Cross Site Scripting

What is XSS?

"XSS", or cross-site scripting, is an attack to other users. It won't give you 'root' or SYSTEM access on a web server. It lives purely on application level (forget about the OSI model for just a minute), so it'll get you some privileges/information about the web application. Nothing more, nothing less.

Roughly speaking, XSS is the ability of injecting HTML tags in the input of a web application. A "web application" can be many things, going from a web based e-mail client to 'online forums' to e-shopping malls. This list is only limited due human creativity.

To give a very basic example, imagine a guestbook where people can discuss what they think about that very website. When viewing a guestbook, a user sees whatever previous users say about this particular website, furthermore sometimes even HTML tags are allowed. Why not putting your text in a red 'comic sans' font, so that your message will be noticed.

This is dangerous.