Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
21k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
5k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
70k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
12k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
18k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
21k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.2k

Other Decks in Technology

See All in Technology
7975b9fd58c8945ae1c6b38747de7f28?s=48 line_developers_tw2
0
580
164fd510e92a1912155b869b2c333c1e?s=48 tutuz
5
3.1k
E8aaf6f975dda96c47412cf311089243?s=48 tadashi0713
6
1.7k
462feb0fe0493c40d55650da664e8773?s=48 clustervr
PRO
0
120
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
160
D5e41f085758da619761b10b6c54e6af?s=48 chikuta
0
290
Cbc297b07593321e52c75a9ebcc0f843?s=48 jacopen
3
370
D8e79ab09f15e69d600c00131bf7d2a9?s=48 yfutamura
0
610
F6d9eaeab301cb77b4b9d2b99a69eedc?s=48 hfu
0
130
A84b3c763c9c543069b7c02551e2720e?s=48 yuyamada
0
500
6afbe110d33ef7e859fb8649b86bae55?s=48 mashabow
0
140
A97eee01397705443a72a48ce29d3e19?s=48 cybozuinsideout
3
3.1k

Featured

See All Featured
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
192
17k
C51b39fa3c79ccb99dcb8a076bc98287?s=48 brianwarren
82
4.8k
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
302
32k
245cee81a9c424266e5e401d844ea881?s=48 lara
590
61k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
23
1.3k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
217
16k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
93
3.1k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
54
4.4k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
56
9.4k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
311
17k
Af6a12710770ad9a7cfd08c97efd40d3?s=48 pedronauck
653
110k
282d599b414022eba5096510f675b6e2?s=48 chrislema
173
14k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None