Cross-site Scripting Issues

In a cross-site scripting attack, an attacker e-mails a user a link, or otherwise directs the user to a link, that points to a Web site and carries a malicious payload in the query string of the URL. The attack is particularly bad if the Web site creates an error message with the embedded query string as part of the error text.

Cross-site scripting attacks are becoming common. The main cause of the vulnerability is echoing user input. A single flawed page anywhere in your domain is enough to make you vulnerable.

Note

  • Using SSL/TLS does not mitigate cross-site scripting issues.
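The error-message case described above, shown as an added example that is not part of the original page: one error page that echoes a query-string value as-is, beside the same page with the value HTML-encoded. The host `shop.example`, the `item` parameter and all function names are assumptions made for illustration; the sample link uses https to show that the transport does not change what the page echoes.

```javascript
// Added example: an error page that echoes a query-string value, unsafe and safe.
// The URL, the "item" parameter and all function names are constructed for illustration.

// HTML-encode the five characters that can change markup context.
function htmlEncode(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull one parameter out of the request URL (URL-decoding it, as a web framework would).
function queryParam(requestUrl, name) {
  return new URL(requestUrl).searchParams.get(name) ?? '';
}

// Vulnerable: the decoded query-string value is concatenated straight into the error text.
function errorPageUnsafe(requestUrl) {
  const item = queryParam(requestUrl, 'item');
  return `<p>Error: item ${item} was not found.</p>`;
}

// Hardened: the same page, with the value encoded for the HTML context it lands in.
function errorPageSafe(requestUrl) {
  const item = queryParam(requestUrl, 'item');
  return `<p>Error: item ${htmlEncode(item)} was not found.</p>`;
}

// Constructed sample request: an https link whose query string carries markup.
const sampleUrl =
  'https://shop.example/lookup?item=' + encodeURIComponent('<script>alert(1)</script>');

// Render both variants for the same request so the difference is visible side by side.
function demo() {
  return { unsafe: errorPageUnsafe(sampleUrl), safe: errorPageSafe(sampleUrl) };
}

console.log(demo());
```

The encoding shown fits a value placed in HTML element content; a value echoed into an attribute, a URL or a script block needs the encoding for that context instead.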


Copyright © 2005 Microsoft Corporation.
All rights reserved.