cross-site scripting (XSS) definition


Cross-site scripting (XSS) is a security exploit that targets Web sites that accept user input but do not filter that input for the characters or strings commonly used in scripts.

In a cross-site exploit, the attacker finds a way to circumvent a security rule that browsers are supposed to enforce: that everything executed on a Web page must come from the same source (generally, the Web site the visitor is currently viewing). Vulnerable Web pages, sometimes called XSS holes, allow the attacker to insert malicious code through a user input field. If the visiting client's browser is not up to date with the latest XSS filters, the malicious code is delivered unfiltered and the browser executes the script when it loads the page. Typical XSS exploits let the attacker hijack the user's session, redirect the user to a malicious website, manipulate what is displayed in the victim's browser, or steal data and credentials.

Web server applications for large sites that aggregate code from multiple websites and generate Web pages dynamically are the most vulnerable to cross-site scripting exploits, because it can be difficult to validate code from multiple sources in a timely manner. When an XSS payload is injected into one application but surfaces in another Web application, the result is called a distributed XSS attack.

To protect against cross-site scripting exploits, experts recommend that enterprises and individuals make sure they are using the latest version of their browser. Server administrators should validate input as a matter of course; many XSS filtering applications exist to help them do so.
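As an added illustration of the mechanism described above and of the server-side validation the last paragraph recommends (example code written for this page, not taken from the original definition): a comment-rendering function that concatenates user input straight into a page is shown beside a hardened version that HTML-encodes the input, together with an allow-list validator for a username field and a small check that compares the markup a page contains with and without the user input. The sample inputs and the render functions are constructed for the example; only Python's standard library is used.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample inputs (not from the page): a comment carrying script
# markup, a value that tries to break out of an attribute, and a benign one.
SCRIPT_COMMENT = '<script>alert("xss")</script>'
ATTR_COMMENT = '" onmouseover="alert(1)'
PLAIN_COMMENT = "Great article & well written"


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: the input is concatenated into the page unencoded, so any
    markup it contains becomes part of the document the browser executes."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode for an element-body context before insertion;
    '<' becomes '&lt;', so the browser shows the input as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def render_title_attr_unsafe(value: str) -> str:
    """Vulnerable: unencoded input inside a quoted attribute value."""
    return f'<span title="{value}">profile</span>'


def render_title_attr_safe(value: str) -> str:
    """Hardened: quote=True also encodes '"' and "'", so the input cannot
    close the attribute and start a new one."""
    return f'<span title="{html.escape(value, quote=True)}">profile</span>'


def is_valid_username(value: str) -> bool:
    """Allow-list input validation: accept only what the field legitimately
    needs (here letters, digits and underscore, 1 to 32 characters)."""
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", value) is not None


class _Inventory(HTMLParser):
    """Collects the tags and on* event-handler attributes a page contains."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))

    def handle_endtag(self, tag):
        self.tags.append("/" + tag)


def inventory(markup: str) -> tuple[list[str], list[str]]:
    parser = _Inventory()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.handlers


def injected_markup(render, user_input: str) -> tuple[int, int]:
    """Render the input and an empty string through the same function and
    compare the two markup inventories. Returns (extra tags, extra event
    handlers); (0, 0) means the input reached the page as inert text."""
    base_tags, base_handlers = inventory(render(""))
    tags, handlers = inventory(render(user_input))
    return len(tags) - len(base_tags), len(handlers) - len(base_handlers)


if __name__ == "__main__":
    for name, render in [("unsafe body", render_comment_unsafe),
                         ("safe body", render_comment_safe)]:
        print(name, injected_markup(render, SCRIPT_COMMENT), render(SCRIPT_COMMENT))
    for name, render in [("unsafe attr", render_title_attr_unsafe),
                         ("safe attr", render_title_attr_safe)]:
        print(name, injected_markup(render, ATTR_COMMENT), render(ATTR_COMMENT))
    print("username ok:", is_valid_username("alice_01"),
          "script as username ok:", is_valid_username(SCRIPT_COMMENT))
```

The comparison in `injected_markup` is the kind of check a test suite can run over every template that embeds user data: the vulnerable renderers report extra tags or handlers for the constructed inputs, the encoded ones report none, and the benign comment still renders readably (its ampersand becomes `&amp;`). Encoding has to match the context (element body versus attribute value), which is why the attribute example encodes quotes as well.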

This was first published in October 2015

