(CROSS-Site Scripting) Causing a user's Web browser to execute a malicious script. There are several ways this is done. One approach is to hide code in a "click here" hyperlink attached to a URL that points to a non-existent Web page. When the page is not found, the script is returned with the bogus URL, and the user's browser executes it.
An "XSS hole" is a vulnerability in an application that enables cross-site scripting to be exploited. See parameter tampering and CSRF.
An "XSS hole" is a vulnerability in an application that enables cross-site scripting to be exploited. See parameter tampering and CSRF.
 | Reproduced with permission from Computer Desktop Encyclopedia. Copyright (c) 1981-2009 The Computer Language Company Inc. All rights reserved. |
Additional Resources
- News to know: Droid, Moffat, Android, Amazon, 3D HDTV, Net Neutrality
- Here are today's notable headlines. You can get News To Know via email alert and RSS daily. For continuous updates see BNET's around-the-Web tech coverage. Andrew Nusca: Verizon unveils 30-second ad for Droid Android phone; slams iPhone Jason Perlow:DROID aims to make Apple...
- Blog posts 2009-10-19
- phpMyAdmin Plugs SQL Injection, XSS Flaws
- More secure than Windows solutions...You can put a Linux distro facing the public Internet however you cannot put a WindowsServer on the public Internet...
- Discussion threads 2009-10-16
- phpMyAdmin Plugs SQL Injection, XSS Flaws
- A new version of phpMyAdmin has been released to plug two serious security holes that could lead to SQL injection and cross-site scripting attacks. by Ryan Naraine
- Blog posts 2009-10-16
- CyD Network Utilities 2010 (Windows)
- CyD Network Utilities is a set of network tools useful in diagnosing networks and monitoring your computer's network connections. This is an excellent collection of easy-to-use network utilities for any network administrator. CyD NET Utils offers many TCP/IP utilities in one program. Its capabilities include: check oopen ports (checking running...
- Software downloads 2009-10-12
- Microsoft says Google Chrome Frame doubles IE attack surface
- Actually, it means that some of the browsing will be much safer by using Chrome. Notice that Microsoft's ONLY arguments here are bogus security arguments. They do not even try to deny that Chrome is much faster and better.RE: Microsoft says Google Chrome Frame doubles IE attack surfaceIf Google Chrome...
- Discussion threads 2009-09-24
- Scareware scammers hijack Twitter trending topics
- Researchers from F-Secure and Sophos are reporting on an ongoing scareware serving campaign abusing the popular micro-blogging service Twitter. Hundreds of tweets using four different URL shortening services are currently spammed through the automatically registered Twitter accounts, relying on a pseudo-random text generation using Twitter's trending topics....
- Blog posts 2009-09-23
- Citizens Financial sued for insufficient E-Banking security
- If a fraudulent transaction ever takes place on one of your bank accounts due to their compromise, who's to blame - the bank, for not providing you as a customer with state-of-the-art security mechanisms that could have prevented it, or you, as a customer whose insecure online behavior led to...
- Blog posts 2009-09-10
- IE8 outperforms competing browsers in malware protection -- again
- A recently released study by NSS Labs is once again claiming that based on their internal tests, Microsoft's Internet Explorer 8 outperforms competing browsers like Google's Chrome, Mozilla's Firefox, Opera and Apple's Safari in terms of protecting their users against "socially engineered malware" and phishing attacks. Not...
- Blog posts 2009-08-19
- Does Twitter's malware link filter really work?
- Today, researchers from F-Secure stumbled upon a long-anticipated feature in Twitter's fight against malicious abuse of its service - a malware URL filter preventing automatically registered or compromised legitimate accounts from tweeting known malicious links. Whenever a Twitter user is attempting to post a link to a...
- Blog posts 2009-08-03
- ThreatSentry 3.0.94.0 (Windows)
- ThreatSentry is a multi-layered Web Application Firewall that protects Microsoft Windows Web servers from a broad range of web application threats including Cross Site Request Forgery (CSRF/XSRF), Structured Query Language SQL Injection, Cross-Site Scripting XSS and other attacks. ThreatSentry combines an advanced web application firewall, a proprietary NDIS driver, and...
