$30 off During Our Annual Pro Sale. View Details »

katagaitai勉強会#6 EasyなWeb編 / katagaitaiCTF#6 Web

Yu Yagihashi
August 13, 2016
Technology
1
1.1k

katagaitai勉強会#6 EasyなWeb編 / katagaitaiCTF#6 Web

katagaitai勉強会#6 Web編のスライドです。

Yu Yagihashi

August 13, 2016
Tweet

More Decks by Yu Yagihashi

See All by Yu Yagihashi
A Security Engineer in the Web Re-architecture Project
yagihashoo
0
980
The face of X-Content-Type-Options which you may not know
yagihashoo
0
340
A talk about XSS thousand knocks(Shibuya.XSS techtalk#10)
yagihashoo
6
2.5k

Other Decks in Technology

See All in Technology
APIシナリオテストツールとしてのrunn / 4 API testing tools
k1low
1
510
AWS Security Hubを有効化したけど見てない人に向けたDevSecOpsの実現方法 / #kayac_andpad_event
muziyoshiz
0
210
EventStormingとRDRA2.0で大規模レガシーシステムのフルリニューアルPJに挑む
leveragestech
0
1.4k
Amazon Bedrock を利用したAIチャットボット開発
yukimatsuyoshi
3
550
The Future of encoding/json
iamshunta
2
270
Garoon 開発チーム / Garoon development team
cybozuinsideout
PRO
0
2.2k
LINEでのコミュニケーションにマスコットキーホルダーを使ってみる / LINEを使ったLT大会 #5
you
PRO
0
110
更新”しない”ドキュメント管理 「イミュータブルドキュメントモデル」の実運用
kosui
10
1.5k
CircleCIの高速化🚀 / CircleCI faster
sinsoku
1
310
JAWS-UG_YOKOHAMA_20231204
hiashisan
0
290
SRE推進における失敗と成功 〜く"し"け"な"い"〜 - NIFTY Tech Day 2023
niftycorp
0
120
AWS re:Invent 2023 わざわざ現地まで行く意味あるの?→ありました
minorun365
PRO
5
1k

Featured

See All Featured
Git: the NoSQL Database
bkeepers
PRO
420
62k
GraphQLの誤解/rethinking-graphql
sonatard
45
8.7k
Unsuck your backbone
ammeep
660
56k
The World Runs on Bad Software
bkeepers
PRO
59
6.2k
Testing 201, or: Great Expectations
jmmastey
26
6.1k
Embracing the Ebb and Flow
colly
77
3.9k
Happy Clients
brianwarren
91
6.1k
Art, The Web, and Tiny UX
lynnandtonic
286
19k
Design by the Numbers
sachag
272
18k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
53
33k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
18
6.4k
Ruby is Unlike a Banana
tanoku
93
10k

Transcript

  1. LBUBHBJUBJษڧձ

    &BTZͳ8FCฤ
    1SFTFOUFECZ!ZBHJIBTIPP

    View Slide

  2. XIPBNJ

    View Slide

  3. )BTIUBHLBUBHBJUBJ$5'
    XIPBNJ
    ‣ :V:BHJIBTIJ
    ‣ IUUQTYTTNPF
    ‣ 5XJUUFS!ZBHJIBTIPP
    ‣ 944FS
    ‣ 4FDVSJUZ"TTFTTNFOU
    ‣ $5'GPS#FHJOOFST

    View Slide

  4. )BTIUBHLBUBHBJUBJ$5'
    .ZCPPLT

    View Slide

  5. 5BSHFU

    View Slide

  6. )BTIUBHLBUBHBJUBJ$5'
    4DPQF
    ‣ 8IBUEPFTl&BTZzNFBO 

    #FHJOOFS\IFSF^*OUFSNFEJBUF
    ‣ *IPQFUIJTFWFOUJTUPCFUIFOFYUTUFQGPSUIF
    CFHJOOFST
    ‣ .PSFEFFQMZ NPSFCSPBEMZ NPSFEFUBJMFE
    UIBOl$5'GPS#FHJOOFSTz

    View Slide

  7. )BTIUBHLBUBHBJUBJ$5'
    .JTTJPO
    ‣ )PU$PXT%BUJOH )BDLMV$5'

    ‣ -FU`TMFBSOUIF944XJUIPVUTDSJQUJOH
    ‣ 5IFSFBSFUXPXBZTUPTPMWF
    ‣ 8IBU`T%0.$MPCCFSJOH
    ‣ 8IBU`T$POUFOU4FDVSJUZ1PMJDZ
    ‣ $PPMPOF(PMEFOqBHBXBSEQSJ[FEBTUIFNPTU
    VOFYQFDUFETPMVUJPO

    View Slide

  8. 3FDPOOBJTTBODF

    View Slide

  9. )BTIUBHLBUBHBJUBJ$5'
    'JSTUPGBMM
    ‣ -FU`TBDDFTTUPUIFUBSHFUXFCTJUF
    ‣ IUUQTHPPHMR/K.G%
    ‣ #FDBVTFPGTPNFUFDIOJDBMSFBTPOT ZPVIBECFUUFS
    BDDFTTXJUI$ISPNF PS$ISPNFCBTFECSPXTFS

