Cross-site Scripting

Like SQL Injection and Buffer Overflow attacks, cross-site scripting aims to cause a computer to execute commands it shouldn't. In cross-site scripting, the attacker hides malicious code (a script) in an HTML link on an innocuous-looking Web page (or in an email).

Example: Let's say I find a URL which purports to link to a Web site I normally trust. Unbeknownst to me, the link includes an embedded HTML script. When I click on the link, my browser goes to that Web site's host and requests the page for that URL. If the host computer is vulnerable to cross-site scripting, it dynamically generates a Web page in response to the request, but the Web page it generates includes the embedded HTML script. Because my browser trusts that Web host, it executes the malicious script.
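The dynamic page generation described above, shown as an added example that is not part of the original article: a handler that copies a request parameter into the page unchanged, beside a version that HTML-encodes it first. The host name, the `q` parameter, the page markup and the function names are assumptions made for illustration.

```javascript
// Added example. trusted.example, the "q" parameter and the markup are
// assumptions for illustration, not taken from any real site.

// Vulnerable: text from the request is concatenated into the HTML as-is,
// so any markup it carries becomes part of the page the browser trusts.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return "<p>Results for: " + q + "</p>";
}

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: the same page, but the parameter is encoded before output,
// so the browser displays it as text instead of executing it.
function renderEscaped(requestUrl) {
  const q = new URL(requestUrl).searchParams.get("q") || "";
  return "<p>Results for: " + escapeHtml(q) + "</p>";
}

// Simple check a test suite can run against rendered output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample link with a harmless marker script in the parameter.
const SAMPLE_LINK =
  "https://trusted.example/search?q=" + encodeURIComponent("<script>alert(1)</script>");

console.log(renderVulnerable(SAMPLE_LINK)); // script tag reaches the page
console.log(renderEscaped(SAMPLE_LINK));    // script tag is shown as text
```

Running both renderers over the same link in a regression test makes the difference visible: only the escaped output is free of a live script tag.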

Copyright © 2004 IDG Communications, Inc.
