\uc5ec\uae30\uc11c Request \ud5e4\ub354\uc5d0\ub294 \uc5b4\ub5a4 \uac12\uc774 \ub4e4\uc5b4\uac08\uae4c?
\ubb34\uc218\ud788 \ub9ce\uc9c0\ub9cc \uac00\uc7a5 \ud754\ud788 \uc0ac\uc6a9\ub418\ub294 \ud5e4\ub354\ub294 \uc774\uc804 \uc6f9 \ud398\uc774\uc9c0 \uc8fc\uc18c\ub97c \uc758\ubbf8\ud558\ub294 referer, \ud074\ub77c\uc774\uc5b8\ud2b8\uc758 \ube0c\ub77c\uc6b0\uc800\ub97c \uc758\ubbf8\ud558\ub294 user agent, \uadf8\ub9ac\uace0 \ucfe0\ud0a4\ub4f1\uc774 \uc788\ub2e4.<\/p>\n\n\n\n
\ucfe0\ud0a4\uc5d0 \ucd08\uc810\uc744 \ub450\uc5b4\ubcf4\uc790.<\/p>\n\n\n\n
\uc11c\ubc84\uc5d0\uc11c \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0 \ub0b4\ub824\uc8fc\ub294 \uc791\uc740 \ud14d\uc2a4\ud2b8 \uc870\uac01\uc744 \ucfe0\ud0a4\ub77c\uace0 \ubd80\ub978\ub2e4.
\ube0c\ub77c\uc6b0\uc800\ub294 \ucfe0\ud0a4\ub97c \uc800\uc7a5\ud574\ub450\uc5c8\ub2e4\uac00 HTTP Request\ub97c \ubcf4\ub0bc \ub54c \ud574\ub2f9 \ucfe0\ud0a4 \uc870\uac01\uc744 \ud5e4\ub354\ub85c \uc804\uc1a1\ud55c\ub2e4.<\/p>\n\n\n\n
\uc774 \ucfe0\ud0a4\uac00 \ube44\uc815\uc0c1\uc801\uc73c\ub85c \ud06c\uba74 \uc5b4\ub5a4\uc77c\uc774 \uc0dd\uae38\uae4c?
Request \ud5e4\ub354\uac00 \ub108\ubb34 \ucee4\uc838 \uc0ac\uc6a9\uc790\uac00 \ud574\ub2f9 \uc6f9\uc0ac\uc774\ud2b8\uc5d0 \uc544\ubb34\ub9ac \uc811\uc18d\uc744 \uc2dc\ub3c4\ud574\ub3c4 \uc5d0\ub7ec\uba54\uc138\uc9c0\ub9cc \ubcfc \uc218 \uc788\uc744 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
\uc790 \uadf8\ub807\ub2e4\uba74.
\ub9cc\uc57d \uacf5\uaca9\uc790\uac00 \uc6f9\uc0ac\uc774\ud2b8\uc758 \ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud574 \ubc29\ubb38\uc790\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0 \ube44\uc815\uc0c1\uc801\uc73c\ub85c \ud070 \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud574\uc904 \uc218 \uc788\ub2e4\uba74,
\ud76c\uc0dd\uc790\ub294 \ucfe0\ud0a4\uac00 \uc0ad\uc81c\ub420\ub54c\uae4c\uc9c0 \uadf8 \uc6f9\uc0ac\uc774\ud2b8\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uac8c \ub41c\ub2e4.<\/p>\n\n\n\n
\uc5b4\ub5bb\uac8c \ud0c0 \uc0ac\uc774\ud2b8\uc758 \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud574\uc904 \uc218 \uc788\uc744\uae4c?<\/p>\n\n\n\n
\uba3c\uc800 \uc6b0\ub9ac\ub294 XSS \ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4.
\uc544\ub798\uc640 \uac19\uc740 \ucf54\ub4dc\ub97c \uc0bd\uc785\ud588\uc744 \ub54c \ud574\ub2f9 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc2e4\ud589\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0\ub294 4kb\uc9dc\ub9ac \ucfe0\ud0a4 100\uac1c\uac00 \uc0dd\uc131\ub420 \uac83\uc774\ub2e4.<\/p>\n\n\n\n
var base_domain = \"example.com\";\nvar pollution = Array(4000).join('a');\nfor(var i=0;i<100;i++){\n document.cookie='bomb'+i+'='+pollution+';domain='+base_domain;\n}<\/pre>\n\n\n\n\uc774 400kb\uc9dc\ub9ac \ucfe0\ud0a4 \ud3ed\ud0c4\uc740 HTTP Request \ud5e4\ub354\uc5d0 \ud3ec\ud568\ub418\uc5b4 \uc804\uc1a1\ub418\uba70, \uc774\uc815\ub3c4 \ud06c\uae30\uc758 \ud5e4\ub354\ub97c \ubc1b\uc544\uc8fc\ub294 \uc11c\ubc84\ub294 \ucc3e\uc544\ubcf4\uae30 \uc5b4\ub835\ub2e4.
