XSS flaws jump to top of CVE rankings, but is the threat overblown?

Share this article:

Hackers are posting cross-site scripting (XSS) flaws found in a number of prominent websites to a hacking site, according to a leading security researcher.

Jeremiah Grossman, WhiteHat Security CTO, told SCMagazine.com on Thursday that links for PCWorld.Com, HP.com, MySpace.com, PhotoBucket.com and Dell.com are posted as having XSS flaws on http://sla[dot]ckers.org.

Grossman said XSS flaws are now the No. 1 flaw on Mitre's Common Vulnerabilities and Exposures (CVE) site - a considerable growth from 12 months ago.

"XSS is now No.1. It literally took one year and probably less to reach No. 1," he said. "It actually pushed buffer overflow down to No. 4."

XSS flaws range from hacker's harmless pranks to financially motivated hackings, Grossman said.

"It's pretty stark, it pretty much depends on the type of exploit," he said. "It could be nothing. It could be a simple defacement, or in the case of several weeks ago when PayPal was used for XSS attacks."

Chris Wysopal, CTO of Veracode, said this week that XSS flaws are easy to for hackers to find, and are especially rampant because of the popularity of social networking sites.

The number of XSS flaws may be blown out of proportion "because there are so many small web applications that are vulnerable," he said.

"This is important to realize because XSS is now ranked by CVE as the most prevalent vulnerability, even more prevalent than buffer overflows," he said.

Click here to email Frank Washkuch Jr.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters


More in News

Millenials improve security habits, more interested in cyber careers, still need guidance

Millenials improve security habits, more interested in cyber ...

Raytheon's second annual survey on the online and security behavior of Millennials shows improvement but still a long way to go.

Pakistani man indicted over spyware app creation

Hammad Akbar created StealthGenie, which allowed the purchaser to secretly monitor a cell phone's communications.

FDA finalizes guidelines on medical device, patient data security

The recommendations are aimed at providing better protecting patient health and data, as well as hoping device manufacturers take into account cybersecurity risks in the early stages of development.