    ‣ *OUIJTMFDUVSF *VTF(PPHMF$ISPNFGPSFYBNQMF

    View Slide

  10. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ $SFBUFBOBDDPVOUBOEMPHJO

    View Slide

  11. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ 6TFSTDBODIBUXJUITPNFDPXTʜ

    View Slide

  12. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ 6TFSTDBODIBUXJUITPNFDPXTʜ

    View Slide

  13. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ 4FFNTJNQPTTJCMFUPHFUUIFQSFNJVNBDDPVOU

    View Slide

  14. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ "OPUIFSGFBUVSFGPSUIFSFQPSUJOHQSPCMFN

    View Slide

  15. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ "OPUIFSGFBUVSFGPSUIFSFQPSUJOHQSPCMFN

    View Slide

  16. )BTIUBHLBUBHBJUBJ$5'
    -FU`TTFFUIFGFBUVSFT
    ‣ "MMGFBUVSFTPGUIJTTJUF
    ‣ $PXFS7JFX%JTQMBZTBMMPOMJOFDPXT
    ‣ $IBUUJOHQBHF$IBUXJUISFTQFDUJWFDPXT
    ‣ 3FQPSUJOH1BHF5IFGPSNUPSFQPSUQSPCMFNT
    ‣ 5IFO XIBUTIBMMXFEP
    ‣ 5IFSFTIPVMECFTPNFWVMOFSBCJMJUJFT
    ‣ 5IJTTJUFIBTB944
    ‣ $BOZPVpOEJUPVU

    View Slide

  17. )BTIUBHLBUBHBJUBJ$5'
    "UUFOUJPO
    ‣ 5IJTTJUFQSPIJCJUTTFOEJOHBSFQPSU
    DPOTFDVUJWFMZ
    ‣ 6TFSTDBOTFOEBSFQPSUFWFSZNJOVUFT
    ‣ 0NJUUJOHEFUBJMT JUDBOCFFWBEFEVTJOH9
    'PSXBSEFE'PSIFBEFS
    ‣ $POpHVSF#VSQ4VJUFGPSSFXSJUJOHSFRVFTUIFBEFS

    View Slide

  18. )BTIUBHLBUBHBJUBJ$5'
    "UUFOUJPO
    ‣ $POpHVSJOH#VSQ1SPYZʜ

    View Slide

  19. )BTIUBHLBUBHBJUBJ$5'
    "UUFOUJPO
    ‣ $POpHVSJOH#VSQ1SPYZʜ

    View Slide

  20. )BTIUBHLBUBHBJUBJ$5'
    "UUFOUJPO
    ‣ $POpHVSJOH#VSQ1SPYZʜ

    View Slide

  21. )BTIUBHLBUBHBJUBJ$5'
    3FQPSUJOH1BHF
    ‣ 8IFOTFFJOHUIFQBHFUPTFOEBSFQPSUUP
    BENJO 944FSNVTUUIJOL

    l5IFSFNBZCFTPNF944z
    ‣ :PVNBZTBZl8IZEJEZPVLOPXUIBU z
    ‣ 5IFSFJTOPSFBTPO 944JTKVTUUIFSF

    View Slide

  22. 8IFSF`TUIFqBH

    View Slide

  23. )BTIUBHLBUBHBJUBJ$5'
    *OWFTUJHBUJPO
    ‣ :PVIBWFNJOVUFT
    ‣ 'JOEXIFSFUIFqBHJT
    ‣ )JOU5IFTPVSDFDPEFLOPXTFWFSZUIJOH
    ‣ :PVLOPXNBOZTPMVUJPOTUPHFUUIFTPVSDF
    DPEF3$& 1BUIUSBWFSTBM BOETPPO

    View Slide

  24. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 8IBUZPVIBWFUPEPpSTUMZJTHBUIFS
    JOGPSNBUJPO
    ‣ 8IPJTJOGPSNBUJPO %/4SFDPSET )551IFBEFST
    4ZTUFNFSSPSNFTTBHFT BOETPPO
    ‣ 4PNFUJNFT IJEEFOQBHFTBSFMJTUFEPO

    lSPCPUTUYUz
    ‣ *UJTO`UHPPEUPIJEFTPNFUIJOHMJTUJOHPOSPCPUTUYU
    ‣ SPCPUTUYUJTPQFOUPFWFSZPOFPOUIF*OUFSOFU

    0GDPVSTFJU`TJOUFOEFEUPTIPXUIBUDSBXMFST

    View Slide

  25. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 5IFSFTFFNTCFHJUEJSFDUPSZ

    View Slide

  26. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ *U`TQPTTJCMFUPBDRVJSFBMMTPVSDFDPEFTʜ

    View Slide

  27. )BTIUBHLBUBHBJUBJ$5'
    )PXUPHFUUIFTPVSDFT
    ‣ 6TFXHFUUPEPXOMPBEUIFHJUEJSFDUPSZ
    ‣ "GUFSEPXOMPBEJU VTFHJUBOESFTUPSFUIF
    TPVSDFDPEFTPOUIFMPDBM
    wget -r --no-check-certificate -erobots=off https://wildwildweb.fluxfingers.net:1401/.git/

