What cross-site scripting isn’t

June 23, 2006

XSS is another one of those buzzwords. You know the ones we’re talking about: CSS, Web 2.0, DHTML, AJAX, Google, and the rest. Except this one is dangerous. It’s dangerous because XSS is blown far out of proportion (just like the rest of the words on the list), but in XSS’s case, it can make perfect scripts look like Swiss cheese, even if they’re not.

XSS is short for “cross-site scripting”, which it really isn’t – but that’s a whole ‘nother story. Basically, in XSS “vulnerabilities”, scripts on a page are used to “steal” information from other open browser windows or tabs. XSS refers to scripts embedded in a page that, when activated on an end user’s system, can (but do not necessarily) result in a leak of sensitive information.

The problem isn’t so much the attack itself as the usage of the term. XSS is not a real security vulnerability in a product or script, since it does not directly result in the loss of data integrity; rather, it can be used as a tool in social engineering attacks, and it can never compromise the security of a server/host under any conditions, nor that of an end user on its own.
