Mozilla Firefox offers a more secure Internet browsing experience, and the NoScript extension provides extra protection. Follow our tips and take advantage of these tools to stay safe whenever you're online.
Operating System: All
Applies To: UB students, faculty, staff, alumni, retirees and volunteers
Last Updated: September 9, 2016
Cross-site scripting (XSS) is a type of computer security vulnerability, typically found in Web applications, that allows attackers to inject HTML code and client-side scripts into Web pages. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.
Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. As of 2007, cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities. Often during an attack "everything looks fine" to the victim, who may nonetheless be subject to unauthorized access, theft of sensitive data and financial loss.
An attacker could capture your password and other information you believe is protected. You should also be concerned because malicious scripts can be used to expose restricted parts of your organization's local network (such as its intranet) to attackers on the Internet.
Some Web browsers contain vulnerabilities in the security mechanisms that determine what access a script should have to your computer or to other Web sites. In the case of these cross-zone or cross-domain vulnerabilities, a malicious script could download and install arbitrary software on your computer, or read or modify data on another Web site.
Malicious scripts can also alter the appearance of a browser, making social engineering or "phishing" attacks more successful. For example, a malicious script might open a browser window outside of the visible screen area or cover the address bar with a spoofed address.
Cross-site request forgery (CSRF, pronounced "sea-surf", or XSRF), also known as a one-click attack, sidejacking or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has in a particular site, cross-site request forgery exploits the trust that a site has in a particular user.