    View Slide

  28. )BTIUBHLBUBHBJUBJ$5'
    )PXUPHFUUIFTPVSDFT
    ‣ 3VOAHJUTUBUVTABOEDPOpSNUIBUUIF
    EJSFDUPSJFTQSPQFSMZEPXOMPBEFE

    View Slide

  29. )BTIUBHLBUBHBJUBJ$5'
    )PXUPHFUUIFTPVSDFT
    ‣ 3VOAHJUSFTFUŠIBSEABOESFTUPSFGBMMFOPVU
    pMFT

    View Slide

  30. )BTIUBHLBUBHBJUBJ$5'
    (FUJOUPUIFTPVSDFDPEFT
    ‣ "QBSUGSPNBOZUIJOHFMTF MPPLUIF
    MJTUPGUIFTPVSDFDPEFT
    ‣ +VTUVTFAMT3APSAUSFFA
    ‣ 4PNF"1*TDSJQUTBSFJOUIFlBQJz
    EJSFDUPSZ JU`TJOUFSFTUJOH
    ‣ 5IFSFJTBDPOpHTDSJQUTOBNFEXJUI
    lDGHQIQz-FU`TCFHJOXJUIUIJT
    .
    ├── api
    │ ├── error.php
    │ ├── login.php
    │ ├── logout.php
    │ ├── premium.php
    │ ├── register.php
    │ └── report.php
    ├── cfg.php
    ├── css
    │ └── style.css
    ├── index.php
    ├── js
    │ ├── form.js
    │ ├── http.js
    │ ├── loader.js
    │ ├── pages
    │ │ ├── chat.js
    │ │ ├── error.js
    │ │ ├── index.js
    │ │ ├── internal.js
    │ │ ├── logout.js
    │ │ └── report.js
    │ ├── router.js
    │ └── template.js
    ├── lib
    │ ├── Template.php
    │ ├── session.php
    │ └── util.php
    ├── robots.txt
    ├── static
    │ ├── abbie.jpg
    │ ├── clara.jpg
    │ ├── cow_front.jpg
    │ ├── maggie.jpg
    │ └── rosie.jpg
    └── templates
    ├── cow.html
    ├── error.html
    ├── index.html
    ├── internal.html
    ├── layout.phtml
    ├── message.html
    ├── message.pjson
    └── report.html

    View Slide

  31. )BTIUBHLBUBHBJUBJ$5'
    $IFDLUIFDPOpH
    ‣ 5IFqBHTUSJOHJTEFpOFEBTBDPOTUBOU
    ‣ 4PXFOFFEUPpOEXIFSFUIJTDPOTUBOUJT
    DBMMFEJOUIFTPVSDFDPEFT
    ‣ *U`TTJNQMFUBTL KVTUVTFHSFQ
    ‣ HSFQF'-"(ApOEOBNFQIQA
    27 // change this
    28 define('FLAG', 'XXX');
    29 define('SALT', 'XXX');

    View Slide

  32. )BTIUBHLBUBHBJUBJ$5'
    (SFQSFTVMU
    ‣ 5IFqBHJTVTFEJOQSFNJVNQIQ
    ‣ 4PHFUJOUPUIJTpMFOFYU

    View Slide

  33. )BTIUBHLBUBHBJUBJ$5'
    QSFNJVNQIQ
    ‣ 5IJT"1*JTDBMMFEPOUIFDIBUQBHF
    ‣ *OUIFMBUFSTUFQ HFUUJOHJOUPUIFDMJFOUTJEF
    DPEFT

    View Slide

  34. 5JNFUP944

    View Slide

  35. )BTIUBHLBUBHBJUBJ$5'
    *OWFTUJHBUJPO
    ‣ 944XJMMCFOFFEFEUPDBQUVSFUIFqBH
    ‣ #BTJDBMMZ ZPVIBWFUPpOEUIFWVMOFSBCJMJUJFTGSPN
    TDSBUDIJO$5'
    ‣ :PVIBWFNJOVUFT
    ‣ 'JOEVTFGVMPOF

    View Slide

  36. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ $PVMEZPVpOEHPPEPOF
    ‣ 4PNFUBHTXPSLPOl QDIBUT944 Tz
    ‣ )PXFWFS DPVMEZPVSVOlBMFSU b944`
    zPOUIJT
    QBHF
    ‣ 5IFSF`TTPNFUIJOHTUSBOHFXJUIUIJTTJUF
    SJHIU

    View Slide

  37. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 4PNFUBHTMJLFTXPSLTXFMM

    View Slide

  38. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ )PXFWFS TDSJQUEPFTO`UXPSLBUBMM

    View Slide

  39. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 4PNFUIJOHXSPOHʜ

    View Slide

  40. l3FGVTFEUPFYFDVUFJOMJOFFWFOUIBOEMFSCFDBVTFJU
    WJPMBUFTUIFGPMMPXJOH$POUFOU4FDVSJUZ1PMJDZ
    EJSFDUJWFTDSJQUTSDTFMG&JUIFSUIFVOTBGFJOMJOF
    LFZXPSE BIBTI TIB
    PSBOPODF
    OPODF
    JTSFRVJSFEUPFOBCMFJOMJOFFYFDVUJPOz

