Investigating XSS input values / searching xss insertion value

2018/02/03 Student LT at freee

Tomoyuki KOYAMA

February 03, 2018

Transcript

  1. 1.

    XSS

  2. 3.

    XSS (Cross Site Scripting) HTML CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (3.0)

  3. 4.

    Source:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><?php echo $_GET['mode']; ?></h1>

    Input: $_GET['mode'] = hello

    Rendered HTML:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1>hello</h1>

  4. 5.

    Source:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><?php echo $_GET['mode']; ?></h1>

    Input: $_GET['mode'] = <script>alert()</script>

    Rendered HTML:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><script>alert()</script></h1>
  5. 9.

    XSS


    JVN#21174546: Marp JavaScript
    https://jvn.jp/jp/JVN21174546/

    "However, sanitizing inline script should consider on future."
    [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp
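Slides 4 and 5 show the query parameter written into the page exactly as received. The PHP script below is an added example, not code from the slides: it runs that sample next to a hardened version that escapes the value for the HTML text context it lands in. The `$inputs` array is a constructed stand-in for `$_GET['mode']`, and the function names are assumptions of this example.

```php
<?php
// Added example: the slide's unescaped echo beside an escaped version.
declare(strict_types=1);

// Same behaviour as the slide: the parameter goes into the page as-is,
// so a value such as <script>alert()</script> is parsed as markup.
function render_unsafe(string $mode): string
{
    return "<h1>{$mode}</h1>";
}

// Hardened: encode for the HTML text context. ENT_QUOTES also encodes
// single and double quotes (so the same helper is safe inside quoted
// attributes), ENT_SUBSTITUTE replaces invalid byte sequences instead of
// returning an empty string, and the charset matches <meta charset="utf-8">.
function render_safe(string $mode): string
{
    $escaped = htmlspecialchars($mode, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<h1>{$escaped}</h1>";
}

// Constructed inputs: the two values used on slides 4 and 5.
$inputs = ['hello', '<script>alert()</script>'];

foreach ($inputs as $mode) {
    echo "input:  {$mode}\n";
    echo "unsafe: " . render_unsafe($mode) . "\n";
    echo "safe:   " . render_safe($mode) . "\n\n";
}
// For the second input the unsafe line still contains a live <script>
// element, while the safe line contains
// <h1>&lt;script&gt;alert()&lt;/script&gt;</h1>, which browsers show as text.
```

htmlspecialchars covers HTML text and quoted-attribute contexts only; a value placed inside a JavaScript string, a URL, or an event-handler attribute needs the encoding for that context instead.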