{"id":477500,"date":"2023-08-09T09:15:57","date_gmt":"2023-08-09T09:15:57","guid":{"rendered":""},"modified":"2023-09-05T11:14:50","modified_gmt":"2023-09-05T11:14:50","slug":"http-parameter-pollution","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/jp\/wiki\/http-parameter-pollution\/","title":{"rendered":"HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3"},"content":{"rendered":"

HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3 (HPP) \u306f\u3001\u898b\u904e\u3054\u3055\u308c\u304c\u3061\u306a Web \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u8106\u5f31\u6027\u3067\u3042\u308a\u3001\u4e3b\u306b HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u7d4c\u7531\u3067\u9001\u4fe1\u3055\u308c\u308b\u30c7\u30fc\u30bf\u3092\u64cd\u4f5c\u3059\u308b\u3053\u3068\u3067 Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u5f71\u97ff\u3092\u53ca\u307c\u3057\u307e\u3059\u3002\u3053\u306e\u8a18\u4e8b\u3067\u306f\u3001HPP \u306e\u6b74\u53f2\u3001\u52d5\u4f5c\u3001\u4e3b\u306a\u6a5f\u80fd\u3001\u3055\u307e\u3056\u307e\u306a\u30bf\u30a4\u30d7\u3001\u6f5c\u5728\u7684\u306a\u7528\u9014\u3001\u95a2\u9023\u3059\u308b\u554f\u984c\u3068\u89e3\u6c7a\u7b56\u306b\u3064\u3044\u3066\u8a73\u3057\u304f\u8aac\u660e\u3057\u307e\u3059\u3002\u307e\u305f\u3001HPP \u3068\u30d7\u30ed\u30ad\u30b7 \u30b5\u30fc\u30d0\u30fc\u306e\u95a2\u4fc2\u3001\u304a\u3088\u3073\u3053\u306e Web \u30d9\u30fc\u30b9\u306e\u73fe\u8c61\u306b\u95a2\u9023\u3059\u308b\u5c06\u6765\u306e\u5c55\u671b\u306b\u3064\u3044\u3066\u3082\u8aac\u660e\u3057\u307e\u3059\u3002<\/p>\n

HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u9032\u5316<\/h2>\n

HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306f\u3001Web \u30c6\u30af\u30ce\u30ed\u30b8\u306e\u6025\u901f\u306a\u767a\u5c55\u3068 World Wide Web \u306e\u62e1\u5927\u306b\u4f34\u3044\u30012000 \u5e74\u4ee3\u521d\u982d\u306b\u521d\u3081\u3066 Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u660e\u78ba\u306a\u8106\u5f31\u6027\u3068\u3057\u3066\u7279\u5b9a\u3055\u308c\u307e\u3057\u305f\u3002Web \u30b5\u30a4\u30c8\u304c\u30c7\u30fc\u30bf\u306e\u8ee2\u9001\u306b HTTP GET \u304a\u3088\u3073 POST \u30ea\u30af\u30a8\u30b9\u30c8\u306b\u5927\u304d\u304f\u4f9d\u5b58\u3059\u308b\u3088\u3046\u306b\u306a\u308b\u306b\u3064\u308c\u3001\u30cf\u30c3\u30ab\u30fc\u306f\u3053\u308c\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u51e6\u7406\u3059\u308b\u65b9\u6cd5\u3092\u60aa\u7528\u3059\u308b\u53ef\u80fd\u6027\u3092\u767a\u898b\u3057\u307e\u3057\u305f\u3002<\/p>\n

