Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
21k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
4.9k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
67k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
17k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.4k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
20k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.1k

Other Decks in Technology

See All in Technology
A8f0494d61f79b35ff8a4902c7decb73?s=48 iqbocchi
0
530
33d6320b53f63f6627508095633cf5ce?s=48 yosuke_matsuura
PRO
0
3.4k
48712994d81fae89e671dd3f43b8b7a2?s=48 kappa4
4
2.2k
835671ae91e49b2637313b91dacda1db?s=48 tdys13
4
3.4k
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
940
0e20ab5db11ca70d818a4f10bfea9c9c?s=48 ymas0315
0
160
Bf7fe621f4fe1615c228ef8a79b87282?s=48 shirayanagiryuji
1
410
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
230
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
190
567600e04dbcb14d6bd8f120e6625a27?s=48 tsuyo
0
180
19fc8f6113c5c3d86e6176362ff29479?s=48 kanaugust
PRO
0
170

Featured

See All Featured
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
332
29k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
23
3.8k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
9
530
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
437
28k
1b8ad785acdd1ce1c99914b1c2a4e10e?s=48 sugarenia
233
830k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
30
3.3k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
11
1.3k
Dafc4723e9a1c067796c0fec6f509774?s=48 lemiorhan
626
42k
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
780
240k
245cee81a9c424266e5e401d844ea881?s=48 lara
172
9.5k
D67fff74178013024d833b3eec6cf27f?s=48 lynnandtonic
270
16k
7fa6101cd43067653cf4ac6c7ca54305?s=48 akmur
252
19k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None