{"id":51,"date":"2017-03-01T22:05:10","date_gmt":"2017-03-01T22:05:10","guid":{"rendered":"http:\/\/damrakoc.com\/blog\/?p=51"},"modified":"2020-01-17T15:50:39","modified_gmt":"2020-01-17T15:50:39","slug":"birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection","status":"publish","type":"post","link":"http:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/","title":{"rendered":"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS – SQL Injection)"},"content":{"rendered":"

Yapt\u0131\u011f\u0131m\u0131z web uygulamalar\u0131 \u00fczerinde her ne kadar g\u00fcvenlik \u00f6nlemi al\u0131p g\u00fcvenli bir sistem olu\u015fturdu\u011fumuzu d\u00fc\u015f\u00fcnsekte, hi\u00e7 bir sistem y\u00fczde y\u00fcz olarak g\u00fcvenli de\u011fildir.<\/u>\u00a0Sadece kod olarak d\u00fc\u015f\u00fcnmemek gerek. Hosting firman\u0131z, \u0130\u015fletim sistemi, Load balancer, Web server gibi bir \u00e7ok varyasyon sizin kendi aya\u011f\u0131n\u0131za s\u0131kman\u0131z i\u00e7in yeterli.\u00a0Ald\u0131\u011f\u0131n\u0131z her t\u00fcrl\u00fc g\u00fcvenlik \u00f6nlemi bir \u015fekilde a\u015f\u0131labilir.\u00a0<\/strong><\/p>\n


\nG\u00fcvenlik konusunda bence dikkat edilmesi gereken en b\u00fcy\u00fck olay kullan\u0131c\u0131d\u0131r.<\/u> Her kullan\u0131c\u0131ya potansiyel su\u00e7lu g\u00f6z\u00fcyle bakmak ve siteyi ona g\u00f6re yap\u0131land\u0131rmak gerekir. Sitenizi ziyaret eden kullan\u0131c\u0131 her ne kadar sitenize zarar vermek amac\u0131nda olmasada, kullan\u0131c\u0131ya tam olarak g\u00fcvenmemelisiniz. \u00d6zellikle \u00fcyelik sistemi olan sitelerin \u00fcye kay\u0131t ve giri\u015f sayfalar\u0131nda gerekli g\u00fcvenlik \u00f6nlemlerini alman\u0131z gerekmektedir. Bizde bu konudan hareket ederek alabilece\u011fimiz g\u00fcvenlik \u00f6nlemlerine bakal\u0131m…
\n<\/strong><\/p>\n

Temel bir konu olacak belki ama yakla\u015f\u0131k olarak 3-4 senelik \u00e7al\u0131\u015fma hayat\u0131mda g\u00f6rm\u00fc\u015f oldu\u011fum
\nform verileri site i\u00e7in olduk\u00e7a b\u00fcy\u00fck g\u00fcvenlik sorunu<\/u> te\u015fkil etmektedir. Form verilerinizi g\u00f6nderirken. Formdan gelen verilerinizi zararl\u0131 kod i\u00e7erebilece\u011fi ihtimali \u00fczerine mutlaka verilerini filtrelemelisiniz. Bu filtrelemeyi yapmad\u0131\u011f\u0131n\u0131z zaman sitenizde en b\u00fcy\u00fck a\u00e7\u0131klardan biri; SQL Injection<\/span>\u00a0sald\u0131r\u0131s\u0131na u\u011frama ihtimaliniz y\u00fcksektir. (hex encode ile sql injection g\u00f6rmedim de\u011fil).Yar\u0131m adamlardan kurtulmak \u00fczere\u00a0PHP<\/span> i\u00e7in PDO<\/span> ile birlikte sql sorgusunu \u00e7al\u0131\u015ft\u0131rmadan \u00f6nce bind edilen parametreleri prepare methodunu tetiklemeniz yeterlidir.<\/strong><\/p>\n

