[B! xss] teppeisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

teppeis id:teppeis

xssã«é–¢ã™ã‚‹teppeisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (139)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Still X.S.S. - ãªãœã„ã¾ã ã«XSSã¯ç”Ÿã¾ã‚Œã¦ã—ã¾ã†ã®ã‹ï¼Ÿ - GMO Flatt Security Blog
XSSã“ã‚ã„ è‹¥é : ãŠã„ãŠå‰ã‚‰ã€ãªã«ã‹ãŠã‚‚ã—ã‚ã„éŠã³ã‚’ã—ããˆã‹ã€‚ã“ã‚“ãªã«ã¿ã‚“ãªã§é›†ã¾ã‚‹æ©Ÿä¼šã‚‚ãã†ããˆã ã‚ã† ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä½è—¤: ãã†ã§ã™ããˆã€ã“ã‚“ãªã®ã¯ã©ã†ã§ã—ã‚‡ã†ã‹ã€‚äººé–“èª°ã—ã‚‚æ€–ã„ã‚‚ã®ãŒ1ã¤ã¯ã‚ã‚Šã¾ã™ã‹ã‚‰ã€ãã‚Œã‚’ã¿ã‚“ãªã§æ•™ãˆã‚ã£ã¦ã¿ã¾ã—ã‚‡ã†ã‚ˆ è‹¥é : ãã‚Šã‚ƒã‚ãŠã‚‚ã—ã‚Œãˆãªã€‚ãã†ã ãªã‚ã€ãŠã‚Œã¯ãƒ˜ãƒ“ãŒæ€–ã„ãã€‚ã‚ã‚Šã‚ƒæ°—å‘³ãŒæ‚ªãã¦ã—ã‚‡ã†ãŒããˆ ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢å±±ç”°: è‡ªåˆ†ã¯ã‚«ã‚¨ãƒ«ã‚’è¦‹ã‚‹ã¨ç¸®ã¿ä¸ŠãŒã£ã¦ã—ã¾ã„ã¾ã™ã€ãƒ†ã‚«ãƒ†ã‚«ã—ã¦ã„ã¦ã©ã†ã«ã‚‚è‹¦æ‰‹ã§ã€‚ä½è—¤ã•ã‚“ã¯ä½•ãŒæ€–ã„ã‚“ã§ã™ã‹ ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä½è—¤: ç§ã¯ã€XSSãŒã“ã‚ã„ã§ã™ ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢å…«å³¶: ã‚ã¯ã¯ï¼ä½•è¨€ã£ã¦ã‚“ã§ã™ã‹ä½è—¤ã•ã‚“ã€‚XSSãªã‚“ã¦ã“ã‚ã„ã“ã¨ãªã„ã§ã™ã‚ˆ ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä½è—¤: ã²ã„ã„ã€åå‰ã‚’èžãã®ã‚‚æ€–ã„ã§ã™ ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢å±±ç”°: XSSãªã‚“ã¦ã€ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã•ãˆä½¿ã£ã¦ã„ã‚Œã°ãã‚‡ã†ã³èµ·ã“ã‚‰ãªã„ã§ã™ã‹ã‚‰ããˆã€‚ä½è—¤ã•ã‚“ã¯è‡†ç—…ã ãªã‚ ãã®æ™©ã€ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ä½è—¤ã‚’ç›®ã®æ•µã«ã—ã¦ã„ã‚‹ç”º
teppeis 2025/07/03
xss
ãƒªãƒ³ã‚¯
ãƒã‚°ãƒã‚¦ãƒ³ãƒ†ã‚£ã«ãŠã‘ã‚‹ XSS ã®å…·ä½“çš„ãªè„…å¨ã®äº‹ä¾‹ã¾ã¨ã‚ - blog of morioka12
1. å§‹ã‚ã« ã“ã‚“ã«ã¡ã¯ã€morioka12 ã§ã™ã€‚ æœ¬ç¨¿ã§ã¯ã€ãƒã‚°ãƒã‚¦ãƒ³ãƒ†ã‚£ã§å®Ÿéš›ã«ã‚ã£ãŸè„†å¼±æ€§å ±å‘Šã®äº‹ä¾‹ã‚’ã‚‚ã¨ã«ã€XSS ã®å…·ä½“çš„ãªè„…å¨(Impact)ã«ã¤ã„ã¦ã„ãã¤ã‹ç´¹ä»‹ã—ã¾ã™ã€‚ 1. å§‹ã‚ã« å…è²¬äº‹é … æƒ³å®šèªè€… 2. XSS (Cross Site Scripting) HackerOne Top 10 Vulnerability Types Escalation (Goal) 3. XSS ã®è„…å¨ (Impact) 3.1 Response Body ã‹ã‚‰ Session ID ã®å¥ªå– 3.2 Local Storage ã‹ã‚‰ Access Token ã®å¥ªå– 3.3 IndexedDB ã‹ã‚‰ Session Data ã®å¥ªå– 3.4 ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã®æ”¹ã–ã‚“ 3.5 ãƒ‘ã‚¹ãƒ¯ãƒ¼ãƒ‰ã®æ”¹ã–ã‚“ 3.6 ç®¡ç†è€…ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã®æ‹›å¾… 3.7 POST Based Reflected XSS 4.
teppeis 2024/01/23
xss

