Computers Security Internet Web Cross Site Scripting
Cross-site scripting (XSS) vulnerabilities allow client-side scripts (JavaScript or ActiveX) from a third party to execute as if they originated from a trusted server.

This vulnerability is caused by unfiltered, unchecked input written to a web page by the trusted server. A third party may direct a user to send data to the trusted server. If the server expects non-script data but does nothing to ensure that the data contains no script, it may pass the script back to the user to execute.

As a result, a third party may be able to steal data such as the user's password, read the user's private information, or act as the user.
More information

Answers questions on identification, threats, and prevention. Provides examples and links.
How the attack affects websites hosted on the Apache webserver and Apache specific issues.
Security consultant David deVitry offers background information, a free CSS vulnerability detector, and a list of vulnerable sites.
Paul Lindner, author of the mod_perl cookbook, explains how to secure our sites against Cross-Site Scripting attacks using mod_perl and Apache::TaintRequest. (February 20, 2002)
Advisory published jointly by the CERT Coordination Center, DoD-CERT, the DoD Joint Task Force for Computer Network Defense (JTF-CND), the Federal Computer Incident Response Capability (FedCIRC), and the National Infrastructure Protection Center (NIPC). (February 02, 2000)
Last update:
October 30, 2023 at 5:15:03 UTC