{"id":477747,"date":"2023-08-09T09:19:35","date_gmt":"2023-08-09T09:19:35","guid":{"rendered":""},"modified":"2023-09-05T11:15:18","modified_gmt":"2023-09-05T11:15:18","slug":"json-hijacking","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/kr\/wiki\/json-hijacking\/","title":{"rendered":"JSON Hijacking"},"content":{"rendered":"<p>JSON hijacking, also known as &quot;JavaScript Object Notation hijacking&quot;, is a security vulnerability that affects web applications that use JSON (JavaScript Object Notation) as a data interchange format. Through this vulnerability, an attacker can steal sensitive data from the victim's browser when the application is not properly protected against such attacks. JSON hijacking takes advantage of the same-origin policy, a security measure that prevents a web page from making requests to a domain other than the one that served it.<\/p>\n<h2>The history of the origin of JSON hijacking and its first mention<\/h2>\n<p>JSON hijacking was first discovered and documented by Jeremiah Grossman in 2006. In his research he found that web applications using JSON responses were vulnerable to this issue because there was no standard method for preventing it. The first mention of JSON hijacking drew attention to the potential risks of using JSON as a data interchange format without appropriate security measures.<\/p>\n<h2>Detailed information about JSON hijacking. Expanding the topic of JSON hijacking<\/h2>\n<p>JSON hijacking occurs when a web application serves JSON data without implementing proper security mechanisms such as a secure JSON response wrapper. Normally, when a web page requests JSON data from a server, it receives a legitimate JSON object that the page's JavaScript code can easily parse and use.<\/p>\n<p>In JSON hijacking, however, the attacker abuses the same-origin policy to steal the JSON data. The attacker tricks the victim's browser into making a cross-origin request to a malicious server under the attacker's control. Because the same-origin policy is not applied to JSON requests (unlike conventional Ajax requests), the malicious server can receive the JSON data directly.<\/p>\n<p>Without a proper security header or response wrapper such as &quot;X-Content-Type-Options: nosniff&quot; or &quot;while(1);&quot;, an attacker can carry out a successful JSON hijacking attack. The attacker can steal sensitive data, potentially compromising user privacy and security.<\/p>\n<h2>The internal structure of JSON hijacking. How JSON hijacking works<\/h2>\n<p>JSON hijacking mainly targets web applications that use JSON responses without specific security techniques. The internal structure of the attack consists of the following steps.<\/p>\n<ol>\n<li>The victim's browser sends a request for JSON data to the web server.<\/li>\n<li>The web server processes the request and sends the JSON data back in its response.<\/li>\n<li>The attacker tricks the victim's browser into making an additional cross-origin request that goes to the attacker's server.<\/li>\n<li>Because the same-origin policy is not applied to JSON requests, the attacker's server intercepts the JSON response directly from the victim's browser.<\/li>\n<li>The attacker can now access sensitive JSON data that could previously be accessed only within the web application's domain.<\/li>\n<\/ol>\n<h2>Analysis of the key features of JSON hijacking<\/h2>\n<p>The key features of JSON hijacking are as follows.<\/p>\n<ul>\n<li>Exploitation of the same-origin policy: JSON hijacking takes advantage of the same-origin policy exemption for JSON requests, allowing an attacker to intercept the JSON response.<\/li>\n<li>Lack of a proper response wrapper: the absence of a secure JSON response wrapper such as &quot;while(1)&quot;, or of the &quot;X-Content-Type-Options: nosniff&quot; header, can leave a web application vulnerable to JSON hijacking.<\/li>\n<li>Focus on JSON endpoints: the attack is aimed at web applications that use JSON endpoints for data exchange.<\/li>\n<\/ul>\n<h2>Types of JSON hijacking<\/h2>\n<p>JSON hijacking can be classified into two main types according to the method used to carry out the attack.<\/p>\n<ol>\n<li>\n<p><strong>Direct JSON hijacking:<\/strong> In this type of attack, the attacker tricks the victim's browser into sending the JSON request directly to the attacker's server. The attacker's server then receives the JSON data directly, without any additional steps.<\/p>\n<\/li>\n<li>\n<p><strong>JSONP (JSON with Padding) hijacking:<\/strong> JSONP is a technique used to work around the same-origin policy restrictions on cross-origin requests. In JSONP hijacking, the attacker manipulates the JSONP callback function to receive the JSON data and extract potentially sensitive information.<\/p>\n<\/li>\n<\/ol>\n<p>The following comparison table highlights the differences between the two types of JSON hijacking.