For those of you who don't know, Cross-Site Scripting (XSS) is when an application displays input that originated from the client. That input could come from a URL, cookie variables, or form field variables. Virtually every site is susceptible to these types of attacks, regardless of the server or client environments.
On every penetration test I have ever performed on a web application (since XSS became a known vulnerability in 2001 and was first demonstrated on a massive scale in an attack on Microsoft, where any Hotmail user who opened an email that contained an XSS attack had their Passport credential sent to an attacker, allowing for impersonation), I was able to find an XSS vulnerability.
Most people don’t consider it as significant a threat as SQL Injection or a Buffer Overflow, but a well-crafted attack against the proper target can cause massive amounts of identity theft or, at minimum, ruin the reputation of your company.
Last week, Microsoft released an Anti-XSS library to use in your web applications. They have a tutorial you can view here which shows not only how XSS attacks work, but also how to use the library to prevent them.
I haven’t used the new library in an application yet, but considering some of the factors they took into consideration, it looks like they did a great job. It’s the perfect library to help anyone from MySpace (who have had several XSS attacks allowing an attacker to see anything from who is viewing their page, to automatically adding them as a friend just by looking at a page on the site) to a Bank of America which has highly sensitive personal information.
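To make the definition above concrete, here is an added example (not from the original post, and not Microsoft's Anti-XSS library) that renders one page twice: once pasting URL, cookie and form values into the markup as-is, and once passing them through an allow-list HTML encoder. The names `htmlEncode`, `renderUnsafe`, `renderSafe` and `sampleRequest` are hypothetical, and the request values are constructed for illustration.

```javascript
// Allow-list encoding: only characters known to be harmless in HTML text and
// quoted attribute values pass through; everything else becomes a numeric entity.
// Other output contexts (URLs, inline JavaScript) need their own encoders.
const SAFE_CHAR = /^[A-Za-z0-9 .,_-]$/;

function htmlEncode(value) {
  let out = "";
  for (const ch of String(value)) {            // iterates by Unicode code point
    out += SAFE_CHAR.test(ch) ? ch : `&#${ch.codePointAt(0)};`;
  }
  return out;
}

// Constructed sample request covering the three client-controlled sources
// the post names: URL, cookie variables and form field variables.
const sampleRequest = {
  query:   { q: "<script>alert(1)</script>" },
  cookies: { theme: 'dark" onmouseover="alert(1)' },
  form:    { name: "O'Brien & Sons" },
};

// Vulnerable: client input is displayed without encoding, so markup inside
// the values is interpreted by the browser as part of the page.
function renderUnsafe(req) {
  return `<div class="${req.cookies.theme}">` +
         `<p>Results for ${req.query.q}</p>` +
         `<p>Hello ${req.form.name}</p></div>`;
}

// Hardened: every client-supplied value is encoded at the point of output.
function renderSafe(req) {
  return `<div class="${htmlEncode(req.cookies.theme)}">` +
         `<p>Results for ${htmlEncode(req.query.q)}</p>` +
         `<p>Hello ${htmlEncode(req.form.name)}</p></div>`;
}

console.log(renderUnsafe(sampleRequest));
console.log(renderSafe(sampleRequest));
```

In the hardened output the submitted values still display as the user typed them, but the browser treats them as text rather than as tags or attributes.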





