๋ณธ๋ฌธ ๋ฐ”๋กœ๊ฐ€๊ธฐ
Java

[Java] ์›น ์ทจ์•ฝ์„ฑ XSS

by cheezzz 2022. 4. 12.
๋ฐ˜์‘ํ˜•

ํฌ๋กœ์Šค ์‚ฌ์ดํŠธ ์Šคํฌ๋ฆฝํŠธ(XSS : cross-site scripting)

๊ฒ€์ฆ๋˜์ง€ ์•Š์€ ์™ธ๋ถ€ ์ž…๋ ฅ๊ฐ’์„ ์‘๋‹ต์˜ ์ผ๋ถ€๋กœ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ์šฐ ์‚ฌ์šฉ์ž ๋ธŒ๋ผ์šฐ์ €์—์„œ ์•…์˜์ ์ธ ์Šคํฌ๋ฆฝํŠธ๊ฐ€ ์‹คํ–‰๋  ์ˆ˜ ์žˆ๋Š” ๋ณด์•ˆ ์•ฝ์ 

<%
	String errmsg = request.getParameter("errmsg");
%>

....

<td>
	<b>Message</b>
</td>
<td>
	<%=errmsg%>
</td>

์œ„์˜ ์ฝ”๋“œ์™€ ๊ฐ™์ด request.getParameter("errmsg") ์„ ํ†ตํ•ด ๊ฐ€์ ธ์˜จ parameter ๊ฐ’์„
jsp ํŒŒ์ผ์˜ <%=errmsg%> ๋กœ ๋ฐ”๋กœ ์‚ฌ์šฉํ•˜๋Š” ๊ฒฝ์šฐ XSS ๋ณด์•ˆ ์ด์Šˆ๋ฅผ ๋ฐœ์ƒ์‹œํ‚ฌ ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.

 

 

ํ•ด๊ฒฐ๋ฐฉ์•ˆ

1. XSS ๋ฐฉ์ง€ ํ•„ํ„ฐ ์‚ฌ์šฉ

<%
	String errmsg = request.getParameter("errmsg");
	errmsg = errmsg.replaceAll("<(/)?([a-zA-Z]*)(\\s[a-zA-Z]*=[^>]*)?(\\s)*(/)?>","").replaceAll("\r|\n|&nbsp;","");
%>

....

<td>
	<b>Message</b>
</td>
<td>
	<%=errmsg%>
</td>

errmsg = errmsg.replaceAll("<(/)?([a-zA-Z]*)(\\s[a-zA-Z]*=[^>]*)?(\\s)*(/)?>","").replaceAll("\r|\n|&nbsp;",""); 
parameter ์ •๋ณด replaceAllํ•˜๋Š” ์ฝ”๋“œ ์ถ”๊ฐ€

 

2. JSTL <c:out> ํƒœ๊ทธ ์‚ฌ์šฉ

<%
	String errmsg = request.getParameter("errmsg");
%>

....

<td>
	<b>Message</b>
</td>
<td>
	<c:out value="${errmsg}"/>
</td>

<%=errmsg%> ์„ <c:out value="${errmsg}"/> ๋กœ ๋ณ€๊ฒฝ

 

์ฐธ๊ณ : https://www.devkuma.com/docs/secure-coding-guide/xss/

๋ฐ˜์‘ํ˜•
์ €์ž‘์žํ‘œ์‹œ ๋น„์˜๋ฆฌ ๋™์ผ์กฐ๊ฑด

'Java' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

[Java] Unsupported major.minor version 52.0 Error  (1) 2022.06.10
[Java] javax.net.ssl.SSLHandshakeException: connection during handshake  (0) 2022.03.23
[Java] log4j Log ๋ ˆ๋ฒจ  (0) 2022.01.07
[Java] Reflection์„ ์ด์šฉํ•œ private ์ ‘๊ทผํ•˜๊ธฐ  (2) 2021.12.23
[Java] jar ํŒŒ์ผ ์ƒ์„ฑํ•˜๊ธฐ (Eclipse / bat ํŒŒ์ผ)  (1) 2021.12.16

๊ด€๋ จ๊ธ€

๋Œ“๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”