Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
CodeBlue2014 -JP- libinjection-from sqli to xss
Search
Nick Galbreath
February 16, 2014
Programming
2.8k
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
CodeBlue2014 -JP- libinjection-from sqli to xss
Nick Galbreath
February 16, 2014
More Decks by Nick Galbreath
See All by Nick Galbreath
signalsciences2014.pdf
ngalbreath
0
56
Positive Outcomes from Zero Days
ngalbreath
0
390
Summary of Swiss Cyber Storm 2016
ngalbreath
0
350
Resilient Software Engineering
ngalbreath
0
580
Web App Security in an Agile World
ngalbreath
0
180
Rugged Software Engineering 2015-10-22
ngalbreath
1
95
BYOD DevOpsDays 2015
ngalbreath
0
490
Secure Application Development with Golang
ngalbreath
1
720
Bringing Your Own Dependencies
ngalbreath
0
200
Other Decks in Programming
See All in Programming
【やさしく解説 設計編 #0】DDDのコード、読めるのに分からない人へ
panda728
PRO
1
230
過去最大のMCPアップデート! 2026-07-28 RC版の謎に迫る
licux
6
460
act1-costs.pdf
sumedhbala
0
170
Go1.27で導入されるジェネリクスメソッドでできること
mackee
0
250
Mujeres en SEO Summit 2026 - Greatest Disaster Hits en Web Performance
guaca
0
240
例外の正しい扱い方 そのエラー try-catchして大丈夫?
jinwatanabe
0
340
SREの積み重ねがAI駆動開発のガードレールになった ― 7つの実践/SRE Guardrails The 7
tomoyakitaura
7
2.9k
エージェンティックRAGにAWSで入門しよう!
har1101
9
1.9k
LaravelLive Japan の裏方のすべて — 第188回 PHP勉強会@東京 (2026-06-24)
suguruooki
2
150
TAKTでAI駆動開発の品質を設計する
j5ik2o
7
1.7k
ランチタイムLT会3周年!ランチタイムLT会を3年間続けられたお話
y0hgi
1
130
どこまでゆるくて許されるのか
tk3fftk
0
430
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
HTML-Aware ERB: The Path to Reactive Rendering @ RubyCon 2026, Rimini, Italy
marcoroth
2
310
Git: the NoSQL Database
bkeepers
PRO
432
67k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
201
75k
The untapped power of vector embeddings
frankvandijk
2
1.8k
YesSQL, Process and Tooling at Scale
rocio
174
15k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
55
3.4k
Rails Girls Zürich Keynote
gr2m
96
14k
Fireside Chat
paigeccino
42
4k
The Curse of the Amulet
leimatthew05
2
13k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
380
Transcript
libinjection SQLi͔ΒXSS·Ͱ Nick Galbreath @ngalbreath! Signal Sciences Corp!
[email protected]
Code
Blue ∙ ౦ژ ∙ 2014-02-18 ϦϒΠϯδΣΫγϣϯ
This is also in English! ຊޠͪ͜Βˣ https://speakerdeck.com/ngalbreath/ codeblue2014-en-libinjection-from-sqli-to-xss https://speakerdeck.com/ngalbreath/ codeblue2014-jp-libinjection-from-sqli-to-xss
