What is it
Cross site scripting (XSS) when exploited allows arbitrary script to be either stored at the application or allowed to run in the current execution context.
It is one of the most common vulnerabilities in the current crop of web applications and is widely identified. If properly executed an attacker can use it to bypass authentication mechanisms and view or modify secure pages and data.
XSS is also used to launch other attacks like SQL injection.
How serious is it
The impact of XSS varies from application to application sometimes resulting in possible system compromise and/or data leaks.
The impact of XSS may result in
- Launch of other attacks like SQL injection.
- Data thefts (Ex. session hijack etc.)
- Downloading an arbitrary file from a malicious server
- Installing malicious software like key loggers, virus, Trojans, worms etc.
- Gaining access to the data contained in your system (loss of Confidentiality)
- Possible loss of data (loss of Availability)
The amount of data an attacker can retrieve depends on multiple factors like his creative skills, system design and implementation.
How to prevent
Sanitize user inputs. Use APIs (Application Programming Interfaces) that could handle / parse user inputs so that XSS can be avoided.
Implement Secure Software Development Lifecycle (SSDLC)
Secure Coding guidelines although critical form ONLY a piece of the puzzle. In order to ensure that applications are secure, security need to be bolted right from the requirements stage and should extrapolate across every other stage be it Design, Coding, Review, Testing, Release or implementation.