HPP \u306b\u95a2\u3059\u308b\u6700\u521d\u306e\u6587\u66f8\u306f 2000 \u5e74\u4ee3\u306b\u9061\u308a\u307e\u3059\u304c\u3001\u3053\u306e\u7528\u8a9e\u81ea\u4f53\u306f 2010 \u5e74\u306b OWASP (Open Web Application Security Project) \u304c\u8ad6\u6587\u3092\u767a\u8868\u3057\u305f\u3053\u3068\u3092\u53d7\u3051\u3066 Web \u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30b3\u30df\u30e5\u30cb\u30c6\u30a3\u306b\u3088\u3063\u3066\u6b63\u5f0f\u306b\u8a8d\u77e5\u3055\u308c\u3001\u3053\u306e\u8106\u5f31\u6027\u304c\u811a\u5149\u3092\u6d74\u3073\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3057\u305f\u3002<\/p>\n

HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u89e3\u660e<\/h2>\n

HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306f\u3001\u64cd\u4f5c\u3055\u308c\u305f\u30d1\u30e9\u30e1\u30fc\u30bf\u3092 HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u306b\u633f\u5165\u3059\u308b\u30bf\u30a4\u30d7\u306e Web \u8106\u5f31\u6027\u3067\u3059\u3002\u3053\u308c\u306b\u3088\u308a\u3001\u653b\u6483\u8005\u306f Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u6a5f\u80fd\u3092\u5909\u66f4\u3057\u305f\u308a\u3001\u5165\u529b\u691c\u8a3c\u30c1\u30a7\u30c3\u30af\u3092\u30d0\u30a4\u30d1\u30b9\u3057\u305f\u308a\u3001\u6a5f\u5bc6\u30c7\u30fc\u30bf\u306b\u30a2\u30af\u30bb\u30b9\u3057\u305f\u308a\u3001\u305d\u306e\u4ed6\u306e\u5f62\u5f0f\u306e Web \u30d9\u30fc\u30b9\u306e\u653b\u6483\u3092\u5b9f\u884c\u3057\u305f\u308a\u3059\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n

HPP \u306f\u3001Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u7570\u306a\u308b\u90e8\u5206\u304b\u3089\u540c\u3058\u540d\u524d\u306e HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u3092 1 \u3064\u306b\u7d44\u307f\u5408\u308f\u305b\u305f\u3068\u304d\u306b\u767a\u751f\u3057\u307e\u3059\u3002\u653b\u6483\u8005\u306f\u3053\u308c\u3089\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u64cd\u4f5c\u3059\u308b\u3053\u3068\u3067\u3001\u4e88\u671f\u3057\u306a\u3044\u65b9\u6cd5\u3067\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u52d5\u4f5c\u3092\u5236\u5fa1\u3067\u304d\u3001\u3055\u307e\u3056\u307e\u306a\u6f5c\u5728\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3 \u30ea\u30b9\u30af\u306b\u3064\u306a\u304c\u308a\u307e\u3059\u3002<\/p>\n

HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u4ed5\u7d44\u307f<\/h2>\n

HPP \u306e\u5185\u90e8\u52d5\u4f5c\u306f\u3001Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u51e6\u7406\u3059\u308b\u65b9\u6cd5\u306b\u57fa\u3065\u3044\u3066\u3044\u307e\u3059\u3002HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u3067\u306f\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u306f GET \u30ea\u30af\u30a8\u30b9\u30c8\u306e URL \u306e\u4e00\u90e8\u3068\u3057\u3066\u3001\u307e\u305f\u306f POST \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u672c\u6587\u5185\u3067\u9001\u4fe1\u3055\u308c\u307e\u3059\u3002\u3053\u308c\u3089\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u4f7f\u7528\u3057\u3066\u3001Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c\u8fd4\u3059\u30c7\u30fc\u30bf\u3084\u64cd\u4f5c\u3059\u308b\u30c7\u30fc\u30bf\u3092\u6307\u5b9a\u3067\u304d\u307e\u3059\u3002<\/p>\n

Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u304c\u884c\u308f\u308c\u308b\u3068\u3001\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u30b5\u30fc\u30d0\u30fc\u306f\u30ea\u30af\u30a8\u30b9\u30c8\u306b\u542b\u307e\u308c\u308b\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u51e6\u7406\u3057\u307e\u3059\u3002\u305f\u3060\u3057\u3001\u540c\u3058\u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u8907\u6570\u56de\u542b\u307e\u308c\u3066\u3044\u308b\u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3092\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c\u6b63\u3057\u304f\u51e6\u7406\u3057\u306a\u3044\u3068\u3001HPP \u653b\u6483\u306e\u6a5f\u4f1a\u304c\u751f\u3058\u307e\u3059\u3002<\/p>\n

HPP \u653b\u6483\u3067\u306f\u3001\u653b\u6483\u8005\u306f HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u5185\u306b\u540c\u3058\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u8907\u6570\u56de\u542b\u3081\u307e\u3059\u304c\u3001\u305d\u306e\u305f\u3073\u306b\u7570\u306a\u308b\u5024\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3 \u30b5\u30fc\u30d0\u30fc\u306f\u3001\u958b\u767a\u8005\u304c\u610f\u56f3\u3057\u306a\u3044\u65b9\u6cd5\u3067\u3053\u308c\u3089\u306e\u5024\u3092\u7d44\u307f\u5408\u308f\u305b\u308b\u305f\u3081\u3001\u6f5c\u5728\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u306e\u8106\u5f31\u6027\u304c\u751f\u3058\u307e\u3059\u3002<\/p>\n

HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u4e3b\u306a\u7279\u5fb4<\/h2>\n

HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306f\u3001\u3044\u304f\u3064\u304b\u306e\u7279\u5fb4\u306b\u3088\u3063\u3066\u4ed6\u306e Web \u8106\u5f31\u6027\u3068\u533a\u5225\u3055\u308c\u307e\u3059\u3002<\/p>\n

    \n
  1. HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u30bf\u30fc\u30b2\u30c3\u30c8\u8a2d\u5b9a:<\/strong> HPP \u306f\u3001HTTP GET \u304a\u3088\u3073 POST \u30ea\u30af\u30a8\u30b9\u30c8\u5185\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u5177\u4f53\u7684\u306b\u30bf\u30fc\u30b2\u30c3\u30c8\u3068\u3057\u307e\u3059\u3002<\/li>\n
  2. \u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u64cd\u4f5c:<\/strong> HPP \u653b\u6483\u306e\u4e2d\u6838\u306f\u3001\u3053\u308c\u3089\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u5024\u3092\u64cd\u4f5c\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/li>\n
  3. \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u52d5\u4f5c\u306b\u4f9d\u5b58:<\/strong> HPP \u653b\u6483\u306e\u5f71\u97ff\u306f\u3001\u6a19\u7684\u306e Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u5185\u306e\u7e70\u308a\u8fd4\u3057\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u3069\u306e\u3088\u3046\u306b\u51e6\u7406\u3059\u308b\u304b\u306b\u5927\u304d\u304f\u4f9d\u5b58\u3057\u307e\u3059\u3002<\/li>\n
  4. \u5e83\u7bc4\u56f2\u306b\u308f\u305f\u308b\u5f71\u97ff\u306e\u53ef\u80fd\u6027:<\/strong> HPP \u306f\u3001\u7e70\u308a\u8fd4\u3055\u308c\u308b HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u9069\u5207\u306b\u51e6\u7406\u3057\u306a\u3044 Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306b\u6f5c\u5728\u7684\u306b\u5f71\u97ff\u3092\u53ca\u307c\u3059\u53ef\u80fd\u6027\u304c\u3042\u308b\u305f\u3081\u3001\u305d\u306e\u5f71\u97ff\u306f\u5e83\u7bc4\u56f2\u306b\u308f\u305f\u308a\u307e\u3059\u3002<\/li>\n
  5. \u30b9\u30c6\u30eb\u30b9\u30a2\u30d7\u30ed\u30fc\u30c1:<\/strong> HPP \u653b\u6483\u306f\u3001\u6b63\u5f53\u306a\u30e6\u30fc\u30b6\u30fc\u5165\u529b\u3092\u88c5\u3046\u53ef\u80fd\u6027\u304c\u3042\u308b\u305f\u3081\u3001\u691c\u51fa\u304c\u56f0\u96e3\u306a\u5834\u5408\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n<\/ol>\n

    HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u7a2e\u985e<\/h2>\n

    \u4f7f\u7528\u3055\u308c\u308b HTTP \u30e1\u30bd\u30c3\u30c9\u306b\u57fa\u3065\u3044\u3066\u3001HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306b\u306f\u4e3b\u306b 2 \u3064\u306e\u30bf\u30a4\u30d7\u304c\u3042\u308a\u307e\u3059\u3002<\/p>\n

      \n
    1. GET \u30d9\u30fc\u30b9\u306e HPP:<\/strong> \u3053\u306e\u30bf\u30a4\u30d7\u306e HPP \u653b\u6483\u306f\u3001HTTP GET \u30ea\u30af\u30a8\u30b9\u30c8\u306e URL \u5185\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u64cd\u4f5c\u3057\u307e\u3059\u3002<\/li>\n
    2. POST\u30d9\u30fc\u30b9\u306eHPP:<\/strong> \u3053\u306e\u30bf\u30a4\u30d7\u306e HPP \u653b\u6483\u306f\u3001HTTP POST \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u672c\u6587\u5185\u306e\u30d1\u30e9\u30e1\u30fc\u30bf\u3092\u64cd\u4f5c\u3057\u307e\u3059\u3002<\/li>\n<\/ol>\n\n\n\n\n\n\n
      HTTP \u30e1\u30bd\u30c3\u30c9<\/th>\n\u8aac\u660e<\/th>\n\u6f5c\u5728\u7684\u306a\u5f71\u97ff<\/th>\n<\/tr>\n<\/thead>\n
      \u5f97\u308b<\/td>\n\u30d1\u30e9\u30e1\u30fc\u30bf\u306f URL \u306b\u8ffd\u52a0\u3055\u308c\u3001\u30e6\u30fc\u30b6\u30fc\u306b\u8868\u793a\u3055\u308c\u307e\u3059\u3002<\/td>\n\u30b5\u30fc\u30d0\u30fc\u306e\u5fdc\u7b54\u3084Web\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u52d5\u4f5c\u3092\u64cd\u4f5c\u3067\u304d\u308b<\/td>\n<\/tr>\n
      \u5f79\u8077<\/td>\n\u30d1\u30e9\u30e1\u30fc\u30bf\u306f HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u306e\u672c\u6587\u306b\u542b\u307e\u308c\u3066\u304a\u308a\u3001\u975e\u8868\u793a\u306b\u306a\u3063\u3066\u3044\u307e\u3059\u3002<\/td>\n\u30b5\u30fc\u30d0\u30fc\u306e\u72b6\u614b\u3084\u4fdd\u5b58\u3055\u308c\u3066\u3044\u308b\u60c5\u5831\u3092\u5909\u66f4\u3067\u304d\u308b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

      HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u5b9f\u88c5: \u554f\u984c\u3068\u89e3\u6c7a\u7b56<\/h2>\n

      HPP \u653b\u6483\u306f\u30b9\u30c6\u30eb\u30b9\u6027\u304c\u9ad8\u3044\u3082\u306e\u306e\u3001\u30ea\u30b9\u30af\u3092\u691c\u51fa\u3057\u3066\u8efd\u6e1b\u3059\u308b\u65b9\u6cd5\u306f\u3042\u308a\u307e\u3059\u3002\u305d\u306e\u307b\u3068\u3093\u3069\u306f\u3001\u7279\u306b HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u306b\u95a2\u3057\u3066\u3001\u5165\u529b\u3092\u9069\u5207\u306b\u51e6\u7406\u3057\u3066\u30b5\u30cb\u30bf\u30a4\u30ba\u3059\u308b\u3053\u3068\u3067\u3059\u3002<\/p>\n