security
ãƒªãƒ³ã‚¯
ã€PoCç·¨ã€‘XSSã¸ã®è€æ€§ã«ãŠã„ã¦ãƒ–ãƒ©ã‚¦ã‚¶ã®ãƒ¡ãƒ¢ãƒªç©ºé–“æ–¹å¼ã¯Local Storageæ–¹å¼ã‚ˆã‚Šå®‰å…¨ã‹ï¼Ÿ - GMO Flatt Security Blog
ã¯ã˜ã‚ã« ã“ã‚“ã«ã¡ã¯ã€‚ ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®@okazu-dm ã§ã™ã€‚ ã“ã®è¨˜äº‹ã¯ã€Auth0ã®ã‚¢ã‚¯ã‚»ã‚¹ãƒˆãƒ¼ã‚¯ãƒ³ã®ä¿å˜æ–¹æ³•ã«ã¤ã„ã¦è§£èª¬ã—ãŸå‰å›žã®è¨˜äº‹ã®è£œè¶³ã¨ãªã‚‹è¨˜äº‹ã§ã™ã€‚å‰å›žã®è¨˜äº‹ã®è¦æ—¨ã‚’ã–ã£ãã‚Šã¾ã¨ã‚ã‚‹ã¨ä»¥ä¸‹ã®ã‚ˆã†ãªã‚‚ã®ã§ã—ãŸã€‚ Auth0ã¯ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆã§ã¯ã‚¢ã‚¯ã‚»ã‚¹ãƒˆãƒ¼ã‚¯ãƒ³ã‚’ãƒ–ãƒ©ã‚¦ã‚¶ã®ãƒ¡ãƒ¢ãƒªç©ºé–“ä¸Šã«ã®ã¿ä¿å˜ã™ã‚‹in-memoryæ–¹å¼ã§ã‚ã‚Šã€XSSã¸ã®è€æ€§ã®ãªã•ç‰ã®ç†ç”±ã§localStorageã§ä¿å˜ã™ã‚‹ã“ã¨ã‚’æŽ¨å¥¨ã—ã¦ã„ãªã„ ã—ã‹ã—ã€XSSã§ã‚¢ã‚¯ã‚»ã‚¹ãƒˆãƒ¼ã‚¯ãƒ³ã‚’å¥ªå–ã§ãã‚‹ã®ã¯in-memoryæ–¹å¼ã§ã‚‚åŒã˜ã®ã¯ãš(æ¤œè¨¼ã¯è¡Œã„ã¾ã›ã‚“ã§ã—ãŸ)ã€‚localStorageæ–¹å¼ã‚’éŽåº¦ã«å¿Œé¿ã™ã‚‹å¿…è¦ã¯ãªã„ã®ã§ã¯ãªã„ã‹ ãªãŠã€Flatt Securityã®æä¾›ã™ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£è¨ºæ–ã¯Auth0ã«é™ã‚‰ãšFirebase Authenticationã‚„Amazon Cognitoãªã©ã®IDaaSã®ã‚»ã‚ãƒ¥ã‚¢ãªåˆ©ç”¨
teppeis 2022/08/15
xss

auth0

security

auth
ãƒªãƒ³ã‚¯
GitHub - shhnjk/cursed_types: List of Trusted Types bypasses
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
teppeis 2022/06/25
xss

