Staying still makes you regress

Dev Blog posted on Hugo

  • Tracks of my dev life
  • Ark for oblivion
  • Milestone for wanderer

Database

Database
A system that stores data efficiently so that it can be managed is called a database. A DBMS (DataBase Management System) is used to manipulate a database in a systematic way. Databases are broadly classified by form into relational and non-relational databases.
• Relational Database: manages data in table form.
• Non-Relational Database: manages data as sets of key-value pairs (e.g. JSON documents).

RDBMS (Relational Database Management System)
A system for manipulating relational databases. RDBMSs are designed around the 12 rules defined by Codd (in practice, real products comply with only a subset of them). The database is manipulated with a query language called SQL (Structured Query Language).

SQL (Structured Query Language)
A language devised to define, query and modify the data in an RDBMS. It comprises three sublanguages:
• DDL (Data Definition Language): defines data; creates, alters and drops databases and tables.
• DML (Data Manipulation Language): manipulates the data actually stored in the database; selects, inserts, updates and deletes rows.
• DCL (Data Control Language): grants and revokes access permissions.

NoSQL
The collective name for non-relational DBMSs. They do not use SQL, hold data that is not deeply structured, and are storage engines heavily optimized for simple lookup and append operations. Because data is accessed as key-value combinations there is no single standard query syntax; each engine defines its own, which also keeps access simple. MongoDB, Redis and CouchDB are examples.
• MongoDB: manages collections of JSON-style (BSON) documents.
• Redis: an in-memory DBMS; because it is fast, it is mostly used for caching temporary data.
• CouchDB: a web-oriented DBMS that handles requests through a REST API.

Syntax
MongoDB
Inserting data ...

March 20, 2025 · 3 min · AswinBlue

Exploit

Classification of attack methods

Server-side attack methods

Injection
A vulnerability that occurs when data a user entered is consumed, somewhere in the server's processing, as part of a command or query rather than as plain data, so that it drives other functionality of the system. Kinds of injection attack:
• SQL Injection
• Command Injection
• SSTI (Server Side Template Injection)
• Path Traversal
• SSRF (Server Side Request Forgery)
Defend by using a vetted database access layer such as an ORM, and never by building queries from user input with string concatenation (use parameterized queries).

File vulnerability
A vulnerability that occurs when a user can perform actions of their choosing on the server's file system. (The following note really concerns command execution.) It is best not to call functions that run OS commands at all, such as system (PHP), child_process (Node.js) or os.system (Python); where that is unavoidable, input filtering or a safer alternative library reduces the threat.

Business Logic Vulnerability
Unlike injection or file vulnerabilities, this abuses the application's normal flow.

Language specific Vulnerability (PHP, Python, NodeJS)
Vulnerabilities arising from characteristics of the language the web application is written in.

Misconfiguration
Vulnerabilities arising from incorrect settings, for example:
• Deploying with debug mode enabled.
• Not deleting temporary/backup files. Common backup file types:
  • bak: backup file, produced by most editors
  • config: configuration file, often contains secret keys
  • sql: SQL schema file, reveals the database structure
  • sh: shell script file
  • ~ (trailing tilde): editor backup file (bluefish and many other editors use this convention)
  Removing files unrelated to the service eliminates the threat.
• Temporary files left behind by version control systems (.git, .hg and the like) must be cleaned up. Exposure can be diagnosed with https://github.com/kost/dvcs-ripper. Access to those paths can also be blocked in the web server configuration.
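As an added example (not code from the original post), a small scanner that walks a web root and reports the leftovers the list above describes: editor backups, config/sql/sh dumps and exposed VCS directories. The web root and its file names are constructed for the demo; `scan_webroot` and `build_demo_webroot` are names chosen here.

```python
import os
import tempfile
from pathlib import Path

# Suffixes from the list above; a trailing '~' is the editor-backup convention.
RISKY_SUFFIXES = (".bak", ".config", ".sql", ".sh", "~")
# Version-control metadata directories that must never be served.
VCS_DIRS = {".git", ".hg", ".svn"}


def scan_webroot(root):
    """Return sorted relative paths under `root` that look like leftovers.

    A VCS directory is reported once (with a trailing '/') and not descended into.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Report VCS directories and prune them from the walk.
        for d in list(dirnames):
            if d in VCS_DIRS:
                findings.append((rel_dir / d).as_posix() + "/")
                dirnames.remove(d)
        for f in filenames:
            if f.endswith(RISKY_SUFFIXES):
                findings.append((rel_dir / f).as_posix())
    return sorted(findings)


def build_demo_webroot():
    """Create a constructed web root containing both clean and leftover files."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "index.php").write_text("<?php echo 'hi'; ?>\n")
    (root / "index.php~").write_text("<?php echo 'old'; ?>\n")   # editor backup
    (root / "db.sql").write_text("CREATE TABLE users (id INT);\n")  # schema dump
    (root / "app.config").write_text("secret_key=constructed\n")    # secrets
    (root / "static").mkdir()
    (root / "static" / "app.js").write_text("console.log(1);\n")   # legitimate
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for path in scan_webroot(demo):
        print("leftover:", path)
```

Run it against the real document root before each deployment; anything it lists should either be deleted or denied in the web server configuration.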
nginx rule that denies access to VCS directories:

    location ~ /\.(git|hg) { deny all; }

• Binding the network listener to 0.0.0.0: a vulnerability that arises when a setting chosen for convenience is left in place even though the operating environment has changed. Services that should only be reachable from the internal network must have their bind address and netmask set properly, and every listener other than the ports meant to be exposed removed.

Vulnerabilities

XSS (Cross Site Scripting)
An attack in which the attacker inserts a malicious script into a web resource so that it executes in the user's web browser. On a site with an XSS vulnerability the attacker produces a page containing a malicious script that runs with the site's origin privileges; when a user visits that page, the attacker's script runs and exfiltrates information.

Attack path: XSS occurs in features that output content a user inserted. It can be prevented with HTML sanitization that filters malicious tags, or by converting the output to HTML entity codes. Flask's render_template prevents XSS by converting template arguments to HTML entity codes (Jinja2 autoescaping; note that this applies only to templates whose names end in .html, .htm, .xml or .xhtml, and that the |safe filter or Markup switches it off for a value). If the input value is output as-is, as below, a script can be passed as the input and used in an attack.

Server code:

    @app.route("/vulnerable")
    def vulnerable():
        param = request.args.get("param", "")  # take the argument supplied by the user
        return param  # echo the user's input straight into the response

Attacker input 1: redirect to another page

    <script>location.href = "/another_page?param=PARAM1";</script>

Attacker input 2: display cookie information

    <script>alert(document.cookie)</script>

XSS attack types
XSS is classified as below by where the malicious script sits and how it reaches the victim.
• Stored XSS: the malicious script is stored on the server and delivered in the server's response. Example: uploading a post or comment that contains the script. Because it is shown to an unspecified number of users, its reach is large.
• Reflected XSS: the malicious script is placed in the URL and reflected back in the server's response. Example: submitting a search on a bulletin board with the script in the search box; this works on services that echo the search term in the response. The attacker must lure another user into opening a link that contains the script.
• DOM-based XSS: the malicious script is placed in the URL fragment and processed by client-side JavaScript; the fragment is never sent to the server, so server-side filtering does not see it.
• Universal XSS: a vulnerability in the client's browser or a browser plugin that bypasses the Same-Origin Policy (SOP).

CSRF (Cross Site Request Forgery)
If a site relies on a cookie that carries the user's identity, an attacker can make the user's browser send a forged request to the server; the browser attaches the victim's cookie automatically, so the attacker never needs to steal it. Because an identity cookie works like a signature, it can also serve as the user's own authentication for a particular command. Sites that authenticate with the cookie alone, without a second confirmation, are attackable. Whereas XSS executes script in the victim's browser with the goal of stealing session and cookie credentials, CSRF aims to make the user issue an HTTP request to a page of the attacker's choosing.

Attack path: an <img> or <form> tag, or a script, can make the browser send a request the user did not intend to the server.
Sending the request through an img tag:

    <img src='http://bank.dreamhack.io/sendmoney?to=Dreamhack&amount=1337' width=0px height=0px>

JavaScript attack examples:

    /* open a new window */
    window.open('http://bank.dreamhack.io/sendmoney?to=Dreamhack&amount=1337');
    /* move the current window to the address */
    location.href = 'http://bank.dreamhack.io/sendmoney?to=Dreamhack&amount=1337';
    location.replace('http://bank.dreamhack.io/sendmoney?to=Dreamhack&amount=1337');

SQL Injection
Injecting crafted SQL queries into the server to bypass authentication or leak information from the database.
• Blind SQL Injection: a kind of SQL injection in which the attacker asks questions in a form the DBMS can answer (true or false) and infers the answer step by step, like a game of twenty questions.

NoSQL Injection
NoSQL has the notion of an 'object' as a data type. When an object-typed input value is processed, query operators can be used inside it, and exploiting this is NoSQL injection. In Node.js, for example, an object can be supplied through the URL as below.
Example server code:

    const express = require('express');
    const app = express();

    app.get('/', function (req, res) {
      console.log('data:', req.query.data, ' / type:', typeof req.query.data);
      res.send('done');
    });

    const server = app.listen(3000, function () {
      console.log('app.listen');
    });

Example results (Express 4's default "extended" query parser, qs, turns bracket syntax into arrays and objects):

    http://localhost:3000/?data=1234
    data: 1234  / type: string
    http://localhost:3000/?data[]=1234
    data: [ '1234' ]  / type: object
    http://localhost:3000/?data[]=1234&data[]=5678
    data: [ '1234', '5678' ]  / type: object
    http://localhost:3000/?data[5678]=1234
    data: { '5678': '1234' }  / type: object
    http://localhost:3000/?data[5678]=1234&data=0000
    data: { '5678': '1234', '0000': true }  / type: object
    http://localhost:3000/?data[5678]=1234&data[]=0000
    data: { '0': '0000', '5678': '1234' }  / type: object
    http://localhost:3000/?data[5678]=1234&data[1111]=0000
    data: { '1111': '0000', '5678': '1234' }  / type: object

Using this, the URL can be arranged so that a NoSQL query operator ends up inside the 'data' object (see the NoSQL syntax reference):

    http://localhost:3000/?data[$eq]=A
    data: { "$eq": "A" }  / type: object

Command Injection
A technique in which the attacker passes a system command to the server side through the client interface and has it executed there. It can occur when a user can pass arbitrary arguments to a function that runs system commands, such as PHP's system, Node.js's child_process or Python's os.system. The following shell metacharacters can be used to smuggle another command into a command input field.

Command substitution
• In a Linux shell, the text between backticks (``) is executed as a separate command line. Example: echo `ls` runs the ls command.
• In a Linux shell, the text inside $() is likewise executed as a separate command line. Example: echo $(ls) runs the ls command.
Running several commands
• In a Linux shell, || separates two command lines, and the second runs only if the first fails (non-zero exit status). Example: mkdir FILE || cd FILE tries to create the FILE directory and, if that fails because it already exists, changes into it.
• In a Linux shell, && separates two command lines, and the second runs only if the first succeeds. Example: mkdir FILE && cd FILE creates the FILE directory and changes into it, in one line.
• In a Linux shell, ; separates two command lines, which run one after the other regardless of outcome. Example: mkdir FILE ; cd FILE creates the FILE directory and changes into it, in one line.

Pipe
• In a Linux shell, | feeds the output of the command before it to the command after it as input. Example: cat FILE | less prints FILE and lets less page through it.

Ignoring what follows
• In a Linux shell, everything after # is treated as a comment and ignored. Example: ls #a"sdfa"sd'fas"'"df runs ls without a syntax error, because the unbalanced quotes are inside the comment.

The attack can be defended against by whitelisting or blacklisting the input string.

Code that whitelists the IP address format with a regular expression:

    import re, os, ...
    ...
    chk_ip = re.compile(r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$')
    if bool(chk_ip.match(ip)):
        return run_system(f'ping -c 3 {ip}')
    else:
        return 'ip format error'

Code that blacklists characters that must not be allowed:

    if '\'' in ip:
        return 'not allowed character'
    # the value must be wrapped in single quotes, which make the shell treat everything inside as a literal string
    return run_system(f'ping -c 3 \'{ip}\'')

Beyond not calling OS-command functions such as system (PHP), child_process (Node.js) or os.system (Python), using an alternative library that does not go through a shell reduces the threat.

File Vulnerability
A security vulnerability that arises while an attacker's file is uploaded to, or downloaded from, the web service's file system. When developing a file upload/download feature, storing users' files on the server's file system rather than in the database is easier to develop and more efficient to manage, but file vulnerabilities must be watched for: they can lead to remote code execution, theft of sensitive information and so on.

File Upload Vulnerability ...
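Added example (not code from the original post) for the XSS section of this post: the fix for the vulnerable Flask handler that echoes `param`, written in plain Python so it runs without Flask. `vulnerable_response` mirrors that handler; `safe_response` converts the output to HTML entity codes the way Jinja2 autoescaping does; `safe_attribute` covers the attribute context, where the quote characters must be escaped as well. The function names and the payloads are assumptions made for the demo.

```python
import html
import re

# Crude detector used only to make the difference between outputs testable.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def vulnerable_response(param):
    """Mirrors the handler above: the user's input is echoed verbatim."""
    return f"<p>Hello, {param}</p>"


def safe_response(param):
    """Same page, but the input is converted to HTML entity codes first.

    html.escape turns < > & " ' into &lt; &gt; &amp; &quot; &#x27;, which is
    what Jinja2 autoescaping does for a template variable in text context.
    """
    return f"<p>Hello, {html.escape(param)}</p>"


def safe_attribute(param):
    """Attribute context: the value sits inside double quotes, so quotes must be
    escaped too (quote=True is the default). Without that the attacker closes
    the attribute and appends an event handler such as onfocus or onerror."""
    return f'<input name="q" value="{html.escape(param, quote=True)}">'


def contains_script(markup):
    """True if a <script> tag survives into the markup."""
    return bool(SCRIPT_TAG.search(markup))


if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(vulnerable_response(payload))  # the script tag reaches the browser
    print(safe_response(payload))        # &lt;script&gt;... is rendered as text
    attr_payload = '" onfocus="alert(1)" autofocus="'
    print(safe_attribute(attr_payload))  # quotes become &quot;, attribute stays closed
```

Escaping is context-specific: entity encoding is the right tool for text and attribute values, but a value placed inside a `<script>` block or a URL needs JavaScript or URL encoding instead, and a sanitizer is needed only when the application must allow some HTML through.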
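Added example (not code from the original post) for the CSRF section of this post: a minimal model of the bank endpoint that the `<img>` and JavaScript snippets target, with the defence the post implies. State-changing actions are accepted only over POST and only with a per-session token that a page on another origin cannot know, because it cannot read the victim's cookie. `handle_sendmoney`, `csrf_token_for`, the secret and the session values are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Server-side secret; constructed for the demo (load it from config in real code).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def csrf_token_for(session_id):
    """Derive a per-session token as HMAC(secret, session id).

    The attacker's page can make the browser *send* the session cookie, but
    the Same-Origin Policy stops it from *reading* the cookie, so it cannot
    compute this value and cannot place it in the forged request.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf(session_id, submitted_token):
    if not submitted_token:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted_token)


def handle_sendmoney(cookie_session, method, url, form=None):
    """Model of the /sendmoney endpoint. Returns (status, message).

    cookie_session is the session id the browser attached automatically;
    form is the POST body, if any.
    """
    if method != "POST":
        # An <img src=...> or location.href can only produce a GET.
        return 405, "state-changing action must use POST"
    form = form or {}
    if not verify_csrf(cookie_session, form.get("csrf_token")):
        # A cross-site <form method=POST> carries the cookie but not the token.
        return 403, "missing or invalid CSRF token"
    qs = parse_qs(urlsplit(url).query)
    to = form.get("to") or qs.get("to", [""])[0]
    amount = form.get("amount") or qs.get("amount", ["0"])[0]
    return 200, f"sent {amount} to {to}"


if __name__ == "__main__":
    victim_session = secrets.token_hex(16)  # value of the victim's session cookie
    forged = "http://bank.dreamhack.io/sendmoney?to=Dreamhack&amount=1337"
    # The <img> tag above produces a GET with the victim's cookie attached:
    print(handle_sendmoney(victim_session, "GET", forged))
    # A forged <form method=POST> carries the cookie but cannot know the token:
    print(handle_sendmoney(victim_session, "POST", forged, {"to": "Dreamhack", "amount": "1337"}))
    # The legitimate page embeds the token it was rendered with:
    legit = {"to": "Alice", "amount": "10", "csrf_token": csrf_token_for(victim_session)}
    print(handle_sendmoney(victim_session, "POST", "http://bank.dreamhack.io/sendmoney", legit))
```

Deriving the token from the session id keeps the server stateless; a random token stored in the session works equally well. Setting the session cookie with SameSite=Lax or Strict is a second, independent layer, since the browser then withholds the cookie from most cross-site requests.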
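Added example (not code from the original post) for the SQL Injection section of this post, using Python's built-in sqlite3 so it runs offline: a login query built by string formatting beside its parameterized form, the classic authentication bypass against the first, and a blind extraction that recovers a password one character at a time through yes/no questions, as the Blind SQL Injection bullet describes. The table, rows and function names are constructed for the demo; the same code also exercises the DDL (CREATE TABLE) and DML (INSERT, SELECT) statements the Database post distinguishes.

```python
import sqlite3

# Closes the username string, makes the WHERE clause always true, and
# comments out the password check.
PAYLOAD_BYPASS = "' OR 1=1 --"


def make_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret!"), ("guest", "guest")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting: user input becomes SQL syntax."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the SQL,
    so a quote in the input can never change the statement's structure."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def blind_extract_password(conn, username, max_len=32):
    """Blind SQL injection against login_vulnerable.

    The application only reveals whether login succeeded, so each probe asks
    one yes/no question: "is character i of the password equal to c?".
    substr() past the end of the string yields '' and unicode('') is NULL,
    so the first position with no match marks the end of the secret.
    """
    recovered = ""
    for i in range(1, max_len + 1):
        found = None
        for code in range(32, 127):  # printable ASCII
            probe = (
                f"' OR username = '{username}' "
                f"AND unicode(substr(password, {i}, 1)) = {code} --"
            )
            if login_vulnerable(conn, probe, "x") is not None:
                found = chr(code)
                break
        if found is None:
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_BYPASS, "anything"))  # admin
    print("safe:      ", login_safe(db, PAYLOAD_BYPASS, "anything"))        # None
    print("blind:     ", blind_extract_password(db, "admin"))               # s3cret!
```

The blind loop is the "twenty questions" the post mentions; real tooling narrows each character by binary search instead of scanning 95 values, and uses timing (e.g. sleep-style functions) when even the success/failure signal is hidden.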
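Added example (not code from the original post) for the Command Injection section of this post: the regex whitelist from the snippet above, combined with the "alternative library" route the post recommends. The command is built as an argv list and run with `shell=False`, so the metacharacters catalogued above (; | && ` $() #) are never interpreted by a shell. `build_ping_argv`, `is_valid_ipv4` and the blacklist helper are names chosen here; the ping binary may not exist on the machine running this, which `run_ping` tolerates.

```python
import ipaddress
import re
import shlex
import subprocess

# The whitelist regex from the snippet above, as a raw string.
CHK_IP = re.compile(
    r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}'
    r'(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'
)

# Characters a blacklist would have to chase: separators, pipes, substitution.
SHELL_META = set(';|&`$()<>\n')


def is_valid_ipv4(ip):
    """Whitelist check: the post's regex plus the stdlib parser.

    ipaddress.I Pv4Address rejects forms the regex still admits (for example
    octets with leading zeros, refused since Python 3.9.5) and states intent
    more clearly than a regex alone.
    """
    if not CHK_IP.match(ip):
        return False
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return False
    return True


def build_ping_argv(ip):
    """Build the command as an argv list instead of a shell string.

    With a list and shell=False, subprocess hands `ip` to ping as a single
    argument; no shell parses it, so ; | ` $() and # are just bytes.
    Raises ValueError when the whitelist check fails.
    """
    if not is_valid_ipv4(ip):
        raise ValueError(f"ip format error: {ip!r}")
    return ["ping", "-c", "3", ip]


def shell_string_is_dangerous(command):
    """Blacklist view of the same problem: flag shell metacharacters.

    Shown only to contrast with the argv approach: a blacklist must be
    extended every time a new metacharacter or encoding trick turns up.
    """
    return any(ch in SHELL_META for ch in command)


def run_ping(ip):
    """Run the hardened command; returns the exit status, or None if ping is absent."""
    argv = build_ping_argv(ip)
    # shlex.join shows the command with each argument safely quoted.
    print("running:", shlex.join(argv))
    try:
        return subprocess.run(argv, capture_output=True, text=True).returncode
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    for candidate in ["127.0.0.1", "127.0.0.1; id", "$(id)", "127.0.0.1 #"]:
        try:
            print(candidate, "->", build_ping_argv(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

If a shell really is required (for example to use a pipeline), `shlex.quote` on each user-supplied piece is the minimum; the argv form is still preferable because it removes the shell from the picture entirely.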

March 11, 2025 · 26 min · AswinBlue

Youtube Downloader

YouTube Download
How to download YouTube videos with Python on Windows.

1. Write the Python code
Install the yt-dlp package; pip install yt-dlp fetches it easily. The GitHub address is https://github.com/yt-dlp/yt-dlp. Then write the code. Below is sample code.

    import yt_dlp
    import os
    import time

    ##########
    # Settings
    ##########
    # Maximum number of retries
    MAX_RETRIES = 3
    # Wait time between retries (seconds)
    RETRY_DELAY = 5
    # Download list
    download_lists = [
        {
            "name": 'FOLDER_NAME',  # name of the folder to download into
            "url": 'https://www.youtube.com/watch?v=CJuIRe_1c2g&list=RDMM&start_radio=1&rv=R4CecLdF11E',  # playlist URL to download
        },
        {
            "name": 'SAMPLE2',
            "url": 'https://www.youtube.com/watch?v=66l5r_IEZrI&list=RDGMEMYH9CUrFO7CfLJpaD7UR85w&start_radio=1&rv=CJuIRe_1c2g',
        },
    ]

    ##########
    # Start downloading
    ##########
    for idx, item in enumerate(download_lists):
        # download as 'folder name/video title.extension'
        output_dir = os.path.join(f'./{item["name"]}/', '%(title)s.%(ext)s')
        ydl_opt = {
            'outtmpl': output_dir,
            'format': 'bestaudio/best',  # format to download
            'download_archive': 'downloaded.txt',  # archive file recording items already downloaded, so they are not fetched twice
            'postprocessors': [{
                'key': 'FFmpegExtractAudio',
                'preferredcodec': 'mp3',  # convert to mp3
                'preferredquality': '192',
            }],
            'verbose': True,  # print detailed debugging information
            'ignoreerrors': True,  # ignore download errors
        }
        for attempt in range(1, MAX_RETRIES + 1):
            try:
                with yt_dlp.YoutubeDL(ydl_opt) as ydl:
                    ydl.download([item["url"]])
                print(f'{item["name"]}:: download complete')
                break
            except Exception as e:
                print(f'{item["name"]}:: download failed ({attempt}/{MAX_RETRIES}): {e}')
                if attempt < MAX_RETRIES:
                    print(f'{item["name"]}:: retrying in {RETRY_DELAY} seconds...')
                    time.sleep(RETRY_DELAY)
                else:
                    print(f'{item["name"]}:: maximum number of retries exceeded; giving up on this download.')
    print('All items downloaded')

Nothing else needs changing; just put the YouTube playlists you want to download into download_lists. ...

March 9, 2025 · 2 min · AswinBlue

Cookie

Cookie
Because of HTTP's characteristics (connectionless, stateless), a web server cannot tell which web client the packets of an HTTP request came from; information such as the IP address and User-Agent can change from request to request. To pin down the client and the content of its requests, the server issues each client a unique cookie, and the client sends that cookie along with every request to the server. The server then records the client's information and state by way of the cookie carried in the request. A cookie is a set of key-value pairs and is stored on the client.

Drawbacks of cookies
• 4 KB size limit per cookie.
• Cookies can slow down the responsiveness of the web, because they are sent with every request.
• Every page within the domain receives the same cookie.
• When sent over plain HTTP the cookie is not encrypted, which is a security weakness.
• Cookies are stored as text on the user's machine, so their contents are easy to read.
• A malicious client can tamper with the cookie.

Modern Storage APIs
Mechanisms introduced to address the drawbacks of cookies, such as Local Storage and Session Storage.

Session
A session is a random string generated on the server; the server issues a unique value to each client. ...
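Added example (not code from the original post) for the two drawbacks listed above, readability and tampering: the value stays readable on the client, but it is signed with an HMAC so any edit is detected, and it is issued with the Set-Cookie attributes that limit where it travels. Everything uses the Python standard library; the signing key, cookie name and function names are constructed for the demo.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed server-side key for the demo; keep the real one out of source control.
SIGNING_KEY = b"constructed-demo-key"


def _mac(value):
    """URL-safe base64 of HMAC-SHA256(key, value), without padding."""
    digest = hmac.new(SIGNING_KEY, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_cookie_value(value):
    """Return 'value.signature': the client can read it but cannot forge it."""
    return f"{value}.{_mac(value)}"


def verify_cookie_value(signed):
    """Return the original value, or None if the signature does not match.

    compare_digest runs in constant time, so a forger learns nothing about
    how many signature bytes were correct.
    """
    value, sep, sig = signed.rpartition(".")
    if not sep or not hmac.compare_digest(_mac(value), sig):
        return None
    return value


def build_set_cookie_header(name, value):
    """Set-Cookie header with attributes that address the drawbacks above.

    HttpOnly keeps document.cookie from reading it, Secure restricts it to
    HTTPS, SameSite=Lax stops most cross-site requests from carrying it, and
    Path narrows which pages receive it instead of the whole domain.
    """
    jar = SimpleCookie()
    jar[name] = sign_cookie_value(value)
    jar[name]["httponly"] = True
    jar[name]["secure"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/app"
    return jar.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    signed = sign_cookie_value("alice")
    print(build_set_cookie_header("session", "alice"))
    print("valid   :", verify_cookie_value(signed))
    # A malicious client edits the readable part to impersonate another user:
    tampered = "admin." + signed.rsplit(".", 1)[1]
    print("tampered:", verify_cookie_value(tampered))  # None
```

Signing stops tampering but not reading: anything in the value is still visible to the user, so secrets belong in a server-side session keyed by a random id, which is the Session approach the post goes on to describe.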

March 9, 2025 · 3 min · AswinBlue

Web

Web
An Internet-based service that shares information using HTTP is called the Web. The information provider is called the web server and the information receiver the web client. Today's web has moved beyond simply providing information to providing services, and its roles are divided into front end and back end.
• Front end: the part shown directly to the user, composed of web resources.
• Back end: the part that is not shown directly to the user but runs in order to provide the service.

Web Resource
The information assets held by the web; they are delivered to the user and used to compose the screen. Each has a unique identifier, the Uniform Resource Identifier (URI). Representative kinds of web resource:
• Hyper Text Markup Language (HTML): used to write structured documents with tags and attributes.
• Cascading Style Sheets (CSS): used to control the appearance of a web document.
• JavaScript (JS): code that runs in the user's browser and determines the behaviour of the front end.
• text, image, video, font

Web browser
A tool that performs HTTP communication with the server on the client's behalf and visualizes the result, so the user can use the web without knowing HTTP directly. Order of operation:
1. Parse the URL
2. DNS lookup
3. Send the HTTP request
4. Receive the HTTP response
5. Download the resources and render the web page

Dev Tool
Developer tools available in the web browser:
• Ctrl + U: shortcut to view the page source
• console.log: print a log in the console
• document.cookie: print the cookies from the console
• location.href: return the full URL, or update the URL (navigate)

URL (Uniform Resource Locator)
A string that expresses the location of a resource on the web. Components of a URL:
• Scheme: indicates which protocol to use to talk to the web server.
• Host: part of the authority; the address of the web server to connect to.
• Port: part of the authority; the port of the web server to connect to.
• Path: the path of the resource on the web server, with segments separated by '/'.
• Query: parameters passed to the web server; placed after '?' in the URL.
• Fragment: information identifying a sub-resource within the main resource; placed after the '#' character. The fragment is handled by the browser and is not sent to the server.

Domain name
A human-readable string that stands in for the numeric IP address. Using domain names requires DNS (Domain Name System): querying DNS with a domain name returns the IP address it maps to. The nslookup command in the console shows domain name information, e.g. nslookup google.com ...

March 6, 2025 · 3 min · AswinBlue