際際滷

際際滷Share a Scribd company logo

Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection

Download as ppt, pdf
takesako
takesako

http://wafful.org/

1 of 29
Downloaded 78 times
Aイメ`ジファイト Shibuya.pm #8 サイボウズ?ラボ幄塀氏芙 幢独 措 id:TAKESAKO
はじめに
Internet Explorer のセキュリティO協 デフォルトが仝嗤燭砲垢襦垢里泙
?
IE でのg佩Y惚
orz
mod_imagefight イメ`ジファイト
イメ`ジファイトとは Apache 2 OutputFilter o蕎晒 Web Server 好張芥`ドが 根まれている かもしれない mod_imagefight Safe Image internet XSS Image
mod_imagefight の聞喘隈 α 井 httpd.conf ╂ LoadModule imagefight_module modules/mod_imagefight.so <Location />      # AddOutputFilter   ImageFight   .png .bmp .gif .jpg   AddOutputFilterByType ImageFight image/gif image/jpeg </Location> 徨、 Content-Type による Filter m喘
mod_imagefight をインスト`ルした Web サ`バから PNG 鮫颪鰌iみzんだとき啜弔忙颪きQえ イメ`ジファイト嘛鮫中 IE + Fiddler
IE コンテンツ徭單eによる XSS 契峭    Anti-XSS コ`ドの徭携襭 Apache
Why? イメ`ジファイト
ブラウザ の バグ碧 Web アプリ箸 ad-hoc に 鬉垢襪里話羌垢世茲
?
A イメ`ジファイト
ブラウザ の バグ碧 を旋喘して、 ブラウザ登協できる
JavaScript/CSS を聞わない ブラウザ登e
HTML 2.0
融隼ですが、HTML 2.0 Quiz のrgです。 <img src= /slideshow/shibuyapm8/122778/&quot; 1.gif /slideshow/shibuyapm8/122778/&quot; src= /slideshow/shibuyapm8/122778/&quot; 2.gif/slideshow/shibuyapm8/122778/&quot;> 燕幣される鮫颪錬 (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) ブラウザによってなる Answers. ‐}/
融隼ですが、HTML 2.0 Quiz のrgです。 <img src= /slideshow/shibuyapm8/122778/&quot; 1.gif /slideshow/shibuyapm8/122778/&quot; src= /slideshow/shibuyapm8/122778/&quot; 2.gif/slideshow/shibuyapm8/122778/&quot;> 燕幣される鮫颪錬 (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) ブラウザによってなる Answers. ‐}/
‐}2/ <img /src = /slideshow/shibuyapm8/122778/^1.gif ̄ src(\x00) = ^2.gif ̄ src(\x0c) = ^3.gif ̄ src = ^4.gif ̄ /> (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) 3.gif が燕幣される (4) 4.gif が燕幣される Answers. ☆ ブラウザによってなる
鮄知別
print<<EOF; <img /src \x00 =/slideshow/shibuyapm8/122778/&quot;ie.gif/slideshow/shibuyapm8/122778/&quot; /''src \x00 =/slideshow/shibuyapm8/122778/&quot;firefox1_5.gif/slideshow/shibuyapm8/122778/&quot; /''src=/slideshow/shibuyapm8/122778/&quot;firefox2_0.gif/slideshow/shibuyapm8/122778/&quot; //slideshow/shibuyapm8/122778/&quot;/slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;gecko_others.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;s \x00 rc=/slideshow/shibuyapm8/122778/&quot;safari2.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;safari3.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;/slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;konqueror.gif/slideshow/shibuyapm8/122778/&quot; src \x00 =/slideshow/shibuyapm8/122778/&quot;w3m.gif/slideshow/shibuyapm8/122778/&quot; src \x0c =/slideshow/shibuyapm8/122778/&quot;opera.gif/slideshow/shibuyapm8/122778/&quot; src=/slideshow/shibuyapm8/122778/&quot;others.gif/slideshow/shibuyapm8/122778/&quot; src=/slideshow/shibuyapm8/122778/&quot;lynx.gif/slideshow/shibuyapm8/122778/&quot; /> EOF
http://wafful.org Demo
?
Konqueror や Safari2 の登協もできるよ
參貧 Aきは Web で
    _  ”    (  ??? ) 瘧     (   ?瘧     |     |    し {J わっふる ! わっふる ! wafful.org
Debugging Browser-detection on papers ご賠ありがとうございました
Ad

