Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSでDoSる/ Shibuya.XSS techtalk #11

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
May 16, 2019
Technology
21
5.5k

JSでDoSる/ Shibuya.XSS techtalk #11

Shibuya.XSS techtalk #11 の発表資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

May 16, 2019
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Electron: Abusing the lack of context isolation - CureCon(en)
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
78k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
16k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
18k
ブラウザのUIのバグを探す / Secusoba PopUnder
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.5k
攻撃者視点で見る Service Worker / PWA Study SW
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
23k
USAGE OF XSS FILTER
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.3k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.4k
XSS Attacks through PATH
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
8
16k

Other Decks in Technology

See All in Technology
Learning from AWS Customer Security Incidents [2022]
A431674e1b362e40786876211b77455e?s=48 ramimac
0
490
Kubernetesの上に作る、統一されたマイクロサービス運用体験
5292dd0924f5e440a4b7ff40b165a0b4?s=48 tkuchiki
1
750
目と耳を持った自然言語処理 - スタートアップにおける価値創出のために
64fb973c47087ece7fb9b45d5b8593a4?s=48 yag_ays
PRO
0
520
~スタートアップの人たちに捧ぐ~ 監視再入門 in AWS
Bf5ee9059859ed5d855b5ff4680e63e2?s=48 track3jyo
PRO
30
8.5k
Microsoft 365の中でのPower BIの利用 / M365VM2022
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
1.5k
Embedded SRE at Mercari
Ecb3acc2d246962361a4f8b3f7a6dd12?s=48 tcnksm
0
800
220428event_overview
E55fbffb4afd0a84d36c945ed68d8c19?s=48 caddi_eng
2
210
モデリング、コンテキスト トランジション +1 / Data modeling
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
110
20220510_簡単にできるコスト異常検出(Cost Anomaly Detection) /jaws-ug-asa-cost-anomaly-detection-20220510
97b3cca999b52cb5296675ac0a5c12cd?s=48 emiki
2
310
Research Paper Introduction #98 "NSDI 2022 recap"
464d1574ef169d2457c907e77794d973?s=48 cafenero_777
0
200
Salesforce女子部-権限についてまとめてみたその1
F95794a2051e510588225c20afb7e3b2?s=48 sfggjp
0
180
ニフティでSRE推進活動を始めて取り組んできたこと
374e82d9428869942bed1de094a7ca95?s=48 niftycorp
2
210

Featured

See All Featured
Art, The Web, and Tiny UX
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
280
17k
Streamline your AJAX requests with AmplifyJS and jQuery
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
125
8.5k
Java REST API Framework Comparison - PWX 2021
72a2082c6a4dd79ad68befb3db911616?s=48 mraible
PRO
11
4.6k
Designing for Performance
245cee81a9c424266e5e401d844ea881?s=48 lara
596
63k
A Philosophy of Restraint
C9b18d9dff88a9dd2393364c2b3b21bd?s=48 colly
192
14k
Pencils Down: Stop Designing & Start Developing
79acae287842acf29084005533a7fb3b?s=48 hursman
112
9.8k
Agile that works and the tools we love
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
319
19k
Dealing with People You Can't Stand - Big Design 2015
44b54d2ffcb7857004071cc6795dde11?s=48 cassininazir
350
21k
Adopting Sorbet at Scale
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
63
7.5k
ReactJS: Keep Simple. Everything can be a component!
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
655
120k
Learning to Love Humans: Emotional Interface Design
5f50f94346fbcb23706f0707169317a4?s=48 aarron
261
37k
Happy Clients
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
89
5.5k

Transcript

  1. for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /*

    Masato Kinugawa */

  2. • • •

  3. None

  4. • • • • •

  5. • • • •

  6. • • • • • • • • • •

  7. while(1){ alert(` `); }

  8. • •

  10. • • > decodeURIComponent("%E3%81%82"); < " " > decodeURIComponent("%FF"); ‣

    Uncaught URIError: URI malformed
  11. None

  12. • • • > encodeURIComponent(" "); < "%E3%81%82" > encodeURIComponent("\uDC00");

