Happy 10th birthday, Cross-Site Scripting!

On the 16th of January, 2000, the following names were suggested and bounced around among a small group of Microsoft security engineers:

Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting

The next day there was consensus – Cross Site Scripting. In retrospect, I think this was a good choice given the options on the table.

By early February there was a coordinated advisory release with CERT:
<www.cert.org/advisories/CA-2000-02.html>

The research leading up to the disclosure dates to mid-December 1999 – exactly ten years ago.

Over the years, the definition of Cross-Site Scripting has expanded somewhat. What we once referred to as simply “Cross Site Scripting” might now be classified as the reflected / non-persistent form of the attack.

Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!