Cross-Site Scripting

⚔️ Attack Types Related 27
slug: xss

Explanation

XSSは「Webページの中に、攻撃者の悪意あるJavaScriptを忍び込ませる」攻撃です。 例えば掲示板に `<script>盗む()</script>` のような投稿をして、それを見た他のユーザーのCookie (ログイン情報) を盗む、といった攻撃が典型的です。 対策は「ユーザー入力を画面に出すときに、HTMLとして無害化 (エスケープ) する」こと。多くのフレームワークでは標準で対策されています。
📌 Example
2005年MySpaceワーム「Samy」: 1人の投稿が見るだけで他人のプロフィールにコピーされ、24時間で100万人に感染した有名事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 3,383

ID Title
CVE-2016-6283 Cross-Site Scripting (XSS) in atlassian (CVE-2016-6283)
CVE-2015-8667 Cross-Site Scripting (XSS) in exponentcms (CVE-2015-8667)
CVE-2015-8684 Cross-Site Scripting (XSS) in exponentcms (CVE-2015-8684)
CVE-2016-7149 Cross-Site Scripting (XSS) in b2evolution (CVE-2016-7149)
CVE-2016-7150 Cross-Site Scripting (XSS) in b2evolution (CVE-2016-7150)
CVE-2016-7981 Cross-Site Scripting (XSS) in spip (CVE-2016-7981)
CVE-2017-5515 Cross-Site Scripting (XSS) in metalgenix (CVE-2017-5515)
CVE-2017-5516 Cross-Site Scripting (XSS) in metalgenix (CVE-2017-5516)
CVE-2017-5494 Cross-Site Scripting (XSS) in b2evolution (CVE-2017-5494)
CVE-2017-5488 Cross-Site Scripting (XSS) in wordpress (CVE-2017-5488)
CVE-2017-5490 Cross-Site Scripting (XSS) in wordpress (CVE-2017-5490)
CVE-2017-3890 Cross-Site Scripting (XSS) in blackberry (CVE-2017-3890)
CVE-2016-3150 Cross-Site Scripting (XSS) in barco (CVE-2016-3150)
CVE-2016-5737 Cross-Site Scripting (XSS) in openstack (CVE-2016-5737)
CVE-2015-5720 Cross-Site Scripting (XSS) in misp-project (CVE-2015-5720)
CVE-2016-2279 Cross-Site Scripting (XSS) in rockwellautomation (CVE-2016-2279)
CVE-2015-6477 Cross-Site Scripting (XSS) in nordex (CVE-2015-6477)
CVE-2015-1347 Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
CVE-2015-1176 Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in osTicket before 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the status parameter in a search action.
CVE-2014-4744 Multiple cross-site scripting (XSS) vulnerabilities in osTicket before 1.9.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Phone Number field to open.php or (2) Phone numbe...
CVE-2010-0606 Cross-site scripting (XSS) vulnerability in scp/ajax.php in osTicket before 1.6.0 Stable allows remote authenticated users to inject arbitrary web script or HTML via the f parameter, possibly related...
CVE-2005-1436 Multiple cross-site scripting (XSS) vulnerabilities in osTicket allow remote attackers to inject arbitrary web script or HTML via (1) the t parameter to view.php, (2) the osticket_title parameter to h...
CVE-2004-2320 Information Disclosure in express (CVE-2004-2320)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →