{"id":430,"date":"2020-05-03T15:17:54","date_gmt":"2020-05-03T06:17:54","guid":{"rendered":"https:\/\/blog.rubiya.kr\/?p=430"},"modified":"2020-05-04T01:42:40","modified_gmt":"2020-05-03T16:42:40","slug":"side-channel-attack-on-www-2","status":"publish","type":"post","link":"https:\/\/blog.rubiya.kr\/index.php\/2020\/05\/03\/side-channel-attack-on-www-2\/","title":{"rendered":"Side Channel Attack on WWW 2"},"content":{"rendered":"\n

\uc774\uc804 \uac8c\uc2dc\ubb3c<\/a>\uc5d0\uc11c \ucfe0\ud0a4\uc758 Samesite \uc18d\uc131\uc774 Lax\uac00 \uc544\ub2d0 \uacbd\uc6b0\uc5d0 \uc5b4\ub5a4 Side Channel Attack \uacf5\uaca9\uc774 \uac00\ub2a5\ud55c\uc9c0 \uc54c\uc544\ubcf4\uc558\uc2b5\ub2c8\ub2e4.
\ud06c\ub86c\uc774 80\ubc84\uc804\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba74\uc11c Lax\uac00 \uae30\ubcf8\uac12\uc774 \ub418\uc5b4 \uc2ec\uac01\ub3c4\uac00 \ucda9\ubd84\ud788 \ub5a8\uc5b4\uc84c\ub2e4\uace0 \uc0dd\uac01\ud558\uc5ec \uacf5\uac1c\ud588\ub294\ub370, COVID-19\ub54c\ubb38\uc5d0 \ud574\ub2f9 \uc870\uce58\uac00 rollback \ub418\uc5c8\uc8e0.<\/p>\n\n\n\n

\uae30\uc655 \uacf5\uac1c\ud55c\uac70 \ud574\ub2f9 \ucde8\uc57d\uc810\uc744 \uc5ec\ub7ec \ubc84\uadf8\ubc14\uc6b4\ud2f0 \ud504\ub85c\uadf8\ub7a8\uc744 \ud1b5\ud574 \uc81c\ubcf4\ud55c \uacb0\uacfc\ub97c \ubcf4\uba74\uc11c, \uc774 \uae30\uc220 \ubd80\ucc44\uc758 \uc2ec\uac01\uc131\uc744 \uc9c1\uc811 \ub290\uaef4\ubd05\uc2dc\ub2e4.
\uac01 \uc0ac\ub840\uac00 \uc5b4\ub290 \ubca4\ub354\uc778\uc9c0\ub294 \uba85\uc2dc\ud558\uc9c0 \uc54a\uaca0\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uccab \ubc88\uc9f8 \uc0ac\ub840\uc785\ub2c8\ub2e4.
\uc751\ub2f5\ucf54\ub4dc\ub97c \uc0ac\uc6a9\ud574\uc11c \uad8c\ud55c \uc5ec\ubd80\ub97c \ud310\ubcc4\ud560 \uc218 \uc788\ub2e4\uace0 \uc801\uc5c8\uc5c8\uc8e0.
\ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ud2b9\uc815 \ud398\uc774\uc9c0\uc5d0 \uc811\uadfc\ud560 \uad8c\ud55c\uc774 \uc788\uc73c\uba74 \uc751\ub2f5\ucf54\ub4dc 200\uc744, \uc5c6\uc73c\uba74 404\uc744 \uc751\ub2f5\ud55c\ub2e4\uace0 \uac00\uc815\ud569\uc2dc\ub2e4.
script \ud0dc\uadf8\ub85c \ud574\ub2f9 \uc8fc\uc18c\ub97c \ubd88\ub7ec\uc624\uba74 \uac01\uac01 onload, onerror \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub429\ub2c8\ub2e4.
onload \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub418\uba74 \ud574\ub2f9 \ud398\uc774\uc9c0\uc5d0 \uc811\uadfc \uad8c\ud55c\uc744 \uac00\uc9c4 \uc0ac\ub78c\uc774\ub77c\ub294 \uc758\ubbf8\uc8e0.
\uc544\ub798\uc640 \uac19\uc774 PoC\ub97c \uc791\uc131\ud588\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

<script src=https:\/\/www.******.com\/community\/users\/rubiya1\/edit onload=”alert(‘you are rubiya1’)” onerror=”alert(‘you are not rubiya1’)”><\/script>
<script src=https:\/\/www.******.com\/community\/users\/rubiya2\/edit onload=”alert(‘you are rubiya2’)” onerror=”alert(‘you are not rubiya2’)”><\/script><\/p>\n\n\n\n

