Computer Security 101
~ Continued ~

From Tony Bradley, CISSP, MCSE2k, MCSA, A+, for About.com

To compete with JavaScript, Microsoft came up with its own scripting language based on its popular Visual Basic programming language: VBScript. Over time Microsoft also created ActiveX, which creates somewhat platform-independent applets similar to the way Java works. To this day there is plenty of debate over which is better. They each have their pros and cons, and developers tend to be fairly adamant about which they feel is better. Check out some of the links next to this article for more information on the debate.

The concept and functionality of scripting languages have grown since these two initial scripting languages were introduced. The goal has always been to find more and better ways to dynamically update the web page with information that is new or unique to the user. To do this, the scripting languages had to be able to pull information from the client computer or sometimes from databases housed on the server. The scripts are small programs that execute within the HTML code.

And therein lies the problem. If a legitimate web site or web developer can use active scripting like JavaScript, VBScript or ActiveX to dynamically gather information from your computer to aid in displaying custom data, then a malicious developer can use that same functionality against you. It didn’t take too long for malicious developers to figure out that they could create active scripting programs within web sites that would plant Trojan horse files or viruses on your computer or copy your personal information back to them.

It is an unfortunate fact that many of the features developed to make computing easier, more functional or more entertaining can be turned around and exploited for malicious purposes. Some sites that you visit may actually require active scripting to function properly. When using a web browser like Internet Explorer you can change the settings so that by default active scripting is not allowed. You can then add sites that require active scripting and that you feel are safe to your Trusted Sites security zone (See How To Configure Internet Explorer Security).

Another way dynamic content creates security issues is cross site scripting (XSS). Sites that allow users to input data and don’t properly check for malicious script tags may be vulnerable to XSS attacks. Using XSS, an attacker could get the server to redirect your connection to another web site entirely, which could contain other malicious active scripting programs.

Typically the XSS attack is instigated by getting the targeted user to click on a link which contains malicious code. If the web site does not validate the script code or check it for malicious content, the script will be executed and the attacker could cause all sorts of problems, including stealing passwords or executing other programs on the target machine.

Cross site scripting vulnerabilities are not associated with any particular browser or web server. It doesn’t matter if the web site is hosted on Microsoft Internet Information Server (IIS) or Apache. It doesn’t matter whether you browse with Internet Explorer, Netscape or Opera. The problems that create XSS vulnerabilities lie in the way dynamic pages are generated and in the lack of proper checks and balances to validate the code before sending the output to the user.
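
To make the point about validating output concrete, here is an added example (not part of the original article) of a dynamically generated page that echoes a value from a clicked link, first without any check and then with the value encoded before it is sent to the user. The site name, the `q` parameter and all function names are constructed for illustration.

```javascript
// Added example: a page built from a value in the clicked link,
// without and with output encoding. All names and URLs are constructed.

// Encode the characters that let text break out of HTML text or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Pull the "q" parameter out of the link the user clicked.
function queryFromLink(link) {
  return new URL(link).searchParams.get('q') || '';
}

// Vulnerable: the value from the link is pasted into the page unchanged,
// so any markup it carries becomes part of the page the browser runs.
function renderResultsUnsafe(link) {
  return '<p>Results for: ' + queryFromLink(link) + '</p>';
}

// Hardened: the value is encoded on output, so the browser displays it as text.
function renderResultsSafe(link) {
  return '<p>Results for: ' + escapeHtml(queryFromLink(link)) + '</p>';
}

// Simple check a reviewer or test suite can run over generated output.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample links: an ordinary search and one carrying a script tag.
const ordinaryLink = 'https://shop.example/search?q=firewall';
const craftedLink = 'https://shop.example/search?q=' +
  encodeURIComponent('<script>alert(1)</script>');

console.log(renderResultsUnsafe(craftedLink)); // script tag survives into the page
console.log(renderResultsSafe(craftedLink));   // script tag arrives as inert text
```

The same encoding step applies regardless of web server or browser, which is why the vulnerability follows the page-generation code and not the platform.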

©2009 About.com, a part of The New York Times Company.

All rights reserved.