\uc774\uc81c \ud76c\uc0dd\uc790\ub294 example.com\uc5d0 \uc811\uc18d\ud560 \uc218 \uc5c6\ub2e4.<\/p>\n\n\n\n
Cookie bomb\uc744 \uc704\ud574\uc11c \ubc18\ub4dc\uc2dc XSS\ub97c \uc0ac\uc6a9\ud574\uc57c \ud558\ub294\uac83\uc740 \uc544\ub2c8\ub2e4.
\uac80\uc0c9 \uae30\ub85d, \uc720\uc800 \ud2b8\ub798\ud0b9 \ub4f1\uc758 \uac04\ub2e8\ud55c \ub3d9\uc791\uc744 \uc704\ud574\uc11c \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0 \ucfe0\ud0a4\ub97c \ub0b4\ub824\uc8fc\ub294 \ud589\ub3d9\uc740 \ud754\ud558\uba70,
\ub0b4\ub824\uc8fc\ub294 \ucfe0\ud0a4\uc5d0 \uc720\uc800 \uc778\ud48b\uc774 \uc544\ubb34\ub7f0 \ud544\ud130\ub9c1 \uc5c6\uc774 \ud3ec\ud568\ub41c\ub2e4\uba74 Cookie bomb\uc774 \uac00\ub2a5\ud558\ub2e4.<\/p>\n\n\n\n
\uc774\uc81c \ud30c\uae09\ub825\uc744 \ub354 \ud0a4\uc6cc\ubcf4\uc790.<\/p>\n\n\n\n
example.com \ud558\uc704\uc5d0 \ub9ce\uc740 \uc11c\ube0c\ub3c4\uba54\uc778\uc774 \uc788\ub2e4\uace0 \uac00\uc815\ud558\uc790.
a.example.com
b.example.com
c.example.com…
xss \ucde8\uc57d\uc810\uc774 a.example.com\uc5d0\uc11c \ubc1c\uc0dd\ud588\uc744 \ub54c \ucfe0\ud0a4\uc758 domain\uc744 a.example.com\uc774 \uc544\ub2cc .example.com \uc73c\ub85c \uc124\uc815\ud558\uba74 example.com\uc758 \ubaa8\ub4e0 \uc11c\ube0c\ub3c4\uba54\uc778\uc5d0 \uc811\uadfc\uc774 \ubd88\uac00\ub2a5\ud574\uc9c4\ub2e4.<\/p>\n\n\n\n
\ub610\ud55c \ucfe0\ud0a4\uc758 \uc218\uba85\uc778 expires\ub97c \ud06c\uac8c \uc8fc\uba74 \ucfe0\ud0a4\uac00 \ub9cc\ub8cc\ub418\uae30\uae4c\uc9c0 \ub354 \uc624\ub798 \uac78\ub9b4\uac83\uc774\ub2e4.<\/p>\n\n\n\n
\uadf8\ub807\ub2e4\uba74 \ubc29\uc5b4\uc790\ub4e4\uc740 \uc774 \uacf5\uaca9\uc5d0 \uc5b4\ub5bb\uac8c \ub300\ucc98\ud558\uace0 \uc788\uc744\uae4c?<\/p>\n\n\n\n
\uba3c\uc800 Facebook\uc5d0\uc11c \ud574\ub2f9 \ud398\uc774\ub85c\ub4dc\ub97c \uc2e4\ud589\ud574\ubcf4\uc558\ub2e4.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2020\/10\/image.png\")
<\/figure>\n\n\n\n\uc544\ubb34\ub7f0 \ud78c\ud2b8 \uc5c6\uc774 \uc624\ub958\ub97c \ubc18\ud658\ud55c\ub2e4.
\uc77c\ubc18\uc778\uc774 \uc774 \uc624\ub958 \uba54\uc138\uc9c0\ub97c \ubcf4\uace0 \ucfe0\ud0a4 \uc0ad\uc81c\ub97c \ub5a0\uc62c\ub9b4 \uac00\ub2a5\uc131\uc740?
