Cross-site Scripting (XSS) has been making the Top 5 list of exploitable vulnerabilities since it was first discovered way back in the 1990s. The term XSS refers to a client-side code injection attack in which an attacker can get malicious scripts to execute within a legitimate website or web application. XSS is notoriously among the most rampant web application vulnerabilities, and it occurs when a web application uses unvalidated or unencoded user input within the output it generates.
For an in-depth analysis of Cross-site Scripting, you may read the full article on Cross-site Scripting (XSS), which explains exactly how it works and what an attacker can do with such a vulnerability, and includes some examples of Cross-site Scripting attack vectors.
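The condition described above, user input placed into generated output without encoding, is shown here as an added example that is not code from the original article. The function names and the sample inputs are hypothetical and constructed for illustration; the check flags any renderer that reflects a probe string containing HTML metacharacters unchanged.

```javascript
// Added example: a search page that reflects the "q" parameter.
// All names here (escapeHtml, renderUnsafe, renderSafe, audit) are hypothetical.

// HTML-encode the characters that can change parsing context in
// element content and in quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the request value is concatenated into the response as-is.
function renderUnsafe(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input name="q" value="${query}">`;
}

// Hardened: same template, but every use of the input is encoded on output.
function renderSafe(query) {
  const q = escapeHtml(query);
  return `<h1>Results for ${q}</h1>` +
         `<input name="q" value="${q}">`;
}

// Constructed probe inputs: one targets element content, the other
// targets the quoted attribute value.
const PROBES = [
  '<script>alert(1)</script>',
  '" onfocus="alert(1)" autofocus="',
];

// Defensive regression check: return the probes that come back in the
// page byte-for-byte, meaning the metacharacters were not encoded.
function audit(render) {
  return PROBES.filter((probe) => render(probe).includes(probe));
}

console.log('unsafe renderer reflects raw:', audit(renderUnsafe).length);
console.log('safe renderer reflects raw:  ', audit(renderSafe).length);
```
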
Types of XSS
Since its inception in 1990, XSS has evolved and can now be classified into three major categories: Stored XSS, Reflected XSS and DOM-based XSS. Read the article on Types of XSS, which gives you an in-depth explanation of these 3 types of XSS and the effects they may have on your website.
XSS in the real world
In March 2015, Acunetix issued a Web Application Vulnerability Report based on an analysis of the results of over 15,000 scans performed using Acunetix Online Vulnerability Scanner over the previous 12 months. The report showed Cross-Site Scripting (XSS) topping the list of vulnerabilities, with a significant 38% of websites being vulnerable to an XSS attack. 95% of these XSS vulnerabilities involved Reflected Cross-site Scripting, with the remaining 5% made up of DOM-based and Stored XSS.