χοΫɾΨϧϒϨε Nick Galbreath @ngalbreath • ϑΝϯμʔ/CTO of Signal Sciences Corp
• લ৬: IponWeb (Ϟείϫ, ౦ژ) • ͦͷલ: Etsy.com (χϡʔϤʔΫࢢ)
ʮlibinjectionʯͱʁ • SQLi߈ܸΛݕग़͢ΔͨΊͷখ͞ͳϥΠϒϥϦʔ • Cݴޠ • PythonɺluaɺphpͷAPI • Black Hat
USA 2012Ͱॳొ • ΦʔϓϯιʔεͱBSDϥΠηϯε • https://github.com/client9/libinjection
ͳΜͰlibinjectionͳͷ? • طଘͷݕग़ͷ΄ͱΜͲ͕ਖ਼نදݱͰߦΘΕΔ • Ϣχοτςετ͕ͳ͍ • ύϑΥʔϚϯεʢʣςετ͕ͳ͍ • ιʔείʔυͷΧόʔྖҬςετ͕ͳ͍ •
ਖ਼֬ੑͷςετ͕ͳ͍ • ޡݕग़ͷςετ͕ͳ͍
libinjection SQLiͷݱࡏ • Version 3.9.1 • 8000 SQLi ಛ •
400+ Ϣχοτςετ • 85,000+ SQLi αϯϓϧ
ݱࡏͷΘΕํ • mod_security WAF http://www.modsecurity.org/ • ironbee WAF https://www.ironbee.com/ •
glastopf honeypot http://glastopf.org/ • ϓϥΠϕʔτͳWAFs • ͞·͟·ͳاۀͰ • αʔυύʔςΟͷJava࣮ https://github.com/Kanatoko/libinjection-Java • αʔυύʔςΟͷ.NET࣮ https://github.com/kochetkov/ Libinjection.NetLibinjection.Net
XSS
SQLiͱͷྨࣅੑ • ඪ४తͳϥΠϒϥϦʔ͕ͳ͍ • ͋Δͱͯ͠ݶΒΕͨςετ͔͠ଘࡏ͠ͳ͍ • ਖ਼نදݱʹج͍ͮͨݕग़ • ͬͱྑ͘Ͱ͖ͳ͍͔ʁ
2छྨͷXSS • HTML ΠϯδΣΫγϣϯ߈ܸ • Javascript ΠϯδΣΫγϣϯ߈ܸ
XSS Javascript ΠϯδΣΫγϣϯ • DOMελΠϧͷ߈ܸ • طଘͷjavascriptίʔυͷ߈ܸ • ຊͷݕग़ΫϥΠΞϯτͰ͔͠Ͱ͖ͳ͍
• ͔ͳΓͷ
HTML ΠϯδΣΫγϣϯ • HTML ΠϯδΣΫγϣϯͱɺHTMLͷτʔΫϯԽ ΞϧΰϦζϜʹର͢Δ߈ܸ (text “<b>foo</b>” to
tags <b>, foo, </b>) • HTMLͷίϯςΩετΛjavascriptʹมߋ͠ɺ৽͍͠ javascriptΛՃ͢Δ͜ͱ͕త • ͜ΕΒͷ߈ܸݕग़Ͱ͖Δ͖
HTML ΠϯδΣΫγϣϯ αϯϓϧ <b>XSS</b> (HTML) <foo XSS> (tag attribute name)
<foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)
HTML τʔΫϯԽΣϒϒϥβ • ͜Ε·Ͱɺͯ͢ͷϒϥβʔHTMLΛҟͳΔํ๏Ͱ τʔΫϯԽ͍ͯͨ͠ • յΕͨHTMLλάɺఆ֎ͷจࣈΤϯίʔυΛͬͨ ͋ΒΏΔ߈ܸ͕ൃੜͯ͠͠·͍ͬͯͨ • ݱࡏͰɺ΄΅ͯ͢ͷϒϥβʔ͕HTML5Ͱنఆ͞
ΕͨΞϧΰϦζϜΛ༻͍ͯ͠Δ • HTML5ͷΞϧΰϦζϜͱͯਖ਼֬
ͯ͢ͷεςοϓ http://www.w3.org/html/wg/drafts/html/CR/syntax.html#tokenization
εςοϓ͕͔ͳΓ໌֬
σεΫτοϓϒϥβͷ60ˋҎ্ɺ HTML5Ͱ͋Δ http://tnw.co/1cqFueo IE 9 9% IE 10 11% IE
11 10% Firefox 14% Chrome 13% Safari 5% ------------ HTML5 62%
ϞόΠϧϒϥβͷ90ˋ͕ HTML5Ͱ͋Δ http://bit.ly/JQSZxb
Γ͕ɺIE6ɺIE7ɺIE8 • IE6 ͕ফ͑Δͷ࣌ؒͷ • IE7 ͷࢢγΣΞͨͬͨ2% • IE8 ͷࢢγΣΞ20%
• ΄ͱΜͲ͕Windows XP • ͜ΕΒͷࢢγΣΞ͕͜ΕҎ্૿͑Δ͜ͱͳ͍
libinjection XSS
HTML̑Σϒϒϥβ ʹ͓͚ΔHTML ΠϯδΣΫ γϣϯ߈ܸ • No: XML / XSLT ΠϯδΣΫγϣϯ
• No: IE6ɺIE7ɺOpera • FFɺChromeͷݹ͍όʔδϣϯ • No: DOMελΠϧͷ߈ܸ
libinjection HTML5 • શͳHTML5τʔΫϯԽ • πϦʔDOMΛߏங͠ͳ͍ • ͍͔ͳΔσʔλίϐʔ͠ͳ͍
τʔΫϯԽͷαϯϓϧ TAG_NAME_OPEN img ATTR_NAME src ATTR_VALUE junk ATTR_NAME onerror ATTR_VALUE
alert(1); TAG_NAME_CLOSE > <img src=“junk” onerror=alert(1);>
ҟͳΔHTMLίϯςΩετͰ νΣοΫ ֤Πϯϓοτɺ6ͭͷҟͳΔHTMLίϯςΩετͰνΣοΫ͞Ε Δɻ <b>XSS</b> (raw HTML) <foo XSS> (tag
attribute name) <foo name=XSS> (tag attribute value) <foo name='XSS'> (Ҿ༻ූͷத) <foo name="XSS"> (Ҿ༻ූͷத) <foo name=`XSS`> (IEͷΈ!)
