Slide 1

Slide 1 text

for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /* Masato Kinugawa */

Slide 2

Slide 2 text

• • •

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

• • • • •

Slide 5

Slide 5 text

• • • •

Slide 6

Slide 6 text

• • • • • • • • • • •

Slide 7

Slide 7 text

while(1){ alert(` `); }

Slide 8

Slide 8 text

• •

Slide 9

Slide 9 text

Slide 10

Slide 10 text

• • > decodeURIComponent("%E3%81%82"); < "あ" > decodeURIComponent("%FF"); ‣ Uncaught URIError: URI malformed

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

• • • > encodeURIComponent("あ"); < "%E3%81%82" > encodeURIComponent("\uDC00"); ‣ Uncaught URIError: URI malformed

Slide 13

Slide 13 text

https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode

Slide 14

Slide 14 text

(function a(){ alert(` `); a(); })()

Slide 15

Slide 15 text

• • • • / \/ • " \" • \ \\ userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents();

Slide 16

Slide 16 text

• userInput = "AAA [ ] BBB"; displayContents();

Slide 17

Slide 17 text

• userInput = "AAA BBB"; displayContents();

Slide 18

Slide 18 text

• https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

Slide 19

Slide 19 text

• https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

Slide 20

Slide 20 text

• userInput = "AAA [U+2028] BBB"; displayContents();

Slide 21

Slide 21 text

• • • • •

Slide 22

Slide 22 text

userInput = "<!--<script>"; displayContents();

Slide 23

Slide 23 text

• • userInput = "<!--<script>";

Slide 24

Slide 24 text

• • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements

Slide 25

Slide 25 text

• userInput = "<%"; %> https://html5sec.org/#91 <% %>

Slide 26

Slide 26 text

• • • • •

Slide 27

Slide 27 text

setInterval(` alert(\` \`) `,1);

Slide 28

Slide 28 text

• •

Slide 29

Slide 29 text

Slide 30

Slide 30 text

• • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase() Uncaught TypeError: userInfo.name.toUpperCase is not a function

Slide 31

Slide 31 text

siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url; title = "title: " + siteData.title;

Slide 32

Slide 32 text

• • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";

Slide 33

Slide 33 text

• • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert object to primitive value

Slide 34

Slide 34 text

• • • • •

Slide 35

Slide 35 text

• > typeof "aaa"; < ‣ "string" > typeof 123; < ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"

Slide 36

Slide 36 text

• • > Array.isArray([]); < ‣ true > Array.isArray({}); < ‣ false > null === null < ‣ true

Slide 37

Slide 37 text

• • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123); < ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"

Slide 38

Slide 38 text

*{ color:expression( alert(" ") )}

Slide 39

Slide 39 text

• • • AAA

Slide 40

Slide 40 text

• • •

Slide 41

Slide 41 text

/**
 * Looks up the color of a fruit by name.
 *
 * @param {string} USER_INPUT - fruit name, used directly as a property key
 * @returns {string} "<name>: <color>" when the lookup is truthy, otherwise
 *   "I don't know that fruit"
 */
function tellMeFruitColor(USER_INPUT){
  // NOTE: assigned without var/let/const — an implicit global in sloppy mode
  // (and a ReferenceError under strict mode / ES modules).
  fruits = { "apple":"red", "lemon":"yellow", "peach":"pink" };
  // Bracket access on an object literal walks the prototype chain, so keys
  // such as "toString", "constructor" or "__proto__" also yield a truthy
  // value here and are reported as if they were fruits (see the next slide);
  // an own-property check (Object.prototype.hasOwnProperty.call) avoids that.
  if(fruits[USER_INPUT]){
    return USER_INPUT + ": " + fruits[USER_INPUT];
  }else{
    return "I don't know that fruit";
  }
}

Slide 42

Slide 42 text

> tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow" > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"

Slide 43

Slide 43 text

No content

Slide 44

Slide 44 text

• •

Slide 45

Slide 45 text

https://qiita.com/howdy39/items/35729490b024ca295d6c

Slide 46

Slide 46 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 47

Slide 47 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 48

Slide 48 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 49

Slide 49 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 50

Slide 50 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 51

Slide 51 text

if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return "I don't know that fruit"; }

Slide 52

Slide 52 text

> ({"toString":function(){return "a"}})+""; < "a" > ({"prop":"a"})+""; < "[object Object]"

Slide 53

Slide 53 text

whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... } // whiteListTags[ ] whiteListTags["toString"]()

Slide 54

Slide 54 text

fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... } // fileIcons[ ] dos.constructor fileIcons["constructor"]

Slide 55

Slide 55 text

• • • •

Slide 56

Slide 56 text

• • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; - if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

Slide 57

Slide 57 text

> tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow" > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"

Slide 58

Slide 58 text

• • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = { ... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

Slide 59

Slide 59 text

• • function tellMeFruitColor(USER_INPUT){ - fruits = { ... }; + fruits = new Map([["apple","red"], + ["lemon","yellow"], + ["peach","pink"]]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }

Slide 60

Slide 60 text

({toString: function(){ alert(` `); this+""; } })+"";

Slide 61

Slide 61 text

• •

Slide 62

Slide 62 text

// Demo: a plain object that merely claims to be an Array.
USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}};
// constructor.name is an ordinary, caller-settable property, so this check
// does not prove USER_INPUT is an Array (Array.isArray, shown earlier, does).
if(USER_INPUT.constructor.name === "Array"){
  array = [];
  // Trusts the self-reported length: 1e10 iterations, each pushing undefined
  // (the object has no numeric keys) — presumably what produces the crash
  // trace on the next slide.
  for (var i = 0; i < USER_INPUT.length; i++) {
    array.push(USER_INPUT[i]);
  }
}

Slide 63

Slide 63 text

==== JS stack trace ========================================= Security context: 00000099763A5549 1: /* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 ) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 ,options=0000021A2A00C709 ) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1

Slide 64

Slide 64 text

• • •

Slide 65

Slide 65 text

Slide 66

Slide 66 text

• • • • •

Slide 67

Slide 67 text

for(;;){ alert(` `); } /* */