\uc5c6\ub2e4.<\/p>\n\n\n\n
\ud2b8\uc704\ud130, \ub137\ud50c\ub9ad\uc2a4, \ub124\uc774\ubc84 \ubaa8\ub450 \uc544\ubb34\ub7f0 \ub300\ube44\uac00 \ub418\uc5b4\uc788\uc9c0 \uc54a\ub2e4.<\/p>\n\n\n\n
\ud558\uc9c0\ub9cc \uad6c\uae00\uc740 \ub2ec\ub790\ub2e4.<\/p>\n\n\n\n![\"\"](\"https:\/\/blog.rubiya.kr\/wp-content\/uploads\/2020\/10\/image-1.png\")
<\/figure>\n\n\n\n\uc704\uc640 \uac19\uc740 413 \uc624\ub958\ub97c \ubc18\ud658\ud55c \ub4a4 \uba54\uc778\ud398\uc774\uc9c0\ub85c \ub3cc\uc544\uac00\uace0, \uc989\uc2dc \uc815\uc0c1\uc801\uc73c\ub85c \uc11c\ube44\uc2a4\uc758 \uc774\uc6a9\uc774 \uac00\ub2a5\ud588\ub2e4.<\/p>\n\n\n\n
\ubd84\uc11d\uacb0\uacfc \uc544\ub798\uc640 \uac19\uc740 \ucf54\ub4dc\uac00 413 \uc624\ub958 \ud398\uc774\uc9c0\uc5d0 \uc2ec\uc5b4\uc838 \uc788\uc5c8\ub2e4.<\/p>\n\n\n\n
(function() { \/*\n Copyright The Closure Library Authors.\n SPDX-License-Identifier: Apache-2.0\n*\/\nvar c=function(a,d,b){a=a+\"=deleted; path=\"+d;null!=b&&(a+=\"; domain=\"+b);document.cookie=a+\"; expires=Thu, 01 Jan 1970 00:00:00 GMT\"};var g=function(a){var d=e,b=location.hostname;c(d,a,null);c(d,a,b);for(var f=0;;){f=b.indexOf(\".\",f+1);if(0>f)break;c(d,a,b.substring(f+1))}};var h;if(4E3<unescape(encodeURI(document.cookie)).length){for(var k=document.cookie.split(\";\"),l=[],m=0;m<k.length;m++){var n=k[m].match(\/^\\s*([^=]+)\/);n&&l.push(n[1])}for(var p=0;p<l.length;p++){var e=l[p];g(\"\/\");for(var q=location.pathname,r=0;;){r=q.indexOf(\"\/\",r+1);if(0>r)break;var t=q.substring(0,r);g(t);g(t+\"\/\")}\"\/\"!=q.charAt(q.length-1)&&(g(q),g(q+\"\/\"))}h=!0}else h=!1;\nh&&setTimeout(function(){if(history.replaceState){var a=location.href;history.replaceState(null,\"\",\"\/\");location.replace(a)}},1E3); })();<\/pre>\n\n\n\nbeautifier\ub97c \ub3cc\ub9b0 \uacb0\uacfc\ub294 \uc544\ub798\uc640 \uac19\ub2e4.<\/p>\n\n\n\n
(function() {\n \/*\n\n Copyright The Closure Library Authors.\n SPDX-License-Identifier: Apache-2.0\n*\/\n var c = function(a, d, b) {\n a = a + \"=deleted; path=\" + d;\n null != b && (a += \"; domain=\" + b);\n document.cookie = a + \"; expires=Thu, 01 Jan 1970 00:00:00 GMT\"\n };\n var g = function(a) {\n var d = e,\n b = location.hostname;\n c(d, a, null);\n c(d, a, b);\n for (var f = 0;;) {\n f = b.indexOf(\".\", f + 1);\n if (0 > f) break;\n c(d, a, b.substring(f + 1))\n }\n };\n var h;\n if (4E3 < unescape(encodeURI(document.cookie)).length) {\n for (var k = document.cookie.split(\";\"), l = [], m = 0; m < k.length; m++) {\n var n = k[m].match(\/^\\s*([^=]+)\/);\n n && l.push(n[1])\n }\n for (var p = 0; p < l.length; p++) {\n var e = l[p];\n g(\"\/\");\n for (var q = location.pathname, r = 0;;) {\n r = q.indexOf(\"\/\", r + 1);\n if (0 > r) break;\n var t = q.substring(0, r);\n g(t);\n g(t + \"\/\")\n }\n \"\/\" != q.charAt(q.length - 1) && (g(q), g(q + \"\/\"))\n }\n h = !0\n } else h = !1;\n h && setTimeout(function() {\n if (history.replaceState) {\n var a = location.href;\n history.replaceState(null, \"\", \"\/\");\n location.replace(a)\n }\n }, 1E3);\n})();<\/pre>\n\n\n\n24\ub77c\uc778\uc744 \ubcf4\uba74 Cookie\uc758 \uae38\uc774\uac00 4E3(4000)\uc744 \ub118\uc744 \uacbd\uc6b0\uc5d0 \ud2b9\uc815 \ud568\uc218\ub97c \uc2e4\ud589\ud558\uba70,
\ud574\ub2f9 \ud568\uc218\uc5d0\uc11c\ub294 \ucfe0\ud0a4\uc758 expires\ub97c 1970\ub144\uc73c\ub85c \ubcc0\uc870\ud574 \ubaa8\ub4e0 \ucfe0\ud0a4\ub97c \uc0ad\uc81c\ud55c\ub2e4.
