This is the December 14 entry of the Firefox OS Advent Calendar 2013.
Hello, I'm nishimunea. This article introduces the implementation of localStorage in Gecko. Since I am interested in the security field, I'd like to dig into how access control for the stored data is implemented.
It appears that Safari does not enforce any kind of access restrictions for XMLHttpRequests on file: scheme URLs. As a result, any HTML file on the local file system that is opened in Safari can read any file that the user has access to (and, of course, it can upload those files too). Here's a little proof-of-concept. Copy and paste this into a local HTML file and open it in Safari. It will display the contents of /etc/passwd.
```html
<script src=https://code.jquery.com/jquery-2.1.3.min.js></script>
<script>
$.get("file:///etc/passwd", function (data) { document.write("<pre>" + data + "</pre>"); }); // XHR to a file: URL from a file: page, then show the result
</script>
```
```python
#!/usr/bin/env python2
import os
import sys
import time
import subprocess
try:
    from pyvirtualdisplay import Display
except ImportError:
    # pyvirtualdisplay (backed by Xvfb) provides the headless X display this script runs under
    sys.exit("pyvirtualdisplay is required: pip install pyvirtualdisplay")
```
```ruby
#! /usr/bin/env ruby
# Pollenate ONE sync dir from each target into all other
# targets fuzzing the same format. Assumes that work
# dirs are named as by github.com/bnagy/afl-launch.
#
# Each target syncs inside its own directory already
# so copying any of the sync dirs works. It is possible
# that you'll miss some stuff, but it saves N * N-1 sync
#
```
This is the December 20 entry of both the "Firefox OS Advent Calendar 2014" and the "脆弱性"&'<<>\ Advent Calendar 2014" (the Vulnerability Advent Calendar).
I introduce the Firefox OS HTML injection bug (Bug 1101158) that I reported last month. The bug is not yet fixed in some environments, including the Firefox OS Simulator, but after a risk assessment Mozilla granted permission for disclosure just today (!!), so I am publishing it.
Firefox OS v2.1/v2.2 had an HTML injection point in the card view, the screen shown when the device's home button is long-pressed. The card view lists the active windows, but it did not take into account that a window's title could contain HTML tags.
```html
<!DOCTYPE HTML>
<html>
<script>
// Builds test markup from a list of HTML element names (the list is cut off in the source).
function t()
{
var s="\n";
var elements=new Array("a","abbr","acronym","address","applet","area","article","aside","audio","b","base","basefont","bdi","bdo","big","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","command","datalist","dd","del","details","dfn","dir","div","dl","dt","em","embed","fieldset","figcaption","figure","font","footer","form","frame","frameset","h1","h2","h6","head","header","hgroup","hr","html","i","iframe","img","input","ins","kbd","keygen","label","layer","legend","li","link","listing","main","map","mark","marquee","menu","meta","meter","nav","nobr","noembed","noframes","nolayer","noscript","object","ol","optgroup","option","output","p","param","plaintext","pre","progress","q","rp","ruby","rt","s","samp","script","section","select","small","source","span","strike","strong","style","sub","summary","sup","table","tbody","td","textarea","tfoot","th","thead","title","tr","track","tt","u","ul","v
```
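The rendering mistake described above, as an added example in JavaScript that is not Gaia's code: a card-view renderer that splices the window title straight into markup next to one that HTML-escapes it first, plus a small tag scanner that reports which elements an attacker-controlled title smuggles into the card. The function names, the card markup, the allowed-tag list and the sample title are assumptions made for the example.

```javascript
// Added example (not Firefox OS / Gaia code). Models how a window title
// reaches the card-view markup. Names and markup are assumed.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: the app-controlled title is trusted and inserted as markup.
function renderCardVulnerable(title) {
  return `<div class="card"><h1 class="title">${title}</h1></div>`;
}

// Hardened: the title is rendered as text, never as markup.
function renderCardFixed(title) {
  return `<div class="card"><h1 class="title">${escapeHtml(title)}</h1></div>`;
}

// Collects the element names that appear as real tags in the markup,
// so we can check which ones came from the title rather than the card.
function tagNames(html) {
  const names = new Set();
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    names.add(m[1].toLowerCase());
  }
  return [...names];
}

// Elements the card template itself legitimately produces (assumed).
const CARD_TAGS = ["div", "h1"];

// Returns the tags in the rendered card that are not part of the template.
function injectedTags(render, title, allowed = CARD_TAGS) {
  return tagNames(render(title)).filter((n) => !allowed.includes(n)).sort();
}

// Constructed title, of the kind an app can set through document.title.
const ATTACK_TITLE =
  'Weather<img src=x onerror=alert(1)><iframe src="app://settings.gaiamobile.org"></iframe>';

console.log("vulnerable injects:", injectedTags(renderCardVulnerable, ATTACK_TITLE));
console.log("fixed injects:", injectedTags(renderCardFixed, ATTACK_TITLE));
```

On a device the title would be set by the app (`document.title = ...`) and the card view opened with a long press on the home button; the scanner here is only a stand-in for looking at the resulting DOM, and a real fix should set `textContent` on the title node rather than build HTML strings at all.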
```text
Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
```
This is the December 19 entry of the "脆弱性"&'<<>\ Advent Calendar 2015" (the Vulnerability Advent Calendar).
This article covers CVE-2015-6759, which was fixed in Chrome 46. I also presented this vulnerability at AVTOKYO 2015 last month, so some readers may already know it.
The vulnerability combines two special URL schemes, data: and blob:, to make Chrome misjudge the origin of a document, with the result that localStorage data belonging to the file: scheme can be read from a page served over the network. If a user has stored sensitive data such as tokens in file:-scheme localStorage, simply opening a malicious link is enough for that data to be stolen.
The mechanism is somewhat involved, so I will explain it step by step, starting from the properties of data: URLs and blob: URLs. Readers already familiar with these can skip the first half.
Mozilla Firefox supports a feature that allows SVG images to be defined inside an OTF font to represent characters. This is useful if we want, for example, to work with colorful characters, Emoji, animated characters and so on. Firefox is currently the only relevant browser supporting this technology.
The general technology and its advantages are described here:
```ruby
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#
@domain = 'contoso.com'

# True when dig returns at least one answer record for sub.domain.
# sub is interpolated into a shell command line, so feed it only
# wordlist entries that contain no shell metacharacters.
def result?(sub)
  results = %x(dig +noall #{sub}.#{@domain} +answer)
  !results.strip.empty?
end
```