        \n
      1. \u5165\u529b\u3092\u691c\u8a3c:<\/strong> Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u3067\u306f\u3001\u3059\u3079\u3066\u306e\u5165\u529b\u304c\u671f\u5f85\u3055\u308c\u308b\u5f62\u5f0f\u3092\u6e80\u305f\u3057\u3066\u3044\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3059\u308b\u305f\u3081\u306b\u691c\u8a3c\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n
      2. \u5165\u529b\u3092\u30b5\u30cb\u30bf\u30a4\u30ba:<\/strong> \u6f5c\u5728\u7684\u306b\u6709\u5bb3\u306a\u30c7\u30fc\u30bf\u3092\u524a\u9664\u3059\u308b\u305f\u3081\u306b\u3001\u3059\u3079\u3066\u306e\u5165\u529b\u3092\u30b5\u30cb\u30bf\u30a4\u30ba\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<\/li>\n
      3. Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3 \u30d5\u30a1\u30a4\u30a2\u30a6\u30a9\u30fc\u30eb (WAF) \u3092\u5b9f\u88c5\u3059\u308b:<\/strong> WAF \u306f\u591a\u304f\u306e HPP \u8a66\u884c\u3092\u691c\u51fa\u3057\u3066\u30d6\u30ed\u30c3\u30af\u3067\u304d\u307e\u3059\u3002<\/li>\n
      4. \u5b9a\u671f\u7684\u306a\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u76e3\u67fb:<\/strong> \u5b9a\u671f\u7684\u306b\u30b3\u30fc\u30c9\u3092\u30ec\u30d3\u30e5\u30fc\u3057\u3001\u4fb5\u5165\u30c6\u30b9\u30c8\u3092\u5b9f\u65bd\u3059\u308b\u3068\u3001\u6f5c\u5728\u7684\u306a\u8106\u5f31\u6027\u3092\u7279\u5b9a\u3057\u3066\u5bfe\u51e6\u3059\u308b\u306e\u306b\u5f79\u7acb\u3061\u307e\u3059\u3002<\/li>\n<\/ol>\n

