Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

Principle Logic, LLC

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
Proactively stamp out XSS cross scripting errors
Web-based application development expert Dan Cornell explains how to proactively reduce cross site scripting and SQL injection vulnerabilities

This was last published in March 2010

Dig Deeper on Software Security Test Best Practices

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Q&A from Kevin Beaver

How can IT prevent mobile cryptojacking on devices?

While most mobile platforms provide levels of security from mobile cryptojacking, IT must still be aware of the risks and procedures to address an ... Continue Reading

Unknown apps: How does Android Oreo control installation?

Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading

Vulnerability scans: How effective are they for web apps?

Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

How shared Lambda functions help microservices access control

Shared Lambda functions can help combat error message issues that arise when developers create custom authentication and ...

5 common traps lurking in RESTful development

Unfortunately, many RESTful API developers fall into the same traps during design. Here are five common mistakes that you can ...

These tools help build microservices in Java

Depending on the mission, developers need to align their tool choices with one of two paths for Java microservices. Here's what ...

TheServerSide.com

Convert JPEG to SVG to improve webpage performance

Vector images open the door for multiple benefits on HTML webpages. Consider SVGs instead of raster images to boost HTML speed ...

Master-slave terminology alternatives you can use right now

Software companies have found alternatives for master-slave terminology to describe their distributed systems. It's time for the ...

RESTful parameters antipattern considerations for queries, paths

Choose carefully for path and query parameters in URL design. Lackluster choices in the design phase can plague client resource ...

SearchCloudApplications

Microsoft Azure Dev Spaces, Google Jib target Kubernetes woes

Microsoft Azure and Google Cloud both added cloud application development tools that improve and simplify the process of creating...

With progressive web applications, developers blur the lines

With progressive web applications, single-page apps, motion UI and other innovations, app development meets the moment, giving ...

Web app development morphs as apps and websites merge

The lines between web and mobile app and websites are blurring, so development silos are out, and boning up on building ...

SearchAWS

AWS predictive scaling boosts cloud's resource management

AWS Auto Scaling offers adjustable resources for workloads with fluctuations in demand. With predictive scaling, AWS applies ...

Use AWS Firecracker to build micro VMs for containerized apps

Firecracker has many of the benefits of containers and VMs, without some of their limitations. Here are a few things to know if ...

AWS Lambda functions become more flexible, but use caution

AWS Lambda added custom runtimes and longer timeouts. Review the benefits, such as flexibility and easier migration, along with ...

SearchBusinessAnalytics

Avoid turbulence when shifting to data analytics in the cloud

When migrating BI and data analytics to the cloud, factor existing analytics processes, software evaluation, data protection and ...

Upswing in cloud business intelligence spawns migration issues

More organizations are looking to run BI and analytics applications in the cloud. This handbook offers insights into moving ...

Information Builders CEO on cloud-first approach, machine learning

Information Builders' new CEO, Frank Vella, said the company's focus on cloud and machine learning will help it solidify a firm ...

SearchHRSoftware

AI in recruiting may be above HR's head

Video job interviews are powerful tools. HireVue's AI algorithm can watch a candidate without losing focus and notice things a ...

Cybersecurity education: How HR can plan for the inevitable

Cybersecurity is a major concern for any organization, but employees continue to be a top threat. HR can help mitigate insider ...

LinkedIn's recruiting platform billed as 'Intelligent Hiring Experience'

LinkedIn's use of AI requires the sharing of data. It is one reason why the company is combining its talent tools into one system...

SearchHealthIT

3 technologies to improve the patient check-in process

Allowing patients to check in electronically, whether from a kiosk or tablet, can improve the patient experience and reduce the ...

ONC, CMS strive for a competitive healthcare market with open APIs

Newly proposed rules from CMS and ONC aren't just about fostering interoperability and patient data access, they're also about ...

Population health management programs require goal alignment

In this Q&A, KLAS population health researcher Bradley Hunter says successful population health management programs hinge on goal...

DevOpsAgenda

How to bust security silos and secure your operation

DevOps means velocity, though, not at security's expense. Rapid7's Jen Andre thinks automation and orchestration strategies can ...

The first step from Agile to DevOps is a pilot project

Agile to DevOps isn't as perilous as Waterfall to Agile, but it will take measurable goals and an efficient pilot project to ...

Best practices for DevOps compliance and reusability

You know you want to scale with a model-driven process. So how do you make it work? Start with these best practices for ...

Dig Deeper on Software Security Test Best Practices

Related Q&A from Kevin Beaver

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.