Recommended

畏デブサミ2012液箸龍とg吩の巌樋來k需
畏デブサミ2012液箸龍とg吩の巌樋來k需畏デブサミ2012液箸龍とg吩の巌樋來k需
畏デブサミ2012液箸龍とg吩の巌樋來k需
Yosuke HASEGAWA
?
HTML2.0 - digg - OSC2007-fall
HTML2.0 - digg - OSC2007-fallHTML2.0 - digg - OSC2007-fall
HTML2.0 - digg - OSC2007-fall
takesako
?
?逮河顎艶姻霞をおぼえよう,修裡
?逮河顎艶姻霞をおぼえよう,修裡?逮河顎艶姻霞をおぼえよう,修裡
?逮河顎艶姻霞をおぼえよう,修裡
Nishida Kansuke
?
TFセミナ` マイクロソフトu瞳で恬る Web インフラ 児云
TFセミナ` マイクロソフトu瞳で恬る Web インフラ 児云TFセミナ` マイクロソフトu瞳で恬る Web インフラ 児云
TFセミナ` マイクロソフトu瞳で恬る Web インフラ 児云
hirookun
?
ある蕕い亮拝笋ら冥る永堰永のと蕕Ε灰
ある蕕い亮拝笋ら冥る永堰永のと蕕Ε灰ある蕕い亮拝笋ら冥る永堰永のと蕕Ε灰
ある蕕い亮拝笋ら冥る永堰永のと蕕Ε灰
FAL_A
?
SECCON CTF セキュリティ室氏コンテスト_岸について
SECCON CTF セキュリティ室氏コンテスト_岸についてSECCON CTF セキュリティ室氏コンテスト_岸について
SECCON CTF セキュリティ室氏コンテスト_岸について
takesako
?
Acme minechan
Acme minechanAcme minechan
Acme minechan
takesako
?
Acme::MineChan LT demo
Acme::MineChan LT demoAcme::MineChan LT demo
Acme::MineChan LT demo
takesako
?
Node.js - JavaScript Thread Programming
Node.js - JavaScript Thread ProgrammingNode.js - JavaScript Thread Programming
Node.js - JavaScript Thread Programming
takesako
?
Node.js - sleep sort algorithm
Node.js - sleep sort algorithmNode.js - sleep sort algorithm
Node.js - sleep sort algorithm
takesako
?
x86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTx86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNT
takesako
?
壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator
takesako
?
屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯
takesako
?
Perl6 Regex Programming with Rakudo
Perl6 Regex Programming with RakudoPerl6 Regex Programming with Rakudo
Perl6 Regex Programming with Rakudo
takesako
?
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
takesako
?
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
takesako
?
Perl x86 JIT Programming
Perl x86 JIT ProgrammingPerl x86 JIT Programming
Perl x86 JIT Programming
takesako
?
YAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing CeremonyYAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing Ceremony
takesako
?
HTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a PloyglotHTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a Ployglot
takesako
?
Devsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 TokyoDevsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 Tokyo
takesako
?
GIF89a Oldtype
GIF89a OldtypeGIF89a Oldtype
GIF89a Oldtype
takesako
?
Shibuyajs Digest
Shibuyajs DigestShibuyajs Digest
Shibuyajs Digest
takesako
?
Shibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnectShibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnect
takesako
?
Ad

More Related Content

More from takesako (15)

