XSS flaws jump to top of CVE rankings, but is the threat overblown?

Hackers are posting cross-site scripting (XSS) flaws found in a number of prominent websites to a hacking site, according to a leading security researcher.

Jeremiah Grossman, WhiteHat Security CTO, told SCMagazine.com on Thursday that links for PCWorld.Com, HP.com, MySpace.com, PhotoBucket.com and Dell.com are posted as having XSS flaws on http://sla[dot]ckers.org.

Grossman said XSS flaws are now the No. 1 flaw on Mitre's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago.

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

XSS flaws range from hacker's harmless pranks to financially motivated hackings, Grossman said.

"It's pretty stark, it pretty much depends on the type of exploit," he said. "It could be nothing. It could be a simple defacement, or in the case of several weeks ago when PayPal was used for XSS attacks."

Chris Wysopal, CTO of Veracode, said this week that XSS flaws are easy to for hackers to find, and are especially rampant because of the popularity of social networking sites.

The number of XSS flaws may be blown out of proportion "because there are so many small web applications that are vulnerable," he said.

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.

Click here to email Frank Washkuch Jr.