Definition: Cross-site scripting (XSS) is a type of computer security vulnerability. It accounts for almost 85% of all website security vulnerabilities.
Description: Cross-site scripting (XSS) exploits the 'same-origin policy' concept of web applications to allow hackers to extract information from the system.
How it works: Attackers inject script that runs on the client side and is sometimes parsed on the server side. There are several ways to do this. The most common way is to put some malicious data (a script) in an HTTP query. This data is immediately parsed on the server side. It is a script in itself. When users browse these websites, the server also serves this malicious script data, and it is displayed to users in the guise of a link. Users perceive it as simply a link. Once a user clicks on the link, the underlying malicious script is executed.
How can it access the private data of the user? The injected script is now part of the same domain that the user is browsing. Because it runs in that domain, the script can read user information from cookies. After getting information from the cookie, the script can send it to the attacker's server domain. Another example of XSS is e-mail content. An XSS attacker sends us an e-mail that contains a malicious script in the form of a clickable HTML element. Whenever we open that e-mail and click on the HTML element, the script is executed.
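
Added example (not part of the original page): the HTTP-query case described under "How it works", shown as a page renderer that echoes the query value as markup next to one that encodes it as text, plus a session cookie marked HttpOnly so that page scripts cannot read it. The function names, the `q` parameter, the `sid` cookie and the host `shop.example` are assumptions made for the illustration.

```javascript
// Added example: constructed rendering logic, not code from the original page.

// Encode the characters that let text be interpreted as HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Read the hypothetical "q" parameter from a request path.
function queryValue(requestPath) {
  return new URL(requestPath, 'http://shop.example').searchParams.get('q') || '';
}

// Vulnerable form: the query value is concatenated into the page, so the
// browser parses it as part of the site's own markup (same origin).
function renderUnsafe(requestPath) {
  return `<p>Results for: ${queryValue(requestPath)}</p>`;
}

// Hardened form: the same value is HTML-encoded, so it is displayed as text.
function renderSafe(requestPath) {
  return `<p>Results for: ${escapeHtml(queryValue(requestPath))}</p>`;
}

// HttpOnly hides the cookie from document.cookie, so a script running in the
// page cannot read the session identifier even if encoding is missed somewhere.
function sessionCookie(value) {
  return `sid=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed sample request: "q" carries markup instead of a search term.
const sample = '/search?q=' + encodeURIComponent('<script>alert(1)</script>');

console.log('unsafe:', renderUnsafe(sample));
console.log('safe:  ', renderSafe(sample));
console.log('cookie:', sessionCookie('abc 123'));
```
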