Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSでDoSる/ Shibuya.XSS techtalk #11

Masato Kinugawa
May 16, 2019
Technology
21
6.8k

JSでDoSる/ Shibuya.XSS techtalk #11

Shibuya.XSS techtalk #11 の発表資料です。

Masato Kinugawa

May 16, 2019
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.5k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.1k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
21k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
98k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
25k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
20k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
2.1k

Other Decks in Technology

See All in Technology
EMConf JP 2025 懇親会LT / EMConf JP 2025 social gathering
sugamasao
2
180
2025-02-21 ゆるSRE勉強会 Enhancing SRE Using AI
yoshiiryo1
1
470
IAMポリシーのAllow/Denyについて、改めて理解する
smt7174
2
190
ソフトウェアエンジニアと仕事するときに知っておいたほうが良いこと / Key points for working with software engineers
pinkumohikan
1
140
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
180
わたしがEMとして入社した「最初の100日」の過ごし方 / EMConfJp2025
daiksy
13
4.2k
短縮URLをお手軽に導入しよう
nakasho
0
140
日経のデータベース事業とElasticsearch
hinatades
PRO
0
200
CDKのコードを書く環境を作りました with Amazon Q
nobuhitomorioka
1
150
Reading Code Is Harder Than Writing It
trishagee
2
120
AIエージェント元年
shukob
0
150
Share my, our lessons from the road to re:Invent
naospon
0
130

Featured

See All Featured
Into the Great Unknown - MozCon
thekraken
35
1.6k
Gamification - CAS2011
davidbonilla
80
5.1k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
10
510
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
52k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.7k
Keith and Marios Guide to Fast Websites
keithpitt
411
22k
Faster Mobile Websites
deanohume
306
31k
Embracing the Ebb and Flow
colly
84
4.6k
Become a Pro
speakerdeck
PRO
26
5.2k
GitHub's CSS Performance
jonrohan
1030
460k

Transcript

  1. for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /*

    Masato Kinugawa */

  2. • • •

  3. None

  4. • • • • •

  5. • • • •

  6. • • • • • • • • • •

  7. while(1){ alert(` `); }

  8. • •

  10. • • > decodeURIComponent("%E3%81%82"); < " " > decodeURIComponent("%FF"); ‣

    Uncaught URIError: URI malformed
  11. None

  12. • • • > encodeURIComponent(" "); < "%E3%81%82" > encodeURIComponent("\uDC00");

    ‣ Uncaught URIError: URI malformed

  13. https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode

  14. (function a(){ alert(` `); a(); })()

  15. • • • • / \/ • " \" •

    \ \\ <script> userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents(); </script>

  16. • <script> userInput = "AAA [ ] BBB"; displayContents(); </script>

  17. • <script> userInput = "AAA BBB"; displayContents(); </script>

  18. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  19. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  20. • <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>

  21. • • • • •

  22. <script> userInput = "<!--<script>"; displayContents(); </script>

  23. • • <script> userInput = "<!--<script>"; </script> <textarea></script> <img src=x

    onerror=alert(1)> </textarea>

  24. • • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script- elements

  25. • <script> userInput = "<%"; </script> <textarea>%></script><img src=x onerror=alert(1)> </textarea>

    https://html5sec.org/#91 <xmp> <% </xmp> <textarea> %></xmp><img src=x onerror=alert(1)> </textarea>

  26. • • • • •

  27. setInterval(` alert(\` \`) `,1);

  28. • •

  30. • • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase()

    Uncaught TypeError: userInfo.name.toUpperCase is not a function

  31. siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url;

    title = "title: " + siteData.title;

  32. • • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";

  33. • • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert

    object to primitive value

  34. • • • • •

  35. • > typeof "aaa"; < ‣ "string" > typeof 123;

    < ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"

  36. • • > Array.isArray([]); < ‣ true > Array.isArray({}); <

    ‣ false > null === null < ‣ true

  37. • • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);

    < ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"

  38. <style>*{ color:expression( alert(" ") )}

  39. • • • <toString>AAA</toString>

  40. • • •

  41. • • function tellMeFruitColor(USER_INPUT){ fruits = { "apple":"red", "lemon":"yellow", "peach":"pink"

    }; if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  42. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"
  43. None

  44. • •

  45. https://qiita.com/howdy39/items/35729490b024ca295d6c

  46. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  47. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  48. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  49. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  50. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  51. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  52. > ({"toString":function(){return "a"}})+""; < " " > ({"prop":"a"})+""; < "[object

    Object]"

  53. whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... }

    // whiteListTags[ ] <toString> whiteListTags["toString"]()

  54. fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... }

    // fileIcons[ ] dos.constructor fileIcons["constructor"]

  55. • • • •

  56. • • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; -

    if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  57. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"

  58. • • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {

    ... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  59. • • function tellMeFruitColor(USER_INPUT){ - fruits = { ... };

    + fruits = new Map(["apple","red"], + ["lemon","yellow"], + ["peach","pink"]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }

  60. ({toString: function(){ alert(` `); this+""; } })+"";

  61. • •

  62. • • • USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}}; if(USER_INPUT.constructor.name === "Array"){

    array = []; for (var i = 0; i < USER_INPUT.length; i++) { array.push(USER_INPUT[i]); } }

  63. ==== JS stack trace ========================================= Security context: 00000099763A5549 <JSObject> 1:

    /* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 <JSGlobal Object>) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 <ContextifyScript map = 00000203C25E1319>,options=0000021A2A00C709 <Object map = 00000203C25E13C9>) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1 <REPLServer ... FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory 1: node::DecodeWrite 2: node_module_register 3: v8::internal::FatalProcessOutOfMemory 4: v8::internal::FatalProcessOutOfMemory 5: v8::internal::Factory::NewUninitializedFixedArray 6: v8::internal::WasmDebugInfo::SetupForTesting 7: v8::internal::interpreter::BytecodeArrayRandomIterator::UpdateOffsetFromIndex 8: 000000C1A3D043C1

  64. • • •

  66. • • • • •

  67. for(;;){ alert(` `); } /* */