CWE-79: Cross-Site Scripting

Weakness ID: 79 (Weakness Base)

Status: Draft

Description

The software includes user input in the output of a web page that is served to other users without properly neutralizing that input.

Extended Description

Cross-site scripting (XSS) vulnerabilities occur when:

1. Untrusted data enters a web application, typically from a web request.

2. The web application dynamically generates a web page that contains this untrusted data.

3. During page generation, the web application does not prevent the untrusted data from containing content that is executable by a web browser (JavaScript, HTML tags, HTML attributes, mouse events, Flash, ActiveX, and so on).

4. An ordinary user visits the generated page through a web browser. That web page contains the malicious script that was injected using the untrusted data.

5. Since the script arrives by way of a web page sent from the web server, the victim's web browser executes the malicious script in the context of the web server's domain.

6. This effectively violates the intention of the web browser's same-origin policy, which states that scripts in one domain must not be able to access resources or run code in a different domain.

XSS is classified into three main types.

Type 1: Reflected XSS (non-persistent)

The server reads data directly from the HTTP request and reflects it back in the HTTP response. Reflected XSS occurs when an attacker causes a victim to send dangerous content to a vulnerable web application; that dangerous content is returned to the victim and executed by the web browser. The usual delivery mechanism is to include the malicious content as a parameter of a URL that is posted publicly or e-mailed directly to the victim. URLs constructed this way are the core of many phishing schemes: the attacker lures the victim into visiting a URL that refers to a vulnerable site, the site reflects the attacker's content back to the victim, and the content is executed by the victim's browser.

Type 2: Stored XSS (persistent)

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. The dangerous data is later read back into the application and included in dynamic content.
From the attacker's perspective, the optimal place to inject malicious content is an area that is displayed either to many users or to particularly interesting users. Interesting users are typically those who hold elevated privileges in the application or who handle data that is valuable to the attacker. If one of these users executes the malicious content, the attacker may be able to impersonate that user, carry out privileged operations, or gain access to sensitive data belonging to that user. For example, XSS could be injected into a log message that is not handled properly when an administrator views the logs.

Type 0: DOM-based XSS

In the other kinds of XSS the server injects the XSS into the web page; in DOM-based XSS, the client injects it. DOM-based XSS generally involves server-controlled, trusted script that is sent to the client, such as JavaScript that performs sanity checks on a form before the user submits it. If that server-supplied script processes user-supplied data and then writes it back into the web page (for example through dynamic HTML), DOM-based XSS becomes possible.

Once the malicious script is injected, the attacker can perform a variety of malicious activities. The attacker can transfer private information, such as cookies that may include session information, from the victim's machine to the attacker's own machine. The attacker can also send malicious requests to a web site while posing as the victim, which is especially dangerous to the site if the victim holds administrator privileges for it. A phishing attack can imitate a trusted web site and prompt the victim to enter a password; if it succeeds, the attacker can compromise the victim's account on that web site. Finally, the script can exploit a vulnerability in the web browser itself and take over the victim's machine.
In many cases the attack succeeds whether or not the victim notices it. Even with careful users, attackers frequently encode the malicious portion of the attack (using URL encoding or Unicode, for example) so that the request looks less suspicious.

Alternate Terms

XSS

CSS

"CSS" was once used as an abbreviation for this weakness, but because it is easily confused with "Cascading Style Sheets" the abbreviation is now rarely used.

Time of Introduction

Architecture and Design

Applicable Platforms

Languages

Language-independent

Architectural Paradigms

Web-based

Technology Classes

Web-Server

Platform Notes

XSS flaws are very common in web applications, since avoiding them requires a great deal of developer discipline.

Common Consequences

Scope: Confidentiality
Technical Impact: Bypass protection mechanism; Read application data

The most common attack performed with cross-site scripting involves the disclosure of information stored in user cookies. Typically, a malicious user crafts a client-side script which, when parsed by a web browser, performs some activity (such as sending all of the site's cookies to a given e-mail address). This script is loaded and run by each user visiting the web site. Since the site that requests the script to run has access to the cookies in question, the malicious script has access to them as well.

Scope: Access Control
Technical Impact: Execute unauthorized code or commands

In some circumstances it may be possible to run arbitrary code on a victim's computer when cross-site scripting is combined with other flaws.

Scope: Confidentiality, Integrity, Availability
Technical Impact: Execute unauthorized code or commands; Bypass protection mechanism; Read application data

The consequence of an XSS attack is the same whether the XSS is stored or reflected. The difference lies in how the payload arrives at the server.