Node.js - JavaScript Thread Programming
Node.js - JavaScript Thread ProgrammingNode.js - JavaScript Thread Programming
Node.js - JavaScript Thread Programming
takesako
?
Node.js - sleep sort algorithm
Node.js - sleep sort algorithmNode.js - sleep sort algorithm
Node.js - sleep sort algorithm
takesako
?
x86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTx86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNT
takesako
?
壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator
takesako
?
屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯
takesako
?
Perl6 Regex Programming with Rakudo
Perl6 Regex Programming with RakudoPerl6 Regex Programming with Rakudo
Perl6 Regex Programming with Rakudo
takesako
?
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
takesako
?
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
takesako
?
Perl x86 JIT Programming
Perl x86 JIT ProgrammingPerl x86 JIT Programming
Perl x86 JIT Programming
takesako
?
YAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing CeremonyYAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing Ceremony
takesako
?
HTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a PloyglotHTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a Ployglot
takesako
?
Devsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 TokyoDevsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 Tokyo
takesako
?
GIF89a Oldtype
GIF89a OldtypeGIF89a Oldtype
GIF89a Oldtype
takesako
?
Shibuyajs Digest
Shibuyajs DigestShibuyajs Digest
Shibuyajs Digest
takesako
?
Shibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnectShibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnect
takesako
?
Node.js - JavaScript Thread Programming
Node.js - JavaScript Thread ProgrammingNode.js - JavaScript Thread Programming
Node.js - JavaScript Thread Programming
takesako
?
Node.js - sleep sort algorithm
Node.js - sleep sort algorithmNode.js - sleep sort algorithm
Node.js - sleep sort algorithm
takesako
?
x86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNTx86x64 SSE4.2 POPCNT
x86x64 SSE4.2 POPCNT
takesako
?
壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator壅「議 屎ア蹶FJSON Validator
壅「議 屎ア蹶FJSON Validator
takesako
?
屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯屎号燕岌\もう匯つのバベルの満\直翫再匯
屎号燕岌\もう匯つのバベルの満\直翫再匯
takesako
?
Perl6 Regex Programming with Rakudo
Perl6 Regex Programming with RakudoPerl6 Regex Programming with Rakudo
Perl6 Regex Programming with Rakudo
takesako
?
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to usThat Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
That Goes Without Alpha-Num (or Does It ?) all your base10 are belong to us
takesako
?
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
Devsumi2010 Ecmascript5 (ISO/IEC JTC1/SC22)
takesako
?
Perl x86 JIT Programming
Perl x86 JIT ProgrammingPerl x86 JIT Programming
Perl x86 JIT Programming
takesako
?
YAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing CeremonyYAPC::Asia 2008 Closing Ceremony
YAPC::Asia 2008 Closing Ceremony
takesako
?
HTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a PloyglotHTML Binary Hacks & GIF89a Ployglot
HTML Binary Hacks & GIF89a Ployglot
takesako
?
Devsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 TokyoDevsumi2008 - YAPC::Asia 2008 Tokyo
Devsumi2008 - YAPC::Asia 2008 Tokyo
takesako
?
GIF89a Oldtype
GIF89a OldtypeGIF89a Oldtype
GIF89a Oldtype
takesako
?
Shibuyajs Digest
Shibuyajs DigestShibuyajs Digest
Shibuyajs Digest
takesako
?
Shibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnectShibuyajs24 JavaScript.GIF x LiveConnect
Shibuyajs24 JavaScript.GIF x LiveConnect
takesako
?

