This paper is intended to support and encourage application of best practices for control systems security. It describes the details of an information security attack, known as cross-site scripting, which could be used against control systems, and explains practices to mitigate this threat.

Cross-site scripting presents one entry point for attackers to access and manipulate control systems networks. It takes advantage of Web servers that return dynamically generated Web pages or allow users to post viewable content. Through such pages, an attacker can execute arbitrary HTML and active content such as JavaScript, ActiveX, and VBScript on a remote machine that is browsing the site, within the context of a client-server session. This potentially allows the attacker to redirect the Web page to a malicious location, hijack the client-server session, engage in network reconnaissance, and plant backdoor programs.

Full Cross-Site Scripting document (PDF)