Cross site scripting (XSS) is a technique for attacking web users viewing sites that generate dynamic web pages. Basically, the attacker provides a user with a link to a legitimate web site that has an XSS vulnerability. The link includes both the legitimate URL for the site and parameters that will cause the information sent to the user to contain malicious elements. These are usually disguised to look innocuous. If the user clicks on the malicious element the site will appear. Probably looking innocuous. Meanwhile an attack on his/her PC is initiated by the combination of faulty scripts at the site and the attacker's parameter strings. This can result in account hijacking, accessing of the user's cookies, etc.

Vulnerabilities to XSS are not uncommon and may be present at times even on major websites. Since XSS attacks those viewing the site, not the site per se, and the problems do not affect normal usage of the site, the staff at the site generally will not be aware of the vulnerability. The fact that a link provided in an email or on a web site is to a reputable website does not mean that the major website could not have a scripting error that will be manipulated by a malicious link provided in the email or web site.

The best defense against XSS is to access web sites directly whenever possible. e.g. Go to Google or eBay or whatever directly, not through a link on a website or in an eMail.



Return To Index Copyright 1994-2002 by Donald Kenney.