\uac04\ub2e8\ud558\uc8e0?
\uacf5\uaca9\uc790\ub294 \uc790\uc2e0\uc758 \uc6f9 \uc0ac\uc774\ud2b8\uc5d0 \uc811\uc18d\ud55c \uc0ac\uc6a9\uc790\uac00 rubiya1\uc778\uc9c0, \ud639\uc740 rubiya2\uc778\uc9c0 \uc2dd\ubcc4\ud560 \uc218 \uc788\uac8c \ub418\uc5c8\uc2b5\ub2c8\ub2e4.
\uc0ac\uc804\uc5d0 \uc218\uc9d1\ud55c \uc544\uc774\ub514 \ubaa9\ub85d\uc744 \ubc30\uc5f4\uc5d0 \ub123\uc5b4\ub450\uace0 \ubb34\ucc28\ubcc4\uc801\uc73c\ub85c \uac80\uc0ac\ud558\uba74 \ub0b4 \uc6f9\uc0ac\uc774\ud2b8\uc5d0 \uc811\uc18d\ud55c \uc0ac\ub78c\uc774 \ud2b9\uc815\uc778\uc778\uc9c0 \ud30c\uc545\uc774 \uc2dd\ubcc4\ud560 \uc218 \uc788\uaca0\uc8e0.<\/p>\n\n\n\n

\ubca4\ub354\uc5d0\uc11c\ub294 \ubb50\ub77c\uace0 \ub2f5\ubcc0\ud588\uc744\uae4c\uc694?<\/p>\n\n\n\n

Although your finding might appear to be a security vulnerability, this behavior does not really pose a concrete and exploitable risk to the platform. It’s more likely a best practice issue.<\/strong><\/p>\n\n\n\n

\ud50c\ub7ab\ud3fc\uc5d0 \uc9c1\uc811\uc801\uc778 \uc704\ud611\uc744 \uac00\ud558\ub294\uac8c \uc544\ub2c8\ubbc0\ub85c, best practice issue\uc5d0 \ud574\ub2f9\ud55c\ub2e4 \ub77c\uace0 \ud569\ub2c8\ub2e4.
\ud655\uc2e4\ud788 \ud50c\ub7ab\ud3fc\uc744 \uacf5\uaca9\uc758 \ub3c4\uad6c\ub85c \uc0ac\uc6a9\ud560 \ubfd0, \ud50c\ub7ab\ud3fc \uc790\uccb4\uc5d0 \uc601\ud5a5\uc744 \ub07c\uce58\ub294 \uacf5\uaca9\uc740 \uc544\ub2d9\ub2c8\ub2e4.
\ub3c8 \uc8fc\uace0 \uace0\uce58\uae30\uc5d0\ub294 \uc544\uae4c\uc6b4 \ucde8\uc57d\uc810\uc774\ub77c\uace0 \uc0dd\uac01\ud560 \uc218 \uc788\uc8e0.<\/p>\n\n\n\n

\ub2e4\ub978 \ubca4\ub354\uc758 \uc0ac\ub840\ub3c4 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.
\uc774\ubc88\uc5d0\ub294 \uc790\uc2e0\uc758 \ud504\ub85c\ud544 \ubbf8\ub9ac\ubcf4\uae30 \uae30\ub2a5\uc5d0\uc11c \ubc1c\uc0dd\ud55c \ucde8\uc57d\uc810\uc785\ub2c8\ub2e4.
\ubbf8\ub9ac\ubcf4\uae30 \uae30\ub2a5\uc740 https:\/\/www.******.com\/******?view=182716 \uc640 \uac19\uc740 URI\ub97c \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4.
\uc774 \ubbf8\ub9ac\ubcf4\uae30\ub294 \uc790\uc2e0\uc758 \ud504\ub85c\ud544\ub9cc \uac00\ub2a5\ud558\uace0 \ud0c0\uc778\uc758 \ud504\ub85c\ud544\uc740 \ubbf8\ub9ac\ubcf4\uae30\ub97c \ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc5ec\uae30\uc11c \uc0c1\uc0c1\ud574\ubd05\uc2dc\ub2e4.
\ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ud2b9\uc815\uc778\uc758 \ubbf8\ub9ac\ubcf4\uae30 \uc8fc\uc18c\uc5d0 \uc811\uc18d\ud588\uc744 \ub54c \uc11c\ubc84\uc5d0\uc11c\ub294 \ubbf8\ub9ac\ubcf4\uae30 \uad8c\ud55c\uc774 \uc788\ub294\uc9c0\ub97c \uccb4\ud06c\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

