An abbreviation of
cross-site scripting. XSS is a security breach that takes advantage of
dynamically generated Web pages. In an XSS attack, a Web
application is sent with a
script that activates when it is read by an unsuspecting user’s
browser or by an application that has not protected itself against cross-site scripting. Because dynamic Web sites rely on user input, a malicious user can input malicious script into the page by hiding it within legitimate requests. Common exploitations include
search engine boxes, online
forums and public-accessed
blogs. Once XSS has been launched, the attacker can change user settings, hijack accounts, poison
cookies with malicious code, expose
SSL connections, access restricted sites and even launch false advertisements. The simplest way to avoid XSS is to add code to a Web application that causes the dynamic input to ignore certain command
tags.
Scripting tags that take advantage of XSS include <SCRIPT>, <OBJECT>, <APPLET>, <EMBED> and <FORM>. Common languages used for XSS include JavaScript, VBScript, HTML, Perl, C++, ActiveX and Flash.
Cross-site scripting also is referred to as malicious tagging and sometimes abbreviated as CSS, though CSS is more commonly used as an abbreviation for cascading style sheets.
