Upgrade to Pro — share decks privately, control downloads, hide ads and more …

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Avatar for Masato Kinugawa Masato Kinugawa
March 29, 2016
Technology
14
28k

明日から使える?! PATHでXSSする技術/ Shibuya.XSS techtalk #7

Shibuya.XSS techtalk #7 の資料です。
Avatar for Masato Kinugawa

Masato Kinugawa

March 29, 2016
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
730
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
3.8k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.3k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
20k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
22k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
99k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
Avatar for Masato Kinugawa masatokinugawa
9
26k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
Avatar for Masato Kinugawa masatokinugawa
18
12k

Other Decks in Technology

See All in Technology
MobileActOsaka_250704.pdf
Avatar for AKAI Tadaaki akaitadaaki
0
110
ビズリーチが挑む メトリクスを活用した技術的負債の解消 / dev-productivity-con2025
Avatar for Visional Engineering & Design visional_engineering_and_design
3
6.8k
B2C&B2B&社内向けサービスを抱える開発組織におけるサービス価値を最大化するイニシアチブ管理
Avatar for Belong inc. belongadmin
1
6.2k
AI時代の開発生産性を加速させるアーキテクチャ設計
Avatar for PLAID Tech plaidtech
PRO
3
120
自律的なスケーリング手法FASTにおけるVPoEとしてのアカウンタビリティ / dev-productivity-con-2025
Avatar for Yoshiki Iida yoshikiiida
1
15k
PO初心者が考えた ”POらしさ”
Avatar for (Ha)rady nb_rady
0
190
怖くない!はじめてのClaude Code
Avatar for Shinya Masadome(東京AI祭) shinya337
0
380
整頓のジレンマとの戦い〜Tidy First?で振り返る事業とキャリアの歩み〜/Fighting the tidiness dilemma〜Business and Career Milestones Reflected on in Tidy First?〜
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
2
15k
タイミーのデータモデリング事例と今後のチャレンジ
Avatar for Toshiki Tsuchikawa ttccddtoki
6
2.3k
20250707-AI活用の個人差を埋めるチームづくり
Avatar for shnjtk shnjtk
4
3.6k
敢えて生成AIを使わないマネジメント業務
Avatar for Kazuki Maeda kzkmaeda
2
390
生成AI時代 文字コードを学ぶ意義を見出せるか?
Avatar for hiroshi ueda hrsued
1
810

Featured

See All Featured
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Code Review Best Practice
Avatar for Trisha Gee trishagee
69
18k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
10
950
Intergalactic Javascript Robots from Outer Space
Avatar for Vicent Martí tanoku
271
27k
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
730
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
130
19k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Adopting Sorbet at Scale
Avatar for Ufuk Kayserilioglu ufuk
77
9.4k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
42
7.6k
ReactJS: Keep Simple. Everything can be a component!
Avatar for Pedro Nauck pedronauck
667
120k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
90
590k
GraphQLとの向き合い方2022年版
Avatar for Yosuke Kurami quramy
49
14k

Transcript

  1. None
  2. None
  3. None
  4. None
  5. None

  6. https://host/tags/aaa/ ... </head> <body> <form> <input type="text" value="aaa"> ...

  7. ... </head> <meta property="og:url" content="https://host/path/index"> <body> ... https://host/path/index?p=1

  8. ... </head> <meta property="og:url" content="https://host/path/index;aaa"> <body> ... https://host/path/index;aaa?p=1

  9. None

  10. http://php.net/index.php http://php.net/index.php/xxx/yyy/zzz

  11. http://shibuyaxss.connpass.com/event/28232/ http://shibuyaxss.connpass.com/event/28232/;abc

  12. None

  13. SCRIPT_URL /test.php/<b>PATH</b> SCRIPT_URI http://localhost/test.php/<b>PATH</b> PATH_INFO /<b>PATH</b> PATH_TRANSLATED \<b>PATH<\b> PHP_SELF /test.php/<b>PATH</b>

  14. GET /path?query HTTP/1.1 http://php.net/manual/ja/reserved.variables.server.php

  15. /test.php/<b>PATH</b>?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?%3Cb%3EQUERY% 3C/b%3E HTTP/1.1 QUERY_STRING %3Cb%3EQUERY%3C/b%3E REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E? %3Cb%3EQUERY%3C/b%3E

    http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  16. /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> GET /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> HTTP/1.1 QUERY_STRING <b>QUERY</b> REQUEST_URI /test.php/%3Cb%3EPATH%3C/b%3E?<b>QUERY</b> http://localhost/test.php/<b>PATH</b>?<b>QUERY</b>

  17. http://localhost/test.php/<b>PATH</b> GET /test.php/<b>PATH</b> HTTP/1.1

  18. /test.php/%3Cb%3EPATH%3C/b%3E GET /test.php/<b>PATH</b> HTTP/1.1 REQUEST_URI /test.php/<b>PATH</b> location.pathname /test.php/%3Cb%3EPATH%3C/b%3E http://localhost/test.php/<b>PATH</b>

  19. None
  20. None
  21. None
  22. None
  23. None
  24. None
  25. None
  26. None
  27. None
  28. None
  29. None
  30. None
  31. None
  32. None
  33. None

  34. HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 X-UA-Compatible: IE=9 <head> <meta

    http-equiv="X-UA-Compatible" content="IE=9"> </head>

  35. <svg> <circle cx="100" cy="100" r="50" fill="red"/> </svg>

  36. ifr=document.createElement('<iframe onload=alert(1)>'); document.body.appendChild(ifr); InvalidCharacterError

  37. <meta http-equiv="X-UA-Compatible" content="IE=9"> <script> console.log(document.documentMode) /* 9 */ </script> <iframe

    src=//victim/></iframe> http://blogs.msdn.com/cfs-filesystemfile.ashx/__key/communityserver-blogs-components- weblogfiles/00-00-01-35-07/3073.IE_5F00_chart_5F00_jp.pdf

  38. <meta http-equiv="X-UA-Compatible" content="IE=9"> <embed src="http://shibuya.vulnerabledoma.in/javascript:alert(1)/% 2F..%2F..%2Fjizen2#hash"></embed>

  39. <script src="//ajax.googleapis.com/ajax/libs/jquerymobile/1.4.5/jquery.mobile.min.js"> </script>

  40. None
  41. None
  42. None
  43. None
  44. None
  45. None
  46. None
  47. None
  48. None
  49. None
  50. None
  51. None
  52. None