\uad8c\ud55c\uc774 \uc788\uc744\uacbd\uc6b0 : \ud0c0\uc778\uc758 \uad00\uc810\uc5d0\uc11c \ud504\ub85c\ud544\uc774 \uc5b4\ub5bb\uac8c \ubcf4\uc774\ub294\uc9c0\ub97c \uc54c\ub824\uc8fc\uae30 \uc704\ud574\uc11c \uc5ec\ub7ec\uac00\uc9c0 \uc815\ubcf4\uc758 \uacf5\uac1c\ubc94\uc704\ub97c \ud655\uc778\ud558\uace0, \ud0c0\uc778\uc5d0\uac8c \ubcf4\uc5ec\uc918\ub3c4 \ub418\ub294 \uc815\ubcf4\ub9cc \ucd9c\ub825\ud569\ub2c8\ub2e4.
\uac01 \uac8c\uc2dc\ubb3c\uc758 \uacf5\uac1c \uad8c\ud55c, \uc0dd\ub144\uc6d4\uc77c, \uc774\uba54\uc77c\uc8fc\uc18c, \uc6f9\uc0ac\uc774\ud2b8, \uc5f0\ub77d\ucc98 \ub4f1… \uc544\uc774\uace0 \ub9ce\uae30\ub3c4 \ud558\uad70\uc694.<\/p>\n\n\n\n

\uad8c\ud55c\uc774 \uc5c6\uc744\uacbd\uc6b0 : \uad8c\ud55c\uc774 \uc5c6\ub2e4\ub294 \uba54\uc138\uc9c0\ub97c \ucd9c\ub825\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n

\ubb38\uc81c\uc810\uc774 \ubcf4\uc774\uc2dc\ub098\uc694?
\uc11c\ubc84\uc5d0\uc11c \ucc98\ub9ac\ud574\uc57c \ud558\ub294 \uc815\ubcf4\uc758 \uc591\uc774 \ud655\uc5f0\ud788 \ucc28\uc774\uac00 \ub098\uba74\uc11c \uc751\ub2f5\uc2dc\uac04\uc5d0 \ucc28\uc774\uac00 \uc0dd\uae30\uac8c \ub429\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc81c\uac00 \uc791\uc131\ud55c PoC\uc758 \uc2e4\ud589\uacb0\uacfc\ub294 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\ud604\uc7ac \uc2dc\uac01\uc744 before \ubcc0\uc218\uc5d0 \ub123\uace0 img \ud0dc\uadf8\ub85c \uac01 \uc0ac\uc774\ud2b8\ub97c \ubd88\ub7ec\uc628 \ud6c4 onload \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub418\uba74 \ub2e4\uc2dc \ud604\uc7ac \uc2dc\uac01\uc744 after\uc5d0 \ub123\uc5b4 \ub458\uc744 \ube84\uc148\ud588\uc2b5\ub2c8\ub2e4.
\uc624\ucc28\ub97c \uc904\uc774\uae30 \uc704\ud574 5\ubc88\uc529 \uc694\uccad\uc744 \ud558\uc600\uc73c\uba70 \uac01 \uc751\ub2f5\uc2dc\uac04\uc744 \ud3c9\uade0\ub0b8 \uacb0\uacfc\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc751\ub2f5\uc2dc\uac04\uc774 \uc720\uc758\ubbf8\ud558\uac8c \ucc28\uc774\ub098\ub294\uac8c \ubcf4\uc774\uc2dc\ub098\uc694?
\ub9cc\uc57d \uc778\ud130\ub137 \uc0c1\ud0dc\uac00 \uc548\uc88b\uc544\uc11c \uc624\ucc28\uac00 \uc2ec\ud558\ub2e4\uba74 \uc694\uccad\uc758 \ud69f\uc218\ub97c \ub298\ub824\uc11c \ud574\uacb0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uadf8\ub807\ub2e4\uba74 \uc5b4\ub5bb\uac8c \ud328\uce58\ud574\uc57c \ud560\uae4c\uc694?
\uac00\uc7a5 \uc26c\uc6b4 \ubc29\ubc95\uc740 Samesite \uc635\uc158\uc744 \uac74\ub4dc\ub9ac\ub294 \uac83\uc774\uc9c0\ub9cc, \uc774\ub294 \uc11c\ube44\uc2a4\uc758 \uc815\uc0c1\uc801\uc778 \uae30\ub2a5\uc744 \ubc29\ud574\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.
\uc120\ub73b \uac00\ubcbc\uc6b4 \ub9c8\uc74c\uc73c\ub85c \uac74\ub4dc\ub9b4 \uc218 \uc5c6\ub294 \uc635\uc158\uc774\uc8e0.<\/p>\n\n\n\n

\uadf8\ub807\ub2e4\uba74 \ub79c\ub364\ud558\uac8c \uc751\ub2f5 \uc2dc\uac04\uc744 \ub298\ub9b4\uae4c\uc694?
\uc694\uccad\uc758 \ud69f\uc218\ub97c \ub298\ub824\uc11c \ub300\uc751\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uadf8\ub7ec\uba74… \uadf8\ub0e5 \uc6f9 \uc0ac\uc774\ud2b8 \uc790\uccb4\ub97c \ub290\ub9ac\uac8c \ub9cc\ub4e4\uae4c\uc694?
\ub9d0\ub3c4 \uc548\ub418\uc8e0.
\uc6f9 \uc0ac\uc774\ud2b8\uc758 \uc751\ub2f5\uc2dc\uac04\uc744 \uc870\uae08\uc774\ub77c\ub3c4 \ub354 \uc904\uc774\uae30 \uc704\ud574 \uac1c\ubc1c\uc790\ub4e4\uc740 \uc624\ub298\ub3c4 \ub208\ubb3c\uaca8\uc6b4 \ub178\ub825\uc744 \ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\ubca4\ub354\uc5d0\uc11c\ub294 \ubb50\ub77c\uace0 \ub2f5\ubcc0\ud588\uc744\uae4c\uc694?<\/p>\n\n\n\n

