Cross-site scripting (XSS) is a type of injection attack where malicious scripts are inserted into otherwise benign and trusted websites. With XSS, the attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user. The end user’s browser has no way of knowing that the script should not be trusted, and will execute the script.
Attackers can use cross-site scripting vulnerabilities to bypass access controls such as the same-origin policy. The effect of XSS attacks can range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. Flaws that allow these attacks to succeed can occur whenever a web application uses input from a user within the output it generates, without validating or encoding it.
By contrast, cross-site request forgery exploits the trust that a website has for a user.
Cross-site scripting is one of the most common web vulnerabilities and can lead to phishing attacks, website defacement, session hijacking and installation of malware on a victim’s computer. Watch this webinar to learn more about cross-site scripting attacks and how to best defend against them.