Cross-Site Scripting Attacks

Cross-site scripting (XSS) attacks affect Web applications such as ASP.NET Web applications. If you allow unchecked input to be combined with HTML—namely HTML script—the results can be just as devastating as input that is combined with SQL statements, which was just demonstrated in the previous section. As a simple example, if you ask for a user name and echo the user name to a welcome page, an attacker can take advantage of the unchecked user name by entering a user name that contains HTML, client-side script, or a combination of both.

Create a sample application vulnerable to a cross-site scripting attack

The following steps demonstrate how an ASP.NET Web application can be made to execute input.

  1. Run Visual Basic .NET, ...