XSS can cause a variety of problems for the end user, ranging in severity from an annoyance to complete account compromise. Some cross-site scripting vulnerabilities can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end-user systems for a variety of nefarious purposes. Other damaging attacks include the disclosure of end-user files, installation of Trojan horse programs, redirecting the user to some other page or site, running "Active X" controls (under Microsoft Internet Explorer) from sites that the user perceives as trustworthy, and modifying the presentation of content.

 

Likelihood of Exploit

High to Very High

Enabling Factors for Exploitation

Cross-site scripting attacks can occur anywhere that possibly malicious users are allowed to post unregulated material to a web site trusted by other valid users. The most common example of such a trusted web site is a bulletin-board site that provides web-based mailing-list-style functionality.

In a "guestbook" web site, the guestbook form can be vulnerable to XSS. If an attacker writes malicious JavaScript code into a guestbook entry, everyone who accesses the guestbook page will execute that code. As this example shows, an XSS vulnerability is code that includes untrusted data in an HTTP response.

Detection Methods

Automated Static Analysis
Use automated static analysis tools that can detect this weakness. Many recent techniques use data flow analysis to minimize the number of false positives. Tool-based detection is not a perfect solution, since 100% accuracy and coverage are not feasible, especially when multiple components are involved.

Effectiveness: Moderate

Black Box
Use the XSS Cheat Sheet [REF-14] or automated test-generation tools to help launch a wide variety of attacks against your web application. The Cheat Sheet also covers many subtle XSS variations that specifically target weak XSS defenses.

Effectiveness: Moderate
With stored XSS, the indirection caused by the data store makes the problem harder to find. The tester must first inject the XSS string into the data store and then find the application functionality in which that string is sent to other users of the application. It may take minutes, hours or even days after the XSS has been injected into the data store before it becomes a real problem.

Demonstrative Examples

Example 1:

This example shows a reflected XSS (Type 1) scenario. The JSP code segment below reads an employee ID, eid, from an HTTP request and displays it to the user.

Example Language: JSP (Bad Code)
<%-- eid is taken directly from the request --%>
<% String eid = request.getParameter("eid"); %>
...
<%-- and written into the page without encoding: this is the XSS sink --%>
Employee ID: <%= eid %>

The ASP.NET code segment below reads an employee ID number from an HTTP request and displays it to the user.

Example Language: ASP.NET (Bad Code)
...
protected System.Web.UI.WebControls.TextBox Login;
protected System.Web.UI.WebControls.Label EmployeeID;
...
// The submitted text is copied into the label unchanged: this is the XSS sink
EmployeeID.Text = Login.Text;
... (HTML follows) ...
<p><asp:label id="EmployeeID" runat="server" /></p>
...

The code in this example operates correctly if the Employee ID variable contains only standard alphanumeric text. If the value includes meta-characters or source code, that code is executed by the web browser when it displays the HTTP response.
Since it is unlikely that someone would enter a URL that runs malicious code against their own computer, this may not at first appear to be a serious vulnerability. The real danger is that an attacker creates the malicious URL and then uses e-mail or social-engineering tricks to lure victims into visiting a link to it. When victims click the link, they unwittingly reflect the malicious content through the vulnerable web application back to their own computers.

 

Example 2:

This example shows a stored XSS (Type 2) scenario. The JSP code segment below queries a database for the employee with a given ID and prints that employee's name.

Example Language: JSP (Bad Code)
<%
...
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("select * from emp where id="+eid);
if (rs != null) {
rs.next();
String name = rs.getString("name");
%>

<%-- name comes from the database and is written out unencoded: this is the XSS sink --%>
Employee Name: <%= name %>

The ASP.NET code segment below queries a database for the employee with a given ID and prints the name that matches that ID.

Example Language: ASP.NET (Bad Code)
protected System.Web.UI.WebControls.Label EmployeeName;
...
string query = "select * from emp where id=" + eid;
sda = new SqlDataAdapter(query, conn);
sda.Fill(dt);
string name = dt.Rows[0]["Name"];
...
// name is read from the database and copied into the label unencoded: this is the XSS sink
EmployeeName.Text = name;

This code can appear less dangerous because the value of name is read from a database whose contents seem to be managed by the application. However, if the value of name originates from user-supplied data, the database becomes a conduit for malicious content. Without proper input validation on all data stored in the database, an attacker may be able to execute malicious commands in the user's web browser.

