Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.Security on the web is based on a variety of mechanisms, including an underlying concept of trust known as the same origin policy.
Exploiting one of these, they fold malicious content into the content being delivered from the compromised site.
When the resulting combined content arrives at the client-side web browser, it has all been delivered from the trusted source, and thus operates under the permissions granted to that system.
Some sources further divide these two groups into traditional (caused by server-side code flaws) and DOM-based (in client-side code).
The non-persistent (or reflected) cross-site scripting vulnerability is by far the most common type.
XSS vulnerabilities have been reported and exploited since the 1990s.
Prominent sites affected in the past include the social-networking sites Twitter, Facebook, My Space, You Tube and Orkut.
Historically XSS was first found in applications that performed all data processing on the server side.
User input (including XSS vector) would be sent to server, and then sent back to the user as web page.
These holes show up when the data provided by a web client, most commonly in HTTP query parameters or in HTML form submissions, is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.