Cross-site Scripting (XSS) is a security vulnerability usually found in websites and/or web applications that accept user input. Examples of these include search engines, login forms, message boards and comment boxes.
Cybercriminals exploit this vulnerability by submitting strings of executable malicious code through these input fields. The code is injected into the targeted website’s content, becoming part of the page and thus able to affect anyone who visits or views it. The code may also appear as transient content that isn’t actually stored on the website but only appears to be to the visitor. Either way, the website looks to the visitor as if it has been compromised by cybercriminals.
Cybercriminals may also use this vulnerability to take control or directly compromise a website, as well as exploit other existing vulnerabilities on the website's server or software.
As dangerous as XSS is, there are ways to patch such a vulnerability. Website owners must ensure that every web application that accepts user input sanitizes the submitted strings before they are used to build the resulting page. This prevents the injected code from ever becoming part of the page. Users, on the other hand, should disable scripting in their browsers and avoid clicking on links from suspicious parties or senders.
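The fix described above, as an added example that is not part of the original article: a comment box rendered server-side, once with the user's string spliced into the page as-is and once with it encoded first. The comment text is a constructed sample, and the page template and function names are hypothetical.

```python
import html

# Constructed sample input standing in for whatever a visitor types into a
# comment box. It contains markup plus the characters that HTML treats specially.
SAMPLE_COMMENT = '<script>alert("xss")</script> nice post "quoted" & <b>bold</b>'

# Hypothetical page template; {comment} is where the user's text lands.
PAGE_TEMPLATE = "<html><body><h1>Comments</h1><p>{comment}</p></body></html>"


def render_unsafe(comment: str) -> str:
    """Vulnerable version: the input is placed into the page unchanged, so any
    markup it carries becomes part of the document the browser parses."""
    return PAGE_TEMPLATE.format(comment=comment)


def render_safe(comment: str) -> str:
    """Fixed version: encode the HTML-significant characters (& < > " ') before
    the string reaches the page, so the browser displays them as text."""
    return PAGE_TEMPLATE.format(comment=html.escape(comment, quote=True))


def contains_raw_tag(rendered: str, tag: str = "<script") -> bool:
    """Check a rendered page for a raw tag that came from user input.
    Useful as a unit-test assertion on the rendering layer (case-insensitive)."""
    return tag.lower() in rendered.lower()


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_COMMENT))  # the <script> tag survives intact
    print(render_safe(SAMPLE_COMMENT))    # it is now &lt;script&gt;...
```

Escaping like this covers text placed in the HTML body or inside a quoted attribute; a value inserted into a URL, a `<script>` block or a CSS rule needs the encoding appropriate to that context instead.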
Website developers/owners should:
Users should: