Cross-site scripting (XSS) is a computer vulnerability usually found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.
Since then, other similar access-control policies have been adopted in other browsers and client-side scripting languages to protect users from malicious Web sites. In general, cross-site scripting holes can be seen as vulnerabilities present in web pages which allow attackers to bypass these mechanisms. By finding clever ways of injecting malicious script into pages served by other domains, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects.
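The injection described above comes down to user-supplied text being placed into a page as markup. The following JavaScript is an added example, not part of the original article: it renders the same constructed comment once by plain concatenation and once with HTML output encoding, and all function names and the sample input are hypothetical.

```javascript
// Added example: how unencoded user input becomes markup, and how output
// encoding keeps it as text. All names here are hypothetical.

// Characters that change meaning in HTML text and in quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into HTML element content or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable form: user-controlled fields are concatenated straight into markup,
// so any tags they contain are parsed by the browsers of other visitors.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Hardened form: every user-controlled field is encoded at the point of output.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// List the element start tags present in a fragment. Used only to show whether
// the input managed to introduce elements the template did not contain.
function tagNames(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample input standing in for a comment submitted by another user.
const SAMPLE_COMMENT = '<script>document.title = "injected"</script>';

console.log(tagNames(renderCommentUnsafe('mallory', SAMPLE_COMMENT)));
console.log(tagNames(renderCommentSafe('mallory', SAMPLE_COMMENT)));
console.log(renderCommentSafe('mallory', SAMPLE_COMMENT));
```

This encoding is correct for element content and quoted attribute values only; values placed inside script blocks, URLs or style rules need encoding specific to those contexts.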
The acronym CSS was often used in the early days to refer to cross-site scripting vulnerabilities, but this quickly became confusing in technical circles because both Cascading Style Sheets and the Content-scrambling system shared the same acronym. Perhaps the first use of the abbreviation XSS was by Steve Champeon in his Webmonkey article “XSS, Trust, and Barney”. In 2002, Steve also posted the suggestion of using XSS as an alternative abbreviation to the Bugtraq mailing list. In a rare show of unity, the security community quickly adopted the alternative, and CSS is seldom used today to refer to cross-site scripting, although a few existing pages still use it this way.
There are several classes of vulnerabilities or attack techniques which are related, and worth mentioning:
- Cross-zone scripting vulnerabilities, which exploit “zone” concepts in software and usually execute code with greater privilege.
- HTTP Header Injection vulnerabilities, which can be used to create cross-site scripting conditions in addition to allowing attacks such as HTTP response splitting.
- Cross-site request forgery (CSRF/XSRF) is almost the opposite of XSS, in that rather than exploiting the user’s trust in a site, the attacker exploits the site’s trust in the client software, submitting requests that the site believes come from its own pages.
Licensed under the GNU Free Documentation License. It uses material from Wikipedia.