CROSS SITE SCRIPTING (CSS Attack)

Cross Site Scripting (also known as XSS or CSS) generally occurs when a dynamic web page gathers malicious data from a user and displays the input on the page without it being properly validated. The data is usually formatted in the form of a hyperlink which contains malicious content within it and is distributed over any possible means on the internet.

This generally happens when Developers pass strings through QueryString and those are directly used in SQL-Queries or printed on Page. Attackers can pass complete scripts by manipulating these strings and gain control of your site.

Please note that ASP.NET prevents XSS attack to a greater extent. In order to prevent this attack in ASP or PHP, please do not use the Query String directly in Code. Before printing or executing any variable in Query String, please check it for malicious data.

For Example,
you have a variable "msg" passed through querystring through which you pass a message that is to be printed on screen (like "Invalid User"). Your URL will somehow look like this...
http://localhost/mysite/
default.asp?msg=Invalid%20User

And if on your page you are printing this variable as it is, than any hacker, even a beginner can misuse this vulnerability.

One can write
http://localhost/mysite/
default.asp?msg=<script>alert("hi");</script>

This will inject a script in your page and when the page is loader, and alert will be displayed. This example uses a simple alert. Real hacker/cracker would use something more disastrous.