Requires Free Membership to View
When you register, you'll receive targeted emails designed to keep you informed of the most relevant information on Agile development, application security, testing & QA, software requirements, and more.
Hannah Smalltree, Editorial Director
Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.
The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.
Here are some other useful on how to handle XSS issues:
- Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
- Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
This was first published in March 2010