In 2005, a MySpace user named Samy discovered a unique way to expand his buddy list. Within 24 hours, the number of friends on his page grew from 73 to more than 1 million. He achieved this instant popularity by creating the first self-propagating cross-site scripting (XSS) worm and by exploiting the lax security in many Web browsers.
Most Web sites today use MySpace-like dynamic content features to connect communities of users, enhance users’ site experiences and extract detailed user information. However, the applications that generate dynamic content are vulnerable to infiltration by XSS, which can be employed for far more nefarious aims than instant popularity. A better understanding of this threat is critical to detection and prevention.
XSS is an attack on the client side, or front end, of a vulnerable Web site. The malicious code is typically JavaScript encapsulated in HTML or IFRAME tags that disguise the payload and help it evade input validity checks. The vulnerable Web site accepts the code because the Web application believes it is valid user input. In reality, the XSS code will ultimately attempt to steal confidential visitor information, which is then used to impersonate the victim on the visited site.
XSS attacks come in a variety of forms. The most popular on the Web today are stored, reflected or based on the JavaScript document object model.
* Stored or persistent XSS attacks are the easiest to carry out and the most expansive. Similar to an e-mail worm, Stored XSS is created once and then injected into a vulnerable site, where it is stored in files, databases or forums to be executed by any unsuspecting visitor. When visitors log on to a Web page that has been infected, their authentication information is duplicated and routed to the attacker’s credential collection server. After that, the attacker can use the collected information on that Web site and possibly on other sites where the victim has used the same credentials.
* Reflected or nonpersistent XSS attacks are similar to phishing scams. Reflected XSS uses the skeleton of a trusted Web site -- the same look, feel and information passes back and forth from the visitor to the site -- only the attacker has created a tunnel to a different site to capture the traffic.
* Instead of targeting weaknesses in Web sites like Stored XSS or in people like Reflected XSS, DOM (document object model)-based XSS attacks -- which are still in their infancy -- target the way JavaScript handles its object structure. JavaScript uses DOM, a hierarchical, object-oriented model, to map the elements within a Web page. DOM-based XSS attacks exploit the trust relationships in the DOM model. Once elements are parsed by DOM, they can be trusted by other domains, and this is especially true with newer, more JavaScript-driven Web sites. If malicious XSS code can be injected into the DOM, it can be used on more than one site since DOM can be referenced by the Web browser across different domains.
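The stored and reflected patterns above both come down to untrusted text being concatenated into HTML, so the mitigation is the same for both: encode it at the point of output. The following is an added example, not code from the article; the comment record and the search term are constructed sample input, and the rendering functions are hypothetical page templates.

```javascript
// Added example: output encoding as the primary XSS mitigation, with the
// vulnerable and hardened rendering of the same untrusted input side by side.

// Encode the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Stored-XSS pattern: a comment read back from the database is concatenated
// straight into the page, so any markup inside it becomes live HTML for
// every later visitor.
function renderCommentUnsafe(comment) {
  return `<div class="comment"><b>${comment.author}</b>: ${comment.body}</div>`;
}

// Hardened version: every untrusted field is encoded where it enters HTML,
// so the browser renders it as text, never as markup.
function renderCommentSafe(comment) {
  return `<div class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</div>`;
}

// Reflected-XSS pattern: a search term taken from the URL is echoed back to
// the same visitor who supplied it.
function renderSearchUnsafe(term) {
  return `<p>Results for "${term}"</p>`;
}
function renderSearchSafe(term) {
  return `<p>Results for "${escapeHtml(term)}"</p>`;
}

// Crude check a defender can run over rendered output in unit tests: does
// any executable markup survive after templating?
function containsActiveMarkup(html) {
  return /<script|<iframe|\son\w+\s*=|javascript:/i.test(html);
}

// Constructed sample input: a comment whose body carries a (harmless) script.
const hostileComment = {
  author: 'samy',
  body: '<script>document.title = "owned"</script> hi!',
};
```

In the browser the same rule applies to the DOM sinks the third bullet refers to: assign untrusted text to `element.textContent`, not `element.innerHTML`.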
Comments (2)
gay -- By Anonymous on July 29, 2008, 3:01 am: bad article
Nice article! -- By psiphon on July 16, 2008, 8:40 pm: This is a good article on the XSS issue. I found the particular example of the use of an XSS exploit to gain myspace friends was a nice hook into getting me into...