ͷ͋ΔτʔΫϯΛআ֎ • ͷ͋ΔλάɺΞτϦϏϡʔτɺόϦϡʔ͕আ֎͞ ΕΔɻ • λάɿ<script>ɺXML·ͨSVGʹؔ࿈͢Δͯ͢ • ΞτϦϏϡʔτͷ໊લ: on*ͳͲ •
ΞτϦϏϡʔτͷόϦϡʔɿjavascriptͷURL • ͳͲͳͲ
τϨʔχϯάσʔλ
XSS Cheat Sheets • ΄ͱΜͲ͕࣌ޮ(Firefox 3! ) • ݹ͍߈ܸ͕আڈ͞ΕΔ
HTML5SEC.org • ૉΒ͍͠ใࢿݯ • Ұ෦ݹ͍߈ܸͳͲ࠷৽Ͱͳ͍ͷ
@soaj1664ashar • ৽͍͠߈ܸΛఆظతʹ։ൃͯ͠Δ • XSS͕͖ͳΒɺ൴ΛϑΥϩʔ͠Α͏ • http://bit.ly/1bwXTgn • http://pastebin.com/u6FY1xDA •
http://bit.ly/1iXODkW
߈ܸ /εΩϟφʔ • XSSεΩϟφʔͷΞτϓοτΛ׆༻ • Shazzer fuzzͷσʔλϕʔε http://shazzer.co.uk/ (ModSecurityνʔϜͷ͓͔͛)
ݱࡏͷঢ়گ
طʹ׆༻Ͱ͖·͢ • github https://github.com/client9/libinjection • ΣϒαΠτ https://libinjection.client9.com/ • ·ͩΞϧϑΝஈ֊
$ make test-xss ./reader -t -i -x -m 10 ../data/xss*
../data/xss-html5secorg.txt 149 False test 62_1 <x '="foo"><x foo='><img src=x onerror=alert(1)//'> ../data/xss-html5secorg.txt 151 False test 62_2 <! '="foo"><x foo='><img src=x onerror=alert(2)//'> ../data/xss-html5secorg.txt 153 False test 62_3 <? '="foo"><x foo='><img src=x onerror=alert(3)//'> ../data/xss-html5secorg.txt 352 False test 102 <img src="x` `<script>alert(1)</script>"` `> ../data/xss-soaj1664ashar-pastebin-u6FY1xDA.txt 96 False 92) <--`<img/src=` onerror=alert(1)> --!> ../data/xss-soaj1664ashar.txt 21 False <form/action=ja	vascr	ipt:confirm(document.cookie)> <button/type=submit> ../data/xss-xenotix.txt 17 False "'`><?img src=xxx:x onerror=javascript:alert(1)> ../data/xss-xenotix.txt 19 False '`"><?script>javascript:alert(1)</script> ../data/xss-xenotix.txt 610 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 613 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ../data/xss-xenotix.txt 615 False `"'><img src=xxx:x ?onerror=javascript:alert(1)> ! XSS : 1628 SAFE : 11 TOTAL : 1639 ! Threshold is 10, got 11, failing. 1639݅ͷ૯αϯϓϧ 1628͕݅ਖ਼͍͠XSSݕग़ 11݅ͷݕग़࿙Ε
IEɿҾ༻ූʹؔ͢Δ • IE 8ɺӳޠͰ͍͏ͱ͜Ζͷ‘unbalanced quotes’ ʢҾ༻ූ͕ਖ਼͘͠ด͍ͯ͡ͳ͍ͳͲʣʹର͢Δಈ࡞ ͕͓͔͍͠ • ͜ͷʹؔͯ͠ݱࡏରԠ͕ਐߦத <img
src="x` `<script>alert(1)</script>"` `>
ύϑΥʔϚϯε ݅Ҏ্Λ ඵͰνΣοΫ
2014-02-18ͷTO DO • ·ͩΞϧϑΝஈ֊ — ݱ࣌ͰૉΒ͍͠ϛε͕Ӆ͞Ε͍ͯΔ Մೳੑ͋Δ • ݕग़࿙Εʹؔ͢ΔQAະ •
Ұ෦ͷIEΠϯδΣΫγϣϯʹະରԠ • ࣮ݧͷͨΊͷςετϕου͕ͳ͍ʢࠓिޙʹͰʣ • QAͷॆ࣮ɺίʔυͷΧόϨοδͷڧԽ͕ඞཁ • εΫϦϓτݴޠͷରԠ·ͩʢ͍ۙ͏ͪʣ
[email protected]
͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