‣ "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites." (OWASP, https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) )
‣ Roughly speaking:
‣ An attacker injects a script into a web site
‣ That script is executed in the target's browser
Sources and sinks
‣ Source - something the attacker can control
  e.g. location.hash, location.search, location.href, ...
  e.g. document.cookie, document.referrer, ...
  e.g. window.name, ...
‣ Sink - a place that can be used to generate and execute JS
  e.g. location.href (redirect)
  e.g. HTMLElement.innerHTML
  e.g. document.write
  e.g. eval, setTimeout, setInterval, Function
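As an added example (not part of the original slides), the following is a small line-oriented audit that flags exactly the sources and sinks listed above in a piece of JavaScript. It is a grep-style review aid, not a taint analysis: a source that reaches a sink through an intermediate variable is reported as a source line and a sink line, but not linked. The sample input is constructed; the function names are my own.

```javascript
// Added example, not from the original slides: a line-oriented audit that
// flags the DOM XSS sources and sinks the slide lists.
const SOURCES = [
  'location.hash', 'location.search', 'location.href',
  'document.cookie', 'document.referrer', 'window.name',
];
const SINKS = [
  'location.href', 'innerHTML', 'document.write',
  'eval', 'setTimeout', 'setInterval', 'Function',
];

// Match the name as a whole token (so "eval" does not match "evaluate") while
// allowing a preceding "." so "p.innerHTML" and "window.location.hash" match.
function tokenRegex(name) {
  const escaped = name.replace(/\./g, '\\.');
  return new RegExp('(?<![A-Za-z0-9_$])' + escaped + '(?![A-Za-z0-9_$])');
}

// location.href is a source when read and a sink when assigned; an
// assignment ("location.href = ...", but not "==") counts as the sink.
const HREF_ASSIGN = /location\.href\s*=(?!=)/;

function classifyLine(text) {
  const sources = SOURCES.filter(name => tokenRegex(name).test(text) &&
    !(name === 'location.href' && HREF_ASSIGN.test(text)));
  const sinks = SINKS.filter(name => tokenRegex(name).test(text) &&
    !(name === 'location.href' && !HREF_ASSIGN.test(text)));
  return { sources, sinks };
}

// One finding per line that touches any source or sink.
function auditSource(js) {
  return js.split('\n').flatMap((text, i) => {
    const { sources, sinks } = classifyLine(text);
    return sources.length || sinks.length
      ? [{ line: i + 1, text: text.trim(), sources, sinks }] : [];
  });
}

// Lines that read a source and feed a sink in the same statement: the first
// candidates for manual review.
function sourceToSinkLines(js) {
  return auditSource(js)
    .filter(f => f.sources.length && f.sinks.length)
    .map(f => f.line);
}

// Constructed sample input (line 2 is the gadget quoted on the slides).
const SAMPLE = [
  'var p = document.getElementById("username");',
  'p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";',
  'var ref = document.referrer;',
  'setTimeout(ref, 100);',            // sink reached via a variable: not linked
  'location.href = "/home";',         // redirect sink with a constant target
  'p.textContent = location.search;', // source into a text-only property
].join('\n');

for (const finding of auditSource(SAMPLE)) console.log(finding);
console.log('source -> sink on one line:', sourceToSinkLines(SAMPLE));
```

On the sample, line 2 is the only line reported as both source and sink; line 4 shows the limitation of a line-based heuristic (document.referrer reaches setTimeout through `ref`), which is why the per-line source and sink lists are reported as well.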
The growing and diversifying threat of DOM XSS
‣ Few (if any) web sites are built without DOM manipulation
‣ The more the JS bloats, the harder these bugs are to find
‣ Meanwhile, XSS is no longer confined to the browser
‣ e.g. Electron
‣ Desktop apps can be built with web development technology
‣ The threat of XSS moves closer to lower layers
What is a script gadget? - a concrete example
‣ Presented in 2017 by @slekies et al.
‣ "By injecting benign HTML markup matching DOM selectors used in the application we are able to trigger the execution of specific pieces of legitimate application code - script gadgets." [2]
<script>
p = document.getElementById("username");
p.innerHTML = "<p>you are " + location.hash.substring(1) + "</p>";
</script>
This script fragment is called a gadget
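As an added example (not code from the slides or from the paper), the gadget above is placed beside two hardened forms and run against a tiny stand-in for a DOM element, so the difference can be observed outside a browser. The stand-in (FakeElement), the helper names and the sample hash value are my own assumptions; in a real browser whatever is assigned to innerHTML is parsed as HTML, while textContent is never parsed.

```javascript
// Added example, not from the slides or the paper: the slide's gadget beside
// hardened forms. FakeElement only records what was assigned; a browser would
// parse innerHTML as markup and treat textContent as plain text.
class FakeElement {
  constructor() { this.innerHTML = ''; this.textContent = ''; }
}

// Escape the five characters that can change meaning inside HTML text.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The gadget as written on the slide: attacker-controlled location.hash is
// concatenated into markup. The hash is passed in instead of read from location.
function gadgetOriginal(p, hash) {
  p.innerHTML = '<p>you are ' + hash.substring(1) + '</p>';
  return p.innerHTML;
}

// Hardened variant 1: keep the innerHTML sink but escape the untrusted part,
// so it can only ever appear as text inside the <p>.
function gadgetEscaped(p, hash) {
  p.innerHTML = '<p>you are ' + escapeHtml(hash.substring(1)) + '</p>';
  return p.innerHTML;
}

// Hardened variant 2: avoid the markup sink entirely. textContent is a
// text-only property, so no tag inside the hash is ever interpreted.
function gadgetTextOnly(p, hash) {
  p.textContent = 'you are ' + hash.substring(1);
  return p.textContent;
}

// Tag names present in the markup beyond the <p> wrapper the code intends to
// emit. Anything listed here came from the untrusted input.
function unexpectedTags(markup) {
  return (markup.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [])
    .map(t => t.replace(/[<\/]/g, '').toLowerCase())
    .filter(name => name !== 'p');
}

// Constructed input: a harmless <b> tag is enough to show that the original
// gadget turns untrusted text into markup.
const HASH = '#<b>admin</b>';

console.log('original :', gadgetOriginal(new FakeElement(), HASH),
            'extra tags:', unexpectedTags(gadgetOriginal(new FakeElement(), HASH)));
console.log('escaped  :', gadgetEscaped(new FakeElement(), HASH),
            'extra tags:', unexpectedTags(gadgetEscaped(new FakeElement(), HASH)));
console.log('text only:', gadgetTextOnly(new FakeElement(), HASH));
```

The escaped variant still goes through innerHTML, so it remains a sink a reviewer has to look at; the textContent variant removes the sink, which is the simpler fix when no markup is actually needed.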
...-sensei) Slides by Tokumaru-sensei, author of the "Tokumaru book", summarising what XSS is and how it works. → https://www.slideshare.net/ockeghem/xssreintroduction
(2) S. Lekies, K. Kotowicz, S. Groß, E. A. V. Nava, and M. Johns, "Code-Reuse Attacks for the Web: Breaking Cross-Site Scripting Mitigations via Script Gadgets," ACM SIGSAC Conf. Comput. Commun. Secur., pp. 1709–1723, 2017.
(3) Breaking XSS mitigations via Script Gadgets https://www.blackhat.com/docs/us-17/thursday/us-17-Lekies-Dont-Trust-The-DOM-Bypassing-XSS-Mitigations-Via-Script-Gadgets.pdf
PoCs: https://github.com/google/security-research-pocs/tree/master/script-gadgets
Filter Bypass Cheat Sheet https://github.com/masatokinugawa/filterbypass/wiki/Browser%27s-XSS-Filter-Bypass-Cheat-Sheet
(5) Cross-site scripting attacks using UTF-7 http://gihyo.jp/admin/serial/01/charcode/0001
(6) [Not to be ignored] IE ignoring Content-Type http://www.atmarkit.co.jp/ait/articles/0903/30/news118.html
(7) Vue.js: Copyright (c) 2013-present, Yuxi (Evan) You, released under the MIT license https://raw.githubusercontent.com/vuejs/vue/dev/LICENSE