XSS flaws jump to top of CVE rankings, but is the threat overblown?

Share this article:

Hackers are posting cross-site scripting (XSS) flaws found in a number of prominent websites to a hacking site, according to a leading security researcher.

Jeremiah Grossman, WhiteHat Security CTO, told SCMagazine.com on Thursday that links for PCWorld.Com, HP.com, MySpace.com, PhotoBucket.com and Dell.com are posted as having XSS flaws on http://sla[dot]ckers.org.

Grossman said XSS flaws are now the No. 1 flaw on Mitre's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago.

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

XSS flaws range from hacker's harmless pranks to financially motivated hackings, Grossman said.

"It's pretty stark, it pretty much depends on the type of exploit," he said. "It could be nothing. It could be a simple defacement, or in the case of several weeks ago when PayPal was used for XSS attacks."

Chris Wysopal, CTO of Veracode, said this week that XSS flaws are easy to for hackers to find, and are especially rampant because of the popularity of social networking sites.

The number of XSS flaws may be blown out of proportion "because there are so many small web applications that are vulnerable," he said.

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.

Click here to email Frank Washkuch Jr.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

NIST finalizes cloud computing roadmap

NIST finalizes cloud computing roadmap

The NIST architecture is designed to accelerate the adoption of cloud computing.

Chinese MitM attack targets iCloud users

Chinese MitM attack targets iCloud users

The attack used a false certificate to trick iCloud users into handing over personal data and login credentials. With an attack of this size, some experts and researchers believe the ...

EPIC: driver data shared via V2V technology needs protection

The groups shared comments on V2V communications with the National Highway Traffic Safety Administration.