We are working with browser vendors to implement these mitigations as they become available, to defend against this unexpected behavior. Because of these ongoing efforts, submissions involving known side-channel techniques are generally treated as duplicate reports under our program.<\/p>\n\n\n\n

\uc774\ub7ec\ud55c \uc885\ub958\uc758 \uacf5\uaca9\uc744 \ub9c9\uae30\uc704\ud574 \ube0c\ub77c\uc6b0\uc800 \ubca4\ub354\ub4e4\uacfc \ucda9\ubd84\ud55c \ud611\ub825\uc744 \ud558\uace0 \uc788\uc73c\ubbc0\ub85c, \uc0ac\uc774\ub4dc \ucc44\ub110\ub958 \uacf5\uaca9\uc5d0 \ub300\ud574\uc11c\ub294 \ubcf4\ud1b5 duplicate\ub85c \ucc98\ub9ac\ud55c\ub2e4.
\uc989 \ube0c\ub77c\uc6b0\uc800\ub2e8\uc5d0\uc11c\uc758 \ubc29\uc5b4\ub97c \uae30\ub300\ud558\ub294 \uac83\ucc98\ub7fc \ubcf4\uc785\ub2c8\ub2e4.<\/p>\n\n\n\n

\uae00\uc758 \uc11c\ub450\uc5d0\uc11c \uae30\uc220 \ubd80\ucc44\ub77c\ub294 \ub2e8\uc5b4\ub97c \uc5b8\uae09\ud55c \uc774\uc720\uc785\ub2c8\ub2e4.
\uc774 \ucde8\uc57d\uc810\uc740 \uc6f9 \uc11c\ube44\uc2a4 \ud50c\ub7ab\ud3fc\uc5d0 \uc9c1\uc811\uc801\uc778 \uc601\ud5a5\uc744 \ub07c\uce58\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.
\ubc84\uadf8\ubc14\uc6b4\ud2f0\ub97c \uc6b4\uc601\ud558\ub294 \uc6f9 \uc11c\ube44\uc2a4 \uacf5\uae09\uc5c5\uccb4 \uc785\uc7a5\uc5d0\uc11c\ub294 \ud30c\uae09\ub825\uc740 \uc801\uc740 \uc8fc\uc81c\uc5d0 \ub9c9\uae30\ub294 \uae4c\ub2e4\ub86d\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uc6f9 \uc11c\ube44\uc2a4 \uacf5\uae09\uc5c5\uccb4 vs \uc6f9 \ube0c\ub77c\uc6b0\uc800 \uc81c\uc870\uc5c5\uccb4\uac04\uc758 \ucc45\uc784 \uc18c\uc7ac\ub3c4 \ubd88\uba85\ud655\ud569\ub2c8\ub2e4.
Samesite \uc635\uc158\uc740 \uc774\ub7ec\ud55c \uacf5\uaca9\uc744 \ub9c9\ub294\ub370\uc5d0 \uc0c1\ub2f9\ud55c \ud6a8\uacfc\uac00 \uc788\uc9c0\ub9cc, \uc774 \uc774\uc0c1\uc758 \ubc29\uc5b4\ub294 \uc6f9 \ube0c\ub77c\uc6b0\uc800\uc758 \uc131\ub2a5\uc5d0 \uc9c1\uc811\uc801\uc778 \uc601\ud5a5\uc744 \ub07c\uce58\uae30 \ub54c\ubb38\uc5d0 \uc774\uc640 \uc720\uc0ac\ud55c \uacf5\uaca9\ub4e4\uc744 known-issue\ub85c \ub450\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n\n\n\n

\uadf8 \ub204\uad6c\ub3c4 \ud328\uce58\ud558\uae30\ub97c \uc6d0\ud558\uc9c0 \uc54a\ub294 \uc560\ubb3c\ub2e8\uc9c0\uac19\uc740 \ucde8\uc57d\uc810\uc774\uc9c0\ub9cc, \uc0ac\uc6a9\uc790\uc5d0\uac8c\ub294 \uc704\ud611\uc774 \ub418\ub294.
\ud604\ub300 \uc6f9 \uc804\ubc18\uc5d0 \uac78\uce5c \uae30\uc220 \ubd80\ucc44\uac00 \uc544\uc9c1\ub3c4 \uc0b4\uc544 \uc228\uc26c\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"

