XSS flaws jump to top of CVE rankings, but is the threat overblown?

Share this article:

Hackers are posting cross-site scripting (XSS) flaws found in a number of prominent websites to a hacking site, according to a leading security researcher.

Jeremiah Grossman, WhiteHat Security CTO, told SCMagazine.com on Thursday that links for PCWorld.Com, HP.com, MySpace.com, PhotoBucket.com and Dell.com are posted as having XSS flaws on http://sla[dot]ckers.org.

Grossman said XSS flaws are now the No. 1 flaw on Mitre's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago.

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

XSS flaws range from hacker's harmless pranks to financially motivated hackings, Grossman said.

"It's pretty stark, it pretty much depends on the type of exploit," he said. "It could be nothing. It could be a simple defacement, or in the case of several weeks ago when PayPal was used for XSS attacks."

Chris Wysopal, CTO of Veracode, said this week that XSS flaws are easy to for hackers to find, and are especially rampant because of the popularity of social networking sites.

The number of XSS flaws may be blown out of proportion "because there are so many small web applications that are vulnerable," he said.

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.

Click here to email Frank Washkuch Jr.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Email promises free pizza, ensnares victims in Asprox botnet instead

Email promises free pizza, ensnares victims in Asprox ...

Cloudmark came upon an email that offers free pizza, but clicking on the link to get the coupon ends with victims being ensnared in a botnet.

Report: most orgs lacking in response team, policies to address cyber incidents

In its Q3 threat intelligence report, Solutionary learned that 75 percent of organizations it assisted had no response team or policies and procedures to address cyber incidents.

Flash redirect campaign impacts Carnegie Mellon page, leads to Angler EK

Flash redirect campaign impacts Carnegie Mellon page, leads ...

Malwarebytes found that, since early July, thousands of sites had been targeted in the campaign.