Upgrade to Pro — share decks privately, control downloads, hide ads and more …

hatena-diary-blog-xss

Yasuhiro Onishi
May 14, 2013
Technology
5
1k

 hatena-diary-blog-xss

はてなダイアリーやブログのXSS対策の事例を紹介します

Yasuhiro Onishi

May 14, 2013
Tweet

More Decks by Yasuhiro Onishi

See All by Yasuhiro Onishi
YAPC::Kyoto 2023 Keynote
onishi
3
7.2k
2016 Devsumi Kansai
onishi
3
1.2k
Hatena-Camp
onishi
2
3.8k
Hatena Blog for Engineer
onishi
2
2.9k
Hatena Blog Development Flow
onishi
34
37k
wget.pl
onishi
3
1.3k
Redmine::ChanでIRCからプロジェクト管理
onishi
5
5.1k
The new Text::Hatena
onishi
2
230
oEmbed と Text::Hatena
onishi
1
110

Other Decks in Technology

See All in Technology
カーネルコードの歩き方
sat
PRO
3
2.5k
Turbinando Microsserviços com Distributed Cache
jordihofc
1
300
AI in Action
charmichokshi
0
170
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
2
430
Amazon VPC Lattice を使い始める前におさえておきたいポイント n 選 / Introduction to VPC Lattice
hayaok3
1
880
Semantic KernelでGPTと外部ツールを連携する
takashi1029
1
680
CloudWatchでバレる 「君、仕事中にyo〇tube観てたよね?」
kadogen_0527
0
260
とあるQAエンジニアが、マイクロサービスの開発チームと、出会ったーー / Scrum Fest Niigata 2023
yoyakoba
0
130
ChatGPTをどう使うか?(JJUGナイトセミナー5/23)
shin_higuchi
0
360
トラブルシューティングから Linux カーネルに潜り込む
hiboma
7
1.4k
全世界のユーザー体験の改善にNew Relic Mobileをどのように活用したか/How New Relic Mobile was used to improve the global user experience
isaoshimizu
2
370
高さ比べじゃない、キャリアは歩んできた道
dzeyelid
0
210

Featured

See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
25
5.3k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
197
11k
Happy Clients
brianwarren
90
5.9k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
1.4k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
224
50k
KATA
mclloyd
13
10k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.3k
The Power of CSS Pseudo Elements
geoffreycrofte
54
4.5k
Building Applications with DynamoDB
mza
86
5.1k
The MySQL Ecosystem @ GitHub 2015
samlambert
240
11k
The Cult of Friendly URLs
andyhume
70
5.2k
The Web Native Designer (August 2011)
paulrobertlloyd
78
2.3k

Transcript

  1. μΠΞϦʔͱϒϩάͱ
    944
    גࣜձࣾ͸ͯͳ
    JEPOJTIJ
    !4IJCVZB944JO0TBLB

    View Slide

  2. ࣗݾ঺հ
    wJEPOJTIJେ੢߁༟
    wגࣜձࣾ͸ͯͳ
    wνʔϑΤϯδχΞ
    w͸ͯͳϒϩάσΟϨΫλʔ

    View Slide

  3. ͸ͯͳͱݴ͑͹944

    View Slide

  4. ͸ͯͳφ΢

    View Slide

  5. ͸ͯͳφ΢

    View Slide

  6. ͸ͯͳͱ944
    wਓྗݕࡧ͸ͯͳRIBUFOBOFKQ
    w͸ͯͳΞϯςφBIBUFOBOFKQ
    w͸ͯͳμΠΞϦʔEIBUFOBOFKQ
    w͸ͯͳϒοΫϚʔΫCIBUFOBOFKQ

    View Slide

  7. ͸ͯͳͱ944
    wಉҰυϝΠϯɾಉҰΫοΩʔʹΑΔ
    Ϣʔβʔೝূ
    wΫοΩʔΛୣΘΕͨΒηογϣϯϋ
    ΠδϟοΫ͞ΕಘΔ

    View Slide

  8. ͸ͯͳμΠΞϦʔ
    w೥ϦϦʔεͷϒϩάαʔϏε
    w؅ཧը໘ͱϒϩάը໘͕ಉҰυϝΠϯ
    wϒϩάαʔϏεˠϢʔβʔίϯςϯπ

    View Slide

  9. ͦͷ৔ฤू

    View Slide

  10. ͦͷ৔ฤू

    View Slide

  11. Ϣʔβʔίϯςϯπ
    w޷͖ͳ͜ͱΛॻ͖͍ͨ
    w޷͖ͳσβΠϯʹ͍ͨ͠
    w޷͖ͳϒϩάύʔπΛ࢖͍͍ͨ

    View Slide

  12. Ϣʔβʔརศੑͱ
    ҆શੑͷཱ྆

    View Slide

  13. Ϣʔβʔίϯςϯπ
    w޷͖ͳ͜ͱΛॻ͖͍ͨˠ)5.-944
    w޷͖ͳσβΠϯʹ͍ͨ͠ˠ$44944
    w޷͖ͳϒϩάύʔπΛ࢖͍͍ͨˠººº