\uc989 413 \uc624\ub958 \ud398\uc774\uc9c0\uc5d0 \uc0bd\uc785\ub41c \ucf54\ub4dc\ub294 \ucfe0\ud0a4\uc758 \uae38\uc774\uac00 4000\uc774 \ub118\ub294\uc9c0 \ud655\uc778\ud558\uace0, 4000\uc774 \ub118\uc73c\uba74 \ucfe0\ud0a4\ub97c \uc0ad\uc81c\ud558\ub294 \ud589\ub3d9\uc744 \ud55c\ub2e4.<\/p>\n\n\n\n
Cookie bomb \uacf5\uaca9\uc744 \ud0c0\uac9f\ud305\ud574\uc11c \uc791\uc131\ub41c \uc815\ud655\ud55c \ubbf8\ud2f0\uac8c\uc774\uc158\uc774\ub2e4.
Google drive, Hangout, Youtube \ub4f1 \uad6c\uae00\uc758 \ubaa8\ub4e0 \uc11c\ube44\uc2a4\uc5d0\uc11c \ub3d9\uc77c\ud55c \ucf54\ub4dc\ub97c \ubc18\ud658\ud55c\ub2e4.<\/p>\n\n\n\n
\uadf8\ub807\ub2e4\uba74 \uc774\ub7ec\ud55c \ubbf8\ud2f0\uac8c\uc774\uc158\uc740 Cookie bomb\uc744 \uc644\ubcbd\ud558\uac8c \ubc29\uc5b4\ud560 \uc218 \uc788\uc744\uae4c?<\/p>\n\n\n\n
\ucfe0\ud0a4\uc5d0\ub294 HttpOnly \ub77c\ub294 \ud50c\ub798\uadf8\uac00 \uc788\uc73c\uba70 \ud574\ub2f9 \ud50c\ub798\uadf8\ub294 JavaScript\uc5d0\uc11c \ucfe0\ud0a4\uc5d0 \uc811\uadfc\ud558\ub294\uac83\uc744 \ub9c9\ub294\ub2e4.
HttpOnly \ud50c\ub798\uadf8\uac00 \uc124\uc815\ub418\uc5b4 \uc788\uc73c\uba74 \uc704\uc758 \ucf54\ub4dc\ub85c\ub294 Cookie bomb\uc744 \ubc29\uc5b4\ud560 \uc218 \uc5c6\ub2e4.<\/p>\n\n\n\n
\ubb3c\ub860 JavaScript\ub97c \uc0ac\uc6a9\ud574\uc11c\ub294 HttpOnly \ud50c\ub798\uadf8\uac00 \uc124\uc815\ub41c \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud558\ub294\uac83\uc774 \ubd88\uac00\ub2a5\ud558\ub2e4.