 

 

Observed Examples

Reference  Description
CVE-2008-5080 Chain: protection mechanism failure allows XSS
CVE-2006-4308 Chain: only checks "javascript:" tag
CVE-2007-5727 Chain: only removes SCRIPT tags, enabling XSS
CVE-2008-5770 Reflected XSS using the PATH INFO in a URL
CVE-2008-4730 Reflected XSS not properly handled when generating an error message
CVE-2008-5734 Reflected XSS sent through email message.
CVE-2008-0971 Stored XSS in a security product.
CVE-2008-5249 Stored XSS using a wiki page.
CVE-2006-3568 Stored XSS in a guestbook application.
CVE-2006-3211 Stored XSS in a guestbook application using a javascript: URI in a bbcode img tag.
CVE-2006-3295 Chain: library file is not protected against a direct request (CWE-425), leading to reflected XSS

 

Potential Mitigations

Phase: Architecture and Design

Strategy: Libraries or Frameworks
Use a vetted library or framework that does not allow this weakness to occur, or that provides constructs which make it easier to avoid.
Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.

Phase: Architecture and Design

Understand the context in which your data will be used and the encoding that will be expected. This is especially important when data is transferred between different components, or when the output generated can contain several encodings at the same time, as in web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies.
For all data that is output to another web page (and in particular all data received from external input), apply the appropriate encoding to every non-alphanumeric character. Parts of the same output document may require different encodings, depending on whether the output is placed in the:

- HTML body
- Element attributes (such as src="XYZ")
- URIs
- JavaScript sections
- Cascading Style Sheets and style properties

Note that HTML Entity Encoding is appropriate only for the HTML body.

Consult the XSS Prevention Cheat Sheet [REF-16] for more details on the kinds of encoding and escaping that are needed.

Phase: Architecture and Design

Strategy: Attack Surface Reduction
Understand all of the places where untrusted input can enter your software:
parameters and arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and every external system that supplies data to the application.
Remember that such input may also arrive indirectly through API calls.

Effectiveness: Limited
This technique has limited effectiveness, but it helps where client state and sensitive information can be kept on the server side instead of in cookies, headers, hidden form fields, and so on.

Phase: Architecture and Design

To avoid CWE-602, ensure that every security check performed on the client side is duplicated on the server side. Attackers can bypass client-side checks by modifying values after the checks have run, or by altering the client to remove the checks entirely; the modified values are then submitted to the server.

Phase: Architecture and Design

Strategy: Parameterization
Where available, use structured mechanisms that automatically enforce the separation between data and code.
Such mechanisms can supply the relevant quoting, encoding and input validation automatically at every point where output is generated, instead of relying on the developer to do so by hand.

Phase: Implementation

Strategy: Output Encoding
For every web page that is generated, use and specify a character encoding such as ISO-8859-1 or UTF-8. When no encoding is specified, the web browser guesses which encoding the page is using and may choose a different one. That can cause the browser to treat certain byte sequences as special, exposing the client to subtle XSS attacks. See CWE-116 for further mitigations related to encoding and escaping.

Phase: Implementation

When using Struts, write all data out from form beans with the bean's filter attribute set to true.

Phase: Implementation

To mitigate XSS attacks against the user's session cookie, set the session cookie to be HttpOnly. In browsers that support the HttpOnly feature (such as more recent versions of Internet Explorer and Firefox), this attribute prevents malicious client-side scripts from reaching the user's session cookie through document.cookie. This is not a complete solution, since not every browser supports HttpOnly. More importantly, XMLHTTPRequest and other powerful browser technologies provide a way to read HTTP headers, including the Set-Cookie header in which the HttpOnly flag is set.

Phase: Implementation

Assume all input is malicious. Use an "accept known good" input validation strategy: a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to the specification, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (that is, on a blacklist). Blacklists can, however, be useful for detecting potential attacks or for deciding which inputs are so malformed that they should be rejected outright.

When validating input values, consider all potentially relevant properties: length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business-rule logic, "boat" is syntactically valid because it contains only alphanumeric characters, but it is not valid if the developer expects a colour name such as "red" or "blue".

When constructing web pages dynamically, use stringent whitelists that limit the character set according to the value expected for each parameter in the request. Validate not only the parameters the user is supposed to specify but all data in the request, including hidden fields, cookies, headers and the URL itself.
A common mistake that leaves XSS vulnerabilities in place is to validate only the fields that are expected to be displayed by the site. It is common for the application server or the application to reflect request data that the development team did not anticipate, and a field that is not currently displayed in the page may be used by a future developer. Validating ALL parts of the HTTP request is therefore recommended.