\uc774\uc804 \uac8c\uc2dc\ubb3c\uc5d0\uc11c \ucfe0\ud0a4\uc758 Samesite \uc18d\uc131\uc774 Lax\uac00 \uc544\ub2d0 \uacbd\uc6b0\uc5d0 \uc5b4\ub5a4 Side Channel Attack \uacf5\uaca9\uc774 \uac00\ub2a5\ud55c\uc9c0 \uc54c\uc544\ubcf4\uc558\uc2b5\ub2c8\ub2e4.\ud06c\ub86c\uc774 80\ubc84\uc804\uc73c\ub85c \uc5c5\ub370\uc774\ud2b8\ub418\uba74\uc11c Lax\uac00 \uae30\ubcf8\uac12\uc774 \ub418\uc5b4 \uc2ec\uac01\ub3c4\uac00 \ucda9\ubd84\ud788 \ub5a8\uc5b4\uc84c\ub2e4\uace0 \uc0dd\uac01\ud558\uc5ec \uacf5\uac1c\ud588\ub294\ub370, COVID-19\ub54c\ubb38\uc5d0 \ud574\ub2f9 \uc870\uce58\uac00 rollback \ub418\uc5c8\uc8e0. \uae30\uc655 \uacf5\uac1c\ud55c\uac70 \ud574\ub2f9 \ucde8\uc57d\uc810\uc744 \uc5ec\ub7ec \ubc84\uadf8\ubc14\uc6b4\ud2f0 \ud504\ub85c\uadf8\ub7a8\uc744 \ud1b5\ud574 \uc81c\ubcf4\ud55c \uacb0\uacfc\ub97c \ubcf4\uba74\uc11c, \uc774 \uae30\uc220 \ubd80\ucc44\uc758 \uc2ec\uac01\uc131\uc744 \uc9c1\uc811 \ub290\uaef4\ubd05\uc2dc\ub2e4.\uac01 \uc0ac\ub840\uac00 \uc5b4\ub290 \ubca4\ub354\uc778\uc9c0\ub294 \uba85\uc2dc\ud558\uc9c0 \uc54a\uaca0\uc2b5\ub2c8\ub2e4. \uccab \ubc88\uc9f8 \uc0ac\ub840\uc785\ub2c8\ub2e4.\uc751\ub2f5\ucf54\ub4dc\ub97c \uc0ac\uc6a9\ud574\uc11c \uad8c\ud55c \uc5ec\ubd80\ub97c \ud310\ubcc4\ud560 \uc218 \uc788\ub2e4\uace0 \uc801\uc5c8\uc5c8\uc8e0.\ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ud2b9\uc815 \ud398\uc774\uc9c0\uc5d0 \uc811\uadfc\ud560 \uad8c\ud55c\uc774 \uc788\uc73c\uba74 \uc751\ub2f5\ucf54\ub4dc 200\uc744, \uc5c6\uc73c\uba74 404\uc744 \uc751\ub2f5\ud55c\ub2e4\uace0 \uac00\uc815\ud569\uc2dc\ub2e4.script \ud0dc\uadf8\ub85c \ud574\ub2f9 \uc8fc\uc18c\ub97c \ubd88\ub7ec\uc624\uba74 \uac01\uac01 onload, onerror \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub429\ub2c8\ub2e4.onload \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub418\uba74 \ud574\ub2f9 \ud398\uc774\uc9c0\uc5d0 \uc811\uadfc \uad8c\ud55c\uc744 \uac00\uc9c4 \uc0ac\ub78c\uc774\ub77c\ub294 \uc758\ubbf8\uc8e0.\uc544\ub798\uc640 \uac19\uc774 PoC\ub97c \uc791\uc131\ud588\uc2b5\ub2c8\ub2e4. <script src=https:\/\/www.******.com\/community\/users\/rubiya1\/edit onload=”alert(‘you are rubiya1’)” onerror=”alert(‘you are not rubiya1’)”><\/script><script src=https:\/\/www.******.com\/community\/users\/rubiya2\/edit onload=”alert(‘you are rubiya2’)” onerror=”alert(‘you are not rubiya2’)”><\/script> \uac04\ub2e8\ud558\uc8e0?\uacf5\uaca9\uc790\ub294 \uc790\uc2e0\uc758 \uc6f9 \uc0ac\uc774\ud2b8\uc5d0 \uc811\uc18d\ud55c \uc0ac\uc6a9\uc790\uac00 rubiya1\uc778\uc9c0, \ud639\uc740 rubiya2\uc778\uc9c0 \uc2dd\ubcc4\ud560 \uc218 \uc788\uac8c \ub418\uc5c8\uc2b5\ub2c8\ub2e4.