Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSでDoSる/ Shibuya.XSS techtalk #11

Masato Kinugawa
May 16, 2019
Technology
20
6.9k

JSでDoSる/ Shibuya.XSS techtalk #11

Shibuya.XSS techtalk #11 の発表資料です。

Masato Kinugawa

May 16, 2019
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
470
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.6k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.2k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
21k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
98k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
26k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
20k

Other Decks in Technology

See All in Technology
Creating Awesome Change in SmartNews
martin_lover
1
280
AIで進化するソフトウェアテスト:mablの最新生成AI機能でQAを加速!
mfunaki
0
140
Terraform Cloudで始めるおひとりさまOrganizationsのすゝめ
handy
2
180
プロダクト開発におけるAI時代の開発生産性
shnjtk
2
240
Mastraに入門してみた ~AWS CDKを添えて~
tsukuboshi
0
230
Amazon CloudWatch を使って NW 監視を行うには
o11yfes2023
0
160
品質文化を支える小さいクロスファンクショナルなチーム / Cross-functional teams fostering quality culture
toma_sm
0
110
Porting PicoRuby to Another Microcontroller: ESP32
yuuu
4
410
The Tale of Leo: Brave Lion and Curious Little Bug
canalun
1
120
Ops-JAWS_Organizations小ネタ3選.pdf
chunkof
2
170
3月のAWSアップデートを5分間でざっくりと!
kubomasataka
0
120
MCPを活用した検索システムの作り方/How to implement search systems with MCP #catalks
quiver
12
6.5k

Featured

See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
80
8.9k
Visualization
eitanlees
146
16k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
GraphQLとの向き合い方2022年版
quramy
46
14k
Documentation Writing (for coders)
carmenintech
69
4.7k
Docker and Python
trallard
44
3.3k
How to train your dragon (web standard)
notwaldorf
90
6k
Fireside Chat
paigeccino
37
3.4k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.2k
StorybookのUI Testing Handbookを読んだ
zakiyama
29
5.6k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5.3k
Scaling GitHub
holman
459
140k

Transcript

  1. for(;;){ alert(` `); } /* 2019/05/16 Shibuya.XSS techtalk #11*/ /*

    Masato Kinugawa */

  2. • • •

  3. None

  4. • • • • •

  5. • • • •

  6. • • • • • • • • • •

  7. while(1){ alert(` `); }

  8. • •

  10. • • > decodeURIComponent("%E3%81%82"); < " " > decodeURIComponent("%FF"); ‣

    Uncaught URIError: URI malformed
  11. None

  12. • • • > encodeURIComponent(" "); < "%E3%81%82" > encodeURIComponent("\uDC00");

    ‣ Uncaught URIError: URI malformed

  13. https://www.ecma-international.org/ecma-262/9.0/index.html#sec-encode

  14. (function a(){ alert(` `); a(); })()

  15. • • • • / \/ • " \" •

    \ \\ <script> userInput = "AAA\\\";alert(1)\/\/ <\/script>"; displayContents(); </script>

  16. • <script> userInput = "AAA [ ] BBB"; displayContents(); </script>

  17. • <script> userInput = "AAA BBB"; displayContents(); </script>

  18. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  19. • https://www.ecma-international.org/ecma-262/9.0/index.html#table-33

  20. • <script> userInput = "AAA [U+2028] BBB"; displayContents(); </script>

  21. • • • • •

  22. <script> userInput = "<!--<script>"; displayContents(); </script>

  23. • • <script> userInput = "<!--<script>"; </script> <textarea></script> <img src=x

    onerror=alert(1)> </textarea>

  24. • • https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script- elements

  25. • <script> userInput = "<%"; </script> <textarea>%></script><img src=x onerror=alert(1)> </textarea>

    https://html5sec.org/#91 <xmp> <% </xmp> <textarea> %></xmp><img src=x onerror=alert(1)> </textarea>

  26. • • • • •

  27. setInterval(` alert(\` \`) `,1);

  28. • •

  30. • • • userInfo = {"name": 123}// name = userInfo.name.toUpperCase()

    Uncaught TypeError: userInfo.name.toUpperCase is not a function

  31. siteData = {"url":"https:// ...","title":{"toString":null},...}; url = "url: " + siteData.url;

    title = "title: " + siteData.title;

  32. • • • ({toString: function(){alert(1)} })+""; ({valueOf : function(){alert(2)} })+"";

  33. • • • > ({toString:null})+""; ‣ Uncaught TypeError: Cannot convert

    object to primitive value

  34. • • • • •

  35. • > typeof "aaa"; < ‣ "string" > typeof 123;

    < ‣ "number" > typeof true; < ‣ "boolean" > typeof []; < ‣ "object" > typeof {}; < ‣ "object" > typeof null; < ‣ "object"

  36. • • > Array.isArray([]); < ‣ true > Array.isArray({}); <

    ‣ false > null === null < ‣ true

  37. • • > Object.prototype.toString.call("aaa"); < ‣ "[object String]" > Object.prototype.toString.call(123);