Note that proper output encoding, escaping and quoting is the most effective measure against XSS, while input validation provides defense in depth. This is because output handling effectively limits what can appear in the output. Input validation will not always prevent XSS, especially when free-form text fields that may contain arbitrary characters must be supported. For example, in a chat application the heart emoticon ("<3") is in common use and would likely pass validation, but it cannot be inserted directly into the web page because it contains "<", which must be escaped or otherwise handled. Stripping the "<" might reduce the XSS risk, but the emoticon would not be recorded, which is incorrect behaviour. That may seem a minor problem, but in a mathematics forum that needs to represent inequalities it becomes a serious one.

Even if a mistake is made in validation (such as forgetting one input field out of 100), appropriate encoding is still likely to protect against injection-based attacks. As long as it is not applied in isolation, input validation remains a useful technique: it can significantly reduce the attack surface, allow some attacks to be detected, and provide other security benefits that encoding alone does not.

Ensure that input validation is performed at well-defined interfaces within the application. This helps protect the application even when a component is reused or moved elsewhere.

Phase: Architecture and Design

Strategy: Enforcement by Conversion
When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a fixed set of input values (such as numeric IDs) to the actual filenames or URLs, and reject all other input.

Phase: Operation

Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It is effective as an emergency measure, or as defense in depth, while more comprehensive software assurance measures are applied, for example when the code cannot be fixed because it was written by a third party.

Effectiveness: Moderate
An application firewall may not cover every input vector. In addition, attack techniques may exist that bypass the protection mechanism, such as malformed input that the receiving component can nevertheless process. Depending on its functionality, an application firewall may inadvertently reject or modify legitimate requests. Finally, some manual customization may be required.

Phase: Operation; Implementation

Strategy: Environment Hardening
When using PHP, configure the application so that it does not use register_globals. During implementation, develop the application so that it does not rely on this feature, and be wary of implementing a register_globals emulation that is subject to weaknesses such as CWE-95, CWE-261 and similar issues.

Background Details

Same-Origin Policy

The same-origin policy states that browsers should limit the resources accessible to scripts running on a given web site, or "origin", to the client-side resources associated with that site, and not the client-side resources of any other site or "origin".
Its goal is to prevent one site from modifying or reading the contents of an unrelated site. Because the World Wide Web involves interaction between many sites, it is important that browsers enforce this policy.

Domain

When referring to XSS, the domain of a web site is roughly equivalent to the resources associated with that site on the client side of the connection. That is, the domain can be thought of as all the resources the browser stores for the user's interaction with that particular site.

Weakness Ordinalities

Ordinality  Description
Resultant  Occurs as a result of other weaknesses being present

 

Relationships

 

Nature Type ID Name View(s) this relationship pertains to Named Chain(s) this relationship pertains to
ChildOf Weakness Class 20 Improper Input Validation Seven Pernicious Kingdoms (primary)700
ChildOf Weakness Class 74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Seven Pernicious Kingdoms (primary)700
Research Concepts (primary)1000
ChildOf Category 442 Web Problems Development Concepts699
ChildOf Category 712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) Weaknesses in OWASP Top Ten (2007) (primary)629
ChildOf Category 722 OWASP Top Ten 2004 Category A1 - Unvalidated Input Weaknesses in OWASP Top Ten (2004)711
ChildOf Category 725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws Weaknesses in OWASP Top Ten (2004) (primary)711
ChildOf Category 751 2009 Top 25 - Insecure Interaction Between Components Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors (primary)750
ChildOf Category 801 2010 Top 25 - Insecure Interaction Between Components Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors(primary)800
ChildOf Category 811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) Weaknesses in OWASP Top Ten (2010)(primary)809
CanPrecede Weakness Base 494 Download of Code Without Integrity Check Research Concepts1000
PeerOf Compound Element: Composite 352 Cross-Site Request Forgery (CSRF) Research Concepts1000
ParentOf Weakness Variant 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 81 Improper Neutralization of Script in an Error Message Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 83 Improper Neutralization of Script in Attributes in a Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 84 Improper Neutralization of Encoded URI Schemes in a Web Page Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 85 Doubled Character XSS Manipulations Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages Development Concepts (primary)699
Research Concepts (primary)1000
ParentOf Weakness Variant 87 Improper Neutralization of Alternate XSS Syntax Development Concepts (primary)699
Research Concepts (primary)1000
MemberOf View 635 Weaknesses Used by NVD Weaknesses Used by NVD (primary)635
CanFollow Weakness Base 113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') Research Concepts1000
CanFollow Weakness Base 184 Incomplete Blacklist Research Concepts1000 Incomplete Blacklist to Cross-Site Scripting692