        \u985e\u4f3c\u306e\u8106\u5f31\u6027\u3068\u306e\u6bd4\u8f03<\/h2>\n

        HPP \u306b\u985e\u4f3c\u3057\u305f Web \u306e\u8106\u5f31\u6027\u3092\u3044\u304f\u3064\u304b\u793a\u3057\u307e\u3059\u3002<\/p>\n\n\n\n\n\n\n\n
        \u8106\u5f31\u6027<\/th>\n\u8aac\u660e<\/th>\nHPP\u3068\u306e\u985e\u4f3c\u70b9<\/th>\n<\/tr>\n<\/thead>\n
        SQL\u30a4\u30f3\u30b8\u30a7\u30af\u30b7\u30e7\u30f3<\/td>\n\u653b\u6483\u8005\u306f\u5165\u529b\u3092\u64cd\u4f5c\u3057\u3066\u3001\u30c7\u30fc\u30bf\u30d9\u30fc\u30b9\u4e0a\u3067\u4efb\u610f\u306e SQL \u30af\u30a8\u30ea\u3092\u5b9f\u884c\u3057\u307e\u3059\u3002<\/td>\n\u3069\u3061\u3089\u3082\u3001\u5165\u529b\u3092\u64cd\u4f5c\u3057\u3066\u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u306e\u52d5\u4f5c\u3092\u5909\u66f4\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n
        \u30af\u30ed\u30b9\u30b9\u30ec\u30c3\u30c9<\/td>\n\u653b\u6483\u8005\u306f\u3001\u4ed6\u306e\u30e6\u30fc\u30b6\u30fc\u304c\u95b2\u89a7\u3059\u308b Web \u30da\u30fc\u30b8\u306b\u60aa\u610f\u306e\u3042\u308b\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u633f\u5165\u3057\u307e\u3059\u3002<\/td>\n\u3069\u3061\u3089\u3082\u30b5\u30fc\u30d0\u30fc\u5074\u306e\u52d5\u4f5c\u3092\u64cd\u4f5c\u3057\u3001\u30e6\u30fc\u30b6\u30fc\u306e\u60c5\u5831\u3092\u5371\u967a\u306b\u3055\u3089\u3059\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002<\/td>\n<\/tr>\n
        CSRF<\/td>\n\u653b\u6483\u8005\u306f\u3001\u8a8d\u8a3c\u3055\u308c\u3066\u3044\u308b Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u4e0a\u3067\u88ab\u5bb3\u8005\u3092\u9a19\u3057\u3066\u4e0d\u8981\u306a\u30a2\u30af\u30b7\u30e7\u30f3\u3092\u5b9f\u884c\u3055\u305b\u307e\u3059\u3002<\/td>\n\u3069\u3061\u3089\u3082\u3001\u30b5\u30a4\u30c8\u304c\u30e6\u30fc\u30b6\u30fc\u306e\u30d6\u30e9\u30a6\u30b6\u306b\u6301\u3064\u4fe1\u983c\u3092\u60aa\u7528\u3057\u307e\u3059\u3002<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

        HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u5c06\u6765\u5c55\u671b<\/h2>\n

        Web \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3\u304c\u9032\u5316\u3057\u7d9a\u3051\u308b\u306b\u3064\u308c\u3066\u3001\u305d\u308c\u3092\u60aa\u7528\u3059\u308b\u305f\u3081\u306b\u4f7f\u7528\u3055\u308c\u308b\u624b\u6cd5\u3082\u9032\u5316\u3057\u307e\u3059\u3002HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306f\u4ee5\u524d\u304b\u3089\u77e5\u3089\u308c\u3066\u3044\u307e\u3059\u304c\u3001\u307e\u3060\u5e83\u304f\u7406\u89e3\u3055\u308c\u3066\u304a\u3089\u305a\u3001\u30c1\u30a7\u30c3\u30af\u3082\u3055\u308c\u3066\u3044\u306a\u3044\u305f\u3081\u3001\u5c06\u6765\u7684\u306b\u306f\u3088\u308a\u9855\u8457\u306a\u8105\u5a01\u306b\u306a\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u3055\u3089\u306b\u3001\u30e2\u30ce\u306e\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u306b\u3088\u3063\u3066 Web \u5bfe\u5fdc\u306e\u30c7\u30d0\u30a4\u30b9\u304c\u5897\u3048\u308b\u306b\u3064\u308c\u3066\u3001HPP \u306e\u6f5c\u5728\u7684\u306a\u653b\u6483\u5bfe\u8c61\u9818\u57df\u304c\u62e1\u5927\u3057\u307e\u3059\u3002<\/p>\n

        \u3057\u304b\u3057\u3001\u3053\u308c\u306f HPP \u306b\u5bfe\u3059\u308b\u9632\u5fa1\u306b\u4f7f\u7528\u3055\u308c\u308b\u30c4\u30fc\u30eb\u3068\u6280\u8853\u304c\u6539\u826f\u3055\u308c\u308b\u53ef\u80fd\u6027\u304c\u9ad8\u3044\u3053\u3068\u3082\u610f\u5473\u3057\u307e\u3059\u3002\u3053\u306e\u3088\u3046\u306a\u8106\u5f31\u6027\u3092\u691c\u51fa\u3057\u3066\u9632\u6b62\u3059\u308b\u305f\u3081\u306e\u5b89\u5168\u306a\u30b3\u30fc\u30c7\u30a3\u30f3\u30b0\u624b\u6cd5\u3068\u81ea\u52d5\u5316\u30c4\u30fc\u30eb\u3078\u306e\u6ce8\u76ee\u304c\u9ad8\u307e\u3063\u3066\u3044\u307e\u3059\u3002\u5c06\u6765\u7684\u306b\u306f\u3001\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u653b\u6483\u306b\u5bfe\u3059\u308b\u9632\u5fa1\u306b\u7279\u5316\u3057\u305f\u3001\u3088\u308a\u6d17\u7df4\u3055\u308c\u305f WAF \u3084\u540c\u69d8\u306e\u30c6\u30af\u30ce\u30ed\u30b8\u30fc\u304c\u767b\u5834\u3059\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002<\/p>\n