    View Slide

  41. l3FGVTFEUPFYFDVUFJOMJOFFWFOUIBOEMFSCFDBVTFJU
    WJPMBUFTUIFGPMMPXJOH$POUFOU4FDVSJUZ1PMJDZ
    EJSFDUJWFTDSJQUTSDTFMG&JUIFSUIFVOTBGFJOMJOF
    LFZXPSE BIBTI TIB
    PSBOPODF
    OPODF
    JTSFRVJSFEUPFOBCMFJOMJOFFYFDVUJPOz
    8IBU`TUIJT

    View Slide

  42. $POUFOU4FDVSJUZ1PMJDZ

    View Slide

  43. )BTIUBHLBUBHBJUBJ$5'
    8IBU`TUIF$41
    ‣ /FXHFOFSBUJPOXFCTFDVSJUZNFDIBOJTN
    ‣ #FZPOETUIF4BNF0SJHJO1PMJDZ
    ‣ &QPDINBLJOHBOUJ944GFBUVSFPOCSPXTFST
    ‣ 3FTUSJDUTMPBEJOHSFTPVSDFTCBTFEPOXIJUFMJTU
    ‣ 8FCTJUFJOGPSNTTBGFSFTPVSDFXJUIQPMJDZEJSFDUJWF
    UPCSPXTFST
    ‣ %JSFDUJWFTXPVMECFXSJUUFOJOUIFGPSNBUMJLF

    \EJSFDUJWFOBNF^\SFTPVSDFPSJHJOT^

    View Slide

  44. )BTIUBHLBUBHBJUBJ$5'
    .PSFBCPVU$41
    ‣ )PXUPVTF
    ‣ $POUFOU4FDVSJUZ1PMJDZIFBEFS
    ‣ $POUFOU4FDVSJUZ1PMJDZ3FQPSU0OMZIFBEFS
    ‣ .BKPSEJSFDUJWFT ZPVOFFEUPLOPXGPS$5'

    ‣ EFGBVMUTSD
    ‣ TDSJQUTSD
    ‣ .BKPSSFTPVSDFT ZPVOFFEUPLOPXGPS$5'

    ‣ bTFMG`
    ‣ bVOTBGFJOMJOF`
    ‣ bVOTBGFFWBM`

    View Slide

  45. )BTIUBHLBUBHBJUBJ$5'
    -PPLBHBJO
    ‣ )PX`TPOUIFTJUF-FU`TMPPLBHBJO

    View Slide

  46. )BTIUBHLBUBHBJUBJ$5'
    8IBU$41EJE
    ‣ -FU`TMPPLBUQPMJDJFT
    ‣ bTFMG`NFBOTUIFTDSJQUT PSTPNFUIJOHFMTF

    PSJHJOBUFEGSPNUIFTBNFPSJHJOBSFQFSNJUUFE
    ‣ 5IFTFQPMJDJFTDPOUBJOOPbVOTBGFJOMJOF`
    ‣ 4PCSPXTFSTEPO`UFYFDVUFUIFDPEFTMJLFCFMPX


    *OMJOFTDSJQUT TDSJQUBMFSU bUIJT`
    TDSJQU


    &WFOUIBOEMFST JNHTSDYPOFSSPSBMFSU bUIJT`



    +BWB4DSJQUTDIFNF KBWBTDSJQUBMFSU bUIJT`


    default-src ‘none'; img-src 'self'; script-src ‘self';
    style-src ‘self'; connect-src 'self'

    View Slide

  47. )BTIUBHLBUBHBJUBJ$5'
    8IBU$41EJE
    ‣ 0VS944DPEFJTʜ
    ‣ 0VS944DPEFJTJOKFDUFEUP)5.-DPOUFYU
    ‣ 4PXFIBWFUPVTFJOMJOFTDSJQUTUPFYFDVUFBSCJUSBM
    DPEFTPOUIFQBHF
    ‣ )PXFWFSʜ
    ‣ $41CMPDLTFYFDVUJOHJOMJOFTDSJQUTKVTUMJLF

    lJNHTSDYPOFSSPSBMFSU
    z
    ‣ *IBEBUBMLBCPVU$41 BMTPSFGFSUIBU
    ‣ IUUQXXXTMJEFTIBSFOFUZBHJIBTIPPDTQGYPT

    View Slide

  48. 4P XIBU`TUIFQMBO

    View Slide

  49. )BTIUBHLBUBHBJUBJ$5'
    8IBUDBO*EP
    ‣ $41FWBTJPOJTPVUPGUIFTDPQFUPEBZ
    ‣ *U`TUPPEJ⒏DVMUUPEFBMXJUIJOTIPSUUFSN
    ‣ 5IFQPMJDJFTPOUIJTTJUFIBTOPFWJEFOUqBX
    ‣ )5.-UBHJOKFDUJPOJTQPTTJCMFFWFOVOEFSUIF
    $41
    ‣ 4PNFPSEJOBM)5.-UBHTHJWFVTqBHUPEBZ
    ‣ 4PUPEBZMFU`TMFBSOOPUPSEJOBM944