    < ‣ "[object Number]" > Object.prototype.toString.call(true); < ‣ "[object Boolean]" > Object.prototype.toString.call([]); < ‣ "[object Array]" > Object.prototype.toString.call({}); < ‣ "[object Object]" > Object.prototype.toString.call(null); < ‣ "[object Null]"

  38. <style>*{ color:expression( alert(" ") )}

  39. • • • <toString>AAA</toString>

  40. • • •

  41. • • function tellMeFruitColor(USER_INPUT){ fruits = { "apple":"red", "lemon":"yellow", "peach":"pink"

    }; if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  42. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "toString: function toString() { [native code] }" > tellMeFruitColor("constructor"); < "constructor: function Object() { [native code] }" > tellMeFruitColor("__proto__"); < "__proto__: [object Object]"
  43. None

  44. • •

  45. https://qiita.com/howdy39/items/35729490b024ca295d6c

  46. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  47. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  48. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  49. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  50. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  51. if(fruits["toString"]){ return "toString" + ": " + fruits["toString"]; }else{ return

    "I don't know that fruit"; }

  52. > ({"toString":function(){return "a"}})+""; < " " > ({"prop":"a"})+""; < "[object

    Object]"

  53. whiteListTags = { "span":funcForSanitizingSpanElem, "div": funcForSanitizingDivElem, "a":" funcForSanitizingAElem, ... }

    // whiteListTags[ ] <toString> whiteListTags["toString"]()

  54. fileIcons = { "txt":"https://example.com/img/icon-txt.gif", "png":"https://example.com/img/icon-png.gif", "jpg":" https://example.com/img/icon-jpg.gif ", ... }

    // fileIcons[ ] dos.constructor fileIcons["constructor"]

  55. • • • •

  56. • • function tellMeFruitColor(USER_INPUT){ fruits = { ... }; -

    if(fruits[USER_INPUT]){ + if(Object.prototype.hasOwnProperty.call(fruits,USER_INPUT)){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  57. > tellMeFruitColor("apple"); < "apple: red" > tellMeFruitColor("lemon"); < "lemon: yellow"

    > tellMeFruitColor("strawberry"); < "I don't know that fruit" > tellMeFruitColor("toString"); < "I don't know that fruit" > tellMeFruitColor("constructor"); < "I don't know that fruit" > tellMeFruitColor("__proto__"); < "I don't know that fruit"

  58. • • fruits["toString"] undefined function tellMeFruitColor(USER_INPUT){ - fruits = {

    ... }; + fruits = Object.create(null); + fruits = Object.assign(fruits,{"apple":"red","lemon": ... }) if(fruits[USER_INPUT]){ return USER_INPUT + ": " + fruits[USER_INPUT]; }else{ return "I don't know that fruit"; } }

  59. • • function tellMeFruitColor(USER_INPUT){ - fruits = { ... };

    + fruits = new Map(["apple","red"], + ["lemon","yellow"], + ["peach","pink"]); - if(fruits[USER_INPUT]){ - return USER_INPUT + ": " + fruits[USER_INPUT]; + if(fruits.get(USER_INPUT)){ + return USER_INPUT + ": " + fruits.get(USER_INPUT); }else{ return "I don't know that fruit"; } }

  60. ({toString: function(){ alert(` `); this+""; } })+"";

  61. • •

  62. • • • USER_INPUT = {"length": 1e10,"constructor":{"name":"Array"}}; if(USER_INPUT.constructor.name === "Array"){

    array = []; for (var i = 0; i < USER_INPUT.length; i++) { array.push(USER_INPUT[i]); } }

  63. ==== JS stack trace ========================================= Security context: 00000099763A5549 <JSObject> 1:

    /* anonymous */ [repl:~1] [pc=000000C1A3E8B9B9](this=00000382794865D9 <JSGlobal Object>) 5: /* anonymous */ [vm.js:65] [bytecode=000002EDD76E8421 offset=87](this=0000021A2A00C731 <ContextifyScript map = 00000203C25E1319>,options=0000021A2A00C709 <Object map = 00000203C25E13C9>) 6: defaultEval [repl.js:244] [bytecode=000002EDD76E7089 offset=445](this=0000021A2A00C7A1 <REPLServer ... FATAL ERROR: CALL_AND_RETRY_LAST Allocation failed - JavaScript heap out of memory 1: node::DecodeWrite 2: node_module_register 3: v8::internal::FatalProcessOutOfMemory 4: v8::internal::FatalProcessOutOfMemory 5: v8::internal::Factory::NewUninitializedFixedArray 6: v8::internal::WasmDebugInfo::SetupForTesting 7: v8::internal::interpreter::BytecodeArrayRandomIterator::UpdateOffsetFromIndex 8: 000000C1A3D043C1

  64. • • •

  66. • • • • •

  67. for(;;){ alert(` `); } /* */