 

Causal Nature

Unknown

Taxonomy Mappings

Mapped Taxonomy Name  Node ID  Fit  Mapped Node Name
PLOVER Cross-site scripting (XSS)
7 Pernicious Kingdoms Cross-site Scripting
CLASP Cross-site scripting
OWASP Top Ten 2007 A1 Cross Site Scripting (XSS)
OWASP Top Ten 2004 A1 CWE More Specific Unvalidated Input
OWASP Top Ten 2004 A4 Cross-Site Scripting (XSS) Flaws
WASC 8 Cross-site Scripting

 

Related Attack Patterns

CAPEC-ID  Attack Pattern Name (CAPEC Version 1.1)
232 Exploitation of Privilege/Trust
85 Client Network Footprinting (using AJAX/XSS)
86 Embedding Script (XSS) in HTTP Headers
32 Embedding Scripts in HTTP Query Strings
18 Embedding Scripts in Nonscript Elements
19 Embedding Scripts within Scripts
63 Simple Script Injection
91 XSS in IMG Tags
106 Cross Site Scripting through Log Files
198 Cross-Site Scripting in Error Pages
199 Cross-Site Scripting Using Alternate Syntax
209 Cross-Site Scripting Using MIME Type Mismatch
243 Cross-Site Scripting in Attributes
244 Cross-Site Scripting via Encoded URI Schemes
245 Cross-Site Scripting Using Doubled Characters, e.g. %3C%3Cscript
246 Cross-Site Scripting Using Flash
247 Cross-Site Scripting with Masking through Invalid Characters in Identifiers

 

References

[REF-15] Jeremiah Grossman, Robert "RSnake" Hansen, Petko "pdp" D. Petkov, Anton Rager and Seth Fogie. "XSS Attacks". Syngress. 2007.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 2: Web-Server Related Vulnerabilities (XSS, XSRF, and Response Splitting)." Page 31. McGraw-Hill. 2010.
[REF-17] Michael Howard, David LeBlanc and John Viega. "24 Deadly Sins of Software Security". "Sin 3: Web-Client Related Vulnerabilities (XSS)." Page 63. McGraw-Hill. 2010.
"Cross-site scripting". Wikipedia. 2008-08-26. <http://en.wikipedia.org/wiki/Cross-site_scripting>.
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 13, "Web-Specific Input Issues" Page 413. 2nd Edition. Microsoft. 2002.
[REF-14] RSnake. "XSS (Cross Site Scripting) Cheat Sheet". <http://ha.ckers.org/xss.html>.
Microsoft. "Mitigating Cross-site Scripting With HTTP-only Cookies". <http://msdn.microsoft.com/en-us/library/ms533046.aspx>.
Mark Curphey, Microsoft. "Anti-XSS 3.0 Beta and CAT.NET Community Technology Preview now Live!". <http://blogs.msdn.com/cisg/archive/2008/12/15/anti-xss-3-0-beta-and-cat-net-community-technology-preview-now-live.aspx>.
"OWASP Enterprise Security API (ESAPI) Project". <http://www.owasp.org/index.php/ESAPI>.
Ivan Ristic. "XSS Defense HOWTO". <http://blog.modsecurity.org/2008/07/do-you-know-how.html>.
OWASP. "Web Application Firewall". <http://www.owasp.org/index.php/Web_Application_Firewall>.
Web Application Security Consortium. "Web Application Firewall Evaluation Criteria". <http://www.webappsec.org/projects/wafec/v1/wasc-wafec-v1.0.html>.
RSnake. "Firefox Implements httpOnly And is Vulnerable to XMLHTTPRequest". 2007-07-19.
"XMLHttpRequest allows reading HTTPOnly cookies". Mozilla. <https://bugzilla.mozilla.org/show_bug.cgi?id=380418>.
"Apache Wicket". <http://wicket.apache.org/>.
[REF-16] OWASP. "XSS (Cross Site Scripting) Prevention Cheat Sheet". <http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet>.
Jason Lam. "Top 25 series - Rank 1 - Cross Site Scripting". SANS Software Security Institute. 2010-02-22. <http://blogs.sans.org/appsecstreetfighter/2010/02/22/top-25-series-rank-1-cross-site-scripting/>.

Update History

[2011-04-21]
  Updated to the data as of 2010-10-12
[2009-06-29]
  Created from the following URL, as of 2009-02-02
    http://cwe.mitre.org/data/definitions/79.html


Registered: 2011/04/21

Last updated: 2023/04/04