Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CodeBlue2014 -JP- libinjection-from sqli to xss
Search
Nick Galbreath
February 16, 2014
Programming
2.8k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
CodeBlue2014 -JP- libinjection-from sqli to xss
Nick Galbreath
February 16, 2014
More Decks by Nick Galbreath
See All by Nick Galbreath
signalsciences2014.pdf
ngalbreath
0
56
Positive Outcomes from Zero Days
ngalbreath
0
390
Summary of Swiss Cyber Storm 2016
ngalbreath
0
350
Resilient Software Engineering
ngalbreath
0
580
Web App Security in an Agile World
ngalbreath
0
180
Rugged Software Engineering 2015-10-22
ngalbreath
1
95
BYOD DevOpsDays 2015
ngalbreath
0
490
Secure Application Development with Golang
ngalbreath
1
720
Bringing Your Own Dependencies
ngalbreath
0
200
Other Decks in Programming
See All in Programming
コーディングルールの鮮度を保ちたい for SRE NEXT 2026 / keep-fresh-go-internal-conventions-sre-next-2026
handlename
0
120
AI駆動開発を妨げる技術的負債の解消アプローチ / ai-refactoring-approach
minodriven
17
8.7k
Signal Forms: Details & Live Coding @enterJS 2026 in Mannheim
manfredsteyer
PRO
0
220
自作OSでスライド発表する
uyuki234
1
3.7k
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
140
「AIで開発し、AIを届ける」をEvalでつなぐ 〜AIネイティブに始めるプロダクト開発の実践〜 / Connecting "Develop with AI, deliver AI" with Eval
rkaga
4
5.7k
ECSアプリログをFireLensでコスト削減しようとしたけど諦めた話 in Fargate×Node.js
akihisaikeda
2
4.2k
Creating Composable Callables in Contemporary C++
rollbear
0
190
Claude Opus 4.6以後の受託開発エンジニアの変化(Claude Code開発ノウハウ大公開スペシャルbyクラスメソッド)
iidatakuma
1
340
symfony/aiとlaravel/boost
77web
0
120
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
12
4.6k
トークンをケチるな、設計しろ:GitHub Copilotを賢く使うコンテキスト戦略
ochtum
0
300
Featured
See All Featured
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
400
How to train your dragon (web standard)
notwaldorf
97
6.7k
Joys of Absence: A Defence of Solitary Play
codingconduct
1
410
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
800
The Director’s Chair: Orchestrating AI for Truly Effective Learning
tmiket
1
210
How to Align SEO within the Product Triangle To Get Buy-In & Support - #RIMC
aleyda
2
1.6k
Producing Creativity
orderedlist
PRO
348
40k
Speed Design
sergeychernyshev
33
1.9k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.2k
