How big of a problem are XSS attacks


OVERVIEW
Hi there! Thank you for your question about the problem with XSS attacks. The short version is that XSS is still a major issue plaguing web security and, as JavaScript becomes ever more powerful, XSS becomes increasingly more dangerous, with XSS vulnerabilities accounting for 66% of valid submissions. Statistics show that it takes an average of 175 days to repair an XSS vulnerability, which equates to more than half the year. PR Wire predicts that the Application Security Market will be worth $6.77 billion by 2021.

Below is a deep dive of my findings.

FINDINGS
We searched industry reports/databases and trusted media sites to gather information that will assist us in composing the most relevant response to the question. Unfortunately, we were unable to find any figures relating XSS specifically to financial impact, so we have used general figures pertaining to cyberattacks. In addition, you may observe an unusual number of quotes in the response; the reason is that the sources contain a lot of technical language that is challenging to paraphrase.

XSS ATTACKS
"XSS is amongst the most rampant of web application vulnerabilities," according to Acunetix, and "occurs when a web application makes use of unvalidated or unencoded user input within the output it generates." While XSS can be taken advantage of within VBScript, "ActiveX and Flash (although now considered obsolete), unquestionably, the most widely abused is JavaScript, primarily because JavaScript is fundamental to most browsing experiences."

Research shows that "Cross-site Scripting (XSS) and Cross-site Request Forgery (CSRF) are still the top vulnerability submissions to all Bugcrowd programs", which is consistent with other publicly available bug bounty data. It is said that "38% of all valid and duplicate submissions fall into the category of XSS, CSRF, mobile, SQLi and clickjack." Reports say "XSS vulnerabilities account for 66% of valid submissions, followed by 20% categorized as (CSRF)."

According to reports, there has been a 6% dip in XSS vulnerabilities from 2015, which is a sign of improvement. However, it is apparent that XSS is still a major issue plaguing web security. It is said that "as JavaScript becomes ever more powerful, XSS becomes increasingly more dangerous."

CATEGORIES OF XSS
In its 2016 Web Application Vulnerability Report, Acunetix classifies XSS into four major categories. The report says that in all cases of XSS, "the goal of an attacker is to get a victim to inadvertently execute a maliciously injected script." The malicious script is often referred to as a "malicious payload", or simply a "payload."

1. Stored XSS - attacks involve an attacker injecting a script that is permanently stored on the target application.

2. Reflected XSS - involves an attacker luring a victim to inadvertently make an HTTP request containing an XSS payload to a web server.

3. DOM-based XSS - is an advanced type of XSS wherein a payload is executed as a result of legitimate client-side JavaScript modifying the Document Object Model (DOM) in a victim's browser.

4. Blind XSS - occurs when the application loads attacker-supplied content from a source that it implicitly trusts, without properly encoding it.

FINANCIAL IMPACT OF XSS ATTACKS
When considering XSS types of attacks, there is no direct relation to cost available. So we have resorted to using general figures for cyberattacks as detailed by Datacenter Dynamics.

* A DDoS attack costs $38 per hour to launch

* An attack costs $40,000 per hour to victims

* Cyberattacks cost companies around the world $7.7 million per year (we assume this is the cost per company)

* Total annual damage to the US economy: $100 billion (0.64% of GDP)

* Most targeted industries: Financial services ($13.5 million per company, per year)

* Energy ($12.8 million per company, per year)

* More than 50% of cyberattacks are on US companies

CNN Tech reports that cyber crime cost the US average firm $15 million a year in 2015. A survey from global cybersecurity company Kaspersky Lab revealed that cyberattacks typically cost large businesses $861,000, on average. For SMBs, the damages from cyberattacks usually end up costing the company an average of $86,500. Interestingly, PR Wire predicts that the Application Security Market will be worth $6.77 billion by 2021.

SOLUTIONS/REMEDIES FOR XSS ATTACKS
Reports say the crux of fighting XSS attacks in general is to not trust input that comes from your visitors. However, you can be protected against Cross-Site Scripting with Output Filtering and Sanitization.
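As an added example (not code from the report or any of its sources), the following shows what "do not trust input, encode the output" means for the stored and reflected XSS categories above: a page template that echoes a search term verbatim, beside the same template with the untrusted data encoded for the HTML context it lands in. The template, function names and sample input are constructed for illustration.

```javascript
// Added example, not from the report or its sources. Encodes untrusted data
// for the HTML context it is inserted into (the approach OWASP's XSS rules take).

// HTML element context: neutralise the characters that can start markup.
function encodeForHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;")
    .replace(/\//g, "&#x2F;");
}

// HTML attribute context: escape every non-alphanumeric character as &#xHH;
// so the value cannot terminate the attribute, even if the attribute is unquoted.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0");
    return `&#x${hex};`;
  });
}

// "Before": the reflected/stored XSS bug, echoing the term into the page as-is.
// Kept only to show what the fix changes; do not use this pattern.
function renderSearchResultUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// "After": same template, untrusted data encoded for the element context.
function renderSearchResultSafe(term) {
  return `<p>Results for: ${encodeForHtml(term)}</p>`;
}

// A display name that lands in two contexts needs two encoders.
function renderProfileLinkSafe(displayName) {
  const title = encodeForHtmlAttribute(displayName);
  const text = encodeForHtml(displayName);
  return `<a title=${title} href="/profile">${text}</a>`;
}

// Constructed sample input: a script tag a visitor might submit as a search term.
const sampleTerm = "<script>alert('xss')</script>";
console.log(renderSearchResultUnsafe(sampleTerm)); // browser would run the script
console.log(renderSearchResultSafe(sampleTerm));   // browser shows it as text
console.log(renderProfileLinkSafe("Ann O'Nymous"));
```

The encoders only cover the HTML element and attribute contexts; data placed into JavaScript, CSS or URL contexts needs the encoder for that context instead.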

The study "Forensic Analysis and Prevent of Cross Site Scripting Using the Open Web Application Security Project (OWASP) Framework" covers three important stages, namely: Attacking stages, Analysis, and Patching.

The ShellShock vulnerability "is akin to command injection, exploiting the behavior of the bash shell to execute arbitrary code when malicious function definitions pass to the shell through User-Agent strings or other request parameters." SANS Institute states "App Defender detects ShellShock by searching for the string at the beginning of a form field, but its documentation does not address whether App Defender would detect the string elsewhere in a request."

OWASP provides an XSS Prevention Cheat Sheet which details seven rules for the prevention of XSS attacks (too extensive to reproduce in this report).

Statistics show that it takes an average of 175 days to repair an XSS vulnerability, which equates to more than half the year.

CONCLUSION
To wrap it up, our review of the data revealed that XSS is still a major issue plaguing web security and, as JavaScript becomes ever more powerful, XSS becomes increasingly more dangerous, with XSS vulnerabilities accounting for 66% of valid submissions. Statistics show that it takes an average of 175 days to repair an XSS vulnerability, which equates to more than half the year. PR Wire predicts that the Application Security Market will be worth $6.77 billion by 2021.

Thank you for using Wonder. We hope this information is useful. Please let us know if we can do anything else to help.
