Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
JSでDoSる/ Shibuya.XSS techtalk #11
Search
Masato Kinugawa
May 16, 2019
Technology
20
7.1k
JSでDoSる/ Shibuya.XSS techtalk #11
Shibuya.XSS techtalk #11 の発表資料です。
Masato Kinugawa
May 16, 2019
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
masatokinugawa
0
680
Shadow DOM & Security - Exploring the boundary between light and shadow
masatokinugawa
1
1.9k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
4.2k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.6k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
23k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
100k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
28k
Other Decks in Technology
See All in Technology
MySQLのJSON機能の活用術
ikomachi226
0
120
Deno・Bunの標準機能やElysiaJSを使ったWebSocketサーバー実装 / ラーメン屋を貸し切ってLT会! IoTLT 2026新年会
you
PRO
0
190
Mosaic AI Gatewayでコーディングエージェントを配るための運用Tips / JEDAI 2026 新春 Meetup! AIコーディング特集
genda
0
130
Vitest Highlights in Angular
rainerhahnekamp
0
120
Digitization部 紹介資料
sansan33
PRO
1
6.7k
日本語テキストと音楽の対照学習の技術とその応用
lycorptech_jp
PRO
1
390
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
kekke_n
0
160
JuliaTokaiとしてはこれが最後かもしれない(仮) for NGK2026S
antimon2
0
130
3分でわかる!新機能 AWS Transform custom
sato4mi
1
280
月間数億レコードのアクセスログ基盤を無停止・低コストでAWS移行せよ!アプリケーションエンジニアのSREチャレンジ💪
miyamu
0
530
Amazon Bedrock AgentCore EvaluationsでAIエージェントを評価してみよう!
yuu551
0
200
Meshy Proプラン課金した
henjin0
0
150
Featured
See All Featured
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
120
16th Malabo Montpellier Forum Presentation
akademiya2063
PRO
0
44
Facilitating Awesome Meetings
lara
57
6.7k
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
48
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.4k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
130
State of Search Keynote: SEO is Dead Long Live SEO
ryanjones
0
110
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
254
22k
Optimizing for Happiness
mojombo
379
71k
Jess Joyce - The Pitfalls of Following Frameworks
techseoconnect
PRO
1
62
30 Presentation Tips
portentint
PRO
1
200
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
320
Transcript
for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /*
Masato Kinugawa */
• • •
None
• • • • •
• • • •
• • • • • • • • • •
•
while(1){ alert(` `); }
• •
•
• • > decodeURIComponent("%E3%81%82"); < " " > decodeURIComponent("%FF"); ‣
Uncaught URIError: URI malformed
None
• • • > encodeURIComponent(" "); < "%E3%81%82" > encodeURIComponent("\uDC00");
‣ Uncaught URIError: URI malformed
https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode
(function a(){ alert(` `); a(); })()
• • • • / \/ • " \" •
\ \\ <script> userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents(); </script>
• <script> userInput = "AAA [ ] BBB"; displayContents(); </script>
• <script> userInput = "AAA BBB"; displayContents(); </script>
• https://www.ecma-international.org/ecma-262/9.0/index.html#table-33
• https://www.ecma-international.org/ecma-262/9.0/index.html#table-33
• <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>
• • • • •
<script> userInput = "<!--<script>"; displayContents(); </script>
• • <script> userInput = "<!--<script>"; </script> <textarea></script> <img src=x
onerror=alert(1)> </textarea>
• • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script- elements
• <script> userInput = "<%"; </script> <textarea>%></script><img src=x onerror=alert(1)> </textarea>
https://html5sec.org/#91 <xmp> <% </xmp> <textarea> %></xmp><img src=x onerror=alert(1)> </textarea>
• • • • •
setInterval(` alert(\` \`) `,1);
• •
•
• • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase()
Uncaught TypeError: userInfo.name.toUpperCase is not a function
siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url;
title = "title: " + siteData.title;
• • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";
• • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert
object to primitive value
• • • • •
• > typeof "aaa"; < ‣ "string" > typeof 123;
< ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"
• • > Array.isArray([]); < ‣ true > Array.isArray({}); <
‣ false > null === null < ‣ true
• • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);
< ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"
<style>*{ color:expression( alert(" ") )}
• • • <toString>AAA</toString>
• • •
• • function tellMeFruitColor(USER_INPUT){ fruits = { "apple":"red", "lemon":"yellow", "peach":"pink"
}; if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }
> tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"
> tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"
None
• •
https://qiita.com/howdy39/items/35729490b024ca295d6c
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return
"I don't know that fruit"; }
> ({"toString":function(){return "a"}})+""; < " " > ({"prop":"a"})+""; < "[object
Object]"
whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... }
// whiteListTags[ ] <toString> whiteListTags["toString"]()
fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... }
// fileIcons[ ] dos.constructor fileIcons["constructor"]
• • • •
• • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; -
if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }
> tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"
> tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"
• • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {
... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }
• • function tellMeFruitColor(USER_INPUT){ - fruits = { ... };
+ fruits = new Map(["apple","red"], + ["lemon","yellow"], + ["peach","pink"]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }
({toString: function(){ alert(` `); this+""; } })+"";
• •
• • • USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}}; if(USER_INPUT.constructor.name === "Array"){
array = []; for (var i = 0; i < USER_INPUT.length; i++) { array.push(USER_INPUT[i]); } }
==== JS stack trace ========================================= Security context: 00000099763A5549 <JSObject> 1:
/* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 <JSGlobal Object>) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 <ContextifyScript map = 00000203C25E1319>,options=0000021A2A00C709 <Object map = 00000203C25E13C9>) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1 <REPLServer ... FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory 1: node::DecodeWrite 2: node_module_register 3: v8::internal::FatalProcessOutOfMemory 4: v8::internal::FatalProcessOutOfMemory 5: v8::internal::Factory::NewUninitializedFixedArray 6: v8::internal::WasmDebugInfo::SetupForTesting 7: v8::internal::interpreter::BytecodeArrayRandomIterator::UpdateOffsetFromIndex 8: 000000C1A3D043C1
• • •
•
• • • • •
for(;;){ alert(` `); } /* */
masatokinugawa
ikomachi226
you
genda
rainerhahnekamp
sansan33
lycorptech_jp
kekke_n
antimon2
sato4mi
miyamu
yuu551
henjin0
nikkihalliwell
akademiya2063
lara
marketingsoph
marcduiker
dugsong
ryanjones
smashingmag
mojombo
techseoconnect
portentint
reverentgeek
![• <script> userInput = "AAA [ ] BBB"; displayContents(); </script>](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_15.jpg){kind=link}
![• <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_19.jpg){kind=link}
![• • > Array.isArray([]); < ‣ true > Array.isArray({}); <](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_35.jpg){kind=link}
![• • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_36.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_45.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_46.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_47.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_48.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_49.jpg){kind=link}
![if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_50.jpg){kind=link}
![• • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {](https://files.speakerdeck.com/presentations/ba6578ce2cf84cc0ab1f3a1037fa6b24/slide_57.jpg){kind=link}