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
190
Designing for humans not robots
tammielis
254
26k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
11
960
Transcript
libinjection SQLi͔ΒXSS·Ͱ Nick Galbreath @ngalbreath! Signal Sciences Corp!
[email protected]
Code
Blue ∙ ౦ژ ∙ 2014-02-18 ϦϒΠϯδΣΫγϣϯ
This is also in English! ຊޠͪ͜Βˣ https://speakerdeck.com/ngalbreath/ codeblue2014-en-libinjection-from-sqli-to-xss https://speakerdeck.com/ngalbreath/ codeblue2014-jp-libinjection-from-sqli-to-xss
χοΫɾΨϧϒϨε Nick Galbreath @ngalbreath • ϑΝϯμʔ/CTO of Signal Sciences Corp
• લ৬: IponWeb (Ϟείϫ, ౦ژ) • ͦͷલ: Etsy.com (χϡʔϤʔΫࢢ)
ʮlibinjectionʯͱʁ • SQLi߈ܸΛݕग़͢ΔͨΊͷখ͞ͳϥΠϒϥϦʔ • Cݴޠ • PythonɺluaɺphpͷAPI • Black Hat
USA 2012Ͱॳొ • ΦʔϓϯιʔεͱBSDϥΠηϯε • https://github.com/client9/libinjection
ͳΜͰlibinjectionͳͷ? • طଘͷݕग़ͷ΄ͱΜͲ͕ਖ਼نදݱͰߦΘΕΔ • Ϣχοτςετ͕ͳ͍ • ύϑΥʔϚϯεʢʣςετ͕ͳ͍ • ιʔείʔυͷΧόʔྖҬςετ͕ͳ͍ •
ਖ਼֬ੑͷςετ͕ͳ͍ • ޡݕग़ͷςετ͕ͳ͍
libinjection SQLiͷݱࡏ • Version 3.9.1 • 8000 SQLi ಛ •
400+ Ϣχοτςετ • 85,000+ SQLi αϯϓϧ
ݱࡏͷΘΕํ • mod_security WAF http://www.modsecurity.org/ • ironbee WAF https://www.ironbee.com/ •
glastopf honeypot http://glastopf.org/ • ϓϥΠϕʔτͳWAFs • ͞·͟·ͳاۀͰ • αʔυύʔςΟͷJava࣮ https://github.com/Kanatoko/libinjection-Java • αʔυύʔςΟͷ.NET࣮ https://github.com/kochetkov/ Libinjection.NetLibinjection.Net
XSS
SQLiͱͷྨࣅੑ • ඪ४తͳϥΠϒϥϦʔ͕ͳ͍ • ͋Δͱͯ͠ݶΒΕͨςετ͔͠ଘࡏ͠ͳ͍ • ਖ਼نදݱʹج͍ͮͨݕग़ • ͬͱྑ͘Ͱ͖ͳ͍͔ʁ
2छྨͷXSS • HTML ΠϯδΣΫγϣϯ߈ܸ • Javascript ΠϯδΣΫγϣϯ߈ܸ
XSS Javascript ΠϯδΣΫγϣϯ • DOMελΠϧͷ߈ܸ • طଘͷjavascriptίʔυͷ߈ܸ • ຊͷݕग़ΫϥΠΞϯτͰ͔͠Ͱ͖ͳ͍
• ͔ͳΓͷ
HTML ΠϯδΣΫγϣϯ • HTML ΠϯδΣΫγϣϯͱɺHTMLͷτʔΫϯԽ ΞϧΰϦζϜʹର͢Δ߈ܸ (text “<b>foo</b>” to
tags <b>, foo, </b>) • HTMLͷίϯςΩετΛjavascriptʹมߋ͠ɺ৽͍͠ javascriptΛՃ͢Δ͜ͱ͕త • ͜ΕΒͷ߈ܸݕग़Ͱ͖Δ͖
HTML ΠϯδΣΫγϣϯ αϯϓϧ <b>XSS</b> (HTML) <foo XSS> (tag attribute name)
<foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)
HTML τʔΫϯԽΣϒϒϥβ • ͜Ε·Ͱɺͯ͢ͷϒϥβʔHTMLΛҟͳΔํ๏Ͱ τʔΫϯԽ͍ͯͨ͠ • յΕͨHTMLλάɺఆ֎ͷจࣈΤϯίʔυΛͬͨ ͋ΒΏΔ߈ܸ͕ൃੜͯ͠͠·͍ͬͯͨ • ݱࡏͰɺ΄΅ͯ͢ͷϒϥβʔ͕HTML5Ͱنఆ͞
ΕͨΞϧΰϦζϜΛ༻͍ͯ͠Δ • HTML5ͷΞϧΰϦζϜͱͯਖ਼֬
ͯ͢ͷεςοϓ http://www.w3.org/html/wg/drafts/html/CR/syntax.html#tokenization
εςοϓ͕͔ͳΓ໌֬
σεΫτοϓϒϥβͷ60ˋҎ্ɺ HTML5Ͱ͋Δ http://tnw.co/1cqFueo IE 9 9% IE 10 11% IE
11 10% Firefox 14% Chrome 13% Safari 5% ------------ HTML5 62%
ϞόΠϧϒϥβͷ90ˋ͕ HTML5Ͱ͋Δ http://bit.ly/JQSZxb
Γ͕ɺIE6ɺIE7ɺIE8 • IE6 ͕ফ͑Δͷ࣌ؒͷ • IE7 ͷࢢγΣΞͨͬͨ2% • IE8 ͷࢢγΣΞ20%
• ΄ͱΜͲ͕Windows XP • ͜ΕΒͷࢢγΣΞ͕͜ΕҎ্૿͑Δ͜ͱͳ͍
libinjection XSS
HTML̑Σϒϒϥβ ʹ͓͚ΔHTML ΠϯδΣΫ γϣϯ߈ܸ • No: XML / XSLT ΠϯδΣΫγϣϯ
• No: IE6ɺIE7ɺOpera • FFɺChromeͷݹ͍όʔδϣϯ • No: DOMελΠϧͷ߈ܸ
libinjection HTML5 • શͳHTML5τʔΫϯԽ • πϦʔDOMΛߏங͠ͳ͍ • ͍͔ͳΔσʔλίϐʔ͠ͳ͍
τʔΫϯԽͷαϯϓϧ TAG_NAME_OPEN img ATTR_NAME src ATTR_VALUE junk ATTR_NAME onerror ATTR_VALUE
alert(1); TAG_NAME_CLOSE > <img src=“junk” onerror=alert(1);>
ҟͳΔHTMLίϯςΩετͰ νΣοΫ ֤Πϯϓοτɺ6ͭͷҟͳΔHTMLίϯςΩετͰνΣοΫ͞Ε Δɻ <b>XSS</b> (raw HTML) <foo XSS> (tag
attribute name) <foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)
ͷ͋ΔτʔΫϯΛআ֎ • ͷ͋ΔλάɺΞτϦϏϡʔτɺόϦϡʔ͕আ֎͞ ΕΔɻ • λάɿ<script>ɺXML·ͨSVGʹؔ࿈͢Δͯ͢ • ΞτϦϏϡʔτͷ໊લ: on*ͳͲ •
ΞτϦϏϡʔτͷόϦϡʔɿjavascriptͷURL • ͳͲͳͲ
τϨʔχϯάσʔλ
XSS Cheat Sheets • ΄ͱΜͲ͕࣌ޮ(Firefox 3! ) • ݹ͍߈ܸ͕আڈ͞ΕΔ
HTML5SEC.org • ૉΒ͍͠ใࢿݯ • Ұ෦ݹ͍߈ܸͳͲ࠷৽Ͱͳ͍ͷ
@soaj1664ashar • ৽͍͠߈ܸΛఆظతʹ։ൃͯ͠Δ • XSS͕͖ͳΒɺ൴ΛϑΥϩʔ͠Α͏ • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA •
http://bit.ly/1iXODkW
߈ܸ /εΩϟφʔ • XSSεΩϟφʔͷΞτϓοτΛ׆༻ • Shazzer fuzzͷσʔλϕʔε http://shazzer.co.uk/ (ModSecurityνʔϜͷ͓͔͛)
ݱࡏͷঢ়گ
طʹ׆༻Ͱ͖·͢ • github https://github.com/client9/libinjection • ΣϒαΠτ https://libinjection.client9.com/ • ·ͩΞϧϑΝஈ֊
$ make test-xss ./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'> ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'> ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'> ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `> ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!> ../data/xss-soaj1664ashar.txt 21 False <form/action=ja	vascr	ipt:confirm(document.cookie)> <button/type=submit> ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)> ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script> ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ! XSS : 1628 SAFE : 11 TOTAL : 1639 ! Threshold is 10, got 11, failing. 1639݅ͷ૯αϯϓϧ 1628͕݅ਖ਼͍͠XSSݕग़ 11݅ͷݕग़࿙Ε
IEɿҾ༻ූʹؔ͢Δ • IE 8ɺӳޠͰ͍͏ͱ͜Ζͷ‘unbalanced quotes’ ʢҾ༻ූ͕ਖ਼͘͠ด͍ͯ͡ͳ͍ͳͲʣʹର͢Δಈ࡞ ͕͓͔͍͠ • ͜ͷʹؔͯ͠ݱࡏରԠ͕ਐߦத <img
src="x` `<script>alert(1)</script>"` `>
ύϑΥʔϚϯε ݅Ҏ্Λ ඵͰνΣοΫ
2014-02-18ͷTO DO • ·ͩΞϧϑΝஈ֊ — ݱ࣌ͰૉΒ͍͠ϛε͕Ӆ͞Ε͍ͯΔ Մೳੑ͋Δ • ݕग़࿙Εʹؔ͢ΔQAະ •
Ұ෦ͷIEΠϯδΣΫγϣϯʹະରԠ • ࣮ݧͷͨΊͷςετϕου͕ͳ͍ʢࠓिޙʹͰʣ • QAͷॆ࣮ɺίʔυͷΧόϨοδͷڧԽ͕ඞཁ • εΫϦϓτݴޠͷରԠ·ͩʢ͍ۙ͏ͪʣ
[email protected]
͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