Shibuya.pm#8 - ImageFight - HTML 2.0 New Browser Detection

  • 1. Aイメ`ジファイト Shibuya.pm #8 サイボウズ?ラボ幄塀氏芙 幢独 措 id:TAKESAKO
  • 3. Internet Explorer のセキュリティO協 デフォルトが仝嗤燭砲垢襦垢里泙
  • 4. ?
  • 6. orz
  • 8. イメ`ジファイトとは Apache 2 OutputFilter o蕎晒 Web Server 好張芥`ドが 根まれている かもしれない mod_imagefight Safe Image internet XSS Image
  • 9. mod_imagefight の聞喘隈 α 井 httpd.conf ╂ LoadModule imagefight_module modules/mod_imagefight.so <Location />      # AddOutputFilter   ImageFight   .png .bmp .gif .jpg   AddOutputFilterByType ImageFight image/gif image/jpeg </Location> 徨、 Content-Type による Filter m喘
  • 10. mod_imagefight をインスト`ルした Web サ`バから PNG 鮫颪鰌iみzんだとき啜弔忙颪きQえ イメ`ジファイト嘛鮫中 IE + Fiddler
  • 11. IE コンテンツ徭單eによる XSS 契峭    Anti-XSS コ`ドの徭携襭 Apache
  • 13. ブラウザ の バグ碧 Web アプリ箸 ad-hoc に 鬉垢襪里話羌垢世茲
  • 14. ?
  • 16. ブラウザ の バグ碧 を旋喘して、 ブラウザ登協できる
  • 19. 融隼ですが、HTML 2.0 Quiz のrgです。 <img src= /slideshow/shibuyapm8/122778/&quot; 1.gif /slideshow/shibuyapm8/122778/&quot; src= /slideshow/shibuyapm8/122778/&quot; 2.gif/slideshow/shibuyapm8/122778/&quot;> 燕幣される鮫颪錬 (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) ブラウザによってなる Answers. ‐}/
  • 20. 融隼ですが、HTML 2.0 Quiz のrgです。 <img src= /slideshow/shibuyapm8/122778/&quot; 1.gif /slideshow/shibuyapm8/122778/&quot; src= /slideshow/shibuyapm8/122778/&quot; 2.gif/slideshow/shibuyapm8/122778/&quot;> 燕幣される鮫颪錬 (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) ブラウザによってなる Answers. ‐}/
  • 21. ‐}2/ <img /src = /slideshow/shibuyapm8/122778/^1.gif ̄ src(\x00) = ^2.gif ̄ src(\x0c) = ^3.gif ̄ src = ^4.gif ̄ /> (1) 1.gif が燕幣される (2) 2.gif が燕幣される (3) 3.gif が燕幣される (4) 4.gif が燕幣される Answers. ☆ ブラウザによってなる
  • 23. print<<EOF; <img /src \x00 =/slideshow/shibuyapm8/122778/&quot;ie.gif/slideshow/shibuyapm8/122778/&quot; /''src \x00 =/slideshow/shibuyapm8/122778/&quot;firefox1_5.gif/slideshow/shibuyapm8/122778/&quot; /''src=/slideshow/shibuyapm8/122778/&quot;firefox2_0.gif/slideshow/shibuyapm8/122778/&quot; //slideshow/shibuyapm8/122778/&quot;/slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;gecko_others.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;s \x00 rc=/slideshow/shibuyapm8/122778/&quot;safari2.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;safari3.gif/slideshow/shibuyapm8/122778/&quot; /slideshow/shibuyapm8/122778/&quot;/slideshow/shibuyapm8/122778/&quot;src=/slideshow/shibuyapm8/122778/&quot;konqueror.gif/slideshow/shibuyapm8/122778/&quot; src \x00 =/slideshow/shibuyapm8/122778/&quot;w3m.gif/slideshow/shibuyapm8/122778/&quot; src \x0c =/slideshow/shibuyapm8/122778/&quot;opera.gif/slideshow/shibuyapm8/122778/&quot; src=/slideshow/shibuyapm8/122778/&quot;others.gif/slideshow/shibuyapm8/122778/&quot; src=/slideshow/shibuyapm8/122778/&quot;lynx.gif/slideshow/shibuyapm8/122778/&quot; /> EOF
  • 25. ?
  • 26. Konqueror や Safari2 の登協もできるよ
  • 28.     _  ”    (  ??? ) 瘧     (   ?瘧     |     |    し {J わっふる ! わっふる ! wafful.org
  • 29. Debugging Browser-detection on papers ご賠ありがとうございました
About
? 2025 際際滷