    ‣ Uncaught URIError: URI malformed

  13. https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode

  14. (function a(){ alert(` `); a(); })()

  15. • • • • / \/ • " \" •

    \ \\ <script> userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents(); </script>

  16. • <script> userInput = "AAA [ ] BBB"; displayContents(); </script>

  17. • <script> userInput = "AAA BBB"; displayContents(); </script>

  18. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  19. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  20. • <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>

  21. • • • • •

  22. <script> userInput = "<!--<script>"; displayContents(); </script>

  23. • • <script> userInput = "<!--<script>"; </script> <textarea></script> <img src=x

    onerror=alert(1)> </textarea>

  24. • • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script- elements

  25. • <script> userInput = "<%"; </script> <textarea>%></script><img src=x onerror=alert(1)> </textarea>

    https://html5sec.org/#91 <xmp> <% </xmp> <textarea> %></xmp><img src=x onerror=alert(1)> </textarea>

  26. • • • • •

  27. setInterval(` alert(\` \`) `,1);

  28. • •

  30. • • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase()

    Uncaught TypeError: userInfo.name.toUpperCase is not a function

  31. siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url;

    title = "title: " + siteData.title;

  32. • • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";

  33. • • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert

    object to primitive value

  34. • • • • •

  35. • > typeof "aaa"; < ‣ "string" > typeof 123;

    < ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"

  36. • • > Array.isArray([]); < ‣ true > Array.isArray({}); <

    ‣ false > null === null < ‣ true

  37. • • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);

    < ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"

  38. <style>*{ color:expression( alert(" ") )}

  39. • • • <toString>AAA</toString>

  40. • • •

  41. • • function tellMeFruitColor(USER_INPUT){ fruits = { "apple":"red", "lemon":"yellow", "peach":"pink"

    }; if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  42. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"
  43. None

  44. • •

  45. https://qiita.com/howdy39/items/35729490b024ca295d6c

  46. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  47. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  48. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  49. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  50. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  51. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  52. > ({"toString":function(){return "a"}})+""; < " " > ({"prop":"a"})+""; < "[object

    Object]"

  53. whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... }

    // whiteListTags[ ] <toString> whiteListTags["toString"]()

  54. fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... }

    // fileIcons[ ] dos.constructor fileIcons["constructor"]

  55. • • • •

  56. • • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; -

    if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  57. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"

  58. • • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {

    ... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  59. • • function tellMeFruitColor(USER_INPUT){ - fruits = { ... };

    + fruits = new Map(["apple","red"], + ["lemon","yellow"], + ["peach","pink"]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }

  60. ({toString: function(){ alert(` `); this+""; } })+"";

  61. • •

  62. • • • USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}}; if(USER_INPUT.constructor.name === "Array"){

    array = []; for (var i = 0; i < USER_INPUT.length; i++) { array.push(USER_INPUT[i]); } }

  63. ==== JS stack trace ========================================= Security context: 00000099763A5549 <JSObject> 1:

    /* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 <JSGlobal Object>) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 <ContextifyScript map = 00000203C25E1319>,options=0000021A2A00C709 <Object map = 00000203C25E13C9>) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1 <REPLServer ... FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory 1: node::DecodeWrite 2: node_module_register 3: v8::internal::FatalProcessOutOfMemory 4: v8::internal::FatalProcessOutOfMemory 5: v8::internal::Factory::NewUninitializedFixedArray 6: v8::internal::WasmDebugInfo::SetupForTesting 7: v8::internal::interpreter::BytecodeArrayRandomIterator::UpdateOffsetFromIndex 8: 000000C1A3D043C1

  64. • • •

  66. • • • • •

  67. for(;;){ alert(` `); } /* */