Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
22k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
5.1k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
72k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
13k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
18
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
18k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
21k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.2k

Other Decks in Technology

See All in Technology
609308e6510e41133d30460eef1ccd36?s=48 no24oka
0
290
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
320
A101f74d588593108432afc2dec834f2?s=48 cmabe
3
2.5k
8bc2f1f5bfb8ed1f79492bfa7da6ddb1?s=48 hichikawa1126
1
1.2k
0abc75d0ead1b1300178fad993308c67?s=48 motchy1204
1
140
1405a601755e5fcbfdc93a2560368bb1?s=48 freddi
3
180
66ab7440501bcaad37e602c8c9a708db?s=48 yjsong
0
250
35fa62e1944d634eb5cb7fabffb1d84d?s=48 enkuma
0
490
39adbc0cddb8c0ea8470c80248e9e71b?s=48 hyodol2513
1
2.8k
4756285958b3bd553b49ed5ba544ec23?s=48 fasahina
0
340
6ddc65998177a0f05be629dc31321a8f?s=48 kken78
1
160
79b0777f41898e4c9d75d9839d4cb476?s=48 1stship
2
190

Featured

See All Featured
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
222
120k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k
78b475797a14c84799063c7cd073962f?s=48 holman
463
280k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
287
47k
0bce06bd06ee7a2c4f5500f25dcf7f18?s=48 paulrobertlloyd
74
1.6k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
218
16k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
6.8k
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
20
910
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
77
270k
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
85
8.1k
D83926c323d4f9289f947b4b4e76b939?s=48 jensimmons
209
10k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None