    View Slide

  14. )5.-ͷ944ରࡦ
    wར༻Մೳཁૉ
    wར༻Մೳଐੑ
    wελΠϧཁૉ
    wΠϯϥΠϯ$44

    View Slide

  15. ஫ҙ͢΂͖ཁૉ
    wTDSJQU
    wPCKFDU
    wFNCFE
    wJGSBNF
    wTUZMF
    w

    View Slide

  16. ஫ҙ͢΂͖ଐੑ
    wΠϕϯτϋϯυϥ PODMJDL PO

    wKBWBTDSJQUεΩʔϚ͕ॻ͚Δཁૉ
    wISFG TSD DJUF
    wTUZMF
    wޙड़

    View Slide

  17. ͸ͯͳμΠΞϦʔͷ944ରࡦ
    wར༻ՄೳཁૉˠϗϫΠτϦετܗࣜ
    wར༻ՄೳଐੑˠϗϫΠτϦετܗࣜ
    wಛఆͷཁૉɾଐੑˠઐ༻ͷରࡦ
    wεΩʔϜରࡦ
    wελΠϧରࡦ

    View Slide

  18. $44ͷ944ରࡦ
    wFYQSFTTJPOରࡦ
    w!JNQPSUରࡦ

    View Slide

  19. FYQSFTTJPO
    color: expression( error ? 'red' : 'blue');

    View Slide

  20. FYQSFTTJPOίϝϯτ
    expr/* ίϝϯτ */ession

    View Slide

  21. FYQSFTTJPOίʔυϙΠϯτ
    \0065xpression

    View Slide

  22. FYQSFTTJPOશ֯
    ̴̴̸͇̿́͂͂̾̽

    View Slide

  23. FYQSFTTJPO਺஋จࣈ

    View Slide

  24. FYQSFTTJPOҟମ
    expressio\207f
    expressioⁿ
    ˣ

    View Slide

  25. !JNQPSU
    w!JNQPSUઌΛల։͢Δ
    w!JNQPS!JNQP!JNQ!JN!J

    View Slide

  26. ϒϩάύʔπͷ944ରࡦ
    wϗϫΠτϦετܗࣜ
    wIUUQTNFUBDQBOPSHSFMFBTF
    )5.-8JEHFU7BMJEBUPS

    View Slide

  27. ϒϩάύʔπͷ944ରࡦ
    wϒϩάόʔπࣗ਎ʹ੬ऑੑ͕͋Δ
    wυϝΠϯࣦޮˠѱҙΛ࣋ͬͨ+4࣮ߦ

    View Slide

  28. 944ରࡦৄ͘͠͸
    wϔϧϓ͸ͯͳμΠΞϦʔ944ରࡦ
    wIUUQIBUFOBEJBSZHIBUFOBOFKQ
    LFZXPSE͸ͯͳμΠΞϦʔ944ରࡦ

    View Slide

  29. ͸ͯͳͱݴ͑͹944

    View Slide

  30. View Slide

  31. ͸ͯͳϒϩά
    wϦϦʔε
    wIUUQIBUFOBCMPHDPN
    wIBUFOBOFKQ͡Όͳ͍ॳͷຊαʔϏε
    w+4ϑϦʔ

    View Slide

  32. ϔομͷJGSBNFԽ
    iframe blog.hatena.ne.jp
    onishi.hatenablog.com

    View Slide

  33. ͦͷ৔ฤू

    View Slide

  34. ͦͷ৔ฤू

    View Slide

  35. ΫϩευϝΠϯ௨৴

    wXJOEPXQPTU.FTTBHF
    w΢Οϯυ΢ ϑϨʔϜ
    ؒͰϝοηʔδͷ
    ૹड৴Λߦ͏ͨΊͷ࢓૊Έ
    // message Πϕϯτ؂ࢹ
    window.addEventListener(“message”, function() {...},
    false);
    // message ૹ৴
    window.postMessage(data, “targetOrigin”);

    View Slide

  36. ΫϩευϝΠϯ௨৴

    wQPTU.FTTBHFඇରԠϒϥ΢β ݹ͍*&

    wMPDBUJPOIBTIʹΑΔυϝΠϯؒ௨৴
    wϑϨʔϜͷMPDBUJPOIBTIॻ͖׵͑
    wϑϨʔϜ಺͸MPDBUJPOIBTIͷมԽ
    Λ؂ࢹ
    w5$1෩σʔλ௨৴
    w63-௕੍ݶ *&ͰόΠτ
    ʹΑΔύ
    έοτ෼ׂ

    View Slide

  37. ΫϩευϝΠϯ௨৴ͷར༻
    wͦͷ৔ฤू
    wӾཡऀͷฤूݖݶ֬ೝ
    w͸ͯͳελʔ
    wίϝϯτ
    w௨஌
    wϑΟʔυόοΫϑΥʔϜ

