XSS – The never ending story

Cross-Site Scripting (XSS) has lost one rank in the newly released OWASP Top Ten 2013 candidate. Compared to the 2010 version, it’s now on rank three, overtaken by “Broken Authentication and Session Management”. Has XSS become less common then? No, I don’t think so.

Compass Security has always been strong in web application security testing and not surprisingly, has a huge experience in identifying all kinds of web app related weaknesses, including Cross-Site Scripting. To wrap up quickly, here’s OWASP’s pretty decent definition:

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

Just in the last two months, I’ve been releasing three advisories, all related to XSS:

So why is XSS still so wide-spread? Here’s my personal top three:

  1. Developers tend to care more about features than security. This might be driven by marketing or sales, time constraints or other well-founded reasons – but at the end, it doesn’t matter. Sloppy coding, not being well trained and cheap outsourcing complete this picture.
  2. People suffer from the NIH syndrome (Not-Invented-Here). Instead of building their product on a well-tested code base, e.g. some common framework, they re-invent software in an insecure matter, also due to point 1.
  3. People underestimate the effort of maintaining software, which is always dynamic per se. This often leads to unpatched Content-Management-Systems being used in the wild: set up once, forgotten forever.

So, what’s the solution?

Software development should always be embedded in a Secure Development Lifecycle, in order to ensure its quality in development, improvements and operation. Besides, professional software companies and communities need to treat security incidents seriously. A positive example of the three above has been the Drupal community, which has shown it’s a professional approach from day one I contacted them.

Cross-Site Scripting is so easy to fix but so powerful to exploit. However, XSS is either not treated as a concrete threat or its impact is underestimated. We can just hope that someday all web developers understand its impacts and care more about their software – and customers.

Meanwhile, we’ll stay calm and continue testing …