I probably learned more about CSS by fiddling with my MySpace account in 2003 than I did during my web design class in high school (a course where we only learned FrontPage and the magically generated nested-table code).
It wasn’t too long after MySpace was launched that one of the world’s ‘fastest-spreading virus of all time’ was unleashed with over one million users affected within the first few days. The virus was the result of an XSS or Cross-Site-Scripting attack.
The author of the webworm was a fella named Samy who was experimenting with a way to automatically grow his friend count. The virus could have been malicious (exploiting vulnerabilities in IE to cause real damage) but luckily the virus didn’t do much more. Despite not being as evil as it could have been, MySpace had to temporarily shut down the site in order to remove the worm. (also, Samy was charged with a felony by the government)
Through an XSS attack, an attacker can hijack an account, spread webworms, access browser history, access clipboard data, control a web browser remotely and more.
Although an XSS attack is one of the most common types of attacks on vulnerable websites the solution for this is quite simple:
All input should be validated and sanitized prior to sending it to the server.