Problem solve

Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

Kevin Beaver

Principle Logic, LLC

Follow:

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
Proactively stamp out XSS cross scripting errors
Web-based application development expert Dan Cornell explains how to proactively reduce cross site scripting and SQL injection vulnerabilities

This was last published in March 2010

Dig Deeper on Software Security Test Best Practices

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Q&A from Kevin Beaver

Unknown apps: How does Android Oreo control installation?

Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading

Vulnerability scans: How effective are they for web apps?

Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading

Android bootloader: How does it work and what is the risk?

Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

DevOps is key to low-code BPM, digital process automation

Low-code BPM and emerging digital process automation tools empower business-side app development. But without BPM developers and ...

How proper networking supports microservices security

Security shouldn't be an afterthought when it comes to microservices. Learn about the challenges of microservices security and ...

An up-close and in-depth look at APM software vendors

Read this in-depth roundup on some of the top APM tools in today's market and what they can provide for root cause analysis, ...

TheServerSide.com

How JPA and Hibernate simplify data persistence

JPA is the Java standard for data persistence, especially for relational systems. Here, we explore how Hibernate and JPA work ...

Let's talk bitcoin and building blockchain apps fast with Hyperledger

If you're thinking about building blockchain apps, you're probably looking for the right tools and technologies. Hyperledger ...

The best web programming languages for development

Many technologies have emerged to facilitate browser-based development. Here, we look at those technologies in an effort to ...

SearchCloudApplications

Four options to manage stateful apps in the cloud

Stateful applications in the cloud pose an ongoing challenge for development and operations teams. Review four ways to address ...

BPM in cloud evolves to suit line of business, IoT

While on-premises BPM tools have caused a tug of war between lines of business and IT, the cloud helps appease both sides. Here's...

Use LinuxKit to increase container portability

With LinuxKit, Docker continues its push for better container portability. Learn how the tool can help your apps run across ...

SearchAWS

Amazon FreeRTOS aims to simplify, secure IoT deployment

Operational technology teams have been slow to update microcontroller software due to safety and logistics concerns, but Amazon ...

Test your knowledge of GDPR rights and AWS data protection

Is your enterprise GDPR-compliant? Take this quick quiz to test your knowledge of the EU regulation, as well as relevant AWS data...

Support for Node.js in AWS Lambda slowly, but surely, evolves

Developers who need the latest version of Node.js for a serverless platform might turn to Lambda rivals to meet that need. But ...

SearchBusinessAnalytics

Cambridge Analytica-Facebook case shows need for ethical data mining

Ethical data collection practices are becoming even more important, as cases like Cambridge Analytica's misuse of Facebook data ...

Rethinking analytics processes spurs enterprise innovation

By taking a fresh look at the makeup of their analytics organizations, enterprises can innovate their business models and take ...

Diversified data sets for analytics deliver top results

Analytics teams should focus on data diversity to ensure that their projects deliver the most meaningful insights -- but they ...

SearchHRSoftware

Video interview platforms make headway against consumer tech

Some recruiters prefer the familiarity of popular video tools, like FaceTime and Skype, but they may be missing out on the rich ...

Workday payroll system covers Minnesota healthcare network

A big physicians group affiliated with the University of Minnesota Medical School opted for a Workday cloud payroll system to ...

Federal HR seeks corporate simplicity, says its new chief

Federal HR has a new reformer, Jeff Pon, the director of the U.S. Office of Personnel Management. He wants to modernize federal ...

SearchHealthIT

Health informaticians weave medicine, tech and science

Natalie Pageler, M.D., explains the setup of informaticist teams at Stanford Children's Health and what motivates clinicians to ...

Facebook's medical data sharing plan raises privacy concerns

Facebook's proposal to match anonymized patient data with user profiles has some experts worried about the possible privacy ...

Medical imaging informatics is the next data step forward

Weaving the science of health informatics and the data within medical images presents a tremendous opportunity for healthcare ...

DevOpsAgenda

Embrace change to make the DevOps operating model succeed

Operations pros have more to gain and less to lose from DevOps than they understand. Brian Kirsch offers the reasons why ops ...

Why DevOps? The simple answer is it creates safer processes

Is it possible to take an old-fashioned organization actually hostile to technology and move it into the 21st-century DevOps ...

The DevOps process is hard. But here are seven ways it's easy

Attend a DevOps conference and it seems every company struggles with the methodology. We asked seven experts to tell us how ...

Related Resources

Dig Deeper on Software Security Test Best Practices

Related Q&A from Kevin Beaver

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.