漏洞分类 — 通用跨站脚本

英文名字
UXSS
漏洞详情:
UXSS(Universal Cross-Site Scripting通用跨站脚本)是一种利用浏览器或者浏览器扩展漏洞来制造产生XSS的条件并执行代码的一种攻击类型。常见的XSS攻击的是因为客户端或服务端的代码开发不严谨等问题而存在漏洞的目标网站或者应用程序。这些攻击的先决条件是页面存在漏洞,而它们的影响往往也围绕着漏洞页面本身的用户会话。换句话说,因为浏览器的安全功能的影响,XSS攻击只能读取受感染的会话,而无法读取其他的会话信息,也就是同源策略的影响。 UXSS保留了基本XSS的特点,利用漏洞,执行恶意代码,但是有一个重要的区别: UXSS可以在漏洞触发时访问浏览器打开或缓存的页面的所有会话(即使不同域的情况),不管会话对应的网站或应用程序有无xss漏洞。

相关漏洞

SSV ID 漏洞名称
SSV-99044 Evernote uxss漏洞
SSV-97154 mavo中noscript xss的安全绕过
SSV-97113 chrome: UXSS in DocumentLoader::createWriterFor
SSV-97111 chrome:Persistent UXSS via SchemaRegistry(CVE-2016-1676)
SSV-97110 chrome:UXSS via window.open() via file:// pages
SSV-97107 WebKit: UXSS via ContainerNode::parserInsertBefore(CVE-2017-2508)
SSV-97057 Samsung Internet Browser 6.2.01.12 SOP Bypass / UXSS
SSV-96867 Chrome < 62 UXSS(CVE-2017-5124)
SSV-96616 Apple Safari uxss(CVE-2017-7089)
SSV-96298 WebKit: JSC: UXSS via JSObject::putInlineSlow and JSValue::putToPrimitive(CVE-2017-7037)
SSV-93184 WebKit: UXSS via Document::prepareForDestruction and CachedFrame
SSV-93183 WebKit: UXSS via CachedFrameBase::restore
SSV-93182 WebKit: UXSS: CachedFrame doesn't detach openers(CVE-2017-2528)
SSV-93150 WebKit: UXSS through HTMLObjectElement::updateWidget(CVE-2017-2493)
SSV-93148 WebKit enqueuePageshowEvent / enqueuePopstateEvent Universal XSS(CVE-2017-2510)
SSV-93147 WebKit: UXSS via Editor::Command::execute(CVE-2017-2504)
SSV-93146 WebKit: UXSS via ContainerNode::parserRemoveChild
SSV-93036 Chrome Universal XSS using IDBKeyRange static methods(CVE-2015-1268)
SSV-93035 Chrome Universal XSS via ContainerNode::parserInsertBefore (CVE-2015-6755)
SSV-93034 Chrome Universal XSS using navigator.serviceWorker.ready (CVE-2015-1292)
SSV-93033 Chrome Universal XSS by loading a javascript: URI from an unloaded window (CVE-2015-1293)
SSV-93032 Chrome Universal XSS using stack overflow exceptions (CVE-2015-1303)
SSV-93031 Chrome Universal XSS using exceptions thrown from Object.observe (CVE-2015-1304)
SSV-93030 Chrome Universal XSS via the unload_event module (CVE-2015-6769)
SSV-93029 Chrome Universal XSS using document.adoptNode (CVE-2015-6770)
SSV-93028 Chrome Universal XSS using plugin objects (CVE-2015-6772)
SSV-93027 Chrome Universal XSS via persistence of subframes (CVE-2015-6768)
SSV-93026 Chrome Universal XSS using widget updates in ContainerNode::parserRemoveChild (CVE-2016-1630)
SSV-93025 Chrome Universal XSS using Flash message loop (CVE-2016-1631)
SSV-93024 Chrome Universal XSS by circumventing the unload event ( CVE-2016-1623)
SSV-93023 Chrome Universal XSS using an intercepted native function (CVE-2016-1672)
SSV-93022 Chrome Universal XSS using a FrameNavigationDisabler bypass (CVE-2016-1673)
SSV-93021 Chrome Universal XSS via the interception of |Binding| with Object.prototype.create (CVE-2016-1674)
SSV-93020 Chrome Universal XSS using deferred history loads (CVE-2016-1675)
SSV-93019 Chrome Universal XSS using a flaw in the load deferral logic
SSV-93007 Chrome Universal XSS through adopting image elements (CVE-2016-1667)
SSV-93004 Chrome Universal XSS using iterables (CVE-2016-1668)
SSV-93003 Chrome Universal XSS via reentrancy in FrameLoader::startLoad (CVE-2016-1697)
SSV-93002 Chrome Universal XSS via same document navigations (CVE-2016-1711)
SSV-93001 Chrome Universal XSS by intercepting a UA shadow tree(CVE-2016-5204)
SSV-93000 Chrome Universal XSS via fullscreen element updates (CVE-2016-5207)
SSV-92999 Chrome Universal XSS using an <input type="color"> element (CVE-2016-5208)
SSV-92998 Chrome Security: Universal XSS through removing link elements (CVE-2017-5010)
SSV-92997 Chrome Universal XSS by polluting private scripts with named properties (CVE-2017-5008)
SSV-92996 Chrome Universal XSS through bypassing ScopedPageSuspender with closing windows (CVE-2017-5007)
SSV-92994 Chrome Universal XSS using late widget updates (CVE-2017-5006)
SSV-92974 WebKit: UXSS via operationSpreadGeneric
SSV-92969 Apple WebKit: UXSS via PrototypeMap::createEmptyStructure
SSV-92923 WebKit: UXSS via a synchronous page load(CVE-2017-2480)
SSV-92922 WebKit: UXSS via a focus event and a link element (CVE-2017-2479)
SSV-92883 Apple WebKit: UXSS via Frame::setDocument (1)(CVE-2017-2364)
SSV-92882 Apple Webkit: UXSS with JSCallbackData(CVE-2017-2442)
SSV-92881 Apple Webkit: UXSS by accessing a named property from an unloaded window (CVE-2017-2367)
SSV-92880 Apple WebKit: UXSS via disconnectSubframes (CVE-2017-2445)
SSV-92824 LastPass: FireFox error pages still load Content Scripts, allowing access to ExtensionProxyService
SSV-92802 Microsoft Internet Explorer Elevation of Privilege Vulnerability (CVE-2017-0154)
SSV-92801 Microsoft Edge allows remote attackers to bypass the Same Origin Policy(CVE-2017-0002)
SSV-92706 Apple WebKit: UXSS via Frame::setDocument (CVE-2017-2365)
SSV-92704 Apple WebKit: UXSS via FrameLoader::clear (CVE-2017-2363)
SSV-90964 Android Open Source Platform (AOSP) Browser UXSS
京ICP备10040895号 京公网安备 11010502034610号 Copyright @ 404 Team from Knownsec. English