Telecommunications Science


Study and Trends on Client-side Malicious Code of Web Application

Huang Wei, Cui Baojiang and Hu Zhengming

  1. Beijing University of Posts and Telecommunications; Beijing University of Posts and Telecommunications; Beijing University of Posts and Telecommunications
  • Online: 2009-02-15 Published: 2009-02-15
  • Supported by:
    Projects funded by the National "863" Program (No. 2007AA01Z466 and No. 2008AA011004)

Abstract: Web applications, and Web 2.0 applications in particular, are gaining more and more popularity, while malicious code targeting Web applications has begun to spread widely and has become a major threat to network security. In this paper, we first provide a detailed overview of the threats to Web applications and then turn to a discussion of malicious scripts on the client side of Web applications, which covers the history, variation and upgrade of XSS, JavaScript function hook technology at runtime, and the new trends of client-side malicious scripts in the context of Web 2.0 applications. Web browser vulnerability discovery and exploit-related technologies are also introduced. Finally, we predict the future development of client-side malicious code of Web applications and give some advice on security enhancements for the Web application client side.
