What Is Cross Site Scripting?
Injecting Scripts Into Otherwise Benign and Trusted Browser Rendered Content
Cross-site scripting attacks are attacks that target the end user instead of your actual site. Vulnerable web applications that don't properly check or validate incoming data allow arbitrary code (such as JavaScript) to run on a client computer. The end result can be anything from stealing cookie data or redirecting to a different site, to embedding a browser exploit in a page: anything that can be done with JavaScript (a lot!).
XSS attacks have the following characteristics:
Exploit the trust a user has for a particular site.
Users don't necessarily have a high level of trust for any web site, but the browser does. For example, when the browser sends cookies in a request, it is trusting the web site. Users may also have different browsing habits or even different levels of security defined in their browser depending on which site they are visiting.
Generally involve web sites that display external data.
Applications at a heightened risk include forums, web mail clients, and anything that displays syndicated content (such as RSS feeds).
Inject content of the attacker's choosing.
When external data is not properly filtered, you might display content of the attacker's choosing. This is just as dangerous as letting the attacker edit your source on the server.
How can this happen? If you display content that comes from any external source without properly filtering it, you are vulnerable to XSS.
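To make "properly filtering" concrete, here is an added example (not code from the original article) of a small comment renderer in JavaScript: the unsafe version concatenates external data into HTML verbatim, the fixed version HTML-encodes it at output time. The function names, the comment markup and the sample input are assumptions constructed for illustration.

```javascript
// Added example: vulnerable rendering of external data beside its fixed form.
// The fix is output encoding for the HTML body context; the same untrusted
// value placed into a URL, a script block or a style attribute would need
// the encoder for that context instead.

// Constructed sample of "external data" (a forum post, a web-mail body, an
// RSS title). The harmless alert stands in for whatever script an attacker
// would actually inject.
const UNTRUSTED_COMMENT = 'Nice post! <script>alert("xss")</script>';

// Vulnerable: the comment is concatenated into the page as-is, so any markup
// in it is parsed by the browser as part of the page, exactly as if the
// attacker had edited the server-side template.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// Encode the five characters that can change meaning inside an HTML text
// node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
  })[ch]);
}

// Fixed: every externally sourced field is encoded at the point where it is
// written into HTML, so the browser shows the tags as text rather than
// executing them.
function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</div>';
}

// Quick self-check a reviewer can run: does a raw <script> tag survive?
function scriptSurvives(html) {
  return /<script[\s>]/i.test(html);
}

console.log('unsafe:', renderCommentUnsafe('alice', UNTRUSTED_COMMENT));
console.log('safe:  ', renderCommentSafe('alice', UNTRUSTED_COMMENT));
console.log('script survives unsafe?', scriptSurvives(renderCommentUnsafe('alice', UNTRUSTED_COMMENT)));
console.log('script survives safe?  ', scriptSurvives(renderCommentSafe('alice', UNTRUSTED_COMMENT)));
```

Note that the author field is encoded too: an XSS defect is wherever any external value reaches the page unencoded, not only in the obvious free-text field.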