Cross-Site Scripting

⚔️ Attack Types Related 27
slug: xss

Explanation

XSSは「Webページの中に、攻撃者の悪意あるJavaScriptを忍び込ませる」攻撃です。 例えば掲示板に `<script>盗む()</script>` のような投稿をして、それを見た他のユーザーのCookie (ログイン情報) を盗む、といった攻撃が典型的です。 対策は「ユーザー入力を画面に出すときに、HTMLとして無害化 (エスケープ) する」こと。多くのフレームワークでは標準で対策されています。
📌 Example
2005年MySpaceワーム「Samy」: 1人の投稿が見るだけで他人のプロフィールにコピーされ、24時間で100万人に感染した有名事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 3,310

ID Title
CVE-2016-4946 Cross-Site Scripting (XSS) in cloudera (CVE-2016-4946)
CVE-2016-4948 Cross-Site Scripting (XSS) in cloudera (CVE-2016-4948)
CVE-2016-7136 Cross-Site Scripting (XSS) in plone (CVE-2016-7136)
CVE-2016-9148 Cross-Site Scripting (XSS) in ca (CVE-2016-9148)
CVE-2017-5197 Cross-Site Scripting (XSS) in silverstripe (CVE-2017-5197)
CVE-2017-6503 WebUI in qBittorrent before 3.3.11 did not escape many values, which could potentially lead to XSS.
CVE-2017-6446 Cross-Site Scripting (XSS) in dotclear (CVE-2017-6446)
CVE-2017-6478 Cross-Site Scripting (XSS) in mangoswebv4-project (CVE-2017-6478)
CVE-2017-6479 Cross-Site Scripting (XSS) in fenix-hosting (CVE-2017-6479)
CVE-2017-6480 Cross-Site Scripting (XSS) in groovel-project (CVE-2017-6480)
CVE-2017-6481 Cross-Site Scripting (XSS) in phpipam (CVE-2017-6481)
CVE-2017-6483 Cross-Site Scripting (XSS) in atutor (CVE-2017-6483)
CVE-2017-6484 Cross-Site Scripting (XSS) in c (CVE-2017-6484)
CVE-2017-6485 Cross-Site Scripting (XSS) in php-calendar (CVE-2017-6485)
CVE-2017-6486 Cross-Site Scripting (XSS) in reasoncms (CVE-2017-6486)
CVE-2017-6487 Cross-Site Scripting (XSS) in epesi (CVE-2017-6487)
CVE-2017-6488 Cross-Site Scripting (XSS) in epesi (CVE-2017-6488)
CVE-2017-6489 Cross-Site Scripting (XSS) in epesi (CVE-2017-6489)
CVE-2017-6490 Cross-Site Scripting (XSS) in epesi (CVE-2017-6490)
CVE-2017-6491 Cross-Site Scripting (XSS) in epesi (CVE-2017-6491)
CVE-2015-8815 Cross-Site Scripting (XSS) in umbraco (CVE-2015-8815)
CVE-2017-5616 Cross-Site Scripting (XSS) in cpanel (CVE-2017-5616)
CVE-2017-5832 Cross-Site Scripting (XSS) in revive-adserver (CVE-2017-5832)
CVE-2017-5833 Cross-Site Scripting (XSS) in revive-adserver (CVE-2017-5833)
CVE-2016-10201 Cross-Site Scripting (XSS) in zoneminder (CVE-2016-10201)
CVE-2016-10202 Cross-Site Scripting (XSS) in zoneminder (CVE-2016-10202)
CVE-2016-10203 Cross-Site Scripting (XSS) in zoneminder (CVE-2016-10203)
CVE-2017-6102 Persistent XSS in wordpress plugin rockhoist-badges v1.2.2.
CVE-2017-6103 Persistent XSS Vulnerability in Wordpress plugin AnyVar v0.1.1.
CVE-2017-6394 Cross-Site Scripting (XSS) in open-emr (CVE-2017-6394)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →