明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

1a5bce24526a7d6f1ab89678df2d673c?s=47 Masato Kinugawa
March 29, 2016
Technology
14
20k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

1a5bce24526a7d6f1ab89678df2d673c?s=128

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
4.7k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
5
2.2k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
9
3k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
17
9.9k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
35
17k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
2
1.3k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
21
19k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
4
2.1k
1a5bce24526a7d6f1ab89678df2d673c?s=48 masatokinugawa
7
2k

Other Decks in Technology

See All in Technology
5b47136bedcba2799edf4fcd27ea66d7?s=48 yaegashi
0
370
0251532f4fb413ea1a026efe6eb16b87?s=48 stajima
0
260
992ab21437c2ec7c70d9af79ed2a2273?s=48 7110
0
240
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
0
310
783718ebd2faaa896d4cb347835c07fb?s=48 tarotaro0
0
460
A49d01c48e10d19feb8e61310bceabab?s=48 _kensh
2
160
Dacd98e0fcfc478b24f9cd7ec9208904?s=48 manabusakai
0
990
B1cc148711c6a37a5c922b6e72a4ad52?s=48 upura
1
980
1dfa2bb34977b1db41d0d46d4505183f?s=48 osuke
2
2.2k
Ca7e4f1680e175e6462a039923e71fc5?s=48 kyokonishito
0
180
46fdd2ebc85d68659b83d5eb5c6a49aa?s=48 keisukeyamashita
3
380
A645e7c3a6635ead8fa323c583769591?s=48 hololab
0
350

Featured

See All Featured
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
203
6.6k
E14f55d3f939977cecbf51b64ff6f861?s=48 keithpitt
398
20k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
99
5.7k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
236
23k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
119
7.7k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
9
1.3k
245cee81a9c424266e5e401d844ea881?s=48 lara
588
60k
48c098b6579220a67a6ba949be6e4b5a?s=48 revolveconf
195
9.4k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
6
250
8081b26e05bb4354f7d65ffc34cbbd67?s=48 chriscoyier
142
19k
719435d98d452de7ac367c828266cf01?s=48 erikaheidi
5
3.6k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
102
14k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None