What Does XSS Hole Mean?
An XSS hole is a Web application that renders dynamic content to users with a computer security vulnerability. This application is cross-site scripting (XSS), and it enables an attacker to exploit a user's confidential data without passing an access control mechanism such as a same-origin policy. This defect is more appropriately known as an XSS hole.
Techopedia Explains XSS Hole
For example, the user may come across a hyperlink in a Web application pointing to some malicious content. The user may click the link and be led to another page containing some advertisement or email bulletin. This page gathers user information in the form of a password. It also generates a malicious output page that indicates some fake response tailored to appear as genuine to the user. Either the data entered by the user can be misused or the user's session can be hijacked by cookie theft. Based on the sensitivity of the data collected, cross-site scripting can range from a mere vulnerability to a serious security loophole. After exploitation of the XSS vulnerability, the attacker may bypass the organization's access control policies.
As per statistics gathered by Symantec in 2007, cross-site scripting accounts for 80 percent of all the security attacks executed using computers. There are three types of cross-site scripting:
- Non-Persistent XSS: The non-persistent type of cross-site scripting is seen during HTTP requests in which the client embeds data into an HTTP request. When the server uses data sent by the client to generate pages, the XSS holes can be active if the request has not been sanitized properly. HTML pages are composed of both content and presentation. If the malicious user adds some content that has not been validated, then markup injection occurs. The user will compromise his security by entering information requested by the malicious code. The attacker can mislead the user to a different URL, which may contain a more sophisticated virus and acquire important user information.