\ud558\uc9c0\ub9cc XSS\uac00 \uc544\ub2cc \uc11c\ubc84\uce21\uc5d0\uc11c \ucfe0\ud0a4\ub97c \ud560\ub2f9\ud574\uc8fc\ub294 \uae30\ub2a5\uc744 \uc545\uc6a9\ud55c Cookie bomb \uacf5\uaca9\uc774 \uac00\ub2a5\ud560 \ub54c,
\ud574\ub2f9 \uae30\ub2a5\uc5d0\uc11c \ucfe0\ud0a4\ub97c HttpOnly \ud50c\ub798\uadf8\ub97c \uc124\uc815\ud55c\ucc44\ub85c \ud560\ub2f9\ud574\uc900\ub2e4\uba74 \uc704\uc758 JavaScript \ucf54\ub4dc\ub97c \uc6b0\ud68c \uac00\ub2a5\ud558\ub2e4.<\/p>\n\n\n\n
\ub367\ubd99\uc784) \uc790\uc2e0\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0\uc11c \uc2e4\uc2b5\uc744 \uc6d0\ud55c\ub2e4\uba74 \ud06c\ub86c \uc2dc\ud06c\ub9bf \ubaa8\ub4dc\ub97c \ud65c\uc6a9\ud558\uc2dc\uae38 \uad8c\uc7a5\ud569\ub2c8\ub2e4.<\/p>\n\n\n\n
Reference<\/p>https:\/\/homakov.blogspot.com\/2014\/01\/cookie-bomb-or-lets-break-internet.html<\/a>
https:\/\/blog.innerht.ml\/tag\/cookie-bomb\/<\/a><\/cite><\/blockquote>\n\n\n\n<\/p>\n","protected":false},"excerpt":{"rendered":"
\ud30c\uae09\ub825\uacfc \ubcf4\uc548 \uc804\ubb38\uac00\ub4e4\uc758 \uad00\uc2ec\ub3c4\uac00 \ubc18\ub4dc\uc2dc \uc77c\uce58\ud558\uc9c0\ub294 \uc54a\ub294\ub2e4.\ud30c\uae09\ub825\uc774 \ud06c\uc9c0\ub9cc, \uad00\uc2ec\uc744 \ubc1b\uc9c0 \ubabb\ud558\ub294 \uacf5\uaca9 \uae30\ubc95 \ud55c \uac00\uc9c0\uc5d0 \ub300\ud574\uc11c \ub2e4\ub904\ubcf4\ub824\uace0 \ud55c\ub2e4. \uadf8 \uc804\uc5d0 \uac04\ub2e8\ud55c \uc0ac\uc2e4\uc744 \uba87 \uac1c \uc9da\uc5b4\ubcf4\uc790. HTTP \ud504\ub85c\ud1a0\ucf5c\uc740 Request\uc640 Response\ub85c \ub098\ub258\uc5b4\uc9c0\uace0, Request\uc640 Response\ub294 \ud5e4\ub354\uc640 \ubc14\ub514\ub85c \uad6c\ubd84\ub41c\ub2e4.Request \ud5e4\ub354\uac00 \ub108\ubb34 \ud074 \uacbd\uc6b0\uc5d0 \uc11c\ubc84\uc5d0\uc11c\ub294 413 Request Entity Too Large, 400 Bad Request \ub4f1\uc758 \uc5d0\ub7ec\ub97c \uc751\ub2f5\ud55c\ub2e4.\ud06c\uae30 \uc81c\ud55c\uc740 \uc11c\ubc84\ub9c8\ub2e4 \ub2e4\ub974\uc9c0\ub9cc \ub300\uccb4\ub85c 8kb\uac00 \ub118\uc5b4\uac00\uba74 \ub300\ubd80\ubd84\uc758 \uc11c\ubc84\uc5d0\uc11c \uc5d0\ub7ec\ub97c \uc751\ub2f5\ud55c\ub2e4. Apache : 8kb nginx : 4kb – 8kb IIS : 8kb – 16kb Tomcat : 8kb – 48kb \uc5ec\uae30\uc11c Request \ud5e4\ub354\uc5d0\ub294 \uc5b4\ub5a4 \uac12\uc774 \ub4e4\uc5b4\uac08\uae4c?\ubb34\uc218\ud788 \ub9ce\uc9c0\ub9cc \uac00\uc7a5 \ud754\ud788 \uc0ac\uc6a9\ub418\ub294 \ud5e4\ub354\ub294 \uc774\uc804 \uc6f9 \ud398\uc774\uc9c0 \uc8fc\uc18c\ub97c \uc758\ubbf8\ud558\ub294 referer, \ud074\ub77c\uc774\uc5b8\ud2b8\uc758 \ube0c\ub77c\uc6b0\uc800\ub97c \uc758\ubbf8\ud558\ub294 user agent, \uadf8\ub9ac\uace0 \ucfe0\ud0a4\ub4f1\uc774 \uc788\ub2e4. \ucfe0\ud0a4\uc5d0 \ucd08\uc810\uc744 \ub450\uc5b4\ubcf4\uc790. \uc11c\ubc84\uc5d0\uc11c \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0 \ub0b4\ub824\uc8fc\ub294 \uc791\uc740 \ud14d\uc2a4\ud2b8 \uc870\uac01\uc744 \ucfe0\ud0a4\ub77c\uace0 \ubd80\ub978\ub2e4.