Q

Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any

other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

This was first published in March 2010

Dig deeper on Software Security Test Best Practices

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close