\uc0ac\uc804\uc5d0 \uc218\uc9d1\ud55c \uc544\uc774\ub514 \ubaa9\ub85d\uc744 \ubc30\uc5f4\uc5d0 \ub123\uc5b4\ub450\uace0 \ubb34\ucc28\ubcc4\uc801\uc73c\ub85c \uac80\uc0ac\ud558\uba74 \ub0b4 \uc6f9\uc0ac\uc774\ud2b8\uc5d0 \uc811\uc18d\ud55c \uc0ac\ub78c\uc774 \ud2b9\uc815\uc778\uc778\uc9c0 \ud30c\uc545\uc774 \uc2dd\ubcc4\ud560 \uc218 \uc788\uaca0\uc8e0. \ubca4\ub354\uc5d0\uc11c\ub294 \ubb50\ub77c\uace0 \ub2f5\ubcc0\ud588\uc744\uae4c\uc694? Although your finding might appear to be a security vulnerability, this behavior does not really pose a concrete and exploitable risk to the platform. It’s more likely a best practice issue. \ud50c\ub7ab\ud3fc\uc5d0 \uc9c1\uc811\uc801\uc778 \uc704\ud611\uc744 \uac00\ud558\ub294\uac8c \uc544\ub2c8\ubbc0\ub85c, best practice issue\uc5d0 \ud574\ub2f9\ud55c\ub2e4 \ub77c\uace0 \ud569\ub2c8\ub2e4.\ud655\uc2e4\ud788 \ud50c\ub7ab\ud3fc\uc744 \uacf5\uaca9\uc758 \ub3c4\uad6c\ub85c \uc0ac\uc6a9\ud560 \ubfd0, \ud50c\ub7ab\ud3fc \uc790\uccb4\uc5d0 \uc601\ud5a5\uc744 \ub07c\uce58\ub294 \uacf5\uaca9\uc740 \uc544\ub2d9\ub2c8\ub2e4.\ub3c8 \uc8fc\uace0 \uace0\uce58\uae30\uc5d0\ub294 \uc544\uae4c\uc6b4 \ucde8\uc57d\uc810\uc774\ub77c\uace0 \uc0dd\uac01\ud560 \uc218 \uc788\uc8e0. \ub2e4\ub978 \ubca4\ub354\uc758 \uc0ac\ub840\ub3c4 \ubcf4\uaca0\uc2b5\ub2c8\ub2e4.\uc774\ubc88\uc5d0\ub294 \uc790\uc2e0\uc758 \ud504\ub85c\ud544 \ubbf8\ub9ac\ubcf4\uae30 \uae30\ub2a5\uc5d0\uc11c \ubc1c\uc0dd\ud55c \ucde8\uc57d\uc810\uc785\ub2c8\ub2e4.\ubbf8\ub9ac\ubcf4\uae30 \uae30\ub2a5\uc740 https:\/\/www.******.com\/******?view=182716 \uc640 \uac19\uc740 URI\ub97c \uac00\uc9c0\uace0 \uc788\uc2b5\ub2c8\ub2e4.\uc774 \ubbf8\ub9ac\ubcf4\uae30\ub294 \uc790\uc2e0\uc758 \ud504\ub85c\ud544\ub9cc \uac00\ub2a5\ud558\uace0 \ud0c0\uc778\uc758 \ud504\ub85c\ud544\uc740 \ubbf8\ub9ac\ubcf4\uae30\ub97c \ud560 \uc218 \uc5c6\uc2b5\ub2c8\ub2e4. \uc5ec\uae30\uc11c \uc0c1\uc0c1\ud574\ubd05\uc2dc\ub2e4.\ud074\ub77c\uc774\uc5b8\ud2b8\uac00 \ud2b9\uc815\uc778\uc758 \ubbf8\ub9ac\ubcf4\uae30 \uc8fc\uc18c\uc5d0 \uc811\uc18d\ud588\uc744 \ub54c \uc11c\ubc84\uc5d0\uc11c\ub294 \ubbf8\ub9ac\ubcf4\uae30 \uad8c\ud55c\uc774 \uc788\ub294\uc9c0\ub97c \uccb4\ud06c\ud569\ub2c8\ub2e4. \uad8c\ud55c\uc774 \uc788\uc744\uacbd\uc6b0 : \ud0c0\uc778\uc758 \uad00\uc810\uc5d0\uc11c \ud504\ub85c\ud544\uc774 \uc5b4\ub5bb\uac8c \ubcf4\uc774\ub294\uc9c0\ub97c \uc54c\ub824\uc8fc\uae30 \uc704\ud574\uc11c \uc5ec\ub7ec\uac00\uc9c0 \uc815\ubcf4\uc758 \uacf5\uac1c\ubc94\uc704\ub97c \ud655\uc778\ud558\uace0, \ud0c0\uc778\uc5d0\uac8c \ubcf4\uc5ec\uc918\ub3c4 \ub418\ub294 \uc815\ubcf4\ub9cc \ucd9c\ub825\ud569\ub2c8\ub2e4.\uac01 \uac8c\uc2dc\ubb3c\uc758 \uacf5\uac1c \uad8c\ud55c, \uc0dd\ub144\uc6d4\uc77c, \uc774\uba54\uc77c\uc8fc\uc18c, \uc6f9\uc0ac\uc774\ud2b8, \uc5f0\ub77d\ucc98 \ub4f1… \uc544\uc774\uace0 \ub9ce\uae30\ub3c4 \ud558\uad70\uc694. \uad8c\ud55c\uc774 \uc5c6\uc744\uacbd\uc6b0 : \uad8c\ud55c\uc774 \uc5c6\ub2e4\ub294 \uba54\uc138\uc9c0\ub97c \ucd9c\ub825\ud569\ub2c8\ub2e4. \ubb38\uc81c\uc810\uc774 \ubcf4\uc774\uc2dc\ub098\uc694?