XSS

Cross-Site Scripting

An attack injecting malicious scripts into web pages viewed by other users, stealing data or session tokens.

Technical Details

XSS attacks exploit the browser's trust in page content: whatever script the page delivers runs with that origin's privileges. Stored XSS persists server-side (for example in a database) and is served to every visitor, which makes it the most dangerous variant. Reflected XSS echoes attacker-controlled input, typically from URL parameters, straight back into the response. DOM-based XSS occurs entirely in client-side JavaScript, when a script writes data from a source such as location.hash into a sink such as innerHTML. Defenses: output encoding (HTML entities, JavaScript escaping), Content Security Policy (CSP) headers, HttpOnly cookies (preventing JavaScript access to session tokens), and framework auto-escaping (React, Django, Angular). The primary rule: never insert untrusted data into HTML without escaping appropriate to the context it lands in (HTML body, attribute, JavaScript string, URL).

```javascript
// Web Crypto API example: SHA-256 hex digest of a string.
// Note: this demonstrates hashing, not an XSS defense; it is unrelated to the
// encoding and CSP controls described above.
// Top-level await requires an ES module or an async function context.
const data = new TextEncoder().encode('sensitive data');
const hash = await crypto.subtle.digest('SHA-256', data);
const hex = Array.from(new Uint8Array(hash))
  .map(b => b.toString(16).padStart(2, '0')).join('');
```
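The following is an added example, not code from the original page, showing the context-appropriate output encoding and the CSP header described above. It contrasts a naive template (the usual shape of a reflected or stored XSS finding) with the same template after HTML-context encoding, adds a JavaScript-string encoder for values placed inside an inline script, and builds a nonce-based CSP. The function names, the sample payload and the nonce value are all constructed for illustration.

```javascript
// Added example: context-appropriate output encoding for untrusted data,
// plus a minimal nonce-based Content Security Policy. All names and sample
// values are constructed for this illustration.

// HTML text/attribute context: encode the five characters that can change
// the markup. Attribute values must additionally be wrapped in quotes in the
// template, otherwise a space is enough to start a new attribute.
function escapeHtml(untrusted) {
  const table = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;', // numeric form: &apos; is not recognised by older HTML parsers
  };
  return String(untrusted).replace(/[&<>"']/g, (ch) => table[ch]);
}

// JavaScript-string context: \xHH / \uHHHH-escape everything that is not
// alphanumeric, so the value can neither close the string literal nor
// inject a closing </script> tag.
function escapeJsString(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// 'Before': untrusted input concatenated straight into markup.
function renderCommentUnsafe(comment) {
  return `<p class="comment">${comment}</p>`;
}

// 'After': the same template with HTML-context encoding applied.
function renderCommentSafe(comment) {
  return `<p class="comment">${escapeHtml(comment)}</p>`;
}

// Inline-script context: the encoded value is safe inside the quotes.
function renderUserNameScriptSafe(name) {
  return `<script>const userName = "${escapeJsString(name)}";</script>`;
}

// CSP that refuses inline and third-party script unless it carries the
// per-response nonce. Directive names are standard CSP; the nonce is
// generated fresh by the server for every response.
function buildCsp(nonce) {
  return [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}'`,
    "object-src 'none'",
    "base-uri 'self'",
  ].join('; ');
}

// Constructed sample: a typical stored-XSS probe string.
const SAMPLE_PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Demo output for the reader; the behaviour is what the tests assert on.
console.log('unsafe :', renderCommentUnsafe(SAMPLE_PAYLOAD));
console.log('safe   :', renderCommentSafe(SAMPLE_PAYLOAD));
console.log('script :', renderUserNameScriptSafe('";alert(1)//'));
console.log('CSP    :', buildCsp('constructed-nonce-value'));
```

The same contextual rule applies on the client side for DOM-based XSS: assign untrusted data with textContent or setAttribute rather than innerHTML, and pair the encoding with the CSP so that a missed encoding does not immediately become script execution.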

Related Formats

Related Tools

Related Terms