Cross-Site Scripting: Attackers' New Favorite Flaw

XSS has surpassed buffer overflow as the main software weakness attackers target, according to new findings from Mitre

For years, buffer overflows have been the favorite target of online attackers, but no more: cross-site scripting (XSS) is now the biggest culprit.

That's the scoop from Mitre Corp., which later this week will release its latest findings about the flaws behind publicly-disclosed vulnerabilities.

The number two flaw is SQL injection, says Robert Martin, lead for compatibility and outreach at Mitre, who first discussed the new data at yesterday's Cyber Security Executive Conference in New York. Buffer overflows dropped to third place in 2005 and to fourth place so far this year, according to Mitre.

Martin says he was surprised to find that cross-site scripting has become the main flaw that attackers exploit in software. "We hadn't heard anything about this shift."

Mitre has recorded about 20,000 Common Vulnerabilities and Exposures (CVE) entries -- the identifiers assigned to publicly reported vulnerabilities -- with around 150 new ones arriving per week. The statistics are based on samples of these CVEs, he says.

For 2006 so far, 21.5 percent of the sampled CVEs were XSS; 14 percent SQL injection; 9.5 percent PHP file includes; and 7.9 percent buffer overflows. Last year was the first time XSS jumped ahead of buffer overflows: XSS accounted for 16 percent, SQL injection for 12.9 percent, and buffer overflows for 9.8 percent.

Why the shift? "Attackers go with what they know," says Matt Fisher, senior security engineer with SPI Dynamics. "Cross-site scripting and SQL injection are the easiest to attack."

Since buffer overflows are a C language phenomenon, the new data suggests that more of the vulnerabilities being reported lately are in software built on non-C platforms, notes Mitre's Martin. That means .NET, Java, and PHP are probably getting hit more, he says.

SQL injection is hard to defend against, too, he notes. "The database is where the good stuff is... it's an attractive target, so a lot of people are hammering on it," he says. Mitre's numbers are based only on publicly reported flaws -- there are likely more out there, he says.
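To make concrete what "easiest to attack" means for the two weaknesses at the top of Mitre's list, here is an added example in Python (not code from the article, from Mitre, or from any vendor quoted here): a user lookup and an HTML greeting, each in its vulnerable form beside a hardened one, run against a constructed in-memory SQLite table and two constructed attack strings. The table contents, the function names and the payloads are all assumptions made for the demonstration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data for the demo: a two-row users table (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """SQL injection: untrusted input is concatenated into the query text,
    so quote characters in the input change the structure of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the input is bound as a value and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_vulnerable(name):
    """Reflected XSS: untrusted input is echoed into the HTML body unescaped,
    so a <script> tag in the input runs in the viewer's browser."""
    return "<p>Hello, " + name + "</p>"


def render_safe(name):
    """Output encoding for the HTML body context: '<', '>', '&' and quotes
    are turned into entities, so the browser treats the input as text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both flaws and both fixes against constructed attack payloads."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"          # constructed: closes the quote, adds a tautology
    xss_payload = "<script>alert(1)</script>"  # constructed: classic reflected-XSS probe
    return {
        "sqli_vulnerable": lookup_vulnerable(conn, sqli_payload),  # every row comes back
        "sqli_safe": lookup_safe(conn, sqli_payload),              # no user has that literal name
        "xss_vulnerable": render_vulnerable(xss_payload),          # script tag reaches the page
        "xss_safe": render_safe(xss_payload),                      # tag is rendered as inert text
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result!r}")
```

Running the script shows the asymmetry the article's sources describe: the concatenated query hands back every row for a one-line payload while the parameterized one returns nothing, and the escaped greeting turns the `<script>` tag into visible text. One caveat a practitioner should keep in mind: `html.escape` is the right encoding only for the HTML body and attribute-value contexts; a value inserted inside a script block, a URL or a CSS rule needs a different encoding, which is one reason the distinction between XSS variants discussed later in this article matters.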

Jeremiah Grossman, CTO for White Hat Security, says cross-site scripting has been mostly downplayed, with phishing getting the most attention.

Knowing which weaknesses attackers are exploiting can help enterprises in their software platform purchases, as well as their purchases of vulnerability assessment tools, security experts say.

"The selection of [more secure] Web platforms means a lot," Grossman says. You should also do software scans and vulnerability assessments regularly, he says.

Meanwhile, Mitre is also heading up a Department of Homeland Security effort to create a Common Weakness Enumeration (CWE) dictionary, which will establish standard definitions for each specific flaw and its variants. Calling a flaw "XSS," for instance, doesn't mean it's the same variant of XSS (there are eight so far) as the one your software vendor protects against.

"From a defensive point of view, there's not just one type of thing you have to be looking through code for," Martin says. "That's where CWE comes in -- to make sure there's agreement on what" type of XSS or other flaw is in a software package.

The information can also help organizations in their security audits. "It helps you prioritize your [remediation] resources and lets your security audit get more detailed," he says.

The CWE data could also help enterprises get more details about vulnerability assessment tools. "You'll be able to ask what specific CWE their tools scan for," Martin says.

The CWE will also provide more details in the public CVE vulnerability reports. "In a perfect world, every researcher will know the CWE dictionary," Martin says. This knowledge will help researchers report more details about the roots of a newfound vulnerability, he says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