trusted-types
ãƒªãƒ³ã‚¯
New XSS vectors
Published: 20 April 2022 at 14:00 UTC Updated: 20 April 2022 at 14:07 UTC Transition based events without style blocksSo, recently, I was updating our XSS cheat sheet to fix certain vectors that had been made obsolete by browser updates. Whilst looking at the vectors, the transition events stuck in my head. They needed a style block as well as the event: <style>:target {color:red;}</style> <xss id
teppeis 2022/04/25
xss

svg
ãƒªãƒ³ã‚¯
XSSã®è„…å¨ã‚’è€ƒå¯Ÿã™ã‚‹ - ã‚»ã‚ãƒ¥ã‚¢ã‚¹ã‚«ã‚¤ãƒ—ãƒ©ã‚¹
ã¯ã˜ã‚ã« ã“ã‚“ã«ã¡ã¯ï¼CTOã®ã¯ã›ãŒã‚ã§ã™ã€‚ å…ˆæ—¥å…¬é–‹ã•ã‚ŒãŸã€Flatt Securityã•ã‚“ã®ãƒ–ãƒã‚°ã€Œé–‹ç™ºè€…ãŒçŸ¥ã£ã¦ãŠããŸã„ã€ŒXSSã®ç™ºç”ŸåŽŸç†ä»¥å¤–ã€ã®è©±ã€ã€ãŠã‚‚ã—ã‚ã„ã§ã™ãã€‚ã“ã®XSSã®è¨˜äº‹ã«é™ã‚‰ãšã€Flatt Securityã•ã‚“ã®ãƒ–ãƒã‚°ã¯å½¹ã«ç«‹ã¤è¨˜äº‹ãŒå¤šã„*1ã®ã§ã€å€‹äººçš„ã«ã¯è¨˜äº‹ãŒå…¬é–‹ã•ã‚Œã‚‹ã®ã‚’æ¯Žå›žæ¥½ã—ã¿ã«ã—ã¦ã„ã¾ã™ï¼*2 ãŸã—ã‹ã«ã€XSSã®è„…å¨ã«ã¤ã„ã¦ã¯ãªã‹ãªã‹ç†è§£ã—ã¦ã‚‚ã‚‰ã†ã“ã¨ãŒé›£ã—ãã€ã¾ãŸä¸€èˆ¬çš„ã«ã¯SQLã‚¤ãƒ³ã‚¸ã‚§ã‚¯ã‚·ãƒ§ãƒ³ç‰ã¨æ¯”ã¹ã¦ã‚‚è„…å¨ãŒä½Žãè¦‹ã‚‰ã‚Œã‚‹ã“ã¨ã‚‚å¤šã„ãŸã‚ã€XSSã®è„…å¨ã«ã¤ã„ã¦å°‘ã—æŽ˜ã‚Šä¸‹ã’ã¦è€ƒå¯Ÿã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚ ãªãŠã€ã“ã®è¨˜äº‹ã¯ã€ŒXSSã®ç™ºç”ŸåŽŸå› ãã‚‰ã„ã¯çŸ¥ã£ã¦ã‚‹ã‚ˆã€ã¨ã„ã†äººã‚’å¯¾è±¡ã«ã—ã¦ã„ã¾ã™ã€‚ã€ŒXSSã£ã¦ä½•ã ã£ã‘ã€ã¨ã„ã†æ–¹ã¯ ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°å¯¾ç– ãƒ›ãƒ³ã‚ã®ã‚ãƒ›ãƒ³ (1/3)ï¼šCodeZineï¼ˆã‚³ãƒ¼ãƒ‰ã‚¸ãƒ³ï¼‰ ãªã©ã®è¨˜äº‹ã‚’å‚ç…§ã—ã¦ãã ã•ã„ã€‚ æŠ€è¡“çš„ãªé¢ã‹ã‚‰ã®è§£
teppeis 2022/03/15
alertå‡ºãŸã‚ˆã€ã®å…ˆã®è©±ã€‚ãƒ—ãƒãƒ€ã‚¯ãƒˆãƒãƒ¼ãƒ ã§ã¯ã“ã†ã„ã†ãƒ‰ãƒ¡ã‚¤ãƒ³å›ºæœ‰ã®è„…å¨ã‚’è©•ä¾¡ã‚’ã—ã¦ã„ãã¾ã™ã‚ˆã

