The most common type of security vulnerability is one that allows cross-site scripting (XSS). An XSS attack tries to execute unauthorized JavaScript in the context of the targeted site. The term is also used for similar attacks with other kinds of scripting, such as Flash and ActiveX. JavaScript is by far the most common vector.
Rogue JavaScript can alter nearly anything on a page. It can add an iframe, injecting the contents of an outside page. It can alter existing elements, replace images, change text, and add links. It can even redirect the whole page to a malicious site that looks almost the same as the real one.
Cross-site scripting can trick or force the user into unwanted situations such as:
- Downloading malware
- Seeing injected fraudulent ads that link to dangerous sites
- Being redirected to a phishing or malware site
- Following links that have been altered on the page
Browsers try to spot XSS and warn users about it. The warnings may save people from becoming victims, but people who see a warning will leave the site and probably not come back. Malware detection on a site is likely to lead to blacklisting, and it can take days to get off the blacklist even after removing the dangerous content. The damage to the site's reputation can be severe. If the underlying vulnerability isn't fixed, more attacks will follow.
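What fixing the underlying vulnerability usually comes down to, shown as an added example that is not part of the original page: a comment renderer that pastes user input straight into the page, next to a version that encodes each field for the place it lands in. The function names and the sample comment are constructed for illustration.

```javascript
// Added example: hypothetical function names, constructed sample data.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that let text be parsed as markup or break out of an attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only absolute http(s) links; anything else (e.g. javascript:) becomes "#".
function safeUrl(url) {
  try {
    const parsed = new URL(url);
    return ['http:', 'https:'].includes(parsed.protocol) ? parsed.href : '#';
  } catch {
    return '#'; // not a parseable absolute URL
  }
}

// Vulnerable: user-controlled fields are concatenated straight into the page.
function renderCommentUnsafe(c) {
  return `<div class="comment"><a href="${c.site}">${c.name}</a><p>${c.body}</p></div>`;
}

// Fixed: every field is validated or encoded for the context it is written into.
function renderCommentSafe(c) {
  return `<div class="comment"><a href="${escapeHtml(safeUrl(c.site))}">` +
         `${escapeHtml(c.name)}</a><p>${escapeHtml(c.body)}</p></div>`;
}

// Rough check for this demo (not an HTML parser): names of the opening tags in the markup.
function parsedTags(html) {
  return [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample: a comment that tries to add an iframe and a script link.
const hostileComment = {
  name: 'visitor',
  site: 'javascript:void(0)',
  body: 'Nice post <iframe src="https://attacker.invalid/"></iframe>',
};

console.log(parsedTags(renderCommentUnsafe(hostileComment))); // the iframe is parsed as markup
console.log(parsedTags(renderCommentSafe(hostileComment)));   // only the template's own tags
```

In the fixed version the iframe arrives in the browser as visible text rather than as an element, and the link falls back to `#`.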