
CWE-79

Weakness ID:79(Weakness Base)

Status: Draft

Cross-site Scripting

Description

Summary

Software with this weakness takes input from users, does not properly neutralize it, and includes it in the output of a web page that is served to other users.

Extended Description

Cross-site scripting (XSS) vulnerabilities occur as follows:

1. Untrusted data enters a web application, typically from a web request.

2. The web application dynamically generates a web page that contains this untrusted data.

3. During page generation, the web application does not prevent the data from containing content that is executable by a web browser, such as JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, etc.

4. A victim visits the generated web page through a web browser. The page contains malicious script that was injected using the untrusted data.

5. Since the script comes from a web page that was sent by the web server, the victim's web browser executes the malicious script in the context of the web server's domain.

6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain should not be able to access resources or run code in a different domain.

XSS is divided into three main types:

Type 1: Reflected Cross-site Scripting (Non-Persistent)

The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS attacks occur when an attacker causes a victim to supply dangerous content to a vulnerable web application, which is then reflected back to the victim and executed by the web browser. The most common mechanism for delivering malicious content is to include it as a parameter in a URL that is posted publicly or e-mailed directly to the victim. URLs constructed in this manner constitute the core of many phishing schemes, whereby an attacker convinces a victim to visit a URL that refers to a vulnerable site. After the site reflects the attacker's content back to the victim, the content is executed by the victim's browser.

Type 2: Stored Cross-site Scripting (Persistent)

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is read back into the application and included in dynamic content.
From an attacker's perspective, the optimal place to inject malicious content is an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes the malicious content, the attacker may be able to perform privileged operations on behalf of that user or gain access to sensitive data belonging to that user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs.

Type 0: DOM-Based Cross-site Scripting

In the other types of XSS, the server injects the XSS into the web page; in DOM-based XSS, the client performs the injection. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as JavaScript that performs sanity checks on a form before the user submits it. If the server-supplied script processes user-supplied data and then injects it back into the web page (such as with dynamic HTML), then DOM-based XSS is possible.

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker's own machine. The attacker could also send malicious requests to a web site on behalf of the victim, which is especially dangerous to the site if the victim has administrator privileges for that site. Phishing attacks could emulate trusted web sites and trick the victim into entering a password; if such an attack succeeds, the attacker can take over the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself and take over the victim's machine.
In many cases, the attack is carried out whether or not the victim notices it. Even against careful users, attackers use methods that encode part of the attack, such as URL encoding or Unicode, so that the malicious request is harder to notice.

Alternate Terms

XSS


CSS

"CSS" was once used as the abbreviation for this weakness, but to avoid confusion with "Cascading Style Sheets" the abbreviation is now rarely used.

Time of Introduction

Architecture and Design
Implementation

Applicable Platforms

Languages

Language-independent

Architectural Paradigms

Web-based

Technology Classes

Web Server

Platform Notes

XSS vulnerabilities are very common in web applications, because avoiding them requires a great deal of developer discipline.

Common Consequences

 

Scope: Confidentiality
Technical Impact: Bypass protection mechanism; Read application data

The most common attack performed with cross-site scripting involves the disclosure of information stored in the user's cookies. Typically, a malicious user crafts a client-side script which, when parsed by the web browser, performs some activity (such as sending all of the site's cookies to a given e-mail address). This script is loaded and run by each user visiting the web site. Since the site requesting to run the script has access to the cookies in question, the malicious script does also.

Scope: Access Control
Technical Impact: Execute unauthorized code or commands

In some circumstances, when cross-site scripting is combined with other vulnerabilities, it may be possible to run arbitrary code on the victim's computer.

Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute unauthorized code or commands; Bypass protection mechanism; Read application data

The consequence of an XSS attack is the same regardless of whether it is stored or reflected. The difference is in how the payload arrives at the server.

XSS can cause a variety of problems for the end user, ranging in severity from an annoyance to complete account compromise. Some XSS vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, gain unauthorized access to confidential information, or execute malicious code on the end user's system for a variety of nefarious purposes. Other damaging attacks include the disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other web page or site, running "Active X" controls (when Microsoft Internet Explorer is used) from sites that the user perceives as trustworthy, and modifying the presentation of content.

 

Likelihood of Exploit

High to Very High

Enabling Factors for Exploitation

Cross-site scripting attacks may occur anywhere that possibly malicious users are allowed to post unregulated material to a trusted web site for the consumption of other valid users. Trusted web sites of this kind include dynamic web sites that provide web-based mailing-list-style functionality.

A web site with a "guestbook" can be attacked with XSS through the guestbook form. If an attacker places malicious JavaScript code in a guestbook entry, everyone who visits the guestbook page ends up executing that code. As this example shows, an XSS vulnerability is caused by code that includes untrusted data in the HTTP response.

Detection Methods

Automated Static Analysis
Use automated static analysis tools that can detect this weakness. Many modern techniques use data flow analysis to keep false positives low. Tool-based detection is not a complete solution, however, since 100% accuracy and coverage are not achievable, especially when the code contains many components.

Effectiveness: Moderate

Black Box
Use the XSS Cheat Sheet [REF-14], or tools that automatically generate tests, to launch a wide variety of attacks against the web application. The Cheat Sheet covers many subtle XSS variants that target weak XSS defenses.

Effectiveness: Moderate
Stored cross-site scripting is harder to detect because the problem arises indirectly, through the data store. The tester must first inject XSS into the data store and then find the application functionality that sends the XSS to other users. Once XSS has been inserted into the data store, it may take minutes, hours, or days before it actually becomes a problem.

Demonstrative Examples

Example 1:

 

This example shows reflected XSS (Type 1) behavior. The JSP code segment below reads an employee ID, eid, from an HTTP request and displays it to the user.

Example Language: JSP (Bad Code)
<% String eid = request.getParameter("eid"); %>
...
Employee ID: <%= eid %>

The ASP.NET code segment below reads an employee ID number from an HTTP request and displays it to the user.


Example Language: ASP.NET (Bad Code)
...
protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
EmployeeID.Text = Login.Text;
... (HTML follows) ...
<p><asp:label id="EmployeeID" runat="server" /></p>
...

The code in these examples operates correctly if the Employee ID variable contains only standard alphanumeric text. If the value includes meta-characters or source code, the web browser executes that code when it displays the HTTP response.
At first this might not appear to be much of a vulnerability, since it seems unlikely that someone would enter a URL that causes malicious code to run on their own computer. The real danger is that an attacker creates the malicious URL and then uses e-mail or social engineering tricks to lure victims into following a link to it. When a victim clicks the link, the malicious content is reflected, unnoticed, through the vulnerable web application back to the victim's own computer.

 

Example 2:

 

This example shows stored XSS (Type 2) behavior. The JSP code segment below queries a database for the employee with a given ID and displays the name of the matching employee.

Example Language: JSP (Bad Code)
<%
...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
  rs.next();
  String name = rs.getString("name");
%>

Employee Name: <%= name %>

<% } %>

The ASP.NET code segment below queries a database for the employee with a given ID and displays the name of the employee matching that ID.

Example Language: ASP.NET (Bad Code)
protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
SqlDataAdapter sda = new SqlDataAdapter(query, conn);
DataTable dt = new DataTable();
sda.Fill(dt);
string name = (string)dt.Rows[0]["Name"];
...
EmployeeName.Text = name;

This code can appear less dangerous because the value of name is read from a database whose contents are apparently managed by the application. However, if the value of name originates from user-supplied data, the database can become a conduit for malicious content. Without proper input validation of all data stored in the database, an attacker can have malicious commands executed in the user's web browser.
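Examples 1 and 2 share the same fix: encode the value for the HTML body before it reaches the response, whether it came from the request or from the database. The following Node.js code is an added example and is not code from CWE or from this page. The Map stands in for the emp table, its records and the request objects are constructed, and the function names (encodeForHtml, renderEmployeeId, renderEmployeeName and their Unsafe variants) are assumptions of this example.

```javascript
// Added example, not from CWE or this page: Examples 1 and 2 with output encoding.
// The data store and request objects are constructed sample data.

// HTML body encoder: the five characters that can change the meaning of an HTML text
// node. This is HTML Entity Encoding and is only correct for the HTML body context.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Stand-in for the emp table. Employee 1002 registered with a name that contains
// markup; because it came from a user, the database is now a conduit for it.
const employees = new Map([
  ['1001', { name: 'Alice Example' }],
  ['1002', { name: 'Mallory <script>probe()</script>' }],
]);

// Example 1 as written on the page: the request parameter goes straight into the body.
function renderEmployeeIdUnsafe(req) {
  return { status: 200, body: 'Employee ID: ' + req.query.eid };
}

// Example 1 fixed: the same parameter, encoded for the HTML body before output.
function renderEmployeeId(req) {
  return { status: 200, body: 'Employee ID: ' + encodeForHtml(req.query.eid) };
}

// Example 2 as written on the page: the stored name is trusted because it "comes
// from the database".
function renderEmployeeNameUnsafe(req) {
  const row = employees.get(req.query.eid);
  if (!row) return { status: 404, body: 'No such employee' };
  return { status: 200, body: 'Employee Name: ' + row.name };
}

// Example 2 fixed: stored data is encoded on output exactly like request data.
// The ID is used as a Map key, so no query string is assembled from it.
function renderEmployeeName(req) {
  const row = employees.get(req.query.eid);
  if (!row) return { status: 404, body: 'No such employee' };
  return { status: 200, body: 'Employee Name: ' + encodeForHtml(row.name) };
}

// Stand-alone demonstration with a constructed reflected value and the stored record.
function demo() {
  const reflected = { query: { eid: '<script>probe()</script>' } };
  const stored = { query: { eid: '1002' } };
  return [
    renderEmployeeIdUnsafe(reflected).body,   // script tag reaches the browser
    renderEmployeeId(reflected).body,         // &lt;script&gt;... is shown as text
    renderEmployeeNameUnsafe(stored).body,    // stored script tag reaches the browser
    renderEmployeeName(stored).body,          // encoded on output
  ];
}
console.log(demo().join('\n'));
```

The two Unsafe functions are kept only to show the contrast; in the fixed versions the origin of the value (request or database) makes no difference to how it is treated on the way out.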

 

Observed Examples

 

Reference    Description
CVE-2008-5080 Chain: protection mechanism failure allows XSS
CVE-2006-4308 Chain: only checks "javascript:" tag
CVE-2007-5727 Chain: only removes SCRIPT tags, enabling XSS
CVE-2008-5770 Reflected XSS using the PATH INFO in a URL
CVE-2008-4730 Reflected XSS not properly handled when generating an error message
CVE-2008-5734 Reflected XSS sent through email message.
CVE-2008-0971 Stored XSS in a security product.
CVE-2008-5249 Stored XSS using a wiki page.
CVE-2006-3568 Stored XSS in a guestbook application.
CVE-2006-3211 Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CVE-2006-3295 Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS

 

Potential Mitigations

Phase: Architecture and Design

Strategy: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness to occur, or that provides constructs which make it easier to avoid.
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phase: Architecture and Design

Understand the context in which the data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, such as web pages or multi-part mail messages, or when generating output that can contain multiple encodings at the same time. To determine the required encoding strategies, study all expected communication protocols and data representations.
For all data that is output to another web page, and especially for all data that was received from external inputs, use the appropriate encoding for every non-alphanumeric character. Parts of the same output document may require different encodings, depending on where in the document the output appears:

・HTML body
・Element attributes (e.g. src="XYZ")
・URI
・JavaScript sections
・Cascading Style Sheets and style properties
Note that HTML Entity Encoding is only appropriate for the HTML body.

Consult the XSS Prevention Cheat Sheet [REF-16] for more details on the types of encoding and escaping that are needed.
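The following Node.js code is an added example (not code from this page, from CWE, or from any of the libraries named above) of one encoder per output context listed above, followed by a renderer that places a single user-controlled value into each context. The escaping conventions (hex entities for attributes, \xHH for JavaScript strings, \HH for CSS) follow the XSS Prevention Cheat Sheet [REF-16]; the function names and the profile record are assumptions of this example. It also covers the "<3" case discussed under input validation further down: the emoticon survives as &lt;3 instead of being stripped.

```javascript
// Added example, not from the page: one encoder per output context, plus a renderer
// that uses the right one in each place. Sample data below is constructed.

// 1. HTML body: entity-encode the five significant characters.
function encodeForHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#x27;');
}

// 2. HTML attribute: encode everything non-alphanumeric as &#xHH;. Unquoted attributes
//    end at whitespace, so encoding only the five characters above is not enough here.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// 3. JavaScript string literal: \xHH for Latin-1, \u{H...} above that. "</script>"
//    becomes \x3C\x2Fscript\x3E, so it can no longer close the enclosing <script>.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).toUpperCase().padStart(2, '0')
      : '\\u{' + cp.toString(16).toUpperCase() + '}';
  });
}

// 4. URL query parameter: percent-encoding, which the platform already provides.
function encodeForUrl(value) {
  return encodeURIComponent(String(value));
}

// 5. CSS value: \HH followed by a space so the escape ends unambiguously.
function encodeForCss(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => '\\' + c.codePointAt(0).toString(16).toUpperCase() + ' ');
}

// The same untrusted value in each of the five contexts. A user-supplied URL is
// deliberately not placed in href: that needs scheme validation, not encoding.
function renderProfile(profile) {
  const name = profile.displayName;
  const color = profile.favouriteColor;
  return [
    '<p>Hello, ' + encodeForHtml(name) + '</p>',
    '<div data-name="' + encodeForHtmlAttribute(name) + '" style="color:' + encodeForCss(color) + '"></div>',
    '<a href="/search?q=' + encodeForUrl(name) + '">Find colleagues</a>',
    '<script>var displayName = "' + encodeForJavaScript(name) + '";</script>',
  ].join('\n');
}

// Constructed sample: a legitimate name that nevertheless contains "<" and quotes.
const sampleProfile = { displayName: 'Ann <3 "O\'Neil"', favouriteColor: 'red;x' };
console.log(renderProfile(sampleProfile));
```

The attribute, JavaScript and CSS encoders deliberately encode every non-alphanumeric character rather than a short list: each of those contexts has its own set of terminators, and encoding everything else sidesteps having to enumerate them.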

Phase: Architecture and Design

Strategy: Identify and Reduce Attack Surface
Understand all the potential areas where untrusted input can enter the software:
e.g. parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application.
Remember that such inputs may also be obtained indirectly through API calls.

Effectiveness: Limited
This technique has limited effectiveness, but it can be helpful when it is possible to store client state and sensitive information on the server side instead of in cookies, headers, hidden form fields, etc.

Phase: Architecture and Design

To avoid CWE-602, ensure that any security checks performed on the client side are duplicated on the server side. Attackers can bypass client-side checks by modifying values after the checks have been performed, or by altering the client to remove the checks entirely; the modified values are then submitted to the server.

Phase: Architecture and Design

Strategy: Parameterization
If available, use structured mechanisms that automatically enforce the separation between data and code.
Such mechanisms can provide the relevant quoting, encoding, and input validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.

Phase: Implementation

Strategy: Output Encoding
For all web pages that are generated, use and specify a strong character encoding such as ISO-8859-1 or UTF-8. When no encoding is specified, the web browser guesses which encoding the web page is using and may choose a different one. This can cause the browser to treat certain sequences as special, exposing the client to subtle XSS attacks. See CWE-116 for more mitigations related to encoding and escaping.

Phase: Implementation

With Struts, write all data from form beans with the bean's filter attribute set to true.

Phase: Implementation

To mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this prevents malicious client-side scripts from accessing the user's session cookie through document.cookie. This is not a complete solution, however, since HttpOnly is not supported by all browsers. More importantly, XMLHTTP requests and other powerful browser technologies provide read access to HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.
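As an added example (not code from this page, from CWE, or from the Microsoft reference listed below), here is how a Node.js application could emit its session cookie with HttpOnly set and audit the Set-Cookie headers of a response for session cookies that lack the flag. The function names, cookie names and header lines are constructed for this example; it also adds Secure and SameSite, which goes beyond what the paragraph above asks for.

```javascript
// Added example, not from the page or from Microsoft's document: emit a session
// cookie with HttpOnly set, and audit a response's Set-Cookie headers for session
// cookies that lack it. The header lines at the bottom are constructed.

// RFC 6265 cookie-octet: printable US-ASCII except controls, space, '"', ',', ';', '\'.
const COOKIE_VALUE = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;
// HTTP token characters, which is what a cookie name is allowed to be.
const COOKIE_NAME = /^[A-Za-z0-9!#$%&'*+.^_`|~-]+$/;

// Build the Set-Cookie header value for a session cookie. HttpOnly is always set;
// Secure and SameSite are on by default as well, since a session cookie needs them.
// Rejecting out-of-range characters also stops a value from injecting extra attributes.
function buildSessionCookie(name, value, { secure = true, sameSite = 'Lax', maxAge } = {}) {
  if (!COOKIE_NAME.test(name)) throw new Error('invalid cookie name');
  if (!COOKIE_VALUE.test(value)) throw new Error('invalid cookie value');
  const parts = [name + '=' + value, 'Path=/', 'HttpOnly'];
  if (secure) parts.push('Secure');
  if (sameSite) parts.push('SameSite=' + sameSite);
  if (Number.isInteger(maxAge)) parts.push('Max-Age=' + maxAge);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into its name and the flags that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Given every Set-Cookie header of a response and the names the application uses
// for session cookies, list the session cookies a page script could read through
// document.cookie. An empty list is the expected result.
function findExposedSessionCookies(setCookieHeaders, sessionCookieNames) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => sessionCookieNames.includes(c.name) && !c.httpOnly)
    .map((c) => c.name);
}

// Constructed response headers: one session cookie is missing HttpOnly.
const sampleSetCookieHeaders = [
  'JSESSIONID=0123456789abcdef; Path=/; Secure',
  'PHPSESSID=fedcba9876543210; Path=/; HttpOnly; Secure',
  'theme=dark; Path=/',
];
console.log(buildSessionCookie('sid', 'a1b2c3d4', { maxAge: 3600 }));
console.log(findExposedSessionCookies(sampleSetCookieHeaders, ['JSESSIONID', 'PHPSESSID']));
```

findExposedSessionCookies is the kind of check that fits in an integration test or a response-header audit: it only reads headers the server already emits, and, as the paragraph above notes, HttpOnly remains defense in depth rather than a complete fix.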

Phase: Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to the specification. Reject any input that does not strictly conform, or transform it into a form that does. Do not rely exclusively on a blacklist that looks for malicious or malformed inputs. Blacklists can still be useful, however, for detecting potential attacks or for deciding which inputs are so malformed that they should be rejected outright.

When validating input, consider all potentially relevant properties: length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business-rule logic, "boat" may be syntactically valid because it contains only alphanumeric characters, but it is not valid if the developer expects colors such as "red" or "blue".

For dynamically generated web pages, use a whitelist that restricts the character set based on the values expected for each parameter in the request. Make sure validation is applied to all data in the request (hidden fields, cookies, headers, URL, etc.), not only to the parameters specified by the user.
It is common for XSS vulnerabilities to remain because fields that are not used in the display of the site were never validated. The application server may pass the application request data that the developer did not anticipate, and fields that are not used in the display of one web page may be used elsewhere. It is therefore recommended to inspect every part of the HTTP request.

Note that proper output encoding, escaping, and quoting is the most effective solution for preventing XSS, while input validation provides only defense in depth. This is because output encoding effectively limits what will appear in the output. Input validation cannot prevent all XSS, especially where free-form text fields that accept arbitrary characters must be supported. For example, in a chat application the heart emoticon ("<3") is commonly used and would likely pass validation. Yet it cannot be inserted directly into the web page, because it contains the "<" character, which must be escaped or otherwise handled. Removing the "<" would reduce the XSS risk in this case, but it would also produce incorrect behavior, since the emoticon would not be recorded. This may look like a minor inconvenience, but it becomes a serious problem in, for example, a mathematical forum that needs to represent inequalities.

Even if a mistake is made in validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect against injection-based attacks. As long as it is not used in isolation, input validation remains a useful technique, since it can significantly reduce the attack surface, allow some attacks to be detected, and provide other security benefits that proper encoding does not address.

Make sure that input validation is performed at well-defined interfaces within the application. This helps protect the application even if a component is reused or moved elsewhere.
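The validation advice above, as an added Node.js example that is not the page's own code: a whitelist validator applied to every part of a request (query, body, hidden fields, cookies and the headers the application reads), with rules covering the properties listed above and one business-rule check. The rule table, field names and request objects are constructed for this example. The free-text message rule lets "<3", and any other markup-like text, through on purpose, for the reason given above: output encoding, not validation, is what keeps such text harmless.

```javascript
// Added example, not from the page: "accept known good" validation of every part of a
// request, with field rules that cover the properties listed above. The rule table and
// the requests are constructed for this example.

// Each rule names the part of the request it applies to and what a valid value is.
// Free-form text only gets a length and character-class limit: "<3" is legitimate
// input here and must be handled by output encoding, not rejected or stripped.
const RULES = {
  eid:     { where: 'query',  required: true,  pattern: /^\d{1,10}$/ },
  color:   { where: 'query',  required: false, allowed: ['red', 'green', 'blue'] },
  message: { where: 'body',   required: false, pattern: /^[\p{L}\p{N}\p{P}\p{S} ]{1,200}$/u },
  token:   { where: 'hidden', required: true,  pattern: /^[A-Za-z0-9]{32}$/ },
  sid:     { where: 'cookie', required: true,  pattern: /^[A-Za-z0-9]{16,64}$/ },
  'x-requested-with': { where: 'header', required: false, allowed: ['XMLHttpRequest'] },
};

// Request parts that are entirely under the application's control, so any field
// without a rule is unexpected and rejected. Headers are excluded: a browser sends
// many headers the application never reads, so only the listed ones are checked.
const CLOSED_PARTS = ['query', 'body', 'hidden', 'cookie'];

function validateRequest(req) {
  const errors = [];
  for (const [field, rule] of Object.entries(RULES)) {
    const value = (req[rule.where] || {})[field];
    if (value === undefined) {
      if (rule.required) errors.push(`${rule.where}.${field}: missing`);
      continue;
    }
    if (typeof value !== 'string') {               // e.g. ?eid=1&eid=2 parsed as an array
      errors.push(`${rule.where}.${field}: must be a single value`);
      continue;
    }
    if (rule.pattern && !rule.pattern.test(value)) errors.push(`${rule.where}.${field}: bad format`);
    if (rule.allowed && !rule.allowed.includes(value)) errors.push(`${rule.where}.${field}: not an accepted value`);
  }
  for (const part of CLOSED_PARTS) {
    for (const field of Object.keys(req[part] || {})) {
      if (!RULES[field] || RULES[field].where !== part) errors.push(`${part}.${field}: unexpected field`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Constructed requests: one that conforms, and one with a syntactically valid but
// business-rule-invalid color plus an unexpected hidden field.
const goodRequest = {
  query: { eid: '1002', color: 'red' },
  body: { message: 'thanks <3' },
  hidden: { token: 'A'.repeat(32) },
  cookie: { sid: 'b'.repeat(24) },
  header: { 'x-requested-with': 'XMLHttpRequest' },
};
const badRequest = {
  query: { eid: '1002', color: 'boat' },
  body: {},
  hidden: { token: 'A'.repeat(32), debug: '1' },
  cookie: { sid: 'b'.repeat(24) },
  header: {},
};
console.log(validateRequest(goodRequest));
console.log(validateRequest(badRequest));
```

Because the validator walks every closed part of the request rather than only the parameters a page displays, a hidden field or cookie the developer forgot about is still caught, which is the failure mode the text above describes.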

Phase: Architecture and Design

Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a fixed set of input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.

Phase: Operation

Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be effective as an emergency measure, or as defense in depth, in cases where the code cannot be fixed (for example because it is third-party software), while more comprehensive software assurance measures are applied.

Effectiveness: Moderate
An application firewall may not be able to cover all possible input vectors. In addition, attack techniques may exist that bypass the protection mechanism, such as using malformed inputs that can still be processed by the component that receives them. Depending on its functionality, an application firewall may inadvertently reject or modify legitimate requests. Finally, some manual customization may be required.

Phase: Operation and Implementation

Strategy: Environment Hardening
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, and be careful that any emulation of register_globals-like functionality is not subject to CWE-95, CWE-261, or similar weaknesses.

Background Details

Same-Origin Policy

The same-origin policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the resources associated with that web site on the client side, and not the client-side resources of any other site or "origin".
The goal of the policy is to prevent one site from modifying or reading the contents of an unrelated site. Since the World Wide Web involves interaction with many sites, it is important that browsers enforce this policy.

Domain

When referring to XSS, the domain of a web site is roughly equivalent to the resources associated with that web site on the client side of the connection. That is, the domain can be thought of as all the resources the browser is storing for the user's interactions with this particular site.

Weakness Ordinalities

 

Ordinality    Description
Resultant    Occurs as a result of other weaknesses being present

 

Relationships

 

Nature Type ID Name View(s) this relationship pertains to Named Chain(s) this relationship pertains to
ChildOf Weakness Class 20 Improper Input Validation Seven Pernicious Kingdoms (primary)700
ChildOf Weakness Class 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
ChildOf Category 442 Web Problems Development Concepts699
ChildOf Category 712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf Category 722 OWASP Top Ten 2004 Category A1 - Unvalidated Input Weaknesses in OWASP Top Ten (2004)711
ChildOf Category 725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf Category 751 2009 Top 25 - Insecure Interaction Between Components Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
ChildOf Category 801 2010 Top 25 - Insecure Interaction Between Components Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors(primary)800
ChildOf Category 811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) Weaknesses in OWASP Top Ten (2010)(primary)809
CanPrecede Weakness Base 494 Download of Code Without Integrity Check Research Concepts1000
PeerOf Compound Element: Composite 352 Cross-Site Request Forgery (CSRF) Research Concepts1000
ParentOf Weakness Variant 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 81 Improper Neutralization of Script in an Error Message Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 83 Improper Neutralization of Script in Attributes in a Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 84 Improper Neutralization of Encoded URI Schemes in a Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 85 Doubled Character XSS Manipulations Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 87 Improper Neutralization of Alternate XSS Syntax Development Concepts (primary)699
Research Concepts (primary)1000
MemberOf View 635 Weaknesses Used by NVD Weaknesses Used by NVD (primary)635
CanFollow Weakness Base 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Research Concepts1000
CanFollow Weakness Base 184 Incomplete Blacklist Research Concepts1000 Incomplete Blacklist to Cross-Site Scripting692

 


Taxonomy Mappings

 

Mapped Taxonomy Name (Node ID, Fit): Mapped Node Name
PLOVER: Cross-site scripting (XSS)
7 Pernicious Kingdoms: Cross-site Scripting
CLASP: Cross-site scripting
OWASP Top Ten 2007 (A1, Exact): Cross Site Scripting (XSS)
OWASP Top Ten 2004 (A1, CWE More Specific): Unvalidated Input
OWASP Top Ten 2004 (A4, Exact): Cross-Site Scripting (XSS) Flaws
WASC (8): Cross-site Scripting

 

Related Attack Patterns

 

CAPEC-ID    Attack Pattern Name (CAPEC Version 1.1)
232 Exploitation of Privilege/Trust
85 Client Network Footprinting (using AJAX/XSS)
86 Embedding Script (XSS ) in HTTP Headers
32 Embedding Scripts in HTTP Query Strings
18 Embedding Scripts in Nonscript Elements
19 Embedding Scripts within Scripts
63 Simple Script Injection
91 XSS in IMG Tags
106 Cross Site Scripting through Log Files
198 Cross-Site Scripting in Error Pages
199 Cross-Site Scripting Using Alternate Syntax
209 Cross-Site Scripting Using MIME Type Mismatch
243 Cross-Site Scripting in Attributes
244 Cross-Site Scripting via Encoded URI Schemes
245 Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
246 Cross-Site Scripting Using Flash
247 Cross-Site Scripting with Masking through Invalid Characters in Identifiers


References

[REF-15] Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager and Seth Fogie. "XSS Attacks". Syngress. 2007.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)." Page 31. McGraw-Hill. 2010.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 3: Web-Client Related Vulnerabilities (XSS)." Page 63. McGraw-Hill. 2010.
"Cross-site scripting". Wikipedia. 2008-08-26. <http://en.wikipedia.org/wiki/Cross-site_scripting>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 13, "Web-Specific Input Issues" Page 413. 2nd Edition. Microsoft. 2002.
[REF-14] RSnake. "XSS (Cross Site Scripting) Cheat Sheet". <http://ha.ckers.org/xss.html>.
Microsoft. "Mitigating Cross-site Scripting With HTTP-only Cookies". <http://msdn.microsoft.com/en-us/library/ms533046.aspx>.
Mark Curphey, Microsoft. "Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!". <http://blogs.msdn.com/cisg/archive/2008/12/15/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live.aspx>.
"OWASP Enterprise Security API (ESAPI) Project". <http://www.owasp.org/index.php/ESAPI>.
Ivan Ristic. "XSS Defense HOWTO". <http://blog.modsecurity.org/2008/07/do-you-know-how.html>.
OWASP. "Web Application Firewall". <http://www.owasp.org/index.php/Web_Application_Firewall>.
Web Application Security Consortium. "Web Application Firewall Evaluation Criteria". <http://www.webappsec.org/projects/wafec/v1/wasc-wafec-v1.0.html>.
RSnake. "Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest". 2007-07-19.
"XMLHttpRequest allows reading HTTPOnly cookies". Mozilla. <https://bugzilla.mozilla.org/show_bug.cgi?id=380418>.
"Apache Wicket". <http://wicket.apache.org/>.
[REF-16] OWASP. "XSS (Cross Site Scripting) Prevention Cheat Sheet". <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>.
Jason Lam. "Top 25 series - Rank 1 - Cross Site Scripting". SANS Software Security Institute. 2010-02-22. <http://blogs.sans.org/appsecstreetfighter/2010/02/22/top-25-series-rank-1-cross-site-scripting/>.

Change History

[2011/04/21]
  Updated from the CWE data as of 2010/10/12.
[2009/06/29]
  Created from the following URL as of 2009/02/02:
    http://cwe.mitre.org/data/definitions/79.html


Registered: 2011/04/21

Last updated: 2023/04/04