Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

9/14/2006
05:45 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cross-Site Scripting: Attackers' New Favorite Flaw

XSS has surpassed buffer overflow as the main software weakness attackers target, according to new findings from Mitre

For years buffer overflow has been the favorite target of online attackers, but no more: Cross-site scripting is now the biggest culprit

That's the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities.

The number two favorite flaw is SQL injection, says Robert Martin, lead for compatibility and outreach at Mitre, who first discussed the new data at yesterday's Cyber Security Executive Conference in New York. The number of buffer overflow flaws exploited dropped to number three in 2005 and number four so far this year, according to Mitre.

Martin says he was surprised to find that cross-site scripting has become the main flaw that attackers exploit in software. "We hadn't heard anything about this shift."

Mitre has recorded about 20,000 common vulnerability and exposures (CVE) -- the designation given to all publicly reported vulnerabilities -- with around 150 coming in per week. The statistics were based on samples of these CVEs, he says.

For 2006, 21.5 percent of the CVEs were XSS; 14 percent SQL injection; 9.5 percent php "includes" and 7.9 buffer overflow. Last year was the first time XSS jumped ahead of buffer overflows, with 16 percent; SQL injection accounted for 12.9 percent; and buffer overflows accounted for 9.8 percent.

Why the shift? "Attackers go with what they know," says Matt Fisher, senior security engineer with SPI Dynamics. "Cross-site scripting and SQL injection are the easiest to attack."

Since buffer overflows are a C language phenomenon, the new data suggests that more vulnerabilities being reported lately are for non-C-based software platforms, notes Mitre's Martin. That means .NET, Java, and PHP are probably getting hit more, he says.

SQL injection is hard to defend against, too, he notes. "The database is where the good stuff is... it's an attractive target, so a lot of people are hammering on it," he says. Mitre's numbers are based only on publicly reported flaws -- there are likely more out there, he says.

Jeremiah Grossman, CTO for White Hat Security, says cross-site scripting has been mostly downplayed, with phishing getting the most attention.

Knowing which weaknesses attackers are exploiting can help enterprises in their software platform purchases, as well as their purchases of vulnerability assessment tools, security experts say.

"The selection of [more secure] Web platforms means a lot," Grossman says. You should also do software scans and vulnerability assessments regularly, he says.

Meanwhile, Mitre is also heading up a Department of Homeland Security effort to create a Common Weakness Enumeration (CWE) dictionary, which will establish "standard" definitions of a specific flaw and its variants. Just calling a flaw "XSS" doesn't mean it's the same variant (there are eight of them so far) of an XSS exploit as the one your software vendor protects itself against, for instance.

"From a defensive point of view, there's not just one type of thing you have to be looking through code for," he says. "That's where CWE comes in -- to make sure there's agreement on what" type of XSS or other flaw is in a software package, Martin says.

The information can also help organizations in their security audits. "It helps you prioritize your [remediation] resources and lets your security audit get more detailed," he says.

The CWE data could also help enterprises get more details about vulnerability assessment tools. "You'll be able to ask what specific CWE their tools scan for," Martin says.

The CWE will also provide more details in the public CVE vulnerability reports. "In a perfect world, every researcher will know the CWE dictionary," Martin says. This knowledge will help researchers report more details about the roots of a newfound vulnerability, he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • WhiteHat Security
  • Mitre
  • SPI Dynamics Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    News
    FluBot Malware's Rapid Spread May Soon Hit US Phones
    Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
    Slideshows
    7 Modern-Day Cybersecurity Realities
    Steve Zurier, Contributing Writer,  4/30/2021
    Commentary
    How to Secure Employees' Home Wi-Fi Networks
    Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2021-24259
    PUBLISHED: 2021-05-05
    The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
    CVE-2021-24260
    PUBLISHED: 2021-05-05
    The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
    CVE-2021-24261
    PUBLISHED: 2021-05-05
    The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
    CVE-2021-24262
    PUBLISHED: 2021-05-05
    The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
    CVE-2021-24263
    PUBLISHED: 2021-05-05
    The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...