Upgrade to Pro — share decks privately, control downloads, hide ads and more …

接觸資安才發現前端的水真深 - Modern Web 2021

Huli
October 15, 2021
Technology
0
1.6k

接觸資安才發現前端的水真深 - Modern Web 2021

接觸資安才發現前端的水真深 - Modern Web 2021

Huli

October 15, 2021
Tweet

More Decks by Huli

See All by Huli
ModernWeb 2018 - 輕鬆應付複雜的非同步操作:RxJS + Redux Observable
aszx87410
0
57
Attacking web without JS - CSS injection
aszx87410
0
2.5k
Front-end Security that Front-end developers don't know
aszx87410
2
5.2k
你懂了 JavaScript,也不懂 JavaScript - MOPCON 2021
aszx87410
3
770
JSDC2020 - 用 API mocking 讓前端不再苦等待
aszx87410
0
1.1k

Other Decks in Technology

See All in Technology
Autify Company Deck
autifyhq
1
25k
サーバーを超えて: 開発者のために作られたTiDB ServerlessとChat2Query
pingcap0315
0
120
Priorityを制するものはローディングを制す
edwardkenfox
4
330
LLM×Cloud Runでオンライン薬局の既存オペレーションを自動化した話
pharma_x_tech
0
720
備えあれば患いなし:効率的なインシデント対応を目指すSREの取り組み
kazumax55
0
190
TechNight#71 - Oracle Database 23c 新機能#1 JSON関連新機能
oracle4engineer
PRO
0
130
TechNight#71 - Oracle Database 23c 新機能#1 Microservices関連新機能
oracle4engineer
PRO
0
100
【IoT-Tech Meetup #5】WireGuardを動かす環境やハードウェア紹介
soracom
PRO
0
140
サービスへの影響を抑えてデータベースの移行を実施したはなし Aurora MySQL -> Cloud SQL
pistatium
0
280
KubeCon China 2023: Adventures in Platform Building
salaboy
0
100
マルチプロダクト運用におけるSREのあり方/SRE NEXT 2023-link-and-motivation
lmi
0
100
30点で打席に立つ
konifar
52
32k

Featured

See All Featured
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9k
Building Your Own Lightsaber
phodgson
97
5.2k
The Cult of Friendly URLs
andyhume
71
5.3k
Documentation Writing (for coders)
carmenintech
55
3.3k
How to name files
jennybc
56
85k
Mobile First: as difficult as doing things right
swwweet
214
8.2k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Adopting Sorbet at Scale
ufuk
66
8.1k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
225
50k
Code Reviewing Like a Champion
maltzj
510
38k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
A Philosophy of Restraint
colly
195
15k

Transcript

  1. 接觸資安才發現前端的⽔水真深
    Huli @ Modern Web 2021

    View Slide

  2. About
    上半年年:OneDegree 前端⼯工程師

    View Slide

  3. About
    上半年年:OneDegree 前端⼯工程師
    下半年年:Cymetrics 資安⼯工程師

    View Slide

  4. View Slide

  5. Agenda
    1. 繞過各種限制

    2. side channel attack

    3. 其他你不知道的功能

    View Slide

  6. Agenda
    1. 繞過各種限制

    2. side channel attack

    3. 其他你不知道的功能

    View Slide

  7. XSS

    View Slide

  8. <br/>alert(1)<br/>

    View Slide

  9. onerror=alert(1)>

    View Slide


  10. View Slide

  11. Q1
    如果把 HTML 中的空格都拿掉
    是否還可以⽤用屬性 XSS?

    View Slide

  12. Q1
    如果把 HTML 中的空格都拿掉
    是否還可以⽤用屬性 XSS?

    View Slide


  13. View Slide


  14. View Slide

  15. Q2
    如果禁⽌止使⽤用 on 開頭的屬性,
    是否還能 XSS?

    View Slide

  16. Q2
    如果禁⽌止使⽤用 on 開頭的屬性,
    是否還能 XSS?

    View Slide

  17. src="javascript:alert(1)">

    View Slide

  18. Q3
    如果把 javascript 開頭的值都濾掉,
    是否還能 XSS?

    View Slide

  19. Q3
    如果把 javascript 開頭的值都濾掉,
    是否還能 XSS?

    View Slide

  20. src="java\tscript:alert(1)">

    View Slide

  21. Q4
    如果去除 tab 跟空⾏行行以後去掉 javascript,
    是否還能 XSS?

    View Slide

  22. Q4
    如果去除 tab 跟空⾏行行以後去掉 javascript,
    是否還能 XSS?

    View Slide

  23. src="javascript:alert(1)">

    View Slide

  24. src="javascript:alert
    (1)">

    View Slide

  25. Q5
    如果去除 src 屬性,
    是否還能 XSS?

    View Slide

  26. Q5
    如果去除 src 屬性,
    是否還能 XSS?

    View Slide

  27. href="javascript:alert(1)">

    View Slide

  28. <br/>alert(1)<br/>

    View Slide

  29. <br/>alert`1`<br/>

    View Slide

  30. onerror=alert;throw 1

    View Slide

  31. onerror=eval;throw
    "=alert\x281\x29"