\ube0c\ub77c\uc6b0\uc800\ub294 \ucfe0\ud0a4\ub97c \uc800\uc7a5\ud574\ub450\uc5c8\ub2e4\uac00 HTTP Request\ub97c \ubcf4\ub0bc \ub54c \ud574\ub2f9 \ucfe0\ud0a4 \uc870\uac01\uc744 \ud5e4\ub354\ub85c \uc804\uc1a1\ud55c\ub2e4. \uc774 \ucfe0\ud0a4\uac00 \ube44\uc815\uc0c1\uc801\uc73c\ub85c \ud06c\uba74 \uc5b4\ub5a4\uc77c\uc774 \uc0dd\uae38\uae4c?Request \ud5e4\ub354\uac00 \ub108\ubb34 \ucee4\uc838 \uc0ac\uc6a9\uc790\uac00 \ud574\ub2f9 \uc6f9\uc0ac\uc774\ud2b8\uc5d0 \uc544\ubb34\ub9ac \uc811\uc18d\uc744 \uc2dc\ub3c4\ud574\ub3c4 \uc5d0\ub7ec\uba54\uc138\uc9c0\ub9cc \ubcfc \uc218 \uc788\uc744 \uac83\uc774\ub2e4. \uc790 \uadf8\ub807\ub2e4\uba74.\ub9cc\uc57d \uacf5\uaca9\uc790\uac00 \uc6f9\uc0ac\uc774\ud2b8\uc758 \ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud574 \ubc29\ubb38\uc790\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0 \ube44\uc815\uc0c1\uc801\uc73c\ub85c \ud070 \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud574\uc904 \uc218 \uc788\ub2e4\uba74,\ud76c\uc0dd\uc790\ub294 \ucfe0\ud0a4\uac00 \uc0ad\uc81c\ub420\ub54c\uae4c\uc9c0 \uadf8 \uc6f9\uc0ac\uc774\ud2b8\ub97c \uc0ac\uc6a9\ud560 \uc218 \uc5c6\uac8c \ub41c\ub2e4. \uc5b4\ub5bb\uac8c \ud0c0 \uc0ac\uc774\ud2b8\uc758 \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud574\uc904 \uc218 \uc788\uc744\uae4c? \uba3c\uc800 \uc6b0\ub9ac\ub294 XSS \ucde8\uc57d\uc810\uc744 \uc0ac\uc6a9\ud560 \uc218 \uc788\ub2e4.\uc544\ub798\uc640 \uac19\uc740 \ucf54\ub4dc\ub97c \uc0bd\uc785\ud588\uc744 \ub54c \ud574\ub2f9 \uc2a4\ud06c\ub9bd\ud2b8\ub97c \uc2e4\ud589\ud55c \ud074\ub77c\uc774\uc5b8\ud2b8\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0\ub294 4kb\uc9dc\ub9ac \ucfe0\ud0a4 100\uac1c\uac00 \uc0dd\uc131\ub420 \uac83\uc774\ub2e4. \uc774 400kb\uc9dc\ub9ac \ucfe0\ud0a4 \ud3ed\ud0c4\uc740 HTTP Request \ud5e4\ub354\uc5d0 \ud3ec\ud568\ub418\uc5b4 \uc804\uc1a1\ub418\uba70, \uc774\uc815\ub3c4 \ud06c\uae30\uc758 \ud5e4\ub354\ub97c \ubc1b\uc544\uc8fc\ub294 \uc11c\ubc84\ub294 \ucc3e\uc544\ubcf4\uae30 \uc5b4\ub835\ub2e4.\uc774\uc81c \ud76c\uc0dd\uc790\ub294 example.com\uc5d0 \uc811\uc18d\ud560 \uc218 \uc5c6\ub2e4. Cookie bomb\uc744 \uc704\ud574\uc11c \ubc18\ub4dc\uc2dc XSS\ub97c \uc0ac\uc6a9\ud574\uc57c \ud558\ub294\uac83\uc740 \uc544\ub2c8\ub2e4.