xss

security
ãƒªãƒ³ã‚¯
é–‹ç™ºè€…ãŒçŸ¥ã£ã¦ãŠããŸã„ã€ŒXSSã®ç™ºç”ŸåŽŸç†ä»¥å¤–ã€ã®è©± - GMO Flatt Security Blog
ã¯ã˜ã‚ã« ã“ã‚“ã«ã¡ã¯ã€‚æ ªå¼ä¼šç¤¾Flatt Securityã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®å†¨å£«ã§ã™ã€‚ æœ¬ç¨¿ã§ã¯ã€XSS(ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°)ãŒæ”»æ’ƒã«ç”¨ã„ã‚‰ã‚ŒãŸæ™‚ã®ãƒªã‚¹ã‚¯ã®å¤§ãã•ã‚’ç´¹ä»‹ã—ã¦ã„ãã¾ã™ã€‚ä»¥é™ã¯ã‚¯ãƒã‚¹ã‚µã‚¤ãƒˆã‚¹ã‚¯ãƒªãƒ—ãƒ†ã‚£ãƒ³ã‚°ã‚’XSSã¨è¨˜è¼‰ã—ã¦ã„ãã¾ã™ã€‚ XSSã¯ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ãªã‚‰ã‚‚ã¡ã‚ã‚“ã€é–‹ç™ºã‚’è¡Œã£ã¦ã„ã‚‹ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®å¤šãã®æ–¹ãŒçŸ¥ã£ã¦ã„ã‚‹è„†å¼±æ€§ã§ã™ã€‚ã§ã™ãŒã€ç§ã¯Webã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³ã®è„†å¼±æ€§è¨ºæ–ã‚’è¡Œã£ã¦ããŸçµŒé¨“ã®ä¸ã§å¤šãã®XSSã‚’ç›®ã«ã—ã¦ãã¾ã—ãŸã—ã€ä¾ç„¶ã¨ã—ã¦æ¤œå‡ºçŽ‡ã®å¤šã„è„†å¼±æ€§ã®ä¸€ã¤ã ã¨æ„Ÿã˜ã¦ã„ã¾ã™ã€‚ ãã®èªçŸ¥åº¦ã‚„ã€ä¸€èˆ¬çš„ãªå¯¾ç–æ–¹æ³•ã®ãƒãƒ¼ãƒ‰ãƒ«ã®ä½Žã•(è¨è¨ˆã‚„ä»•æ§˜ã«ã‚ˆã£ã¦ã¯å¯¾ç–å·¥æ•°ãŒå¤§ãã„å ´åˆã‚‚ã‚ã‚Šã¾ã™ãŒ)ã«ã‚‚é–¢ã‚ã‚‰ãšXSSã®æ¤œå‡ºçŽ‡ãŒå¤šã„ã®ã¯ã€ç›´æ„Ÿçš„ã«ãƒªã‚¹ã‚¯ãŒã‚ã‹ã‚Šã¥ã‚‰ãã€ã‚¢ãƒ©ãƒ¼ãƒˆã‚’ã‚ã’ã‚‹ã ã‘ã®ç´¹ä»‹ãŒå¤šã„ã“ã¨ãŒä¸€ã¤ã®è¦å› ã§ã¯ãªã„ã‹ã¨è€ƒãˆã¦ã„ã¾ã™ã€‚ ã™ãªã‚ã¡ã€èˆˆå‘³ç¯„å›²ãŒã€Œã©ã®ã‚ˆã†
teppeis 2022/03/04
xss
ãƒªãƒ³ã‚¯
Trusted Typesã®æ¦‚å¿µã¨èƒŒæ™¯
ä»Šå›žã¯Trusted Typesã«å¯¾ã™ã‚‹å€‹äººã®è¦‹è§£ã‚’æ›¸ã„ã¦ã¿ã¾ã™ã€‚ Trusted Typesã¯ãƒ–ãƒ©ã‚¦ã‚¶ãŒæ–‡å—åˆ—ã‚’æ–‡å—åˆ—ä»¥å¤–ã®åž‹ã¨ã—ã¦æ‰±ã†Sinkã«å¯¾ã—ã¦ã€é–‹ç™ºè€…ã«åž‹ã®å¤‰æ›ã‚’å¼·åˆ¶ã™ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£æ©Ÿèƒ½ã§ã™ã€‚Trusted Typesã«ã‚ˆã‚ŠDOM-based XSSã‚’åŽŸç†çš„ã«æ¸›ã‚‰ã—ã€DOM-based XSSã«å¯¾ã™ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒ¬ãƒ“ãƒ¥ãƒ¼ã‚’ç°¡æ½”ã«ã™ã‚‹ã“ã¨ãŒå‡ºæ¥ã¾ã™ã€‚ å®‰å…¨ã§ãªã„ãƒ‡ãƒ•ã‚©ãƒ«ãƒˆè¿‘é ƒã®Webé–‹ç™ºã§ã¯TypeScriptãŒã‚ˆãä½¿ã‚ã‚Œã‚‹ã‚ˆã†ã«ãªã‚Šã¾ã—ãŸã€‚ã“ã‚Œã¯åž‹ã‚’æ˜Žç¤ºã™ã‚‹ã“ã¨ã«ã‚ˆã‚Šã€ã‚¨ãƒ©ãƒ¼ã‚’äº‹å‰ã«é˜²ã’ã‚‹ã‹ã‚‰ã§ã™ã€‚ ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã§ã‚‚åŒã˜ã“ã¨ãŒè¨€ãˆã¾ã™ã€‚ãã‚‚ãã‚‚element.innerHTMLã«Stringã‚’ä»£å…¥å‡ºæ¥ã‚‹ã“ã¨è‡ªä½“ãŒé–“é•ã£ã¦ã„ã‚‹ã®ã§ã™ã€‚innerHTMLã¯HTMLã‚’ä»£å…¥ã™ã‚‹ç‚ºã®ã‚‚ã®ã§ã‚ã‚Šã€Stringã‚’ä»£å…¥ã—ã¦ã‚‚HTMLã¨ã—ã¦åž‹ã®å¤‰æ›ãŒã•ã‚Œã¦ã—ã¾ã†ã‹ã‚‰ã§ã™ï¼ˆi.e. re-pars
teppeis 2021/06/12
xss

