Cross Site Scripting (XSS)

Cross Site Scripting is a hacking technique whereby malicious scripting code (usually JavaScript) is injected into user input forms (in a similar way to SQL injection attacks) or incorporated in a URL query string.

The threat is greatest when the user input is then output in a dynamically generated web page, and especially if the data is displayed as HTML code.

A malicious entry could include a piece of JavaScript that performs virtually any action in an innocent end-user's browser. Typically a hacker would try to get users to visit the infected page, often by posting links in forums. Possible actions include cookie theft (enabling the hacker to then log in as the other user and access their account) and logging the user's activity, for example recording keystrokes so as to intercept passwords.

The methods of counteracting cross site scripting are similar to those of SQL injection - all data entry (whether posted in a form or passed in a URL) must be carefully validated to ensure that it does not contain 'special characters' (such as greater than or less than symbols) which could allow scripting code to be embedded in the data. These special characters can be represented in hexadecimal notation as well as plain text, so both need to be checked for by the script. Where special characters are to be legitimately allowed, they must be converted to HTML character codes before being displayed in a web page - this prevents them from being interpreted as script by the browser.
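
The two defences described above (checking input for special characters in both plain and hexadecimal form, and converting allowed special characters to HTML character codes on output) are sketched below as an added example that is not part of the original page. All function names and the sample inputs are hypothetical and constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not from the original page.
const SPECIAL = /[<>"']/; // characters that can open tags or break out of attributes
const HTML_CODES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Map a number to a character, substituting U+FFFD for out-of-range values.
const fromCode = (n) => (n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');

// Undo hexadecimal notations so the check sees the characters a browser would:
// URL percent-encoding (%3C) and HTML numeric references (&#x3c; or &#60;).
// Repeats until stable (max 5 passes) so double encoding such as %253C is caught.
function decodeHexForms(input) {
  let prev;
  let cur = String(input);
  for (let pass = 0; pass < 5 && cur !== prev; pass++) {
    prev = cur;
    cur = cur
      .replace(/%([0-9a-f]{2})/gi, (_, h) => fromCode(parseInt(h, 16)))
      .replace(/&#x([0-9a-f]{1,8});?/gi, (_, h) => fromCode(parseInt(h, 16)))
      .replace(/&#([0-9]{1,8});?/g, (_, d) => fromCode(parseInt(d, 10)));
  }
  return cur;
}

// Validation: reject input containing special characters in plain or encoded form.
function hasSpecialChars(input) {
  return SPECIAL.test(decodeHexForms(input));
}

// Output encoding: where special characters are legitimately allowed,
// convert them to HTML character codes before writing them into the page.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_CODES[ch]);
}

function renderComment(text) {
  return '<p>' + escapeHtml(text) + '</p>';
}

// Constructed sample inputs.
const samples = ['hello world', '<script>', '%3Cscript%3E', '%253Cscript%253E', '&#x3c;script&#x3e;'];
for (const s of samples) {
  console.log(JSON.stringify(s), 'special chars:', hasSpecialChars(s), '->', renderComment(s));
}
```

The escaping shown here is suitable for HTML text and quoted attribute values; data written into other contexts, such as inline script or URLs, needs the encoding appropriate to that context.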