Happy 10th birthday Cross-Site Scripting!


On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:


Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting


The next day there was consensus – Cross Site Scripting.  In retrospect, I think this was a good choice given the options on the table.


By early February there was a coordinated advisory release with CERT:
http://www.cert.org/advisories/CA-2000-02.html


The research leading up to the disclosure dates to mid-December 1999 – exactly ten years ago.


Over the years, the definition of Cross-Site Scripting has expanded somewhat.  What we once referred to as simply “Cross Site Scripting” might now be classified as the reflected / non-persistent form of the attack.


Let’s hope that ten years from now we’ll be celebrating the death, not the birth, of Cross-Site Scripting!
