
CodeBlue2014 -JP- libinjection-from sqli to xss


Nick Galbreath

February 16, 2014


Transcript

  1. Nick Galbreath
     @ngalbreath • Founder/CTO of Signal Sciences Corp
     • Previously: IponWeb (Moscow, Tokyo) • Before that: Etsy.com (New York City)
  2. What is libinjection? • A small library for detecting SQLi attacks • Written in C • APIs for Python, lua and php • First presented at Black Hat
     USA 2012 • Open source, BSD license • https://github.com/client9/libinjection
  3. libinjection SQLi today • Version 3.9.1 • 8000 SQLi fingerprints •
     400+ unit tests • 85,000+ SQLi samples
  4. Where it is used today • mod_security WAF http://www.modsecurity.org/ • ironbee WAF https://www.ironbee.com/ •
     glastopf honeypot http://glastopf.org/ • private WAFs • inside various companies • third-party Java implementation
     https://github.com/Kanatoko/libinjection-Java • third-party .NET implementation
     https://github.com/kochetkov/Libinjection.Net
  5. XSS

  6. HTML injection • HTML injection is an attack on the HTML tokenization algorithm
     (the text "<b>foo</b>" becomes the tokens <b>, foo, </b>) • The goal is to switch the HTML context into a JavaScript context and add new JavaScript • These attacks should be detectable
  7. HTML injection samples
     <b>XSS</b> (HTML) <foo XSS> (tag attribute name)
     <foo name=XSS> (tag attribute value) <foo name='XSS'> (inside quotes) <foo name="XSS"> (inside quotes) <foo name=`XSS`> (IE only!)
  8. More than 60% of desktop browsers are HTML5 http://tnw.co/1cqFueo
     IE 9 9% • IE 10 11% • IE 11 10% • Firefox 14% • Chrome 13% • Safari 5% ------------ HTML5 62%
  9. The rest is IE6, IE7, IE8 • IE6 disappearing is only a matter of time • IE7 has just 2% market share • IE8 has 20% market share
     • Almost all of it on Windows XP • These market shares will not grow any further
  10. HTML injection attacks in HTML5 web browsers • No: XML / XSLT injection
     • No: IE6, IE7, Opera, old versions of Firefox and Chrome • No: DOM-style attacks
  11. Tokenization sample: <img src="junk" onerror=alert(1);>
      TAG_NAME_OPEN   img
      ATTR_NAME       src
      ATTR_VALUE      junk
      ATTR_NAME       onerror
      ATTR_VALUE      alert(1);
      TAG_NAME_CLOSE  >
  12. Check in different HTML contexts. Each input is checked in six different HTML contexts: <b>XSS</b> (raw HTML) <foo XSS> (tag
     attribute name) <foo name=XSS> (tag attribute value) <foo name='XSS'> (inside quotes) <foo name="XSS"> (inside quotes) <foo name=`XSS`> (IE only!)
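The tokenizer trace on slide 11 and the six-context loop on slide 12 together describe the detection approach. The Python below is an added illustration written for this page, not libinjection's own code or API (libinjection itself is C); the token names TAG_NAME_OPEN, ATTR_NAME, ATTR_VALUE and TAG_NAME_CLOSE come from the slide, while TAG_CLOSE, TAG_COMMENT, DATA, the context labels and the rules in is_xss are this example's own assumptions. It tokenizes with HTML5 rules (a "<?" or non-comment "<!" opens a bogus comment that runs to the next ">", a "/" between attributes is ignored, and backticks are plain data), then wraps a constructed payload in the six contexts from slide 12 and reports in which of them it turns into an event-handler attribute, a <script> tag or a javascript: URL.

```python
"""Toy HTML5-style tokenizer plus a "check the payload in six HTML contexts" driver.
Added illustration for this page; not libinjection's code or API (which is C)."""
import html

# TAG_NAME_OPEN / ATTR_NAME / ATTR_VALUE / TAG_NAME_CLOSE follow the slide's trace;
# TAG_CLOSE, TAG_COMMENT and DATA are this example's own names (assumption).
TAG_NAME_OPEN = "TAG_NAME_OPEN"    # "<img"
TAG_NAME_CLOSE = "TAG_NAME_CLOSE"  # the ">" that ends a start tag
TAG_CLOSE = "TAG_CLOSE"            # "</b>"
ATTR_NAME = "ATTR_NAME"
ATTR_VALUE = "ATTR_VALUE"
TAG_COMMENT = "TAG_COMMENT"        # "<!-- -->" and HTML5 bogus comments "<!x ...>" / "<?x ...>"
DATA = "DATA"                      # text between tags

WS = " \t\n\r\f"


def tokenize(src):
    """Return a list of (kind, value) tokens following HTML5 tokenizer rules:
    attributes are whitespace separated, "/" between attributes is ignored,
    unquoted values run to whitespace or ">", and only ' and " quote a value
    (the backtick is plain data here as in HTML5; old IE treated it as a quote)."""
    toks = []
    i, n = 0, len(src)
    while i < n:
        if src[i] != "<":
            j = src.find("<", i)
            j = n if j < 0 else j
            toks.append((DATA, src[i:j]))
            i = j
            continue
        if src.startswith("<!--", i):                  # real comment
            j = src.find("-->", i + 4)
            toks.append((TAG_COMMENT, src[i + 4:n if j < 0 else j]))
            i = n if j < 0 else j + 3
            continue
        if i + 1 < n and src[i + 1] in "!?":           # bogus comment: runs to the next ">"
            j = src.find(">", i + 2)
            toks.append((TAG_COMMENT, src[i + 2:n if j < 0 else j]))
            i = n if j < 0 else j + 1
            continue
        is_end = i + 1 < n and src[i + 1] == "/"
        p = i + 2 if is_end else i + 1
        if p >= n or not (src[p].isascii() and src[p].isalpha()):
            toks.append((DATA, "<"))                   # a "<" not starting a tag is text
            i += 1
            continue
        q = p
        while q < n and src[q] not in WS + "/>":
            q += 1
        name = src[p:q].lower()
        if is_end:                                     # "</b ...>": skip to ">"
            j = src.find(">", q)
            toks.append((TAG_CLOSE, name))
            i = n if j < 0 else j + 1
            continue
        toks.append((TAG_NAME_OPEN, name))
        i = q
        while i < n:                                   # attribute list
            while i < n and src[i] in WS + "/":
                i += 1
            if i >= n:
                break
            if src[i] == ">":
                toks.append((TAG_NAME_CLOSE, ">"))
                i += 1
                break
            q = i
            while q < n and src[q] not in WS + "/=>":  # anything else, even quotes, is a name char
                q += 1
            toks.append((ATTR_NAME, src[i:q].lower()))
            i = q
            while i < n and src[i] in WS:
                i += 1
            if i < n and src[i] == "=":
                i += 1
                while i < n and src[i] in WS:
                    i += 1
                if i < n and src[i] in "\"'":          # quoted value
                    j = src.find(src[i], i + 1)
                    toks.append((ATTR_VALUE, src[i + 1:n if j < 0 else j]))
                    i = n if j < 0 else j + 1
                else:                                  # unquoted value
                    q = i
                    while q < n and src[q] not in WS + ">":
                        q += 1
                    toks.append((ATTR_VALUE, src[i:q]))
                    i = q
    return toks


URL_ATTRS = {"src", "href", "action", "formaction", "data"}


def _is_js_url(value):
    """Decode entities (&Tab; &colon; ...) like a browser, strip leading controls and
    any tab/CR/LF as URL parsing does, then look for the javascript: scheme."""
    v = html.unescape(value).lstrip("".join(chr(c) for c in range(0x21)))
    v = v.replace("\t", "").replace("\n", "").replace("\r", "")
    return v.lower().startswith("javascript:")


def is_xss(tokens):
    """True if the token stream switches the HTML context into JavaScript."""
    last_attr = None
    for kind, value in tokens:
        if kind == TAG_NAME_OPEN and value == "script":
            return True
        if kind == ATTR_NAME:
            last_attr = value
            if value.startswith("on") and len(value) > 2:   # onerror, onload, ...
                return True
        if kind == ATTR_VALUE and last_attr in URL_ATTRS and _is_js_url(value):
            return True
    return False


# The six contexts from slide 12; the labels are this example's own.
CONTEXTS = {
    "raw HTML": "<b>{}</b>",
    "attribute name": "<foo {}>",
    "unquoted attr value": "<foo name={}>",
    "single-quoted value": "<foo name='{}'>",
    "double-quoted value": '<foo name="{}">',
    "backtick value (IE)": "<foo name=`{}`>",
}


def check_contexts(payload):
    """Map each context name to whether the payload becomes XSS in that context."""
    return {name: is_xss(tokenize(tpl.format(payload))) for name, tpl in CONTEXTS.items()}


def is_xss_anywhere(payload):
    return any(check_contexts(payload).values())


if __name__ == "__main__":
    for kind, value in tokenize('<img src="junk" onerror=alert(1);>'):  # the slide's sample
        print(f"{kind:15} {value}")
    for payload in ('<img src=x onerror=alert(1)>',    # constructed: XSS in any unquoted context
                    '" onerror=alert(1) x="',          # constructed: only escapes the double-quoted context
                    'hello <b>world</b>',              # constructed: harmless markup
                    '<?img src=x onerror=alert(1)>'):  # constructed: a bogus comment as raw HTML
        print(repr(payload), check_contexts(payload))
```

Running the six contexts side by side is what makes the check context-free from the caller's point of view: the payload `" onerror=alert(1) x="` is inert as raw HTML and inside single quotes, but becomes an event handler once it lands in a double-quoted attribute value. Note also that `<?img ...>` is a bogus comment as raw HTML under HTML5 rules, yet the same bytes inserted as an attribute name do yield an onerror attribute, which is why each input has to be tried in every context rather than only as a document fragment.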
  13. $ make test-xss
      ./reader -t -i -x -m 10 ../data/xss*
      ../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'>
      ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'>
      ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'>
      ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `>
      ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!>
      ../data/xss-soaj1664ashar.txt 21 False <form/action=ja&Tab;vascr&Tab;ipt&colon;confirm(document.cookie)> <button/type=submit>
      ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script>
      ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)>
      XSS : 1628 SAFE : 11 TOTAL : 1639
      Threshold is 10, got 11, failing.
      1639 samples in total; 1628 correctly detected as XSS; 11 missed (false negatives)
  14. TO DO as of 2014-02-18 • Still alpha: some wonderful bugs are probably still hiding in there at this point • QA for false negatives is not finished •
     Some IE-specific injections are not handled yet • No test bed for experimenting (maybe later this week) • Need more QA and better code coverage • Scripting-language support is not there yet (coming soon)