Olu\u015fabilecek bir di\u011fer \u00f6nemli a\u00e7\u0131k ise XSS<\/span> (Cross site scripting) a\u00e7\u0131\u011f\u0131d\u0131r<\/strong>, en yayg\u0131n uygulama katman\u0131 web sald\u0131r\u0131lar\u0131ndan biridir. XSS g\u00fcvenlik a\u00e7\u0131klar\u0131, bir sayfaya g\u00f6m\u00fcl\u00fc olan, sunucu taraf\u0131nda de\u011fil de istemci taraf\u0131nda (kullan\u0131c\u0131n\u0131n web taray\u0131c\u0131s\u0131nda) y\u00fcr\u00fct\u00fclen komut dosyalar\u0131n\u0131 hedefler. XSS’nin kendisi, HTML<\/span> ve JavaScript<\/span> gibi istemci taraf\u0131 komut dosyas\u0131 dillerinin \u0130nternet g\u00fcvenlik zay\u0131fl\u0131klar\u0131n\u0131n getirdi\u011fi bir tehdittir. XSS kavram\u0131, bir web uygulamas\u0131n\u0131n istemci taraf\u0131 komut dosyalar\u0131n\u0131 k\u00f6t\u00fc niyetli kullan\u0131c\u0131n\u0131n istedi\u011fi bi\u00e7imde y\u00fcr\u00fctmek \u00fczere manip\u00fcle etmektir. B\u00f6yle bir manip\u00fclasyon, sayfa y\u00fcklendi\u011finde veya ili\u015fkili bir etkinlik ger\u00e7ekle\u015ftirildi\u011finde y\u00fcr\u00fct\u00fclebilen bir sayfaya bir komut dosyas\u0131 g\u00f6mebilir.<\/strong><\/p>\n

XSS, bug\u00fcn yaz\u0131l\u0131mda en yayg\u0131n g\u00fcvenlik a\u00e7\u0131\u011f\u0131d\u0131r. XSS’nin bulunmas\u0131 ve d\u00fczeltilmesi kolay oldu\u011fu i\u00e7in bu durum b\u00f6yle olmamal\u0131d\u0131r. XSS a\u00e7\u0131klar\u0131 kurcalama ve hassas veri h\u0131rs\u0131zl\u0131\u011f\u0131 gibi sonu\u00e7lar\u0131 do\u011furabilir.<\/strong><\/p>\n

XSS’nin Temel Kavramlar\u0131<\/strong>
\nXSS, savunmas\u0131z web uygulamalar\u0131 \u00fczerinde ger\u00e7ekle\u015ftirilen web tabanl\u0131 bir sald\u0131r\u0131d\u0131r.<\/strong>
\nXSS sald\u0131r\u0131lar\u0131nda, kurban kullan\u0131c\u0131d\u0131r ve uygulama de\u011fildir.<\/strong>
\nXSS sald\u0131r\u0131lar\u0131nda, k\u00f6t\u00fc ama\u00e7l\u0131 i\u00e7erik, JavaScript’i kullanarak kullan\u0131c\u0131lara da\u011f\u0131t\u0131l\u0131r.<\/strong><\/p>\n

Siteler Aras\u0131 Komut Dosyalar\u0131n\u0131 A\u00e7\u0131klama<\/strong>
\nBir XSS g\u00fcvenlik a\u00e7\u0131\u011f\u0131, web uygulamalar\u0131 kullan\u0131c\u0131lardan veri toplad\u0131\u011f\u0131nda ve verileri ilk olarak d\u00fczg\u00fcn \u015fekilde do\u011frulamadan dinamik olarak web sayfalar\u0131na ekledi\u011finde ortaya \u00e7\u0131kar. XSS g\u00fcvenlik a\u00e7\u0131klar\u0131 bir sald\u0131rgan\u0131n keyfi komut \u00e7al\u0131\u015ft\u0131rmas\u0131na ve bir kurban kullan\u0131c\u0131s\u0131n\u0131n taray\u0131c\u0131s\u0131nda keyfi i\u00e7eri\u011fi g\u00f6r\u00fcnt\u00fclemesine izin verir. Ba\u015far\u0131l\u0131 bir XSS sald\u0131r\u0131s\u0131, sald\u0131r\u0131ya maruz kalan web uygulamas\u0131nda kurban\u0131n\u0131n taray\u0131c\u0131s\u0131n\u0131 veya hesab\u0131n\u0131 kontrol eden bir sald\u0131rgana yol a\u00e7ar. XSS, bir web uygulamas\u0131ndaki savunmas\u0131z sayfalar taraf\u0131ndan etkinle\u015ftirilmesine ra\u011fmen, bir XSS sald\u0131r\u0131s\u0131 kurban\u0131, uygulaman\u0131n kullan\u0131c\u0131lar\u0131 de\u011fil, uygulaman\u0131n kendisi de\u011fildir. Bir XSS g\u00fcvenlik a\u00e7\u0131\u011f\u0131 potensiyeli, k\u00f6t\u00fc niyetli kodun kurban\u0131n oturumu ba\u011flam\u0131nda y\u00fcr\u00fct\u00fclmesiyle olu\u015fur; bu da sald\u0131rgan\u0131n normal g\u00fcvenlik k\u0131s\u0131tlamalar\u0131n\u0131 a\u015fmas\u0131na olanak tan\u0131r.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