        \u30d7\u30ed\u30ad\u30b7\u30b5\u30fc\u30d0\u30fc\u3068HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3<\/h2>\n

        \u30d7\u30ed\u30ad\u30b7 \u30b5\u30fc\u30d0\u30fc\u306f\u3001\u4ed6\u306e\u30b5\u30fc\u30d0\u30fc\u306e\u30ea\u30bd\u30fc\u30b9\u3092\u6c42\u3081\u308b\u30af\u30e9\u30a4\u30a2\u30f3\u30c8\u304b\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u306e\u4ef2\u4ecb\u5f79\u3068\u3057\u3066\u6a5f\u80fd\u3057\u3001HPP \u653b\u6483\u306e\u9632\u5fa1\u306b\u4f7f\u7528\u3067\u304d\u308b\u53ef\u80fd\u6027\u304c\u3042\u308a\u307e\u3059\u3002\u30d7\u30ed\u30ad\u30b7 \u30b5\u30fc\u30d0\u30fc\u306f\u3001\u7740\u4fe1 HTTP \u30ea\u30af\u30a8\u30b9\u30c8\u3092\u691c\u67fb\u3057\u3066 HPP \u306e\u5146\u5019 (\u30d1\u30e9\u30e1\u30fc\u30bf\u306e\u7e70\u308a\u8fd4\u3057\u306a\u3069) \u3092\u691c\u51fa\u3057\u3001\u3053\u308c\u3089\u306e\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u30d6\u30ed\u30c3\u30af\u307e\u305f\u306f\u5909\u66f4\u3057\u3066\u8105\u5a01\u3092\u8efd\u6e1b\u3067\u304d\u307e\u3059\u3002<\/p>\n

        \u3055\u3089\u306b\u3001\u30d7\u30ed\u30ad\u30b7 \u30b5\u30fc\u30d0\u30fc\u306f\u9694\u96e2\u306e\u5f62\u614b\u3068\u3057\u3066\u4f7f\u7528\u3067\u304d\u3001\u5185\u90e8\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u3078\u306e\u76f4\u63a5\u7684\u306a\u9732\u51fa\u3084\u6f5c\u5728\u7684\u306a HPP \u653b\u6483\u304b\u3089\u4fdd\u8b77\u3057\u307e\u3059\u3002\u307e\u305f\u3001\u30d7\u30ed\u30ad\u30b7 \u30b5\u30fc\u30d0\u30fc\u306f\u3001\u3059\u3079\u3066\u306e\u53d7\u4fe1 HTTP \u8981\u6c42\u3092\u30ed\u30b0\u306b\u8a18\u9332\u3059\u308b\u3088\u3046\u306b\u69cb\u6210\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u3001\u8a66\u884c\u3055\u308c\u305f HPP \u653b\u6483\u3092\u8b58\u5225\u304a\u3088\u3073\u5206\u6790\u3059\u308b\u305f\u3081\u306e\u8cb4\u91cd\u306a\u30c7\u30fc\u30bf\u3092\u63d0\u4f9b\u3057\u307e\u3059\u3002<\/p>\n