\uac80\uc0c9 \uae30\ub85d, \uc720\uc800 \ud2b8\ub798\ud0b9 \ub4f1\uc758 \uac04\ub2e8\ud55c \ub3d9\uc791\uc744 \uc704\ud574\uc11c \ud074\ub77c\uc774\uc5b8\ud2b8\uc5d0 \ucfe0\ud0a4\ub97c \ub0b4\ub824\uc8fc\ub294 \ud589\ub3d9\uc740 \ud754\ud558\uba70,\ub0b4\ub824\uc8fc\ub294 \ucfe0\ud0a4\uc5d0 \uc720\uc800 \uc778\ud48b\uc774 \uc544\ubb34\ub7f0 \ud544\ud130\ub9c1 \uc5c6\uc774 \ud3ec\ud568\ub41c\ub2e4\uba74 Cookie bomb\uc774 \uac00\ub2a5\ud558\ub2e4. \uc774\uc81c \ud30c\uae09\ub825\uc744 \ub354 \ud0a4\uc6cc\ubcf4\uc790. example.com \ud558\uc704\uc5d0 \ub9ce\uc740 \uc11c\ube0c\ub3c4\uba54\uc778\uc774 \uc788\ub2e4\uace0 \uac00\uc815\ud558\uc790.a.example.comb.example.comc.example.com…xss \ucde8\uc57d\uc810\uc774 a.example.com\uc5d0\uc11c \ubc1c\uc0dd\ud588\uc744 \ub54c \ucfe0\ud0a4\uc758 domain\uc744 a.example.com\uc774 \uc544\ub2cc .example.com \uc73c\ub85c \uc124\uc815\ud558\uba74 example.com\uc758 \ubaa8\ub4e0 \uc11c\ube0c\ub3c4\uba54\uc778\uc5d0 \uc811\uadfc\uc774 \ubd88\uac00\ub2a5\ud574\uc9c4\ub2e4. \ub610\ud55c \ucfe0\ud0a4\uc758 \uc218\uba85\uc778 expires\ub97c \ud06c\uac8c \uc8fc\uba74 \ucfe0\ud0a4\uac00 \ub9cc\ub8cc\ub418\uae30\uae4c\uc9c0 \ub354 \uc624\ub798 \uac78\ub9b4\uac83\uc774\ub2e4. \uadf8\ub807\ub2e4\uba74 \ubc29\uc5b4\uc790\ub4e4\uc740 \uc774 \uacf5\uaca9\uc5d0 \uc5b4\ub5bb\uac8c \ub300\ucc98\ud558\uace0 \uc788\uc744\uae4c? \uba3c\uc800 Facebook\uc5d0\uc11c \ud574\ub2f9 \ud398\uc774\ub85c\ub4dc\ub97c \uc2e4\ud589\ud574\ubcf4\uc558\ub2e4. \uc544\ubb34\ub7f0 \ud78c\ud2b8 \uc5c6\uc774 \uc624\ub958\ub97c \ubc18\ud658\ud55c\ub2e4.\uc77c\ubc18\uc778\uc774 \uc774 \uc624\ub958 \uba54\uc138\uc9c0\ub97c \ubcf4\uace0 \ucfe0\ud0a4 \uc0ad\uc81c\ub97c \ub5a0\uc62c\ub9b4 \uac00\ub2a5\uc131\uc740?\uc5c6\ub2e4. \ud2b8\uc704\ud130, \ub137\ud50c\ub9ad\uc2a4, \ub124\uc774\ubc84 \ubaa8\ub450 \uc544\ubb34\ub7f0 \ub300\ube44\uac00 \ub418\uc5b4\uc788\uc9c0 \uc54a\ub2e4. \ud558\uc9c0\ub9cc \uad6c\uae00\uc740 \ub2ec\ub790\ub2e4. \uc704\uc640 \uac19\uc740 413 \uc624\ub958\ub97c \ubc18\ud658\ud55c \ub4a4 \uba54\uc778\ud398\uc774\uc9c0\ub85c \ub3cc\uc544\uac00\uace0, \uc989\uc2dc \uc815\uc0c1\uc801\uc73c\ub85c \uc11c\ube44\uc2a4\uc758 \uc774\uc6a9\uc774 \uac00\ub2a5\ud588\ub2e4. \ubd84\uc11d\uacb0\uacfc \uc544\ub798\uc640 \uac19\uc740 \ucf54\ub4dc\uac00 413 \uc624\ub958 \ud398\uc774\uc9c0\uc5d0 \uc2ec\uc5b4\uc838 \uc788\uc5c8\ub2e4. beautifier\ub97c \ub3cc\ub9b0 \uacb0\uacfc\ub294 \uc544\ub798\uc640 \uac19\ub2e4. 24\ub77c\uc778\uc744 \ubcf4\uba74 Cookie\uc758 \uae38\uc774\uac00 4E3(4000)\uc744 \ub118\uc744 \uacbd\uc6b0\uc5d0 \ud2b9\uc815 \ud568\uc218\ub97c \uc2e4\ud589\ud558\uba70,\ud574\ub2f9 \ud568\uc218\uc5d0\uc11c\ub294 \ucfe0\ud0a4\uc758 expires\ub97c 1970\ub144\uc73c\ub85c \ubcc0\uc870\ud574 \ubaa8\ub4e0 \ucfe0\ud0a4\ub97c \uc0ad\uc81c\ud55c\ub2e4.