On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:
Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting
The next day there was consensus – Cross Site Scripting. In retrospect, I think this was a good choice given the options on the table.
By early February there was a coordinated advisory release with CERT:
<www.cert.org/advisories/CA-2000-02.html>
The research leading up to the disclosure dates to mid-December 1999 – exactly ten years ago.
Over the years, the definition of Cross-Site Scripting has expanded somewhat. What we once referred to as simply “Cross Site Scripting” might now be classified as the reflected / non-persistent form of the attack.
Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!