\uc11c\ubc84\uc5d0\uc11c \ucc98\ub9ac\ud574\uc57c \ud558\ub294 \uc815\ubcf4\uc758 \uc591\uc774 \ud655\uc5f0\ud788 \ucc28\uc774\uac00 \ub098\uba74\uc11c \uc751\ub2f5\uc2dc\uac04\uc5d0 \ucc28\uc774\uac00 \uc0dd\uae30\uac8c \ub429\ub2c8\ub2e4. \uc81c\uac00 \uc791\uc131\ud55c PoC\uc758 \uc2e4\ud589\uacb0\uacfc\ub294 \ub2e4\uc74c\uacfc \uac19\uc2b5\ub2c8\ub2e4. \ud604\uc7ac \uc2dc\uac01\uc744 before \ubcc0\uc218\uc5d0 \ub123\uace0 img \ud0dc\uadf8\ub85c \uac01 \uc0ac\uc774\ud2b8\ub97c \ubd88\ub7ec\uc628 \ud6c4 onload \uc774\ubca4\ud2b8 \ud578\ub4e4\ub7ec\uac00 \ud2b8\ub9ac\uac70\ub418\uba74 \ub2e4\uc2dc \ud604\uc7ac \uc2dc\uac01\uc744 after\uc5d0 \ub123\uc5b4 \ub458\uc744 \ube84\uc148\ud588\uc2b5\ub2c8\ub2e4.\uc624\ucc28\ub97c \uc904\uc774\uae30 \uc704\ud574 5\ubc88\uc529 \uc694\uccad\uc744 \ud558\uc600\uc73c\uba70 \uac01 \uc751\ub2f5\uc2dc\uac04\uc744 \ud3c9\uade0\ub0b8 \uacb0\uacfc\uc785\ub2c8\ub2e4. \uc751\ub2f5\uc2dc\uac04\uc774 \uc720\uc758\ubbf8\ud558\uac8c \ucc28\uc774\ub098\ub294\uac8c \ubcf4\uc774\uc2dc\ub098\uc694?\ub9cc\uc57d \uc778\ud130\ub137 \uc0c1\ud0dc\uac00 \uc548\uc88b\uc544\uc11c \uc624\ucc28\uac00 \uc2ec\ud558\ub2e4\uba74 \uc694\uccad\uc758 \ud69f\uc218\ub97c \ub298\ub824\uc11c \ud574\uacb0\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub807\ub2e4\uba74 \uc5b4\ub5bb\uac8c \ud328\uce58\ud574\uc57c \ud560\uae4c\uc694?\uac00\uc7a5 \uc26c\uc6b4 \ubc29\ubc95\uc740 Samesite \uc635\uc158\uc744 \uac74\ub4dc\ub9ac\ub294 \uac83\uc774\uc9c0\ub9cc, \uc774\ub294 \uc11c\ube44\uc2a4\uc758 \uc815\uc0c1\uc801\uc778 \uae30\ub2a5\uc744 \ubc29\ud574\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4.\uc120\ub73b \uac00\ubcbc\uc6b4 \ub9c8\uc74c\uc73c\ub85c \uac74\ub4dc\ub9b4 \uc218 \uc5c6\ub294 \uc635\uc158\uc774\uc8e0. \uadf8\ub807\ub2e4\uba74 \ub79c\ub364\ud558\uac8c \uc751\ub2f5 \uc2dc\uac04\uc744 \ub298\ub9b4\uae4c\uc694?\uc694\uccad\uc758 \ud69f\uc218\ub97c \ub298\ub824\uc11c \ub300\uc751\ud560 \uc218 \uc788\uc2b5\ub2c8\ub2e4. \uadf8\ub7ec\uba74… \uadf8\ub0e5 \uc6f9 \uc0ac\uc774\ud2b8 \uc790\uccb4\ub97c \ub290\ub9ac\uac8c \ub9cc\ub4e4\uae4c\uc694?\ub9d0\ub3c4 \uc548\ub418\uc8e0.