search menu icon-carat-right cmu-wordmark

2001 Tech Tip: Cross-Site Scripting Vulnerabilities

January 2001 White Paper
Jason Rafail

In this paper, Jason Rafail discusses cross-site scripting vulnerabilities.


Software Engineering Institute


Have you ever mistyped the address of a website and received a message like "Error - page name could not be found" or "The page you requested: page name does not exist"? Certainly you have, and odds are you never gave it a second thought; you simply corrected the address or went to a different site altogether. It happens all the time. There are plenty of dead links or links with typos to stumble upon. However, when you encounter an error message like the two listed above, you are actually witnessing a potential security breach—not necessarily against the site, but rather against you directly.

Suppose you entered the following valid URL:

If the document "FILENAME.html" did not exist, the website could return an error message such as

404 page does not exist: FILENAME.html

Notice that "FILENAME.html" is a string that you entered. The web site has included it in the page returned straight through to your browser.

This may seem harmless, but now imagine that you are browsing through auctions on a popular site; let’s call it You come across several auctions that someone has posted and would like to see more items that the same person has for sale; let’s assume this person is a “bad guy” (though you don’t know it) and call him BG12345. You click on BG12345’s website and see a listing of his auctions. You click on a link on his page that interests you and are taken to’s site displaying that item. You scroll down to place a bid, and the auction site prompts you for your name and password to sign in. You enter all the information and hit the submit button. Everything looks fine, but in reality, the information that you submit is getting sent back to BG12345. How can this be? The answer is that has what is known as a cross-site scripting (CSS) vulnerability.