        \u95a2\u9023\u30ea\u30f3\u30af<\/h2>\n

        HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u8a73\u7d30\u306b\u3064\u3044\u3066\u306f\u3001\u6b21\u306e\u30ea\u30bd\u30fc\u30b9\u3092\u3054\u89a7\u304f\u3060\u3055\u3044\u3002<\/p>\n

          \n
        1. OWASP: HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3<\/a><\/li>\n
        2. Acunetix: HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u3068\u306f\u4f55\u304b<\/a><\/li>\n
        3. HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u306e\u8106\u5f31\u6027<\/a><\/li>\n
        4. \u697d\u3057\u307f\u3068\u5229\u76ca\u306e\u305f\u3081\u306e HTTP \u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3 (HPP)<\/a><\/li>\n
        5. HTTP\u30d1\u30e9\u30e1\u30fc\u30bf\u6c5a\u67d3\u653b\u6483\u306b\u5bfe\u3059\u308b\u9632\u5fa1<\/a><\/li>\n<\/ol>","protected":false},"featured_media":477501,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-477500","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about HTTP Parameter Pollution: A Comprehensive Exploration<\/mark>","faq_items":[{"question":"What is HTTP Parameter Pollution?","answer":"

          HTTP Parameter Pollution (HPP) is a web security vulnerability that involves the injection of manipulated parameters into HTTP requests. This could potentially allow attackers to alter the way a web application functions, bypass input validation checks, access sensitive data, and carry out other forms of web-based attacks.<\/p>"},{"question":"When was HTTP Parameter Pollution first identified?","answer":"

          HTTP Parameter Pollution was first identified as a distinct web application vulnerability around the early 2000s. However, it was officially recognized by the web security community following the release of a paper by OWASP (Open Web Application Security Project) in 2010.<\/p>"},{"question":"How does an HTTP Parameter Pollution attack work?","answer":"

          In an HPP attack, the attacker includes the same parameter multiple times within an HTTP request, each time with different values. The application server then combines these values in a way that was not intended by the developers, leading to potential security vulnerabilities.<\/p>"},{"question":"What are the key features of HTTP Parameter Pollution?","answer":"

          The key features of HTTP Parameter Pollution include targeting HTTP requests, manipulation of parameters, dependency on the application behaviour, the potential for a widespread impact, and its stealthy approach.<\/p>"},{"question":"What types of HTTP Parameter Pollution exist?","answer":"

          There are two primary types of HTTP Parameter Pollution based on the HTTP method used: GET-Based HPP, which manipulates the parameters within the URL of an HTTP GET request, and POST-Based HPP, which manipulates the parameters within the body of an HTTP POST request.<\/p>"},{"question":"How can one mitigate the risks posed by HTTP Parameter Pollution attacks?","answer":"

          Most mitigation strategies involve properly handling and sanitizing input, particularly with respect to HTTP parameters. This includes validating and sanitizing input, implementing a Web Application Firewall (WAF), and conducting regular security audits.<\/p>"},{"question":"How do proxy servers guard against HTTP Parameter Pollution attacks?","answer":"

          Proxy servers can inspect incoming HTTP requests for signs of HPP (like repeated parameters) and block or alter these requests to mitigate the threat. They can also isolate internal networks from direct exposure to the internet and potential HPP attacks, and log all incoming HTTP requests for further analysis.<\/p>"},{"question":"What are the future perspectives of HTTP Parameter Pollution?","answer":"

          As web applications continue to evolve, so too will the techniques used to exploit them. However, the focus on secure coding practices and automated tools to detect and prevent such vulnerabilities is also increasing. In the future, we may see more sophisticated WAFs and similar technologies specifically designed to defend against parameter pollution attacks.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/wiki\/477500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/wiki\/477500\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/media\/477501"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/jp\/wp-json\/wp\/v2\/media?parent=477500"}],"curies":[{"name":"\u3046\u30fc\u3093","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}