    View Slide

  38. αʔυύʔςΟ$PPLJF
    wJGSBNF΍TDSJQUཁૉͰຒΊࠐ·Εͨ
    ֎෦Ϧιʔεʹ$PPLJFΛૹ৴͢Δ͔
    w'JSFGPY͔ΒσϑΥϧτ0''
    wJGSBNFʹΑΔΫϩευϝΠϯ௨৴͕࢖
    ͑ͳ͍

    View Slide

  39. αʔυύʔςΟ$PPLJF0''ରࡦ
    wCMPHIBUFOBOFKQυϝΠϯͷ"1*Ξ
    ΫηεDPPLJFૹ৴͋Δ͔νΣοΫ
    wJGSBNF͔ΒXJOEPXPQFOʹ͢Δ
    wϢʔβʔ৘ใ͕औΕͳ͍ͷͰ୅ସ৘
    ใΛදࣔ͢Δ

    View Slide

  40. JGSBNF

    View Slide

  41. JGSBNF

    View Slide

  42. XJOEPXPQFO

    View Slide

  43. ୅ସϔομ

    View Slide

  44. ΞΫηείϯτϩʔϧ
    wϒϩάͷ͸ϓϥΠϕʔτ
    wೝূͷ࢓૊ΈͷෳࡶԽ
    w֎෦ͷιʔγϟϧάϥϑೝূ
    wηογϣϯϋΠδϟοΫ๷ࢭ
    wϒϩάຖʹผυϝΠϯ
    wผϢʔβʔʹ࿙Εͯ΋ͳΔ΂͘໰୊ͳ͍
    wηογϣϯຖʹ%#ΞΫηε͠ͳ͍

    View Slide

  45. ΞΫηείϯτϩʔϧ

    ॳճΞΫηε࣌ͷΈೝূػ͕ؔ
    %#ΛҾ͘
    UPLFO෇ͰϒϩάʹϦμΠϨΫτ
    ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ
    ΞΫηε࣌ʹ͸DPPLJFͷଥ౰ੑ
    ݕূͷΈ
    ೝূػؔ
    .hatena.ne.jp
    ϒϩά
    anydomain
    Ϣʔβʔ

    View Slide

  46. ΞΫηείϯτϩʔϧ

    ॳճΞΫηε࣌ͷΈೝূػ͕ؔ
    %#ΛҾ͘
    UPLFO෇ͰϒϩάʹϦμΠϨΫτ
    ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ
    ΞΫηε࣌ʹ͸DPPLJFͷଥ౰ੑ
    ݕূͷΈ
    ೝূػؔ
    .hatena.ne.jp
    ϒϩά
    anydomain
    Ϣʔβʔ
    UPLFO

    View Slide

  47. ΞΫηείϯτϩʔϧ

    ॳճΞΫηε࣌ͷΈೝূػ͕ؔ
    %#ΛҾ͘
    UPLFO෇ͰϒϩάʹϦμΠϨΫτ
    ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ
    ΞΫηε࣌ʹ͸DPPLJFͷଥ౰ੑ
    ݕূͷΈ
    ೝূػؔ
    .hatena.ne.jp
    ϒϩά
    anydomain
    Ϣʔβʔ
    DPPLJF

    View Slide

  48. ΞΫηείϯτϩʔϧ

    ॳճΞΫηε࣌ͷΈೝূػ͕ؔ
    %#ΛҾ͘
    UPLFO෇ͰϒϩάʹϦμΠϨΫτ
    ϒϩάຖʹӾཡ༻DPPLJFΛൃߦ
    ΞΫηε࣌ʹ͸DPPLJFͷଥ౰ੑ
    ݕূͷΈ
    ೝূػؔ
    .hatena.ne.jp
    ϒϩά
    anydomain
    Ϣʔβʔ

    View Slide

  49. ΫϦοΫδϟοΩϯάରࡦ
    w9'SBNF0QUJPOT%&/:
    wϑϨʔϜ༻ͷཁૉ͸໌ࣔతʹڐՄ
    wͦͷ৔߹ɺ*/165ཁૉͷมߋΛ؂ࢹ

    View Slide

  50. ΫϦοΫδϟοΩϯάରࡦ

    View Slide

  51. ·ͱΊ
    w͸ͯͳμΠΞϦʔ
    wIBUFOBOFKQυϝΠϯͳͷͰపఈ͠
    ͨϗϫΠτϦετରࡦ
    w͸ͯͳϒϩά
    wಠࣗυϝΠϯΫϩευϝΠϯ௨৴

    View Slide

  52. ਓࡐืू
    wגࣜձࣾ͸ͯͳͰ͸ΤϯδχΞͦͷଞ
    શ৬छΛืू͍ͯ͠·͢
    wҰॹʹϒϩάΛ࡞Γ·͠ΐ͏ʂ
    www.hatena.ne.jp/company/staff

    View Slide

  53. αϚʔΠϯλʔϯ
    w िؒ

    w8FCαʔϏε։ൃίʔε໊ఔ౓
    wେن໛γεςϜݚڀίʔε໊ఔ౓
    wۙʑืू։࢝͠·͢ʂʂ
    developer.hatenastaff.com

    View Slide