\uc989 413 \uc624\ub958 \ud398\uc774\uc9c0\uc5d0 \uc0bd\uc785\ub41c \ucf54\ub4dc\ub294 \ucfe0\ud0a4\uc758 \uae38\uc774\uac00 4000\uc774 \ub118\ub294\uc9c0 \ud655\uc778\ud558\uace0, 4000\uc774 \ub118\uc73c\uba74 \ucfe0\ud0a4\ub97c \uc0ad\uc81c\ud558\ub294 \ud589\ub3d9\uc744 \ud55c\ub2e4. Cookie bomb \uacf5\uaca9\uc744 \ud0c0\uac9f\ud305\ud574\uc11c \uc791\uc131\ub41c \uc815\ud655\ud55c \ubbf8\ud2f0\uac8c\uc774\uc158\uc774\ub2e4.Google drive, Hangout, Youtube \ub4f1 \uad6c\uae00\uc758 \ubaa8\ub4e0 \uc11c\ube44\uc2a4\uc5d0\uc11c \ub3d9\uc77c\ud55c \ucf54\ub4dc\ub97c \ubc18\ud658\ud55c\ub2e4. \uadf8\ub807\ub2e4\uba74 \uc774\ub7ec\ud55c \ubbf8\ud2f0\uac8c\uc774\uc158\uc740 Cookie bomb\uc744 \uc644\ubcbd\ud558\uac8c \ubc29\uc5b4\ud560 \uc218 \uc788\uc744\uae4c? \ucfe0\ud0a4\uc5d0\ub294 HttpOnly \ub77c\ub294 \ud50c\ub798\uadf8\uac00 \uc788\uc73c\uba70 \ud574\ub2f9 \ud50c\ub798\uadf8\ub294 JavaScript\uc5d0\uc11c \ucfe0\ud0a4\uc5d0 \uc811\uadfc\ud558\ub294\uac83\uc744 \ub9c9\ub294\ub2e4.HttpOnly \ud50c\ub798\uadf8\uac00 \uc124\uc815\ub418\uc5b4 \uc788\uc73c\uba74 \uc704\uc758 \ucf54\ub4dc\ub85c\ub294 Cookie bomb\uc744 \ubc29\uc5b4\ud560 \uc218 \uc5c6\ub2e4. \ubb3c\ub860 JavaScript\ub97c \uc0ac\uc6a9\ud574\uc11c\ub294 HttpOnly \ud50c\ub798\uadf8\uac00 \uc124\uc815\ub41c \ucfe0\ud0a4\ub97c \uc0dd\uc131\ud558\ub294\uac83\uc774 \ubd88\uac00\ub2a5\ud558\ub2e4.\ud558\uc9c0\ub9cc XSS\uac00 \uc544\ub2cc \uc11c\ubc84\uce21\uc5d0\uc11c \ucfe0\ud0a4\ub97c \ud560\ub2f9\ud574\uc8fc\ub294 \uae30\ub2a5\uc744 \uc545\uc6a9\ud55c Cookie bomb \uacf5\uaca9\uc774 \uac00\ub2a5\ud560 \ub54c,\ud574\ub2f9 \uae30\ub2a5\uc5d0\uc11c \ucfe0\ud0a4\ub97c HttpOnly \ud50c\ub798\uadf8\ub97c \uc124\uc815\ud55c\ucc44\ub85c \ud560\ub2f9\ud574\uc900\ub2e4\uba74 \uc704\uc758 JavaScript \ucf54\ub4dc\ub97c \uc6b0\ud68c \uac00\ub2a5\ud558\ub2e4. \ub367\ubd99\uc784) \uc790\uc2e0\uc758 \ube0c\ub77c\uc6b0\uc800\uc5d0\uc11c \uc2e4\uc2b5\uc744 \uc6d0\ud55c\ub2e4\uba74 \ud06c\ub86c \uc2dc\ud06c\ub9bf \ubaa8\ub4dc\ub97c \ud65c\uc6a9\ud558\uc2dc\uae38 \uad8c\uc7a5\ud569\ub2c8\ub2e4. Reference https:\/\/homakov.blogspot.com\/2014\/01\/cookie-bomb-or-lets-break-internet.htmlhttps:\/\/blog.innerht.ml\/tag\/cookie-bomb\/<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[4],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/469"}],"collection":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/comments?post=469"}],"version-history":[{"count":33,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/469\/revisions"}],"predecessor-version":[{"id":504,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/posts\/469\/revisions\/504"}],"wp:attachment":[{"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/media?parent=469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/categories?post=469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.rubiya.kr\/index.php\/wp-json\/wp\/v2\/tags?post=469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}