Problem solve

Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

Kevin Beaver

Principle Logic, LLC

Follow:

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
Proactively stamp out XSS cross scripting errors
Web-based application development expert Dan Cornell explains how to proactively reduce cross site scripting and SQL injection vulnerabilities

This was last published in March 2010

Dig Deeper on Software Security Test Best Practices

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Q&A from Kevin Beaver

Unknown apps: How does Android Oreo control installation?

Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading

Android bootloader: How does it work and what is the risk?

Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading

Vulnerability scans: How effective are they for web apps?

Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

How to control state for so-called stateless microservices

How do you control state in a stateless microservices environment? Front-end and back-end state control can be two viable ...

Docker and Kubernetes monitoring tools for microservices

Learn more about what it takes to manage your containers, and explore a wide range of monitoring tools specifically suited for ...

Why digital process automation is now essential to BPM

The increased speed of application development has made automation in BPM a necessity. Learn about digital process automation and...

TheServerSide.com

Attain Jenkins Git integration with a GitHub pull request

This Jenkins Git integration tutorial demonstrates how to create a freestyle build job that performs a Jenkins GitHub pull ...

Financial firms, vendors push self-service software delivery

Self-service DevOps automation appeals to enterprises that must push out new code as they adapt to changing requirements.

IT projects and software teams need to include Agile people

Not every idea deserves equal weight in a software development project, but Agile people know that garnering input from a wide ...

SearchCloudApplications

With progressive web applications, developers blur the lines

With progressive web applications, single-page apps, motion UI and other innovations, app development meets the moment, giving ...

Web app development morphs as apps and websites merge

The lines between web and mobile app and websites are blurring, so development silos are out, and boning up on building ...

Cloud-based applications pose tough integration challenges

Even though SaaS applications are now indispensible to many enterprises, their lack of flexibility still presents a challenge ...

SearchAWS

Assess AWS serverless costs and learn how to reduce them

Serverless architectures help teams deploy to production faster but also introduce an entirely new cost structure. Use this ...

Master AWS CloudFormation templates with these five tips

AWS CloudFormation enables businesses to automate much of their cloud infrastructure. Read this expert advice to ramp up with the...

Breadth of AWS features acts as a double-edged sword for IT

AWS offers a wide variety of cloud tools but, in some cases, still lacks the core IT management and ops features that enterprises...

SearchBusinessAnalytics

Heat map view sets table for food warehouse optimization

Inspired by the vivid views of stadium heat maps, a Midwest food distributor worked with Information Builders to gain a better ...

Streamlining predictive analytics in retail marketing

Online flash-sale retailer Zulily uses BigQuery and Tableau to help power its predictive analytics, which, in turn, boosts its ...

Airbnb, Univision highlight best practices in BI

At the Real Business Intelligence conference, Airbnb and Univision execs presented some of the BI strategies their organizations ...

SearchHRSoftware

Automated recruiting solves Groupon's sourcing talent woes

Building a talent pool through effective sourcing is a major effort by Groupon. It is using a recruiting automation tool to find ...

New HR tools for hourly workers, employee retention announced

This week's news roundup includes an HR tool designed just for hourly workers, a new offering from Limeade to help with talent ...

Eight human capital management functions every HR department needs

Employee self-service and wellness portals are no longer enough. Now, you need a multipronged strategy that tackles the most ...

SearchHealthIT

A web-based approach to preauthorization for insurance

Most specialty medicine needs preauthorization for insurance coverage and it's a headache for providers and staff. ZappRX hopes ...

AI lowers hurdles to digital transformation of healthcare

Depending on the organization, the digital transformation of healthcare comes in many stages and flavors. Consensus dictates that...

Hacking and fraud escalate concerns about AI in healthcare

While many in healthcare tout the benefits of AI in clinical settings, artificial intelligence isn't immune to nefarious misuses,...

DevOpsAgenda

Satisfy GDPR standards and identify issues early in the pipeline

GDPR requirements are here to stay. Get your developers involved early and shift security left to make your pipeline secure. ...

Salary snapshot: Embrace an entry-level DevOps role

New DevOps engineers make much more than their software engineer counterparts. If you have DevOps skills, maybe it's time to ...

The cloud for DevOps: Tools and tips to consider

DevOps without cloud computing doesn't fly in today's digital technology landscape. One expert has advice for those who want to ...

Related Resources

Dig Deeper on Software Security Test Best Practices

Related Q&A from Kevin Beaver

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.