    View Slide

  50. )BTIUBHLBUBHBJUBJ$5'
    )5.-5BH*OKFDUJPO
    ‣ (FOFSBMMZ JU`TVTFEBTTZOPOZNPG944
    ‣ *U`TTJNQMF KVTUJOKFDUTPNF)5.-UBHT
    ‣ 5PEBZ JOUSPEVDJOHUXPPGHPPE)5.-UBH
    JOKFDUJPOBUUBDLNFUIPET
    ‣ 6TFUIFNBOEHFUUIFqBH

    View Slide





  51. DOM test
    <br/>console.log(document.URL);<br/>// => http://example.com/~~~<br/>


    foo bar
    <br/>console.log(document.URL);<br/>// => <form name="URL">foo bar</form><br/>


    TU%0.$MPCCFSJOH

    View Slide

  52. )BTIUBHLBUBHBJUBJ$5'
    8IBU`T%0.$MPCCFSJOH
    ‣ :PVLOPX%0.JTSFBMMZNFTTFE
    ‣ /PUPOMZ%0. CVUUIF8FCJTBMMNFTTFEGPSMPOH
    UJNF
    ‣ 5IFSFTIPVMECFTPMJECPSEFSCFUXFFOUIF
    )5.-EPDVNFOUBOEUIF+BWB4DSJQUDPEF
    ‣ "OEJUIBWFUPCFGPSCJEEFOJNQMJDJUBDDFTTUPUIF
    +BWB4DSJQUXPSMEGSPN)5.-XPSME
    ‣ )PXFWFS GPSTPNFSFBTPOT JUDBOIBQQFOBOEMFBE
    TPNFBUUBDLTUPUIFTZTUFN5PEBZMFU`TVTFJU
    ‣ %0.$MPCCFSJOH5IF4QBOOFS
    ‣ IUUQXXXUIFTQBOOFSDPVLEPN
    DMPCCFSJOH

    View Slide

  53. )BTIUBHLBUBHBJUBJ$5'
    8IBU`T%0.$MPCCFSJOH
    ‣ %0.USFFJTDPOTUSVDUFEBVUPNBUJDBMMZBGUFS
    %0.DPOUFOUMPBEJOH
    ‣ 8IFO%0.USFFJTDPOTUSVDUFE TPNFGPSNJUFN
    FMFNFOUTBSFJOUFHSBUFEJOUP%0.USFF NFBOT
    HFOFSBUJOHPCKFDUTJO+BWB4DSJQUXPSME

    ‣ *UJTCBTFEPOUIFlOBNFzPSlJEzQSPQFSUZPGUIF
    FMFNFOUT
    ‣ 4PUIFFMFNFOUTOBNFEPSBTTJHOFE*%FYJTUTJO
    +BWB4DSJQUXPSMEGSPNUIFTUBSU

    View Slide

  54. )BTIUBHLBUBHBJUBJ$5'




    DOM test


    foo bar
    <br/>console.log(here.innerHTML);<br/>// => foo bar<br/>






    DOM test


    foo bar
    <br/>console.log(document.here.innerHTML);<br/>// => foo bar<br/>


    8IBU`T%0.$MPCCFSJOH
    ‣ 5IF%0.FMFNFOUTPCKFDUTBSFHFOFSBUFE
    BVUPNBUJDBMMZ
    ‣ "OEJUDBOCFBDDFTTFEWJB+BWB4DSJQUDPEF
    ‣ 8IBUEPFTUIJTNFBO

    View Slide

  55. )BTIUBHLBUBHBJUBJ$5'
    8IBU`T%0.$MPCCFSJOH
    ‣ +VTUMJLFCFMPX PWFSSJEJOHUPUIFEFGBVMU
    PCKFDUTPDDVSTGPSEPDVNFOUVTJOHUIJT
    UFDIOJRVF




    DOM test
    <br/>console.log(document.URL);<br/>// => http://example.com/~~~<br/>


    foo bar
    <br/>console.log(document.URL);<br/>// => <form name="URL">foo bar</form><br/>






    DOM test
    <br/>var AAA = "global obj";<br/>console.log(AAA);<br/>// => global obj<br/>


    foo bar
    <br/>console.log(AAA);<br/>// => global obj<br/>


    View Slide

  56. )BTIUBHLBUBHBJUBJ$5'
    8IBU`T%0.$MPCCFSJOH
    ‣ 0WFSSJEJOHEPDVNFOUPCKFDUT XFDBODBVTF
    BOFSSPSJOUFOUJPOBMMZ
    ‣ :PVNBZUIJOLl*TUIBUBMM z
    ‣ *U`TUSJWJBM IPXFWFSIBTBCJHF⒎FDUGPSUIJT
    )PU$PXT%BUJOH

    View Slide



  57. foo ⇒links to
    sqli.moe/foo.html
    <br/>location.href=“bar.html"<br/> ⇒move to sqli.moe/bar.html
    OE#BTFUBHJOKFDUJPO

    View Slide

  58. )BTIUBHLBUBHBJUBJ$5'
    5IFGFBUVSFPGCBTFUBH
    ‣ #BTFUBHEFpOFTUIFCBTFVSJGPSUIFSFMBUJWF
    QBUITJOUIFQBHF
    ‣ &⒎FDUCPUIUBHTBOEDPEFT
    ‣ +VTUMJLFCFMPX
    ‣ $BOOPUVTFlKBWBTDSJQUz BOETPPO NBZCF

