Cross-site scripting

Cross-site scripting (XSS)[a] is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec.[1] XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

OWASP considers the term cross-site scripting to be a misnomer. It initially was an attack that was used for breaching data across sites, but gradually started to include other forms of data injection attacks.[2]


Cite error: There are <ref group=lower-alpha> tags or {{efn}} templates on this page, but the references will not show without a {{reflist|group=lower-alpha}} template or {{notelist}} template (see the help page).

  1. ^ "Symantec Internet Security Threat Report: Trends for July–December 2007 (Executive Summary)" (PDF). Yahoo. April 2008. pp. 1–3. Archived (PDF) from the original on June 25, 2008. Retrieved January 1, 2024.
  2. ^ "Cross Site Scripting Prevention - OWASP Cheat Sheet Series". OWASP. Retrieved March 19, 2003.