    View Slide

  32. onerror=eval;throw
    "=alert\x281\x29"
    Uncaught 123

    View Slide

  33. onerror=eval;throw
    "=alert\x281\x29"
    Uncaught=123

    View Slide

  34. onerror=eval;throw
    "=alert\x281\x29"
    Uncaught=alert(1)

    View Slide

  35. View Slide

  36. 字數限制

    View Slide


  37. 13 字

    View Slide

  38. 利利⽤用現有資訊

    View Slide

  39. onload=
    eval(`'`+location)>
    13 + 18 = 31 字

    View Slide

  40. a.com#';alert(1)
    `'` + location
    => 'a.com#';alert(1)

    View Slide

  41. onload=
    eval(`'`+document.URL)>
    13 + 22 = 35 字

    View Slide

  42. onload=
    eval(`'`+document.URL)>
    13 + 22 = 35 字
    9 個字

    View Slide

  43. onload=
    eval(`'`+URL)>
    13 + 13 = 26 字

    View Slide

  44. View Slide

  45. View Slide

  46. Q6
    name = 123
    typeof name === "number"

    View Slide

  47. Q6
    name = 123
    typeof name === "number"

    View Slide

  48. example.com
    window.name

    View Slide

  49. huli.tw
    window.name

    View Slide

  50. onload=
    eval(name)>
    13 + 10 = 23 字

    View Slide

  51. https://tinyxss.terjanq.me/

    View Slide

  52. Agenda
    1. 繞過各種限制

    2. side channel attack

    3. 其他你不知道的功能

    View Slide

  53. Agenda
    1. 繞過各種限制

    2. Cross site leaks (XS leak)

    3. 其他你不知道的功能

    View Slide

  54. Download
    請輸入要搜尋的使⽤用者名稱
    example.com/download

    View Slide

  55. Download
    請輸入要搜尋的使⽤用者名稱
    查無使⽤用者
    example
    example.com/download?q=example

    View Slide

  56. Download
    請輸入要搜尋的使⽤用者名稱
    a
    example.com/download?q=a

    View Slide

  57. Download
    請輸入要搜尋的使⽤用者名稱
    a

    View Slide

  58. 然後呢,我們能做什什麼?

    View Slide

  59. Download
    請輸入要搜尋的使⽤用者名稱
    iframe
    example.com/download
    huli.tw

    View Slide

  60. Download
    請輸入要搜尋的使⽤用者名稱
    iframe
    example
    example.com/download?q=example
    huli.tw

    View Slide

  61. Download
    請輸入要搜尋的使⽤用者名稱
    iframe
    example
    iframe.contentWindow.origin
    example.com/download?q=example
    huli.tw

    View Slide

  62. Download
    請輸入要搜尋的使⽤用者名稱
    iframe
    a
    iframe.contentWindow.origin
    example.com/download?q=a
    huli.tw

    View Slide

  63. View Slide

  64. example.com/users/123
    David
    id=message
    傳送訊息

    View Slide

  65. example.com/users/210
    Peter
    id=add
    加入好友

    View Slide

  66. 然後呢,我們能做什什麼?

    View Slide

  67. example.com/users/123
    David
    id=message
    傳送訊息

    View Slide

  68. example.com/users/123#message
    David
    id=message
    傳送訊息 focus

    View Slide

  69. iframe
    example.com/users/123#message
    huli.tw
    David
    id=message
    傳送訊息

    View Slide

  70. View Slide

  71. Agenda
    1. 繞過各種限制

    2. side channel attack

    3. 其他你不知道的功能

    View Slide

  72. example.com/files example.com/blog
    上傳各種檔案 放各種⽂文章

    View Slide

  73. example.com/files example.com/blog
    path: /files path: /blog
    上傳各種檔案 放各種⽂文章

    View Slide

  74. example.com/files example.com/blog
    path: /files path: /blog
    放各種⽂文章
    
<br/>alert(1)
<br/>
    files/xss.html

    View Slide

  75. example.com/files example.com/blog
    path: /files path: /blog
    放各種⽂文章
    
<br/>alert(1)
<br/>
    files/xss.html

    View Slide

  76. View Slide

  77. View Slide

  78. example.com
    ……….

    View Slide

  79. example.com
    ………. 
<br/>alert(1)
<br/>

    View Slide

  80. example.com
    ………. 
<br/>alert(1)
<br/>

    View Slide

  81. View Slide

  82. View Slide

  83. Agenda
    1. 繞過各種限制

    2. side channel attack

    3. 其他你不知道的功能

    View Slide

  84. 資料來來源
    1.https://tinyxss.terjanq.me/
    2.https://xsleaks.dev/
    3.LINE CTF 2021
    4.DiceCTF 2021
    5.zer0pts CTF 2021

    View Slide

  85. google:
    cymetrics blog

    View Slide