trusted-types
ãƒªãƒ³ã‚¯
HTML Sanitizer API
This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups. 1. Introduction This section is not normative. Web applications often nee
teppeis 2021/05/04
xss

w3c
ãƒªãƒ³ã‚¯
HTML Sanitizer API Playground
teppeis 2021/05/04
HTML Sanitizer API

xss

web
ãƒªãƒ³ã‚¯
Eliminating XSS from WebUI with Trusted Types
Posted Mar 26, 2021 2021-03-26T09:30:00-07:00 by Jun Kokatsu After the research on Site Isolation, it became clear that the most common probl em with extensions is calling chrome.tabs.create with a URL received from a content script message. While such a bug can be used to steal local files, it can also open up an interesting attack surface, which is the navigation to WebUI. In this blog post, we w
teppeis 2021/03/28
edge

chrome

xss

trusted-types
ãƒªãƒ³ã‚¯
Cheatsheet: XSS that works in 2021
Itâ€™s been a year since my last XSS cheatsheet, and a year of developments in XSS exploitology. Hereâ€™s a new and updated version jam-packed full of goodies that I use myself! Note: This cheat-sheet focuses on up to date and relevant it ems only. Would you take a cheat sheet with you to an exam that has a bunch of irrelevant stuff? No, of course not. I hate cheat sheets that waste space on methods th
teppeis 2021/02/11
xss

cheatsheet
ãƒªãƒ³ã‚¯
GitHub - oskarsve/ms-teams-rce
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
teppeis 2020/12/08
Electronè£½MS Teamsã‚¢ãƒ—ãƒªã®RCEè„†å¼±æ€§ã«ã¤ã„ã¦ã®è§£èª¬ã€‚AngularJSã®expressionã‚’åˆ©ç”¨ã—ã¦CSPã‚„Electronã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚’ãƒã‚¤ãƒ‘ã‚¹ã™ã‚‹

teams

electron

angular

vulnerability

xss
ãƒªãƒ³ã‚¯
https://wicg.github.io/purification/
teppeis 2020/07/06
DOMPurifyçš„ãªHTMLæ–‡å—åˆ—ã«ã‚µãƒ‹ã‚¿ã‚¤ã‚ºAPIã‚’ãƒ–ãƒ©ã‚¦ã‚¶ã«ç”Ÿã‚„ã™ä»•æ§˜ææ¡ˆ / Marioæ°ãŒeditorã«

xss

chrome

browser

spec
ãƒªãƒ³ã‚¯
Chrome Platform Status
teppeis 2020/07/06
DOMPurifyçš„ãªAPIã‚’ãƒ–ãƒ©ã‚¦ã‚¶ã«ç”Ÿã‚„ã™ææ¡ˆ

