
Cross-site Scripting (XSS)

Posted August 22, 2008 at 10:32 pm in Vulnerabilities

Cross-site Scripting (XSS) is the most recurring high-risk exploit. In recent years, XSS surpassed buffer overflows to become the most common of all publicly reported security vulnerabilities.

XSS is an attack vector that targets the web application layer through scripts embedded on the client side (the web browser). Common client-side technologies such as HTML, JavaScript, ActiveX, VBScript, and Adobe Flash are targeted. The idea is to manipulate the client-side scripts of a web application so that they execute in the manner desired by the malicious user. XSS is often used in conjunction with phishing and spear-phishing attacks.

By injecting code into websites, an attacker can gain elevated access privileges to sensitive page content, session cookies, and a variety of other objects. The website has not actually been hacked; however, it is made to appear as something other than it truly is.
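
The injection described above, shown from the defender's side as an added example that is not part of the original post: the same comment rendered without and with output encoding, plus a session cookie flagged so page scripts cannot read it. All function names and the sample comment are hypothetical and constructed for illustration.

```javascript
// Added illustration; escapeHtml, renderComment*, sessionCookieHeader are hypothetical names.

// Characters that carry meaning in HTML text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so the browser treats it as data, not markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user-supplied values are concatenated straight into the page.
function renderCommentUnsafe(author, text) {
  return `<div class="comment"><b>${author}</b>: ${text}</div>`;
}

// Hardened: every untrusted value is encoded for the HTML context it lands in.
function renderCommentSafe(author, text) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Session cookie header: HttpOnly hides the cookie from page scripts,
// Secure restricts it to HTTPS, SameSite limits cross-site sending.
function sessionCookieHeader(sessionId) {
  return `Set-Cookie: sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Crude check for this demo only: does the output contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a comment whose text carries markup.
const sample = { author: 'guest', text: '<script>alert(1)</script>' };
console.log(renderCommentUnsafe(sample.author, sample.text)); // markup survives intact
console.log(renderCommentSafe(sample.author, sample.text));   // markup shown as text
console.log(sessionCookieHeader('constructed-session-id'));
```

Encoding must match the context the value lands in; this helper covers HTML text and quoted attributes only, not script blocks, URLs, or CSS.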

XSS is often overlooked as a security vulnerability. As Web 2.0 and its future successor press on, this must change. Reasons why XSS vulnerabilities must receive attention include:

  • Identity theft
  • Accessing sensitive or restricted information
  • Gaining free access to otherwise paid-for content
  • Spying on users’ web browsing habits
  • Altering browser functionality
  • Public defamation of an individual or corporation
  • Web application defacement
  • Denial of Service attacks
