Usable from tomorrow?! Techniques for XSS via PATH / Shibuya.XSS techtalk #7
by Masato Kinugawa
Slide 6
https://host/tags/aaa/ ... ...
Slide 7
... ... https://host/path/index?p=1
Slide 8
... ... https://host/path/index;aaa?p=1
Slide 10
http://php.net/index.php
http://php.net/index.php/xxx/yyy/zzz
Slide 11
http://shibuyaxss.connpass.com/event/28232/
http://shibuyaxss.connpass.com/event/28232/;abc
Slide 13
SCRIPT_URL /test.php/<b>PATH</b>
SCRIPT_URI http://localhost/test.php/<b>PATH</b>
PATH_INFO /<b>PATH</b>
PATH_TRANSLATED \<b>PATH<\b>
PHP_SELF /test.php/<b>PATH</b>
Slide 14
GET /path?query HTTP/1.1
http://php.net/manual/ja/reserved.variables.server.php
Slide 15
/test.php/<b>PATH</b>?<b>QUERY</b>
GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E HTTP/1.1
QUERY_STRING %3Cb%3EQUERY%3C/b%3E
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY%3C/b%3E
http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
Slide 16
/test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b>
GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1
QUERY_STRING <b>QUERY</b>
REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b>
http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>
Slide 17
http://localhost/test.php/<b>PATH</b>
GET /test.php/<b>PATH</b> HTTP/1.1
Slide 18
/test.php/%3Cb%3EPATH%3C/b%3E
GET /test.php/<b>PATH</b> HTTP/1.1
REQUEST_URI /test.php/<b>PATH</b>
location.pathname /test.php/%3Cb%3EPATH%3C/b%3E
http://localhost/test.php/<b>PATH</b>
Slide 34
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-UA-Compatible: IE=9
Slide 36
ifr=document.createElement('');
document.body.appendChild(ifr);
InvalidCharacterError
Slide 37
console.log(document.documentMode) /* 9 */
http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components-weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf