\u3092\u8ffd\u52a0\u3057\u3066\u3001\u30a8\u30b9\u30b1\u30fc\u30d7\u3057\u3066\u3044\u307e\u3059\u3002\uff09 <\/p>\n
package servlet; import java.io.IOException; import javax.servlet.RequestDispatcher; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.Cookie; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @WebServlet("\/XssServlet") public class XssServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ req.setAttribute("name", ""); \/\/ \u30af\u30c3\u30ad\u30fc\u8a2d\u5b9a resp.addCookie(new Cookie("xss", "xsstest")); common(req,resp); } @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ \/\/ \u6587\u5b57\u30b3\u30fc\u30c9\u8a2d\u5b9a req.setCharacterEncoding("UTF-8"); String name = req.getParameter("name"); req.setAttribute("name", escape(name)); common(req,resp); } protected void common(HttpServletRequest req, HttpServletResponse resp) throws ServletException,IOException{ RequestDispatcher disp = req.getRequestDispatcher("\/xss.jsp"); disp.forward(req, resp); } private static String escape(String val) { if (val == null) return ""; val = val.replaceAll("&", "& amp;"); val = val.replaceAll("<", "& lt;"); val = val.replaceAll(">", "& gt;"); val = val.replaceAll("\\"", """); val = val.replaceAll("'", "'"); return val; } } <\/pre>\n\u305d\u3046\u3059\u308b\u3053\u3068\u3067\u3001\u540c\u3058JavaScript\u3092\u5b9f\u884c\u3057\u3066\u3082\u3001\u4e0b\u8a18\u306e\u3088\u3046\u306b\u30bf\u30b0\u304c\u30a8\u30b9\u30b1\u30fc\u30d7\u3055\u308c\u308b\u306e\u3067\u3001JavaScript\u304c\u5b9f\u884c\u3055\u308c\u307e\u305b\u3093\u3002<\/strong><\/span><\/p>\n<\/p>\n
\u307e\u305f\u3001\u5b9f\u969b\u306e\u653b\u6483\u3067\u306f\u3001\u3053\u306e\u3088\u3046\u306b\u81ea\u5206\u306e\u30af\u30c3\u30ad\u30fc\u60c5\u5831\u3092\u76d7\u3093\u3067\u3082\u610f\u5473\u304c\u3042\u308a\u307e\u305b\u3093<\/strong>\u306e\u3067\u3001\u653b\u6483\u7528\u306e\u4ed6\u30b5\u30a4\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3057\u305f\u3089\u3001iframe\u3067\u672c\u8a18\u4e8b\u306e\u3088\u3046\u306a\u8106\u5f31\u6027\u30b5\u30a4\u30c8\u3092\u57cb\u3081\u8fbc\u3093\u3067\u3001\u30af\u30c3\u30ad\u30fc\u60c5\u5831\u3092\u76d7\u307f\u51fa\u3057\u307e\u3059\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"\u305d\u308c\u3067\u306f\u3001\u5b9f\u969b\u306b\u3001XSS(\u30af\u30ed\u30b9\u30b5\u30a4\u30c8\u30b9\u30af\u30ea\u30d7\u30c6\u30a3\u30f3\u30b0\uff09\u3092Java\u30b5\u30fc\u30d6\u30ec\u30c3\u30c8\u3067\u3001\u4f53\u9a13\u3057\u3066\u307f\u307e\u3057\u3087\u3046\u3002\u767e\u805e\u306f\u4e00\u898b\u306b\u5982\u304b\u305a\u3068\u3044\u3044\u307e\u3059\u3057\u306d\u3002 \u306a\u304a\u3001Chrome\u3060\u3068\u3001XSS\u304c\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u52d5\u304d\u307e\u305b\u3093\u306e\u3067\u3001IE\u3067\u5b9f\u884c\u3059\u308b\u3088\u3046\u306b\u3057 […]","protected":false},"author":1,"featured_media":607,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5,9],"tags":[],"_links":{"self":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577"}],"collection":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=577"}],"version-history":[{"count":20,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577\/revisions"}],"predecessor-version":[{"id":19246,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/posts\/577\/revisions\/19246"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=\/wp\/v2\/media\/607"}],"wp:attachment":[{"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=577"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=577"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.code-magagine.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=577"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}