Problem solve

Cross-site scripting (XSS) explanation

Cross-site scripting issues are a type of validation weaknesses in a Web form. Though XSS issues can be fairly easy to fix, avoiding them all together is key, says an expert.

Kevin Beaver

Principle Logic, LLC

Follow:

What's the best way to describe cross-site scripting to people who don't fully understand the concept?

Cross-site scripting (XSS) is a weakness facilitated by the lack of input validation on a Web form, a URL, or any...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

other item that accepts user input. The flaw allows for both the submission of script code (typically JavaScript but sometimes VBScript) and the reflection of the code back to the browser/user. It's an attack that typically doesn't affect sensitive sensitive information on your system but could be used as an exploit against a user of your site or even a completely unrelated third-party.

The lack of input validation turns into a method for gleaning sensitive information such as login credentials, browser cookies, and more via specially crafted URLs sent in email links, posted on message boards, etc. You can think of XSS as an open spam relay on your email server. A direct exploit may or may not exist (depending on the context) but it still creates liability issues that your business probably doesn't want to take on.

Here are some other useful on how to handle XSS issues:

Finding cross-site scripting (XSS) application flaws checklist
Cross-site scripting (XSS) is a major concern, it can be unpredictable and requires multiple tools to test it. Expert Kevin Beaver sheds light on XSS issues and recommends tools.
Website security improved, but more can be done
A study of website security finds that although efforts are being made to prevent well-known attacks such as XSS and SQL injection, threats of newer attacks are rising.
Proactively stamp out XSS cross scripting errors
Web-based application development expert Dan Cornell explains how to proactively reduce cross site scripting and SQL injection vulnerabilities

This was last published in March 2010

Dig Deeper on Software Security Test Best Practices

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Q&A from Kevin Beaver

Unknown apps: How does Android Oreo control installation?

Android Oreo replaced the allow unknown sources setting with a new feature that enables users to selectively install unknown apps. Kevin Beaver ... Continue Reading

Android bootloader: How does it work and what is the risk?

Several vulnerabilities were recently discovered in Android bootloaders via the BootStomp tool. Kevin Beaver explains how they work and what risk ... Continue Reading

Vulnerability scans: How effective are they for web apps?

Equifax's Apache Struts vulnerability was an example of a scan not being read correctly. Kevin Beaver explains vulnerability scans and how issues can... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Software Quality experts

View all Software Quality questions and answers

SearchMicroservices

How to manage distributed apps built on microservices

Distributed applications can clearly benefit from the architectural benefits of microservices, but that has traditionally come ...

How to move beyond REST for microservices communication

Despite its popularity, REST isn't always the best protocol for microservices communication. There are other options that may be ...

Docker and Kubernetes monitoring tools that work on microservices

What does it take to manage your containers? Explore a wide range of monitoring tools specifically suited for Docker and ...

TheServerSide.com

How to become a good software architect in 13 steps

It's not easy to find your role in an IT enterprise setting. But if you can follow these 13 steps on how to become a software ...

When you compare Java build tools, Maven comes out on top

What is the best Java build tool on the market? Is it Gradle? Do people still use Ant? Here, we explore why Maven is still one of...

New CDNs bring edge JavaScript to the app performance world

With content distribution networks loaded with edge JavaScript, Cloudfare promises to improve application performance and ...

SearchCloudApplications

Microsoft Azure Dev Spaces, Google Jib target Kubernetes woes

Microsoft Azure and Google Cloud both added cloud application development tools that improve and simplify the process of creating...

With progressive web applications, developers blur the lines

With progressive web applications, single-page apps, motion UI and other innovations, app development meets the moment, giving ...

Web app development morphs as apps and websites merge

The lines between web and mobile app and websites are blurring, so development silos are out, and boning up on building ...

SearchAWS

AWS bare-metal instances target a niche market -- for now

AWS' addition of bare-metal instances runs counter to its heritage but is another example of how the vendor wants to keep users ...

Centralize AWS account management with native SSO tool

Some third-party tools have longer track records, but AWS SSO offers an appealing alternative as a native service to handle cloud...

Assess, manage AWS costs with third-party tools

An ecosystem of third-party products augment AWS' vast portfolio of cloud services, including cost management tools. Dig into ...

SearchBusinessAnalytics

Self-service analytics tools hand BI power to business users

Self-service BI software opens the door to wider analytics uses in organizations. This handbook compares top self-service tools ...

Tableau vs. Power BI vs. Qlik: How the BI rivals stack up

Tableau, Power BI and Qlik Sense offer similar self-service BI functionality, consultant Rick Sherman says. But he points to some...

Tibco analytics capabilities get upgrade in Spotfire X

New Tibco AI and natural language processing functions in the soon-to-be-released Spotfire X look to create a simpler and faster ...

SearchHRSoftware

SaaS HCM tilts power to business side of HR-IT partnership

HR leaders joined Deloitte consultants in describing a shift in responsibilities, ownership and technical challenges of SAP ...

How ADP's AI-based workforce metrics tool might disrupt HR

A new ADP mobile app feature is delivering workforce analytics into the hands of both HR and other business leaders, in turn, ...

At HR Technology Conference, Walmart says virtual reality works

Virtual reality may be on the cusp of mainstream adoption for HR. It provides an engaging learning experience for employees, ...

SearchHealthIT

CoxHealth gains from outsourcing to Cerner ITWorks

Cerner partners with more than 30 organizations to deliver outsourced IT operation management. One of those systems, CoxHealth, ...

CRM in healthcare: A look inside its muddled world

By some estimates it could be nearly 20 years before healthcare manages true patient engagement. Here's why healthcare CRM is ...

The importance of EHR tools in today's healthcare industry

A strong EHR system can effectively acquire and centralize vital patient information like lab orders, medications, medical ...

DevOpsAgenda

The journey to DevOps starts with solving problems

If you want to do DevOps, don't just follow the prescribed strategies and roadmaps that other companies lay out. Assess your own ...

The new developer role centers on open source technology

Open source technology, along with growing compute capabilities, has made the role of the developer more creative and valuable in...

Tips to adopt open source enterprise architecture tools

To really do DevOps, you will have to adopt open source enterprise architecture tools. Talend CTO Laurent Bride explains the ...

Related Resources

Dig Deeper on Software Security Test Best Practices

Related Q&A from Kevin Beaver

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.