Cross site scripting (called XSS for short) is when a hacker manages to get some of their code posted to a well-known webpage like Amazon or CNN. The problem comes because people think they can trust those sites and also because those sites get so much traffic that the hacker's code can affect more people.
How You Get Exposed to XSS
Without getting specific, the hacker usually gets their code posted by exploiting poor security practices in functions like comments, product reviews, or they can just buy ad-space through one of the banner ad services the target website subscribes to. So to review, you get nailed because the website either isn't paying attention to security or because they don't bother to only promote services they support (like I do) and instead subscribe to completely random advertisements through an service that sells space (basically like a billboard company).
What XSS Does
The main thing XXS does is steal your cookies. Since your cookies can contain interesting information about you like your name, address, phone number, credit card number, or anything else the site you're on knows about you (if that site stored the information in a cookie). More importantly, if you use the "Remember Me" feature of a page so you don't have to log in every time (which is done via cookies), then if a hacker steals your cookie, they can login AS YOU without knowing your name and password.
That's bad. But it gets worse
Did you ever notice that when you are on a page like Facebook or Paypal and you click some command like "Send money" or "Add friend" that all the data that is needed for the command is listed right in the URL in the address bar?
In this fictional, but approximate example, you can see the command "addfriend" followed by the id number of the friend to add. If you are logged into your account and you type the correct url similar to the one above, you can command Facebook and other sites to perform actions simply by knowing what codes to use.
The problem comes in with XSS. If a hacker can write the code to load in image into a comment, a review, or advertisement and you load it by loading the page the code is on, here's what they can do. Instead of telling the image to load an actual image, they can put the url command above in the image tag instead. This does two things
- Because it's an image tag that doesn't actually load an image, you won't even see that it's there.
- Because they used url commands, if you are currently logged into that service when you load the page with the hacker code, your browser will execute the command.
Granted, all the above code will do is force you to friend me on Facebook which might not seem like a big deal to you, but what if I did this instead:
So essentially, just by loading the wrong webpage, you could lose your money in an instant as long as you're logged into that service in another window or tab.
Most major web services have handled this issue, but not all of them have. Until the web-coding standards address the vulnerability that allows XSS in the first place (variable data in image calls), your best defense is to never use the "Remember Me" feature of a website and always log out of services when you're done with them (especially before browsing around in another window or tab).