What is cross-site scripting?

Cross-site scripting, also known as an XSS attack, is a hacking attack on a client's Web browser using malicious code to hijack the browser. An XSS attack corrupts a trusted Web link by exploiting security weaknesses within a Web application, which allows a hacker to steal a user's information.

Hackers use different cross-site attacks such as reflective XSS, where a user receives an email with a malicious link. Once the user clicks on the link, the malicious code is executed on the user's browser during the current browsing session. An attacker can use a cross-script attack to hijack a user's account, to control the browser remotely and to access a victim's browser history.

Web servers that generate dynamic responses are vulnerable to XSS attacks. Such servers should validate user input and code Web pages properly to prevent cross-site scripting attacks. Attackers typically use JavaScript to deliver malicious code to users of vulnerable applications. The victim of such attacks is the user, not the application.

A cross-site scripting attack is dangerous because it occurs during a user's browsing session and bypasses normal security measures. If an XSS attack is successful, the attacker typically gains control of the user's browser via the vulnerable application.