Yapt\u0131\u011f\u0131m\u0131z web uygulamalar\u0131 \u00fczerinde her ne kadar g\u00fcvenlik \u00f6nlemi al\u0131p g\u00fcvenli bir sistem olu\u015fturdu\u011fumuzu d\u00fc\u015f\u00fcnsekte, hi\u00e7 bir sistem y\u00fczde y\u00fcz olarak g\u00fcvenli de\u011fildir.\u00a0Sadece kod olarak d\u00fc\u015f\u00fcnmemek gerek. Hosting firman\u0131z, \u0130\u015fletim sistemi, Load balancer, Web server gibi bir \u00e7ok varyasyon sizin kendi aya\u011f\u0131n\u0131za s\u0131kman\u0131z i\u00e7in yeterli.\u00a0Ald\u0131\u011f\u0131n\u0131z her t\u00fcrl\u00fc g\u00fcvenlik \u00f6nlemi bir \u015fekilde a\u015f\u0131labilir.\u00a0 G\u00fcvenlik konusunda bence […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,12],"tags":[],"class_list":["post-51","post","type-post","status-publish","format-standard","hentry","category-sql-injection","category-xss"],"yoast_head":"\nBirka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7\" \/>\n<meta property=\"og:description\" content=\"Yapt\u0131\u011f\u0131m\u0131z web uygulamalar\u0131 \u00fczerinde her ne kadar g\u00fcvenlik \u00f6nlemi al\u0131p g\u00fcvenli bir sistem olu\u015fturdu\u011fumuzu d\u00fc\u015f\u00fcnsekte, hi\u00e7 bir sistem y\u00fczde y\u00fcz olarak g\u00fcvenli de\u011fildir.\u00a0Sadece kod olarak d\u00fc\u015f\u00fcnmemek gerek. Hosting firman\u0131z, \u0130\u015fletim sistemi, Load balancer, Web server gibi bir \u00e7ok varyasyon sizin kendi aya\u011f\u0131n\u0131za s\u0131kman\u0131z i\u00e7in yeterli.\u00a0Ald\u0131\u011f\u0131n\u0131z her t\u00fcrl\u00fc g\u00fcvenlik \u00f6nlemi bir \u015fekilde a\u015f\u0131labilir.\u00a0 G\u00fcvenlik konusunda bence […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/\" \/>\n<meta property=\"og:site_name\" content=\"Damra KO\u00c7\" \/>\n<meta property=\"article:published_time\" content=\"2017-03-01T22:05:10+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2020-01-17T15:50:39+00:00\" \/>\n<meta name=\"author\" content=\"damrakoc\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@damra_koc\" \/>\n<meta name=\"twitter:site\" content=\"@damra_koc\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"damrakoc\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/\",\"url\":\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/\",\"name\":\"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7\",\"isPartOf\":{\"@id\":\"http:\/\/damrakoc.com\/blog\/#website\"},\"datePublished\":\"2017-03-01T22:05:10+00:00\",\"dateModified\":\"2020-01-17T15:50:39+00:00\",\"author\":{\"@id\":\"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/c0aef33e15396f85a26d08495c742b8b\"},\"breadcrumb\":{\"@id\":\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/damrakoc.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS – SQL Injection)\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/damrakoc.com\/blog\/#website\",\"url\":\"http:\/\/damrakoc.com\/blog\/\",\"name\":\"Damra KO\u00c7\",\"description\":\"Software Developer\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/damrakoc.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/c0aef33e15396f85a26d08495c742b8b\",\"name\":\"damrakoc\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1a5d82872160ecc5a366412de9d017ead27f16fcfce7c8e46532199f18145f06?