xss

chrome

browser

spec
ãƒªãƒ³ã‚¯
blink-dev â€º Intent to Prototype: Sanitizer API | Google ã‚°ãƒ«ãƒ¼ãƒ—
teppeis 2020/07/06
blink-dev â€º Intent to Prototype: Sanitizer API

xss

browser

spec
ãƒªãƒ³ã‚¯
The Curious Case of Copy & Paste - on risks of pasting arbitrary content in browsers - research.securitum.com
teppeis 2020/06/22
xss

contenteditable

clipboard
ãƒªãƒ³ã‚¯
GitHub - orchitech/gfm-escape: The only Markdown escaper passing backtranslation tests.
teppeis 2020/05/03
markdown

xss
ãƒªãƒ³ã‚¯
markedã§å®‰å…¨ã«Markdownã‹ã‚‰HTMLã‚’ç”Ÿæˆã™ã‚‹safe-marked
Markdownã‚’HTMLã«ã‚³ãƒ³ãƒ‘ã‚¤ãƒ«ã™ã‚‹markedã¯0.7.0ã§sanitizeã‚ªãƒ—ã‚·ãƒ§ãƒ³ã‚’éžæŽ¨å¥¨ã«ã—ã¦ã„ã¾ã™ã€‚ ã“ã‚Œã¯ã‚µãƒ‹ã‚¿ã‚¤ã‚ºã®å‡¦ç†ã‚’markedã‹ã‚‰å¤–ã™ç›®çš„ã§ã™ã€‚ Sanitize and sanitizer Â· Issue #1232 Â· markedjs/marked ã“ã®sanitizeã‚ªãƒ—ã‚·ãƒ§ãƒ³ã®ä»£ã‚ã‚Šã«DOMPurifyã‚’åˆ©ç”¨ã™ã‚‹ã“ã¨ã‚’æŽ¨å¥¨ã—ã¦ã„ã¾ã™ãŒã€ DOMPurifyã¯ãƒ–ãƒ©ã‚¦ã‚¶ã¨Node.jsä¸¡æ–¹ã§ä½¿ã†ã«ã¯ç™–ãŒã‚ã‚‹ãŸã‚ã¡ã‚‡ã£ã¨ã‚„ã‚„ã“ã—ã„ã§ã™ã€‚ ãªãœãªã‚‰DOMPurifyã¯DOM APIã«ä¾å˜ã—ã¦ã„ã‚‹ãŸã‚ã€ Node.jsã§å‹•ã‹ã™å ´åˆã¯jsdomä½¿ã†ãŸã‚ã§ã™ã€‚ å˜ç´”ã«jsdomã‚’ä½¿ã£ã¦ã—ã¾ã†ã¨ãƒ–ãƒ©ã‚¦ã‚¶ã§ã‚‚jsdomãŒå«ã¾ã‚Œã¦ã—ã¾ã„ã€ãƒ•ã‚¡ã‚¤ãƒ«ã‚µã‚¤ã‚ºãŒå·¨å¤§ã«ãªã£ã¦ã—ã¾ã„ã¾ã™ã€‚ ãã®ãŸã‚ã€ãƒ–ãƒ©ã‚¦ã‚¶å‘ã‘ã®å ´åˆã§ã¯ç›´æŽ¥DOMPurifyã‚’ä½¿ã„ã€ Node.jsã®å ´åˆã¯DOMP
teppeis 2020/04/21
DOMPurifyã‚’Node.jsã§ã¯jsdomçµŒç”±ã§ä½¿ã†ã‚ˆã†ãªmarkedãƒ©ãƒƒãƒ‘ãƒ¼

markdown

xss

node.js

module
ãƒªãƒ³ã‚¯
One XSS cheatsheet to rule them all
Published: 26 September 2019 at 15:00 UTC Updated: 04 September 2020 at 14:33 UTC PortSwigger are proud to launch our brand new XSS cheatsheet. Our objective was to build the most comprehensive bank of information on bypassing HTML filters and WAFs to achieve XSS, and to present this information in an accessible way. Each vector includes a hosted proof of concept and which browser it successfully
teppeis 2019/09/27
xss
ãƒªãƒ³ã‚¯
1 2 3 4 5 6 7 æ¬¡ã®ãƒšãƒ¼ã‚¸