Usable Starting Tomorrow?! XSS-via-PATH Techniques / Shibuya.XSS techtalk #7

Slides for Shibuya.XSS techtalk #7.

Masato Kinugawa

March 29, 2016

Transcript

  1. https://host/tags/aaa/
    ...




    ...

  2. ...

    content="https://host/path/index">

    ...
    https://host/path/index?p=1

  3. ...

    content="https://host/path/index;aaa">

    ...
    https://host/path/index;aaa?p=1

  4. http://php.net/index.php
    http://php.net/index.php/xxx/yyy/zzz

  5. http://shibuyaxss.connpass.com/event/28232/
    http://shibuyaxss.connpass.com/event/28232/;abc

  6. SCRIPT_URL /test.php/PATH
    SCRIPT_URI http://localhost/test.php/PATH
    PATH_INFO /PATH
    PATH_TRANSLATED \PATH<\b>
    PHP_SELF /test.php/PATH

  7. GET /path?query HTTP/1.1
    http://php.net/manual/ja/reserved.variables.server.php

  8. /test.php/PATH?QUERY
    GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E HTTP/1.1
    QUERY_STRING %3Cb%3EQUERY%3C/b%3E
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E
    http://localhost/test.php/PATH?QUERY

  9. /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    GET /test.php/%3Cb%3EPATH%3C/b%3E?QUERY HTTP/1.1
    QUERY_STRING QUERY
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    http://localhost/test.php/PATH?QUERY
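As an added example (mine, not from the deck), the pattern behind slides 2, 3 and 6 to 9 in PHP: a canonical link built from `$_SERVER['PHP_SELF']`, which carries the percent-decoded PATH_INFO, next to a version that uses SCRIPT_NAME and HTML-encodes it. The host name, the script path and the `$server` array are constructed values mirroring slide 8, not real server output.

```php
<?php
// Added example, not from the deck. Assumes the page is served as
// /path/index.php on https://host and the request is
// GET /path/index.php/%3Cb%3EPATH%3C/b%3E?p=1 (cf. slide 8).

// Vulnerable: PHP_SELF = SCRIPT_NAME + PATH_INFO, and PATH_INFO is already
// percent-decoded by the server, so %3C / %3E in the extra path segment
// reach the markup as < and > while QUERY_STRING and REQUEST_URI stay encoded.
function canonical_link_vulnerable(array $server): string
{
    return '<link rel="canonical" href="https://host' . $server['PHP_SELF'] . '">';
}

// Hardened: take only the script path (no PATH_INFO) and HTML-encode it
// regardless, as for any value placed inside an attribute.
function canonical_link_safe(array $server): string
{
    $path = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<link rel="canonical" href="https://host' . $path . '">';
}

// Constructed $_SERVER values for the request above.
$server = [
    'SCRIPT_NAME'  => '/path/index.php',
    'PATH_INFO'    => '/<b>PATH</b>',                         // decoded
    'PHP_SELF'     => '/path/index.php/<b>PATH</b>',          // decoded
    'REQUEST_URI'  => '/path/index.php/%3Cb%3EPATH%3C/b%3E?p=1', // raw
    'QUERY_STRING' => 'p=1',
];

echo canonical_link_vulnerable($server), "\n";
// <link rel="canonical" href="https://host/path/index.php/<b>PATH</b>">
echo canonical_link_safe($server), "\n";
// <link rel="canonical" href="https://host/path/index.php">
```

Because REQUEST_URI keeps the raw form, percent-encoded angle brackets or quotes inside a path segment (not the query) are what to look for in access logs when checking whether such a reflection is being probed.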

  10. http://localhost/test.php/PATH
    GET /test.php/PATH HTTP/1.1

  11. /test.php/%3Cb%3EPATH%3C/b%3E
    GET /test.php/PATH HTTP/1.1
    REQUEST_URI /test.php/PATH
    location.pathname
    /test.php/%3Cb%3EPATH%3C/b%3E
    http://localhost/test.php/PATH

  12. HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    X-UA-Compatible: IE=9

  13. ifr=document.createElement('');
    document.body.appendChild(ifr);
    InvalidCharacterError


  14. console.log(document.documentMode) /* 9 */

    http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf


  15. src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%2F..%2F..%2Fjizen2#hash">

  16. src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js">