Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Masato Kinugawa
March 29, 2016
Technology
14
25k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
13k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
0
9.5k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.1k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
86k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
21k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.8k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
25k

Other Decks in Technology

See All in Technology
1,800万人が利用する『家族アルバム みてね』におけるK8s基盤のアップグレード戦略と継続的改善 / FamilyAlbum's upgrade strategy and continuous improvement for K8s infrastructure
kohbis
0
300
Autify Company Deck
autifyhq
1
25k
Warningアラートを放置しない!アラート駆動でログやメトリックを自動収集する仕組みによる恩恵
mashiike
2
160
Fivetranでデータ移動を自動化する
hankehly
0
150
Amazon FSx for NetApp ONTAPを 利用するときに気をつけることn選 〜移行プロセスを添えて〜 #devio2023
non97
0
140
監視とオブザーバビリティ 〜 悩む前に確認しておくべきこと / 20230926-ssmjp-monitoring-and-observability
opelab
9
1.3k
Customer-Centricity Unleashed: Transforming Businesses with LINE Tech
linedevth
0
140
Product Ops: Conectando Estratégia e Execução de Produto
rigolon
1
180
今改めて見直してみるラズパイの真価
hamadakoji
1
170
クラウドサイン事業本部 プロダクト組織 紹介資料
bengo4com
0
190
電動マイクロモビリティのシェアサービス「LUUP」におけるEnabling SLOの実践
grimoh
1
200
サービスへの影響を抑えてデータベースの移行を実施したはなし Aurora MySQL -> Cloud SQL
pistatium
0
270

Featured

See All Featured
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
49
16k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Robots, Beer and Maslow
schacon
154
7.6k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
GitHub's CSS Performance
jonrohan
1021
440k
Happy Clients
brianwarren
92
6.1k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
The Power of CSS Pseudo Elements
geoffreycrofte
56
4.6k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
5
670
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
11
880
Designing for humans not robots
tammielis
246
24k

Transcript

  1. View Slide

  2. View Slide

  3. View Slide

  4. View Slide

  5. View Slide

  6. https://host/tags/aaa/
    ...




    ...

    View Slide

  7. ...

    content="https://host/path/index">

    ...
    https://host/path/index?p=1

    View Slide

  8. ...

    content="https://host/path/index;aaa">

    ...
    https://host/path/index;aaa?p=1

    View Slide

  9. View Slide

  10. http://php.net/index.php
    http://php.net/index.php/xxx/yyy/zzz

    View Slide

  11. http://shibuyaxss.connpass.com/event/28232/
    http://shibuyaxss.connpass.com/event/28232/;abc

    View Slide

  12. View Slide

  13. SCRIPT_URL /test.php/PATH
    SCRIPT_URI http://localhost/test.php/PATH
    PATH_INFO /PATH
    PATH_TRANSLATED \PATH<\b>
    PHP_SELF /test.php/PATH

    View Slide

  14. GET /path?query HTTP/1.1
    http://php.net/manual/ja/reserved.variables.server.php

    View Slide

  15. /test.php/PATH?QUERY
    GET
    /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%
    3C/b%3E HTTP/1.1
    QUERY_STRING %3Cb%3EQUERY%3C/b%3E
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?
    %3Cb%3EQUERY%3C/b%3E
    http://localhost/test.php/PATH?QUERY

    View Slide

  16. /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    GET /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    HTTP/1.1
    QUERY_STRING QUERY
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    http://localhost/test.php/PATH?QUERY

    View Slide

  17. http://localhost/test.php/PATH
    GET /test.php/PATH HTTP/1.1

    View Slide

  18. /test.php/%3Cb%3EPATH%3C/b%3E
    GET /test.php/PATH HTTP/1.1
    REQUEST_URI /test.php/PATH
    location.pathname
    /test.php/%3Cb%3EPATH%3C/b%3E
    http://localhost/test.php/PATH

    View Slide

  19. View Slide

  20. View Slide

  21. View Slide

  22. View Slide

  23. View Slide

  24. View Slide

  25. View Slide

  26. View Slide

  27. View Slide

  28. View Slide

  29. View Slide

  30. View Slide

  31. View Slide

  32. View Slide

  33. View Slide

  34. HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    X-UA-Compatible: IE=9



    View Slide




  35. View Slide

  36. ifr=document.createElement('');
    document.body.appendChild(ifr);
    InvalidCharacterError

    View Slide


  37. <br/>console.log(document.documentMode) /* 9 */<br/>

    http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-
    weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

    View Slide


  38. src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%
    2F..%2F..%2Fjizen2#hash">

    View Slide

  39. src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js">

    View Slide

  40. View Slide

  41. View Slide

  42. View Slide

  43. View Slide

  44. View Slide

  45. View Slide

  46. View Slide

  47. View Slide

  48. View Slide

  49. View Slide

  50. View Slide

  51. View Slide

  52. View Slide