The Dangers of Cross Site Scripting

Written by Carl E. Reid on December 24, 2008

Cross Site Scripting is No Joke

As of 2007, cross-site scripting carried out on websites accounted for roughly 80% of all documented security vulnerabilities. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that allow malicious web users to inject code into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

The diagram attached shows exactly how Cross Site Scripting (XSS) dupes online customers. During an XSS attack everything looks fine to the unsuspecting online customer, who may be subject to unauthorized access, theft of sensitive data, and financial loss.

Tim Wilson of Dark Reading reports American Express has been wrestling for more than a week with cross-site scripting vulnerabilities that could jeopardize the personal information of its customers, according to security researchers.

This vulnerability violates the PCI Data Systems Security (PCI DSS) guidelines that Amex itself helped to create, McCree observes. The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.

The PCI DSS establishes a set of comprehensive requirements for enhancing payment account data security, which was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. International, to help facilitate the broad adoption of consistent data security measures on a global basis.

The Register’s Dan Goodin previously reported, “The notice comes days after The Register reported Amex unnecessarily put its users at risk by failing to fix a glaring vulnerability more than two weeks after a security researcher first alerted company employees to the problem. An Amex spokesman later said the hole had been plugged.”

An American Express company spokesperson said security is a top concern at Amex and said company employees would investigate the two reported vulnerabilities.

On its Bugzilla@Mozilla site, the Mozilla organization provides some historical development notes on fixes it has been working on for its web browser to thwart XSS.


One Comment to “The Dangers of Cross Site Scripting”

  1. Mal Malako Says:

    The diagram explains SQL injection, not XSS injection.
    Both injections are very different in nature.
    SQL injected code is interpreted by the DB back-end while the XSS injected code is executed by the client browser.
    The exploitation techniques for both injections are very different as well.
