Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

Principle Logic, LLC

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
Proactively stamp out XSS cross scripting errors
Web-based application development expert Dan Cornell explains how to proactively reduce cross site scripting and SQL injection vulnerabilities

This was last published in March 2010

Dig Deeper on Software Security Test Best Practices

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Q&A from Kevin Beaver

Unknown apps: How does Android Oreo control installation?

Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading

Vulnerability scans: How effective are they for web apps?

Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading

Android bootloader: How does it work and what is the risk?

Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

What to look for in an API development SaaS platform

Not all SaaS API development platforms are made the same. Learn about the fundamental capabilities that API SaaS tools should ...

5 fundamental steps of managing APIs

API management is undeniably essential, but it requires a comprehensive plan. Here are the five steps of an API management ...

Test yourself on the challenges of microservices security

Think you know what complicates microservices security and what precautions to take to maximize protection? Challenge yourself, ...

TheServerSide.com

Amazon Corretto extends OpenJDK support

With Java among the most popular languages on AWS, Amazon spins out its own distribution of the OpenJDK open source Java ...

Is it a mistake to teach Java as a first programming language?

Is it right to teach Java to students as an introductory programming language? If not, what are the alternatives to Java when it ...

The 4 essential Java cyclomatic complexity testing tools

Code that's less complex is easier to troubleshoot and maintain. If developers can calculate code cyclomatic complexity metrics, ...

SearchCloudApplications

Microsoft Azure Dev Spaces, Google Jib target Kubernetes woes

Microsoft Azure and Google Cloud both added cloud application development tools that improve and simplify the process of creating...

With progressive web applications, developers blur the lines

With progressive web applications, single-page apps, motion UI and other innovations, app development meets the moment, giving ...

Web app development morphs as apps and websites merge

The lines between web and mobile app and websites are blurring, so development silos are out, and boning up on building ...

SearchAWS

EC2 Fleet Auto Scaling targets diverse workloads

Autoscaling is table stakes for public cloud providers. Now AWS customers can apply it to their EC2 Fleet instance groups for ...

How CloudFormation Macros stack up against other IaC tools

Developers can use an updated CloudFormation feature to manage and deploy IaC templates with Lambda. However, other native and ...

AWS, Oracle trash talk spotlights cloud database migration

Amazon says its consumer division has dumped Oracle's database platform, and the company will offload most workloads by year's ...

SearchBusinessAnalytics

ThoughtSpot SearchIQ enables voice analytics

Part of the ThoughtSpot 5 update, which adds a number of upgrades to the BI platform, SearchIQ allows users to take advantage of ...

At Logi Analytics and Tableau, beta feedback drives creation

Constructive commentary from software beta testing can help work out bugs and bring about new ideas, which BI vendors Logi ...

6 big data visualization project ideas and tools

These data visualization project examples and tools illustrate how enterprises are expanding the use of "data viz" tools to get a...

SearchHRSoftware

Adoption of HR onboarding software accelerating, says one study

HR onboarding is an area of talent acquisition that is getting a lot of focus. First impressions count, and there's a link ...

News briefs: Glint acquisition ties into LinkedIn recruiting

Find out how LinkedIn may use the engagement platform Glint; a fix is developed for the coding problems created by Google for ...

Reporting harassment at work eased by new enterprise chatbot

New tool Spot uses natural language processing -- an AI technology -- to help people file harassment and discrimination ...

SearchHealthIT

Social engineering scams must be on hospitals' radars

Social engineering continues to be a threat to healthcare organizations. Hospital IT departments must be aware of the common ...

Will AthenaHealth sale alter customer service, consultant wonders

AthenaHealth announces it is set to be purchased for $5.7 billion by two private equity firms. One consultant plans to watch the ...

Mobile device security in healthcare must become a priority

As mobile devices become more common in healthcare, cybercriminals are taking advantage of the increased attack surface. Health ...

DevOpsAgenda

How to bust security silos and secure your operation

DevOps means velocity, though, not at security's expense. Rapid7's Jen Andre thinks automation and orchestration strategies can ...

The first step from Agile to DevOps is a pilot project

Agile to DevOps isn't as perilous as Waterfall to Agile, but it will take measurable goals and an efficient pilot project to ...

Best practices for DevOps compliance and reusability

You know you want to scale with a model-driven process. So how do you make it work? Start with these best practices for ...

Related Resources

Dig Deeper on Software Security Test Best Practices

Related Q&A from Kevin Beaver

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.