XSS
Definition
Cross-Site Scripting. A web vulnerability that lets an attacker inject malicious scripts into web pages viewed by other users. It can lead to session cookie theft, redirection of users and defacement of the site, and is mitigated by output encoding and CSP headers.
Reflected vs. Stored vs. DOM XSS
Cross-Site Scripting injects malicious scripts into web pages viewed by other users. Reflected XSS embeds the payload in a URL parameter; the server echoes it back and the browser executes it. Stored XSS persists the payload in a database (a comment, a username) and fires for every visitor who loads that content. DOM-based XSS never touches the server — client-side JavaScript writes attacker-controlled data into the DOM without sanitization.
Real-World Impact
XSS payloads can steal session cookies (even over HTTPS, if the HttpOnly flag is missing), redirect users to phishing pages, log keystrokes, or silently exfiltrate form data. When combined with CSRF, XSS can perform authenticated actions on behalf of the victim without any user interaction.
Defense Strategies
- Content Security Policy (CSP) — HTTP header that restricts which scripts can execute; verify with HTTP Header Analyzer
- Output encoding — HTML-encode all user-supplied data before rendering
- HttpOnly and Secure cookie flags — prevent JavaScript from reading session tokens
- WAF rules — block common XSS vectors (<script>, onerror=, javascript: URIs) at the edge
SQL Injection and XSS are the two most widespread web injection vulnerabilities; both are addressed by the same principle — never trust user input.