- Software downloads 2009-07-28
- Two ActiveX vulnerabilities make IE a toxic choice
- Two ActiveX vulnerabilities make IE a toxic choiceDude, you are the man.I just posted this at Ed Botts article.http://talkback.zdnet.com/5208-12354-0.html?forumID=1&threadID=66708&messageID=1260493Next I hit HOME, and VOILA, see you have just posted what I've been complaining about. GOOD JOB !LOL, let me feed your click-bait[i]I used to be a big fan of IE,...
- Discussion threads 2009-07-13
- News to know: Apple, iPhone 3GS; Google Voice; Blu-ray; Bartz
- Here are today’s notable headlines. You can get News To Know via email alert and RSS daily. For continuous updates see BNET’s around-the-Web tech coverage. Jason Hiner: Apple thumbs nose at Palm, reports 1 million iPhone 3G S units sold in 3 days CNBC:...
- Blog posts 2009-06-23
- Mozilla tackles XSS vulnerabilities with new technology
- Mozilla tackles XSS vulnerabilities with new technologysounds kinda like SPF, but for JavaScriptVery cool!On another note, any idea's why Firefox doesn't take advantage of the Sandbox framework provided by Vista?Is it because of Vista's market share, to ease cross platform porting, or something else?It's JavaScript not Java ScriptSome purists might...
- Discussion threads 2009-06-22
- Mozilla tackles XSS vulnerabilities with new technology
- Mozilla's security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting XSS plague against modern Web browsers. The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for...
- Blog posts 2009-06-22
- Coming in July: Month of Twitter Bugs
- A well-known security researcher plans to use the month of July to expose serious vulnerabilities in the Twitter ecosystem. The Month of Twitter Bugs, a project which launches on July 1, is the handiwork of Aviv Raff left, a researcher known for his work on Web-based security...
- Blog posts 2009-06-15
- N-Stalker Web Application Security Scanner 2009 (Windows)
- N-Stalker Web Application Security Scanner is a Web security assessment tool. Incorporates well-known N-Stealth HTTP Security Scanner and 35,000 Web attack signature database. Its patent-pending self-owned technology allows to scan Web applications against SQL XSS injection, buffer overflow, parameter tampering and much more. Component-oriented Web Security. Free Edition includes free...
- Software downloads 2009-06-06
- Ouch! Hacker-free e-mail gets hacked
- Did you hear the one about the hacker-free e-mail service that was so confident about its enhanced security measure that it offered up $10,000 to anyone who could hack into it? It got hacked. Here's the part that's really crazy, though. There was initially...
- Blog posts 2009-06-05
- News to know: FTC vs. botnets; Microsoft; Apple WWDC; Twitter
- Here are today’s notable headlines. You can get News To Know via email alert and RSS daily. For continuous updates see BNET’s around-the-Web tech coverage. Ryan Naraine: FTC shuts down notorious botnet ISP. FTC statement Patch Tuesday heads-up: Critical Windows, IE fixes coming Typo'd Google domains in Top...
- Blog posts 2009-06-05
- StrongWebmail CEO's mail account hacked via XSS
- StrongWebmail CEO's mail account hacked via XSSXSS is one way to do it.. But the telephone authentication is still a flawed 2-factor authentication method.Well, I was really hoping I'd get to it before Lance did, my hat's off to you brother. I would have just attacked it form the phone...
- Discussion threads 2009-06-04
- StrongWebmail CEO's mail account hacked via XSS
- A Webmail service that touts itself as hack-proof and offered $10,000 to anyone who could break into the CEO's e-mail has lost the challenge. A trio of hackers successfully compromised the e-mail using persistent cross-site scripting XSS vulnerability and are now claiming the bounty. ...
- Blog posts 2009-06-04
Premier Vendor Content Whitepapers, webcasts & resources from our Power Center Sponsors
SmartPlanet
- Thought-provoking progressive ideas on diverse topics that intersect with technology, business, and life, and matter to the world at large. Visit SmartPlanet
- More from IBM
-
- Can your business work smarter? Learn more about Lotus Symphony
- Learn how to work smarter and optimize cost using the IBM Smart SOA approach Download the eBook
- Smarter ways to make smarter products Read the brief from IBM
