XSS Attacks through PATH

Transcript

1. View Slide

2. View Slide

3. View Slide

4. View Slide

5. FIRST
   H A L F
   

   View Slide

6. https://host/tags/aaa/
   ...
   
   
   
   
   ...
   

   View Slide

7. ...
   
   content="https://host/path/index">
   
   ...
   https://host/path/index?p=1
   

   View Slide

8. ...
   
   content="https://host/path/index;aaa">
   
   ...
   https://host/path/index;aaa?p=1
   

   View Slide

9. View Slide

10. http://php.net/index.php
    http://php.net/index.php/xxx/yyy/zzz
    

    View Slide

11. http://shibuyaxss.connpass.com/event/28232/
    http://shibuyaxss.connpass.com/event/28232/;abc
    

    View Slide

12. View Slide

13. SCRIPT_URL /test.php/PATH
    SCRIPT_URI http://localhost/test.php/PATH
    PATH_INFO /PATH
    PATH_TRANSLATED \PATH<\b>
    PHP_SELF /test.php/PATH
    

    View Slide

14. GET /path?query HTTP/1.1
    The URI which was given in order to access this page;
    for instance, '/index.html'.
    http://php.net/manual/ja/reserved.variables.server.php
    

    View Slide

15. /test.php/PATH?QUERY
    GET
    /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%
    3C/b%3E HTTP/1.1
    QUERY_STRING %3Cb%3EQUERY%3C/b%3E
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?
    %3Cb%3EQUERY%3C/b%3E
    

    View Slide

16. /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    GET /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    HTTP/1.1
    QUERY_STRING QUERY
    REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?QUERY
    

    View Slide

17. http://localhost/test.php/PATH
    GET /test.php/PATH HTTP/1.1
    

    View Slide

18. /test.php/%3Cb%3EPATH%3C/b%3E
    GET /test.php/PATH HTTP/1.1
    REQUEST_URI /test.php/PATH
    location.pathname
    /test.php/%3Cb%3EPATH%3C/b%3E
    

    View Slide

19. View Slide

20. LATER
    H A L F
    

    View Slide

21. View Slide

22. View Slide

23. View Slide

24. View Slide

25. View Slide

26. View Slide

27. View Slide

28. View Slide

29. View Slide

30. View Slide

31. View Slide

32. View Slide

33. View Slide

34. HTTP/1.1 200 OK
    Content-Type: text/html; charset=UTF-8
    X-UA-Compatible: IE=9
    
    
    
    

    View Slide

35. 
    
    
    

    View Slide

36. ifr=document.createElement('');
    document.body.appendChild(ifr);
    InvalidCharacterError
    

    View Slide

37. 
    <br/>console.log(document.documentMode) /* 9 */<br/>
    
    

    View Slide

38. 
    src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%
    2F..%2F..%2Fjizen2#hash">
    

    View Slide

39. src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js">
    
    

    View Slide

40. View Slide

41. View Slide

42. View Slide

43. View Slide

44. View Slide

45. View Slide

46. View Slide

47. View Slide

48. View Slide

49. View Slide

50. View Slide

51. View Slide

52. View Slide