Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSでDoSる/ Shibuya.XSS techtalk #11

Masato Kinugawa
May 16, 2019
Technology
21
5.7k

JSでDoSる/ Shibuya.XSS techtalk #11

Shibuya.XSS techtalk #11 の発表資料です。

Masato Kinugawa

May 16, 2019
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
81k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
17k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
18k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.6k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
23k
USAGE OF XSS FILTER
masatokinugawa
4
2.4k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
masatokinugawa
7
2.5k
XSS Attacks through PATH
masatokinugawa
8
16k

Other Decks in Technology

See All in Technology
MaintainabilityIndexを 計測しながらコードの保守性を 改善している話
toya108
0
210
カンファレンスに登壇してみよう / Let's try to talk on conference
yumechi
0
140
Brewing better code... What makes a good architecture?
android10
0
110
コミュニティを活用した勉強習慣化.pdf
taketakekaho
1
250
Get the best of both worlds - Integrating Rust with other languages
haraldreingruber
0
110
マトリクス型組織の導入後の変化を定量的に捉える
hagevvashi
0
260
OCI技術資料 : ロード・バランサー 詳細 / Load Balancer 200
ocise
2
6.1k
Protect your backends with Firebase App Check
firebasethailand
0
320
SATySFi で卒論を書いた話
pickoba
0
100
Roslyn とその活用法
nenonaninu
2
290
ふりかえりでふりかえることしかできなかったジュニアチームが、次の打ち手を出せるチームになるのにやったこと
kumagoro95
1
220
Digital campaign
bau
0
190

Featured

See All Featured
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
21
1.5k
Clear Off the Table
cherdarchuk
79
290k
The Brand Is Dead. Long Live the Brand.
mthomps
47
2.8k
Designing for humans not robots
tammielis
244
24k
Optimizing for Happiness
mojombo
364
64k
Building a Scalable Design System with Sketch
lauravandoore
450
30k
A Tale of Four Properties
chriscoyier
149
21k
Mobile First: as difficult as doing things right
swwweet
213
7.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
207
10k
Git: the NoSQL Database
bkeepers
PRO
417
59k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
6
640
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
120
28k

Transcript

  1. for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /*

    Masato Kinugawa */

  2. • • •

  3. None

  4. • • • • •

  5. • • • •

  6. • • • • • • • • • •

  7. while(1){ alert(` `); }

  8. • •

  10. • • > decodeURIComponent("%E3%81%82"); < " " > decodeURIComponent("%FF"); ‣

    Uncaught URIError: URI malformed
  11. None

  12. • • • > encodeURIComponent(" "); < "%E3%81%82" > encodeURIComponent("\uDC00");

    ‣ Uncaught URIError: URI malformed

  13. https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode

  14. (function a(){ alert(` `); a(); })()

  15. • • • • / \/ • " \" •

    \ \\ <script> userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents(); </script>

  16. • <script> userInput = "AAA [ ] BBB"; displayContents(); </script>

  17. • <script> userInput = "AAA BBB"; displayContents(); </script>

  18. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  19. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  20. • <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>

  21. • • • • •

  22. <script> userInput = "<!--<script>"; displayContents(); </script>

  23. • • <script> userInput = "<!--<script>"; </script> <textarea></script> <img src=x

    onerror=alert(1)> </textarea>

  24. • • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script- elements

  25. • <script> userInput = "<%"; </script> <textarea>%></script><img src=x onerror=alert(1)> </textarea>

    https://html5sec.org/#91 <xmp> <% </xmp> <textarea> %></xmp><img src=x onerror=alert(1)> </textarea>

  26. • • • • •

  27. setInterval(` alert(\` \`) `,1);

  28. • •

  30. • • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase()

    Uncaught TypeError: userInfo.name.toUpperCase is not a function

  31. siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url;

    title = "title: " + siteData.title;

  32. • • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";

  33. • • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert

    object to primitive value

  34. • • • • •

  35. • > typeof "aaa"; < ‣ "string" > typeof 123;

    < ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"

  36. • • > Array.isArray([]); < ‣ true > Array.isArray({}); <

    ‣ false > null === null < ‣ true

  37. • • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);

    < ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"

  38. <style>*{ color:expression( alert(" ") )}

  39. • • • <toString>AAA</toString>

  40. • • •

  41. • • function tellMeFruitColor(USER_INPUT){ fruits = { "apple":"red", "lemon":"yellow", "peach":"pink"

    }; if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  42. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"
  43. None

  44. • •

  45. https://qiita.com/howdy39/items/35729490b024ca295d6c

  46. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  47. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  48. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  49. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  50. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  51. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  52. > ({"toString":function(){return "a"}})+""; < " " > ({"prop":"a"})+""; < "[object

    Object]"

  53. whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... }

    // whiteListTags[ ] <toString> whiteListTags["toString"]()

  54. fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... }

    // fileIcons[ ] dos.constructor fileIcons["constructor"]

  55. • • • •

  56. • • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; -

    if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  57. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"

  58. • • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {

    ... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  59. • • function tellMeFruitColor(USER_INPUT){ - fruits = { ... };

    + fruits = new Map(["apple","red"], + ["lemon","yellow"], + ["peach","pink"]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }

  60. ({toString: function(){ alert(` `); this+""; } })+"";

  61. • •

  62. • • • USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}}; if(USER_INPUT.constructor.name === "Array"){

    array = []; for (var i = 0; i < USER_INPUT.length; i++) { array.push(USER_INPUT[i]); } }

  63. ==== JS stack trace ========================================= Security context: 00000099763A5549 <JSObject> 1:

    /* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 <JSGlobal Object>) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 <ContextifyScript map = 00000203C25E1319>,options=0000021A2A00C709 <Object map = 00000203C25E13C9>) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1 <REPLServer ... FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory 1: node::DecodeWrite 2: node_module_register 3: v8::internal::FatalProcessOutOfMemory 4: v8::internal::FatalProcessOutOfMemory 5: v8::internal::Factory::NewUninitializedFixedArray 6: v8::internal::WasmDebugInfo::SetupForTesting 7: v8::internal::interpreter::BytecodeArrayRandomIterator::UpdateOffsetFromIndex 8: 000000C1A3D043C1

  64. • • •

  66. • • • • •

  67. for(;;){ alert(` `); } /* */