    ‣ 4POPUVTFGVMGPS944JUTFMG


    foo ⇒links to sqli.moe/foo.html
    location.href="bar.html" ⇒move to sqli.moe/bar.html

    View Slide

  59. )BTIUBHLBUBHBJUBJ$5'
    8IBUIBQQFOT
    ‣ *OGPSNBUJPOMFBLBHF
    ‣ *GUIFSFRVFTUXJUIVSMQBSBNFUFSPDDVSTPOUIFQBHF
    UIBUJTJOKFDUFENBMJDJPVTCBTFUBH UIPTFVSM
    QBSBNFUFSTXJMMCFTFOUUPUIFNBMJDJPVTTFSWFS

    ‣ *OUIJTFYBNQMF UIFMJOLSFGFSTNBMJDJPVTEPNBJO
    lYTTNPFz
    ‣ *OUIFSFTVMU lTPNF@TFDSFU@JOGPzQBSBNFUFSMFBLTPVU
    UPUIFBOPUIFSTFSWFS
    ‣ 3FGFSFSTUPP
    ‣ *OUIFTPNFTJUVBUJPOT IUUQSFGFSFSJOGPXJMMBMTPMFBL

    link

    View Slide

  60. /PXUIFUJNFUP$5'

    View Slide

  61. )BTIUBHLBUBHBJUBJ$5'
    #ZUIFXBZ
    ‣ 944OFFETTPNFTFSWFSUPSFDFJWFUIFEBUB
    ‣ %PZPVIBWFUIFPOFBTTJHOFEHMPCBM
    BEESFTT
    ‣ *GZPVOPU VTFUIFTFTJUFT
    ‣ 5IBOLT!@//6@

    IUUQSFRVFTUCJO
    ‣ *NBEFUIJTMBTUOJHIUʜ

    IUUQLBUBHBJUBJTRMJNPF

    View Slide

  62. )BTIUBHLBUBHBJUBJ$5'
    &YQMPJUBUJPO
    ‣ 6TFUIF%0.$MPCCFSJOHBOEDBQUVSFUIFqBH
    ‣ :PVIBWFNJOVUFT

    View Slide

  63. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ 6TFUIFEFWFMPQFSUPPMT
    ‣ DPNNBOEPQUJPO*
    ‣ DUSMTIJGU*
    ‣ "MMXFCBDDFTTFTBSFMJTUFEPO/FUXPSLUBC
    ‣ l BQJQSFNJVNQIQzJTUIFPOFXFKVTUTBX
    CFGPSFIBOE

    View Slide

  64. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ -FU`TpOEUIFDPEFUPJTTVFUIFSFRVFTUUP
    QSFNJVNQIQ
    ‣ 0QFOUIF4PVSDFUBCBOECSPXTF

    KTQBHFTDIBUKT
    ‣ 'JOEBQISBTFlQSFNJVNQIQz
    ‣ *U`TBUMJOF
    ‣ *U`TDBMMFEJOQBHFHFU1SFNJVNNFUIPE
    ‣ 4PUIFOFYUJTUIJTNFUIPE

    View Slide

  65. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ 5IFSFTVMUPGQBHFHFU1SFNJVN
    JTTUPSFEJO
    QBHFpSTU.FTTBHFGVODUJPOBUMJOF
    ‣ "OE JU`TEJWJEFEBOETUPSFEUPBOPUIFS
    WBSJBCMFTJNNFEJBUFMZ
    ‣ 'JOBMMZqBHJTJOQSFNJVN@JE
    ‣ 8IBUJTQSFNJVN@JEVTFEGPS
    premium = page.getPremium();
    has_premium = premium[‘success’];
    premium_id = premium[‘message’];

    View Slide

  66. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ 'JOEBQISBTFlQSFNJVN@JEz
    ‣ *U`TBUMJOF
    ‣ 5IJTNFTTBHFWBSJBCMFJTVTFEGPS
    AUFNQBTTJHO NFTTBHF bNTH
    A
    ‣ 8IBU`TUFNQ
    ‣ "OEZPVOPUJDFAWBSALFZXPSEJTOPUVTFBUBMMJOUIJT
    DPEF
    message = cow_name + ((has_premium) ? ' (' + premium_id + ')' : ‘');

    View Slide

  67. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ UFNQJTFWFSZXIFSFJOUIJTDPEF
    ‣ 5IJTJTHMPCBMWBSJBCMF TPBMMGVODUJPOTDBO
    PWFSSJEFUIJTWBSJBCMF
    ‣ "OEJUSFNBJOTIBWJOHQSFWJPVTWBMVFCFGPSFPWFSSJEF
    JOFBDINFUIPE
    ‣ .PSFPWFS UIJTPCKFDUIBTUIFNFUIPEOBNFE
    lBTTJHOz
    ‣ *GUIJTlUFNQzWBSJBCMFJTMPDBUJPOPCKFDUʜ

