{"provider_url":"https://hatena.blog","url":"https://cysec148.hatenablog.com/entry/2025/08/19/173058","description":"Hello there, ('\u03c9')\u30ce \u306d\u3089\u3044 \u3053\u306eLAB\u306f\u3001\u691c\u7d22\u7d50\u679c\u306b\u53cd\u5c04\u578bXSS\u304c\u3042\u308b\u4e00\u65b9\u3067\u3001\u30ec\u30b9\u30dd\u30f3\u30b9\u30d8\u30c3\u30c0\u306eCSP\uff08Content-Security-Policy\uff09\u306b\u3088\u3063\u3066\u5b9f\u884c\u304c\u6b62\u3081\u3089\u308c\u307e\u3059\u3002\u3068\u3053\u308d\u304cCSP\u306e\u4e2d\u306b\u3042\u308breport-uri \u306e token \u30d1\u30e9\u30e1\u30fc\u30bf\u304c\u30e6\u30fc\u30b6\u5165\u529b\u306b\u4f9d\u5b58\u3057\u3066\u304a\u308a\u3001\u3053\u3053\u304b\u3089CSP\u30c7\u30a3\u30ec\u30af\u30c6\u30a3\u30d6\u3092\u8ffd\u8a18\u6ce8\u5165\u3067\u304d\u307e\u3059\u3002 \u72d9\u3044\u306f\u3001token \u306b\u300c;script-src-elem 'unsafe-inline'\u300d\u3092\u5dee\u3057\u8fbc\u3093\u3067\u30dd\u30ea\u30b7\u30fc\u3092\u4e0a\u66f8\u304d\u3057\u3001\u30a4\u30f3\u30e9\u30a4\u30f3\u30b9\u30af\u30ea\u30d7\u30c8\u3092\u8a31\u53ef\u3055\u305b\u3066 alert(1) \u3092\u51fa\u3059\u3053\u3068\u3002 \u203b \u3053\u306e\u89e3\u6cd5\u306fChrome\u524d\u63d0\u3067\u3059\uff08LAB\u306e\u6ce8\u8a18\u3069\u304a\u308a\uff09\u3002 \u5168\u2026","published":"2025-08-19 17:30:58","categories":["Web Security Academy","XSS"],"html":"","author_name":"ThisIsOne","height":"190","provider_name":"Hatena Blog","blog_url":"https://cysec148.hatenablog.com/","blog_title":"Shikata Ga Nai","type":"rich","image_url":null,"title":"\u3010\u6709\u6599\u8a66\u4f5c\u7248\u3011PortSwigger LAB\u89e3\u8aac\uff1aReflected XSS protected by CSP, with CSP bypass\uff08CSP\u3092\u201c\u30d8\u30c3\u30c0\u6ce8\u5165\u201d\u3067\u306d\u3058\u66f2\u3052\u3066XSS\uff09","version":"1.0","author_url":"https://blog.hatena.ne.jp/ThisIsOne/","width":"100%"}