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1a5d82872160ecc5a366412de9d017ead27f16fcfce7c8e46532199f18145f06?s=96&d=mm&r=g\",\"caption\":\"damrakoc\"},\"url\":\"http:\/\/damrakoc.com\/blog\/author\/damrakoc\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/","og_locale":"en_US","og_type":"article","og_title":"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7","og_description":"Yapt\u0131\u011f\u0131m\u0131z web uygulamalar\u0131 \u00fczerinde her ne kadar g\u00fcvenlik \u00f6nlemi al\u0131p g\u00fcvenli bir sistem olu\u015fturdu\u011fumuzu d\u00fc\u015f\u00fcnsekte, hi\u00e7 bir sistem y\u00fczde y\u00fcz olarak g\u00fcvenli de\u011fildir.\u00a0Sadece kod olarak d\u00fc\u015f\u00fcnmemek gerek. Hosting firman\u0131z, \u0130\u015fletim sistemi, Load balancer, Web server gibi bir \u00e7ok varyasyon sizin kendi aya\u011f\u0131n\u0131za s\u0131kman\u0131z i\u00e7in yeterli.\u00a0Ald\u0131\u011f\u0131n\u0131z her t\u00fcrl\u00fc g\u00fcvenlik \u00f6nlemi bir \u015fekilde a\u015f\u0131labilir.\u00a0 G\u00fcvenlik konusunda bence […]","og_url":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/","og_site_name":"Damra KO\u00c7","article_published_time":"2017-03-01T22:05:10+00:00","article_modified_time":"2020-01-17T15:50:39+00:00","author":"damrakoc","twitter_card":"summary_large_image","twitter_creator":"@damra_koc","twitter_site":"@damra_koc","twitter_misc":{"Written by":"damrakoc","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/","url":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/","name":"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS - SQL Injection) - Damra KO\u00c7","isPartOf":{"@id":"http:\/\/damrakoc.com\/blog\/#website"},"datePublished":"2017-03-01T22:05:10+00:00","dateModified":"2020-01-17T15:50:39+00:00","author":{"@id":"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/c0aef33e15396f85a26d08495c742b8b"},"breadcrumb":{"@id":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/damrakoc.com\/blog\/birkac-temel-guvenlik-acigi-hakkinda-xss-sql-injection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/damrakoc.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Birka\u00e7 temel g\u00fcvenlik a\u00e7\u0131\u011f\u0131 hakk\u0131nda (XSS – SQL Injection)"}]},{"@type":"WebSite","@id":"http:\/\/damrakoc.com\/blog\/#website","url":"http:\/\/damrakoc.com\/blog\/","name":"Damra KO\u00c7","description":"Software Developer","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/damrakoc.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/c0aef33e15396f85a26d08495c742b8b","name":"damrakoc","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/damrakoc.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1a5d82872160ecc5a366412de9d017ead27f16fcfce7c8e46532199f18145f06?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1a5d82872160ecc5a366412de9d017ead27f16fcfce7c8e46532199f18145f06?s=96&d=mm&r=g","caption":"damrakoc"},"url":"http:\/\/damrakoc.com\/blog\/author\/damrakoc\/"}]}},"_links":{"self":[{"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/posts\/51","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/comments?post=51"}],"version-history":[{"count":1,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/posts\/51\/revisions"}],"predecessor-version":[{"id":52,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/posts\/51\/revisions\/52"}],"wp:attachment":[{"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/media?parent=51"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/categories?post=51"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/damrakoc.com\/blog\/wp-json\/wp\/v2\/tags?post=51"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}