    View Slide

  68. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ EFNP

    View Slide

  69. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ EFNP

    View Slide

  70. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ EFNP

    View Slide

  71. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ EFNP

    View Slide

  72. )BTIUBHLBUBHBJUBJ$5'
    $IBTFUIFqBH
    ‣ 5IFqBHJTEJTQMBZFEPOUIFDIBUUJOHQBHFJG
    UIFVTFSJTQSFNJVNBDDPVOU
    ‣ QSFNJVNQIQSFUVSOTUIFqBHJGUIFVTFSJTQSFNJVN
    BDDPVOU
    ‣ +BWB4DSJQUDPEFTPOUIFDIBUUJOHQBHFEJTQMBZTUIF
    WBMVFQSFNJVNQIQSFUVSOTPOUIFQBHF
    ‣ 4PVTFUIF944POUIFDIBUUJOHQBHF XFDBOBDRVJSF
    UIFqBH

    View Slide

  73. )BTIUBHLBUBHBJUBJ$5'
    5IJOLBCPVUTDFOBSJP
    ‣ 5IFSFJT944POUIFDIBUUJOHQBHF
    ‣ 5IFQBSBNFUFSNFBOTEFTUJOBUJPOJTWVMOFSBCMF
    ‣ 5IFTJUFIBWFBSFQPSUJOHQBHFBOEUIFBENJO
    NBZTFFUIFSFQPSUT
    ‣ "OEBENJONBZIBWFBDPOWFSTBUJPOXJUIUIF
    SFQPSUFSVTJOHUIFDIBUUJOHQBHF
    ‣ 4PBENJOUZQFJOUPUIFSFQPSUFSOBNFUPUIF
    DIBUUJOHQBHF
    ‣ *UpSFTPVS944DPEFT

    View Slide

  74. )BTIUBHLBUBHBJUBJ$5'
    5IJOLBCPVUTDFOBSJP
    $PX/BNFTPNFYTTDPEFT
    %FTDSJQUJPOIPHFIPHFIPHF
    "%.*/
    944

    ͲʔΜʂ
    '-"(
    .Z
    4FSWFS

    View Slide

  75. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ 8BUDIUIFlUFNQzWBSJBCMFBOEDPOpSNUIBUJUT
    WBMVF
    ‣ 4FUUIFCSFBLQPJOU
    ‣ $MJDLUIFMJOFOVNCFSBUMJOF

    QBHFDIBU"OTXFSdddd
    ‣ 6TFUIF8BUDIGFBUVSFPOUIFSJHIUTJEF
    ‣ $MJDLlzTJHO
    ‣ &OUFSlUFNQz
    ‣ 3FMPBE

    View Slide

  76. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ 'JSTUMZ lUFNQzWBSJBCMFQPJOUTMPDBUJPOPCKFDU
    ‣ $POUJOVPVTMZTUFQJOUPUIFOFYUGVODUJPODBMM
    ‣ *UDIBOHFTGSPNMPDBUJPOPCKFDUJOUP5FNQMBUFPCKFDU
    JOQBHFWJFXGVODUJPOBUMJOF
    ‣ 5IFOFYUGVODUJPODBMMJTGPSQBHFpSTU.FTTBHF
    XIJDIIBTDPEFEJTQMBZTUIFqBHPOUIFQBHF
    ‣ 0GDPVSTFUIFGVODUJPOEPFTO`USFEFpOFTlUFNQz
    temp = new Template('message.html');

    View Slide

  77. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ %PZPVSFNFNCFSXIBU%0.DMPCCFSJOHDBO
    EP
    ‣ 0WFSSJEFEPDVNFOUBOEDBVTFTPNFFSSPS
    ‣ *GUIFDPEFDBMMTEPDVNFOUNFUIPECFGPSF
    lUFNQzWBSJBCMFJTPWFSSJEEFOUP5FNQMBUF
    PCKFDUʜ
    ‣ *GJUPDDVSTJOQBHFWJFXGVODUJPO UFNQSFNBJOT
    CFJOHMPDBUJPOPCKFDUJOQBHFpSTU.FTTBHFGVODUJPO
    ‣ "OEMPDBUJPOBTTJHOXJMMCFDBMMFEXJUIUIFqBH

    View Slide

  78. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EPDVNFOUHFU&MFNFOU#Z*EJTDBMMFEBUMJOF
    CFGPSFlUFNQzWBSJBCMFJTPWFSSJEEFO
    ‣ *U`TBXFTPNF XFDBODMPCCFS
    EPDVNFOUHFU&MFNFOU#Z*EBOEDBVTFFSSPS
    ‣ "GUFSFSSPSPDDVST UIFSFTUPGDPEFTJOQBHFWJFX
    GVODUJPOJTOPUFYFDVUFE
    ‣ 4LJQQJOHTPNFDPEFT QBHFpSTU.FTTBHFXJMMCF
    DBMMFE

    View Slide

  79. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ -FU`TQSPWFUIFDPODFQUXPSLTXFMM
    ‣ 4FUUIFCSFBLQPJOUBUMJOF
    ‣ "DDFTTUPl QDIBUGPSN
    OBNFHFU&MFNFOU#Z*EGPSNz
    ‣ 4UFQJOUPOFYUGVODUJPODBMMGSPNUIFCSFBL
    QPJOU
    ‣ "OFSSPSPDDVSTBUMJOF
    ‣ 5PSFTVNFTDSJQUFYFDVUJPO ZPVBSFBU

    lGPSNOBNFHFU&MFNFOU#Z*EGPSNzBUUIFFOE
    btn_logout = document.getElementById('btn-logout');