\uc6f9 \uc0ac\uc774\ud2b8\uc758 \uc751\ub2f5\uc2dc\uac04\uc744 \uc870\uae08\uc774\ub77c\ub3c4 \ub354 \uc904\uc774\uae30 \uc704\ud574 \uac1c\ubc1c\uc790\ub4e4\uc740 \uc624\ub298\ub3c4 \ub208\ubb3c\uaca8\uc6b4 \ub178\ub825\uc744 \ud558\uace0 \uc788\uc2b5\ub2c8\ub2e4. \ubca4\ub354\uc5d0\uc11c\ub294 \ubb50\ub77c\uace0 \ub2f5\ubcc0\ud588\uc744\uae4c\uc694? We are working with browser vendors to implement these mitigations as they become available, to defend against this unexpected behavior. Because of these ongoing efforts, submissions involving known side-channel techniques are generally treated as duplicate reports under our program. \uc774\ub7ec\ud55c \uc885\ub958\uc758 \uacf5\uaca9\uc744 \ub9c9\uae30\uc704\ud574 \ube0c\ub77c\uc6b0\uc800 \ubca4\ub354\ub4e4\uacfc \ucda9\ubd84\ud55c \ud611\ub825\uc744 \ud558\uace0 \uc788\uc73c\ubbc0\ub85c, \uc0ac\uc774\ub4dc \ucc44\ub110\ub958 \uacf5\uaca9\uc5d0 \ub300\ud574\uc11c\ub294 \ubcf4\ud1b5 duplicate\ub85c \ucc98\ub9ac\ud55c\ub2e4.\uc989 \ube0c\ub77c\uc6b0\uc800\ub2e8\uc5d0\uc11c\uc758 \ubc29\uc5b4\ub97c \uae30\ub300\ud558\ub294 \uac83\ucc98\ub7fc \ubcf4\uc785\ub2c8\ub2e4. \uae00\uc758 \uc11c\ub450\uc5d0\uc11c \uae30\uc220 \ubd80\ucc44\ub77c\ub294 \ub2e8\uc5b4\ub97c \uc5b8\uae09\ud55c \uc774\uc720\uc785\ub2c8\ub2e4.\uc774 \ucde8\uc57d\uc810\uc740 \uc6f9 \uc11c\ube44\uc2a4 \ud50c\ub7ab\ud3fc\uc5d0 \uc9c1\uc811\uc801\uc778 \uc601\ud5a5\uc744 \ub07c\uce58\uc9c0 \uc54a\uc2b5\ub2c8\ub2e4.\ubc84\uadf8\ubc14\uc6b4\ud2f0\ub97c \uc6b4\uc601\ud558\ub294 \uc6f9 \uc11c\ube44\uc2a4 \uacf5\uae09\uc5c5\uccb4 \uc785\uc7a5\uc5d0\uc11c\ub294 \ud30c\uae09\ub825\uc740 \uc801\uc740 \uc8fc\uc81c\uc5d0 \ub9c9\uae30\ub294 \uae4c\ub2e4\ub86d\uc2b5\ub2c8\ub2e4. \uc6f9 \uc11c\ube44\uc2a4 \uacf5\uae09\uc5c5\uccb4 vs \uc6f9 \ube0c\ub77c\uc6b0\uc800 \uc81c\uc870\uc5c5\uccb4\uac04\uc758 \ucc45\uc784 \uc18c\uc7ac\ub3c4 \ubd88\uba85\ud655\ud569\ub2c8\ub2e4.Samesite \uc635\uc158\uc740 \uc774\ub7ec\ud55c \uacf5\uaca9\uc744 \ub9c9\ub294\ub370\uc5d0 \uc0c1\ub2f9\ud55c \ud6a8\uacfc\uac00 \uc788\uc9c0\ub9cc, \uc774 \uc774\uc0c1\uc758 \ubc29\uc5b4\ub294 \uc6f9 \ube0c\ub77c\uc6b0\uc800\uc758 \uc131\ub2a5\uc5d0 \uc9c1\uc811\uc801\uc778 \uc601\ud5a5\uc744 \ub07c\uce58\uae30 \ub54c\ubb38\uc5d0 \uc774\uc640 \uc720\uc0ac\ud55c \uacf5\uaca9\ub4e4\uc744 known-issue\ub85c \ub450\uace0 \uc788\uc2b5\ub2c8\ub2e4. \uadf8 \ub204\uad6c\ub3c4 \ud328\uce58\ud558\uae30\ub97c \uc6d0\ud558\uc9c0 \uc54a\ub294 \uc560\ubb3c\ub2e8\uc9c0\uac19\uc740 \ucde8\uc57d\uc810\uc774\uc9c0\ub9cc, \uc0ac\uc6a9\uc790\uc5d0\uac8c\ub294 \uc704\ud611\uc774 \ub418\ub294.\ud604\ub300 \uc6f9 \uc804\ubc18\uc5d0 \uac78\uce5c \uae30\uc220 \ubd80\ucc44\uac00 \uc544\uc9c1\ub3c4 \uc0b4\uc544 \uc228\uc26c\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/430"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=430"}],"version-history":[{"count":31,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/430\/revisions"}],"predecessor-version":[{"id":465,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/430\/revisions\/465"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}