Frequently Asked Questions

Cross-Site Scripting

Last Updated: April 13, 2015 9:47 AM

Cross-site scripting (XSS) vulnerabilities let visitor-provided input, such as text in a search or form, influence how a website functions or displays for another visitor.

Attackers use XSS to exploit the trust between visitors and websites by entering text, usually browser-executable content such as JavaScript®, Adobe® Flash, or HTML markup, to perform a variety of malicious acts. Typical attacks access other visitors' session data or cookies, bypass log-in requirements, or redirect visitors to another malicious site.

For example: A blog site lets visitors comment on posts. The site doesn't check the content to make sure it's valid, and displays comments without sanitizing them.

Attackers can add comments with malicious links containing scripts that let them take over another user's session on the site.

You can prevent XSS flaws on your website by keeping visitor-provided information separate from the rest of your content: encode (escape) any visitor-supplied text before placing it in a page, so the browser treats it as plain text rather than as markup or script. A "whitelist" (allowlist) of acceptable input can help validate fields with a known format, but it is not sufficient on its own if your forms legitimately allow special characters such as <, >, &, and quotes.

You can check your website for XSS and other common vulnerabilities with a daily vulnerability scanner, such as SiteLock.

To learn more about XSS, see Cross-site Scripting (XSS) at the Open Web Application Security Project's site.