cross-site scripting (XSS)

Cross-site scripting (XSS) is a security exploit in which the attacker inserts malicious coding into a link that appears to be from a trustworthy source. When someone clicks on the link, the embedded programming is submitted as part of the client's Web request and can execute on the user's computer, typically allowing the attacker to steal information.

Web forms that dynamically return an error message including user input data make it possible for attackers to alter the HTML that controls the behavior of the form and/or the page. Attackers do this in a number of ways, for example by inserting coding into a link in a forum message or in a spam message. The attacker may use e-mail spoofing to pretend to be a trusted source.

Like other Web-based exploits, such as SQL injection, much of the blame for cross-site scripting is placed on the insecure applications that make it possible. Web server applications that generate pages dynamically are vulnerable to a cross-site scripting exploit if they fail to validate user input and to ensure that pages generated are properly encoded. A vulnerability that enables cross-site scripting is sometimes referred to as an XSS hole.

To protect against cross-site scripting, experts recommend that Web applications should include appropriate security mechanisms and servers should validate input as a matter of course.

See also: application security, phishing, session hijacking

This was last updated in September 2010
Posted by: Margaret Rouse
View the next item in this Essential Guide: zero-day exploit or view the full guide: How to hone an effective vulnerability management program

More News and Tutorials

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Research More Tech Terms

  • Search thousands of tech definitions
  • Browse tech definitions
    Browse Alphabetically:

Powered by WhatIs.com

File Extensions and File Formats

File Extension and File Formats List:

Powered by WhatIs.com