Cross-site scripting: An overview

Abstract

This chapter is a comprehensive survey on a currently relevant security threat to Web applications: cross-site scripting (XSS). The rise of reported XSS vulnerabilities has made this family of attacks an interesting area for computer security researchers. XSS consists of the injection of code in Web pages. Because the injected code consists of client-side scripts, it is executed in the user's Web browser. Injected scripts can perform unauthorized access, identity theft, or even cause financial loss to the attack's victim. The main reason for the existence of this kind of vulnerability is the incorrect or insufficient handling of input by Web applications. In this chapter, guidelines on proper input treatment for Web developers are offered. Additionally, existing proposals for XSS mitigations are presented and future lines of research are indicated to interested researchers and developers. Like any other computer program, Web applications are susceptible to including vulnerabilities that may not only disrupt the provided service, but also expose private and personal information to an attacker. As these applications are usually public or even publicized, attacks are expected to be more and more frequent, making it necessary to supply the means to provide an adequate level of security in the utilization of Web applications. © 2011, IGI Global.

Cite

Raya, A. A., Alis, J. B., Herrero, E. G., & Diaz-Pabón, A. O. (2011). Cross-site scripting: An overview. In Innovations in SMEs and Conducting E-Business: Technologies, Trends and Solutions (pp. 61–75). IGI Global. https://doi.org/10.4018/978-1-60960-765-4.ch004