    View Slide

  80. )BTIUBHLBUBHBJUBJ$5'
    'JOBMMZ
    ‣ *U`TQSPWFEUIBUMPDBUJPOBTTJHOJTDBMMFEXJUI
    MPDBUJPOIBTITMJDF

    ‣ 4PVTJOHUIFMPDBUJPOIBTIMJLFCFMPXXJMM
    SFEJSFDUTCSPXTFSUPYTTNPF
    ‣ IUUQYTTNPFGPSNOBNFHFU&MFNFOU#Z*E
    GPSN
    ‣ 4PVTJOHUIFMPDBUJPOIBTIMJLFCFMPXXJMM
    SFEJSFDUTBENJO`TCSPXTFSUPYTTNPFXJUIUIF
    qBH
    ‣ IUUQYTTNPFGPSNOBNFHFU&MFNFOU#Z*E
    GPSN

    View Slide

  81. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  82. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  83. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  84. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  85. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  86. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  87. )BTIUBHLBUBHBJUBJ$5'
    -FU`TDMPCCFS%0.
    ‣ EFNP

    View Slide

  88. )BTIUBHLBUBHBJUBJ$5'
    &YQMPJUBUJPO
    ‣ 6TFUIFCBTFUBHJOKFDUJPOBOEDBQUVSFUIF
    qBH
    ‣ 4IPXZPVUIJTXJUIPVUFYFSDJTF

    View Slide

  89. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 5IJOHTUPEPBSFTBNFXJUIQSFWJPVTPOF
    ‣ $BVTFBOFSSPSBOENBLFUFNQSFNBJOCFJOHMPDBUJPO
    PCKFDU
    ‣ *OUIJTFYBNQMF QVUUJOHUPBMMZ$41

    View Slide

  90. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 4LJQQJOHBMMEFUBJMT KVTUVTF

    CBTFISFGlIUUQGPPCBSz
    ‣ lUFNQzWBSJBCMFDIBOHFTGSPNMPDBUJPOPCKFDU
    JOUP5FNQMBUFPCKFDUBUMJOF
    ‣ /PXHFUJOUP5FNQMBUFPCKFDU
    temp = new Template('message.html');

    View Slide

  91. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 6TF$POTPMFJOEFWFMPQFSUPPMT

    View Slide

  92. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 5IFQBHFVTFTSFMBUJWFQBUIUPHFUUFNQMBUF
    pMF
    ‣ 4PJGCBTFUBHJTJOKFDUFE XFDBOPWFSSJEFSFRVFTU
    EFTUJOBUJPO
    ‣ 3FNFNCFSUIF$41QPMJDZ
    ‣ *UIBTBSVMFADPOOFDUTSDbTFMG`AUIBUSFTUSJDUT9)3
    SFRVFTUTUPPUIFSPSJHJOT
    ‣ *GUIFEFTUJOBUJPOPGBSFRVFTUGPSHFUUJOHUFNQMBUFJT
    PUIFSPSJHJO $41WJPMBUJPOPDDVSTBOEJUDBVTFBO
    FSSPS

    View Slide

  93. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ 8IJDIFWFS63-ZPVVTFXJMMF⒎FDU
    ‣ #FDBVTFBOZUIJOHCVUUIFTBNFPSJHJODBVTFBO$41
    WJPMBUJPOBOEBOFSSPS
    ‣ 4PVTJOHUIFMPDBUJPOIBTIMJLFCFMPXXJMMBMTP
    SFEJSFDUTBENJO`TCSPXTFSUPYTTNPFXJUIUIF
    qBH
    ‣ IUUQYTTNPFCBTFISFGIUUQGPPCBS

    View Slide

  94. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ EFNP

    View Slide

  95. )BTIUBHLBUBHBJUBJ$5'
    3FWJFX
    ‣ EFNP

    View Slide

  96. 4VNNBSZ

    View Slide

  97. "OZRVFTUJPOT

    View Slide

  98. )BTIUBHLBUBHBJUBJ$5'
    4VNNBSZ
    ‣ %0.JTDPNQMFUFMZNFTTFEVQ
    ‣ *U`TUIFDIBSN
    ‣ %PO`UGPSHFUUPVTFAWBSABOEAUSZDBUDIA
    ‣ #BEDPEFMFBETUPWVMOFSBCJMJUJFT
    ‣ 4PNFUJNFT UIFBUUBDLJOHTDFOBSJPJO$5'JT
    SFBMMZEJ⒏DVMUUPVOEFSTUBOE
    ‣ *NBHJOF

    View Slide

  99. )BTIUBHLBUBHBJUBJ$5'
    "DLOPXMFEHNFOU
    ‣ 5IJTCSJFpOHJTCBTFEPOUIJTXSJUFVQ
    ‣ IUUQTHJUIVCDPNDUGTXSJUFVQTUSFF
    NBTUFSIBDLMVDUGIPUDPXTEBUJOH
    ‣ 5IBOLTGPSBMMBUUFOEFFT
    ‣ 5IBOLTGPSNFNCFSTPGLBUBHBJUBJ

    View Slide

  100. 5IBOLZPV

    View Slide