明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

by Masato Kinugawa

Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

No content

Slide 3

Slide 3 text

No content

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

https://host/tags/aaa/ ... ...

Slide 7

Slide 7 text

... ... https://host/path/index?p=1

Slide 8

Slide 8 text

... ... https://host/path/index;aaa?p=1

Slide 9

Slide 9 text

No content

Slide 10

Slide 10 text

http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

Slide 11

Slide 11 text

http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

SCRIPT_URL /test.php/PATH SCRIPT_URI http://localhost/test.php/PATH PATH_INFO /PATH PATH_TRANSLATED \PATH<\b> PHP_SELF /test.php/PATH

Slide 14

Slide 14 text

GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

Slide 15

Slide 15 text

/test.php/PATH?QUERY GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E http://localhost/test.php/PATH?QUERY

Slide 16

Slide 16 text

/test.php/%3Cb%3EPATH%3C/b%3E?QUERY GET /test.php/%3Cb%3EPATH%3C/b%3E?QUERY HTTP/1.1 QUERY_STRING QUERY REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?QUERY http://localhost/test.php/PATH?QUERY

Slide 17

Slide 17 text

http://localhost/test.php/PATH GET /test.php/PATH HTTP/1.1

Slide 18

Slide 18 text

/test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/PATH HTTP/1.1 REQUEST_URI /test.php/PATH location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/PATH

Slide 19

Slide 19 text

No content

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

No content

Slide 22

Slide 22 text

No content

Slide 23

Slide 23 text

No content

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

No content

Slide 26

Slide 26 text

No content

Slide 27

Slide 27 text

No content

Slide 28

Slide 28 text

No content

Slide 29

Slide 29 text

No content

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

No content

Slide 32

Slide 32 text

No content

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9

Slide 35

Slide 35 text

Slide 36

Slide 36 text

ifr=document.createElement(''); document.body.appendChild(ifr); InvalidCharacterError

Slide 37

Slide 37 text

console.log(document.documentMode) /* 9 */ http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

Slide 1

Slide 1 text

Slide 2

Slide 2 text

Slide 3

Slide 3 text

Slide 4

Slide 4 text

Slide 5

Slide 5 text

Slide 6

Slide 6 text

Slide 7

Slide 7 text

Slide 8

Slide 8 text

Slide 9

Slide 9 text

Slide 10

Slide 10 text

Slide 11

Slide 11 text

Slide 12

Slide 12 text

Slide 13

Slide 13 text

Slide 14

Slide 14 text

Slide 15

Slide 15 text

Slide 16

Slide 16 text

Slide 17

Slide 17 text

Slide 18

Slide 18 text

Slide 19

Slide 19 text

Slide 20

Slide 20 text

Slide 21

Slide 21 text

Slide 22

Slide 22 text

Slide 23

Slide 23 text

Slide 24

Slide 24 text

Slide 25

Slide 25 text

Slide 26

Slide 26 text

Slide 27

Slide 27 text

Slide 28

Slide 28 text

Slide 29

Slide 29 text

Slide 30

Slide 30 text

Slide 31

Slide 31 text

Slide 32

Slide 32 text

Slide 33

Slide 33 text

Slide 34

Slide 34 text

Slide 35

Slide 35 text

Slide 36

Slide 36 text

Slide 37

Slide 37 text

Slide 38

Slide 38 text

Slide 39

Slide 39 text

Slide 40

Slide 40 text