<\/p>\n<table>\n<thead>\n<tr>\n<th>Type<\/th>\n<th>Method<\/th>\n<th>Advantages<\/th>\n<th>Disadvantages<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Direct JSON hijacking<\/td>\n<td>Exploits the same-origin policy for JSON requests<\/td>\n<td>Simple to execute, direct access to JSON data<\/td>\n<td>More visible in logs and easier to detect<\/td>\n<\/tr>\n<tr>\n<td>JSONP hijacking<\/td>\n<td>Manipulation of the JSONP callback function<\/td>\n<td>Potential to bypass the same-origin policy<\/td>\n<td>Requires a vulnerable JSONP implementation<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Ways JSON hijacking is used, the problems it causes, and their solutions<\/h2>\n<h3>Methods of abuse<\/h3>\n<p>JSON hijacking can be used to obtain sensitive information such as user credentials, authentication tokens, or other sensitive data stored in JSON responses. The stolen data can be misused by the attacker for a variety of malicious purposes.<\/p>\n<h3>Problems and solutions<\/h3>\n<p>The main problem with JSON hijacking is that many web applications that use JSON as a data interchange format lack standard security measures. To mitigate the risks associated with JSON hijacking, developers and website administrators can implement the following solutions.<\/p>\n<ol>\n<li>\n<p><strong>Secure JSON response wrapper:<\/strong> Wrap JSON responses in a secure wrapper such as &quot;while(1)&quot;, or use &quot;X-Content-Type-Options: nosniff&quot;. This prevents the browser from parsing the JSON data directly, so a potential attacker cannot access it.<\/p>\n<\/li>\n<li>\n<p><strong>CORS (Cross-Origin Resource Sharing):<\/strong> Implementing a CORS policy restricts cross-origin access to JSON data, effectively preventing attackers from exploiting the same-origin policy exemption.<\/p>\n<\/li>\n<li>\n<p><strong>Token-based authentication:<\/strong> Using token-based authentication methods such as OAuth protects against unauthorized access and mitigates the impact of JSON hijacking.<\/p>\n<\/li>\n<li>\n<p><strong>Content Security Policy (CSP):<\/strong> By configuring CSP headers, administrators can control which domains may execute scripts on a web page, reducing the risk of JSON hijacking.<\/p>\n<\/li>\n<\/ol>\n<h2>Key features and comparisons with other similar terms, in table and list form<\/h2>\n<p>The following table compares JSON hijacking with similar terms and related concepts.<\/p>\n<table>\n<thead>\n<tr>\n<th>Term<\/th>\n<th>Description<\/th>\n<th>Difference<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>JSON hijacking<\/td>\n<td>A vulnerability that exploits the same-origin policy exemption for JSON requests.<\/td>\n<td>Targets web applications whose JSON responses lack a secure JSON response wrapper.<\/td>\n<\/tr>\n<tr>\n<td>Cross-Site Scripting<\/td>\n<td>An attack that injects malicious scripts into a web application to steal data or hijack user sessions.<\/td>\n<td>Focuses on script injection, whereas JSON hijacking targets direct access to JSON data.<\/td>\n<\/tr>\n<tr>\n<td>Cross-Site Request Forgery (CSRF)<\/td>\n<td>An attack that tricks users into performing unwanted actions on a trusted site.<\/td>\n<td>CSRF focuses on user actions, whereas JSON hijacking deals with exploitation of the same-origin policy for JSON.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Future perspectives and technologies related to JSON hijacking<\/h2>\n<p>As web technologies evolve, so do the potential risks associated with JSON hijacking. Developers and security professionals continue to look for innovative ways to prevent this vulnerability. Some potential future perspectives and technologies related to JSON hijacking are the following.<\/p>\n<ol>\n<li>\n<p><strong>Standardization of secure JSON response wrappers:<\/strong> Adopting a standardized secure JSON response wrapper would make it easier for developers to protect JSON data from hijacking attacks.<\/p>\n<\/li>\n<li>\n<p><strong>Improved same-origin policy for JSON:<\/strong> Strengthening the same-origin policy to cover JSON requests more comprehensively could reduce the risk of JSON hijacking.<\/p>\n<\/li>\n<li>\n<p><strong>Advances in Web Application Firewalls (WAF):<\/strong> Web application firewalls may incorporate more sophisticated algorithms to detect and block JSON hijacking attempts effectively.<\/p>\n<\/li>\n<li>\n<p><strong>Increased adoption of JSON Web Tokens (JWT):<\/strong> JWT provides a secure way to transmit information between parties as a JSON object, making it less susceptible to JSON hijacking.<\/p>\n<\/li>\n<\/ol>\n<h2>How proxy servers can be used or associated with JSON hijacking<\/h2>\n<p>Proxy servers act as intermediaries between clients and web servers and can play a role in mitigating the risk of JSON hijacking. Proxy servers relate to JSON hijacking in the following ways.<\/p>\n<ol>\n<li>\n<p><strong>Request filtering:<\/strong> Proxy servers can be configured to filter incoming JSON requests and block those that show signs of a potential JSON hijacking attempt.<\/p>\n<\/li>\n<li>\n<p><strong>Response wrapping:<\/strong> Proxy servers can wrap JSON responses in a secure response header (for example \u201cwhile(1);\u201d) before passing them on to the client, providing an additional layer of security.<\/p>\n<\/li>\n<li>\n<p><strong>CORS management:<\/strong> Proxy servers can enforce strict CORS policies to prevent unauthorized access to JSON data and minimize the risk of JSON hijacking.<\/p>\n<\/li>\n<\/ol>\n<h2>Related links<\/h2>\n<p>For more information about JSON hijacking and web application security, see the following resources.<\/p>\n<ol>\n<li><a href=\"https:\/\/owasp.org\/www-community\/attacks\/JSON_Hijacking\" target=\"_new\" rel=\"noopener nofollow\">OWASP JSON Hijacking<\/a><\/li>\n<li><a href=\"https:\/\/www.jeremiahgrossman.com\/2006\/01\/advanced-web-attack-techniques-using.html\" target=\"_new\" rel=\"noopener nofollow\">Jeremiah Grossman's blog<\/a><\/li>\n<li><a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/Security\/Same-origin_policy\" target=\"_new\" rel=\"noopener nofollow\">MDN (Mozilla Developer Network) - Same-origin policy<\/a><\/li>\n<\/ol>\n<p>Understanding and addressing the risks of JSON hijacking is essential for web application developers and administrators who want to ensure the security and privacy of user data. Implementing best practices and keeping security measures up to date helps protect against this vulnerability.<\/p>","protected":false},"featured_media":477748,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-477747","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about <mark>JSON Hijacking: An Encyclopedia Article<\/mark>","faq_items":[{"question":"What is JSON hijacking?","answer":"<p>JSON hijacking, also known as \"JavaScript Object Notation hijacking,\" is a security vulnerability that affects web applications using JSON as a data interchange format. It allows attackers to steal sensitive data from the victim's browser when the application lacks proper security measures.<\/p>"},{"question":"Who discovered JSON hijacking, and when was it first mentioned?","answer":"<p>JSON hijacking was first discovered and documented by Jeremiah Grossman in 2006. He brought attention to this vulnerability, highlighting the risks associated with using JSON without appropriate security measures.<\/p>"},{"question":"How does JSON hijacking work?","answer":"<p>JSON hijacking exploits the same-origin policy exemption for JSON requests. The attacker tricks the victim's browser into making an additional cross-origin request, which is intercepted by the attacker's server, granting them direct access to the JSON data.<\/p>"},{"question":"What are the key features of JSON hijacking?","answer":"<p>Key features include exploiting the same-origin policy, absence of secure JSON response wrappers, and targeting web applications using JSON endpoints for data exchange.<\/p>"},{"question":"What are the types of JSON hijacking?","answer":"<p>JSON hijacking can be classified into two types:<\/p><ol><li>Direct JSON hijacking: The attacker tricks the victim's browser into sending JSON directly to the attacker's server.<\/li><li>JSONP hijacking: The attacker manipulates the JSONP callback function to extract JSON data.<\/li><\/ol>"},{"question":"How can JSON hijacking be mitigated?","answer":"<p>To prevent JSON hijacking, developers can implement secure JSON response wrappers, utilize CORS policies, employ token-based authentication, and configure Content Security Policy (CSP) headers.<\/p>"},{"question":"How does JSON hijacking differ from Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)?","answer":"<p>JSON hijacking targets direct access to JSON data by exploiting the same-origin policy. XSS injects malicious scripts into web apps, while CSRF tricks users into performing unwanted actions on trusted sites.<\/p>"},{"question":"What are the future perspectives and technologies related to JSON hijacking?","answer":"<p>Future developments may include standardized secure JSON response wrappers, improved same-origin policy for JSON, and increased adoption of JSON Web Tokens (JWT) for secure data transmission.<\/p>"},{"question":"How can proxy servers help protect against JSON hijacking?","answer":"<p>Proxy servers can act as intermediaries between clients and web servers, filtering requests, wrapping responses securely, and managing CORS to minimize the risk of JSON hijacking.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/wiki\/477747","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/wiki\/477747\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/media\/477748"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/kr\/wp-json\/wp\/v2\/media?parent=477747"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}