Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
22k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
5.1k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
73k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
13k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
18
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
18k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
22k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.3k

Other Decks in Technology

See All in Technology
79dcb04101764d7bf66f898dd446838e?s=48 tsukubachallenge
0
250
A73e8918471bd7e3065d129e2ed75e98?s=48 ystk_hara
0
430
44b799f91cc48e38c5fe9f5d9c5ecc61?s=48 takaichi00
10
2.2k
7fb060398b26ed622d34921bd64e4f5d?s=48 yoshiakiyamasaki
0
140
01c581e230dd588a5c9b7a8c243c4f43?s=48 u1nakayama
0
340
15d05906370266398f014184d86d17c5?s=48 cyber_unfold
0
470
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
3
270
4ef794bdea63fc6153845bb26bac38a2?s=48 ridwy
0
120
41fc8526e23c360635e0bbe20f2802dc?s=48 cchanabo
1
680
C4221ba79492601eb59a9ef5d4f4bbaa?s=48 nakamuuu
3
170
85da685d91fda190e2e3162d0de248a4?s=48 recruitengineers
4
140
8625dbdd61cc3f8c55da6ee323b5e4ce?s=48 twingob
1
180

Featured

See All Featured
Ef32e0b1ac5082450dc8c1fca3a26b5c?s=48 cherdarchuk
77
270k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
92
4.1k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
25
4.1k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
496
110k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
277
17k
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
364
63k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
633
49k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
162
6.8k
79acae287842acf29084005533a7fb3b?s=48 hursman
111
9.5k
A16eb159db895e3b01d3dc95767ad595?s=48 jonyablonski
36
1.7k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
10
730

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None