In light of Google’s announcement about releasing an open source tool for testing web app security scanners, some new research from the web application security service ImmuniWeb and High-Tech Bridge’s IT security research team, on exactly how dangerous the commonly underestimated XSS vulnerability really is, is worth a look.
High-Tech Bridge’s post reveals that 95% of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks, which infect users who open harmless-looking URLs that they trust.
It also has plenty of new facts and figures and some interesting insights. Here are the key statistics; there are many more in the post:
XSS does not require much social engineering or interaction with humans
- Over 90% of XSS vulnerabilities can be exploited in such a manner that even advanced users and IT people will not suspect anything.
- The structure and architecture of over 70% of web applications allow a sophisticated XSS exploit to perform several fully automated consecutive actions that end with full administrative access for the attacker.
- More than 95% of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks that infect users who simply open a harmless-looking URL they trust.
- An SSL certificate and an HTTPS connection to the website have absolutely no impact on web application security and can never prevent an XSS attack.
XSS on a subdomain puts the entire web application at risk
- Over 80% of websites set cookies in such a manner that they are accessible to several, or even all, subdomains.
- Over 90% of large and reputable websites have subdomains with XSS vulnerabilities.
A WAF does not protect against XSS vulnerabilities anymore
- Over 70% of existing WAF rulesets can be bypassed via XSS obfuscation techniques.
- Around 30% of XSS vulnerabilities on live websites are XSS inside JavaScript code and therefore cannot be blocked by a WAF.
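The point about XSS inside JavaScript code is that a WAF sees the request, not the context the page puts the data into, so the fix has to live in the application: encode for the JavaScript string context, not just for HTML. Below is an added example (not code from High-Tech Bridge or ImmuniWeb) contrasting a quote-only escape with a proper JS-string encoding; the test input, the `user` variable and the page layout are constructed for the illustration.

```python
import html
import json

# Constructed test input: harmless in an HTML body after entity encoding, but it
# ends a <script> element early if it is placed inside a JavaScript string
# literal with only the quote characters escaped.
SAMPLE_INPUT = "</script><script>alert(1)</script>"


def encode_for_html_body(value: str) -> str:
    """HTML body or attribute context: entity-encode & < > \" and '."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """JavaScript string-literal context inside a <script> block.

    JSON encoding takes care of quotes, backslashes, newlines and, with the
    default ensure_ascii=True, U+2028/U+2029.  The extra replacements turn
    < > & into \\uXXXX escapes, so the HTML parser can never find '</script'
    inside the literal, whatever the input.  The result is a complete JS
    string literal, quotes included.
    """
    encoded = json.dumps(value)
    return (
        encoded.replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_script_quote_only(value: str) -> str:
    """Weak form: only backslash and the single quote are escaped, which keeps
    the JS string syntactically intact but ignores the HTML parser entirely."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"<script>var user = '{escaped}';</script>"


def render_script_hardened(value: str) -> str:
    """Hardened form: context-aware encoding done by the application itself."""
    return f"<script>var user = {encode_for_js_string(value)};</script>"


def script_element_ends_early(page: str) -> bool:
    """Mimic the HTML tokenizer: the script element ends at the first '</script'
    after the opening tag, regardless of JavaScript string syntax.  Returns
    True when that happens before the closing tag the template intended."""
    body_start = page.index("<script>") + len("<script>")
    intended_end = page.rindex("</script>")
    first_close = page.lower().find("</script", body_start)
    return first_close != -1 and first_close < intended_end


if __name__ == "__main__":
    for name, render in (("quote-only", render_script_quote_only),
                         ("hardened", render_script_hardened)):
        page = render(SAMPLE_INPUT)
        print(f"{name:10s} breaks out of <script>: {script_element_ends_early(page)}")
```

The quote-only version is roughly what an "escape the quotes" WAF rule or a hand-rolled template filter leaves you with; the hardened version is the same idea the OWASP XSS prevention guidance describes for the JavaScript context, and it is also what makes the encoded value safe regardless of what signature set the WAF in front of it happens to miss.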
People ignore security best practices, making XSS easily exploitable
- 85% of websites do not bind user sessions to user IP addresses, nor do they conduct proper session management.
- 80% of websites do not use HttpOnly cookies.
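Two of the figures above, cookies shared across subdomains and cookies without HttpOnly, are things you can check yourself from a site's Set-Cookie headers. The following is an added example (not High-Tech Bridge's or ImmuniWeb's code) that parses Set-Cookie header values and flags both conditions, plus a missing Secure attribute; the header values and the example.com host are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed Set-Cookie values as a browser might receive them from a page on
# https://www.example.com (hypothetical host).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "session=abc123; Domain=example.com; Path=/",
    "prefs=dark; Domain=.example.com; Path=/; Secure",
]


@dataclass
class CookieFinding:
    name: str
    issues: list = field(default_factory=list)


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to an empty string."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str) -> CookieFinding:
    name, _value, attrs = parse_set_cookie(header)
    finding = CookieFinding(name=name)
    # RFC 6265: a cookie with no Domain attribute is host-only.  Any Domain
    # attribute, with or without a leading dot, makes the browser send the
    # cookie to every subdomain, so an XSS on any of them can read or
    # overwrite it.
    if "domain" in attrs:
        scope = attrs["domain"].lstrip(".")
        finding.issues.append(f"shared with all subdomains of {scope}")
    # Without HttpOnly the cookie is readable from document.cookie, so a
    # single XSS hands the session identifier straight to the attacker.
    if "httponly" not in attrs:
        finding.issues.append("missing HttpOnly (readable by script)")
    # Not an XSS issue, but worth reporting in the same pass.
    if "secure" not in attrs:
        finding.issues.append("missing Secure (sent over plaintext HTTP)")
    return finding


def audit_all(headers) -> list:
    return [audit_set_cookie(h) for h in headers]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_HEADERS):
        status = "; ".join(finding.issues) or "ok"
        print(f"{finding.name}: {status}")
```

HttpOnly stops script from reading the cookie, but it does not stop a script running on the same origin from making requests that carry it, which is the point the CSRF section below makes; it limits what an XSS can take away, not what it can do while the page is open.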
A single XSS vulnerability renders CSRF protection mechanisms useless
- Over 95% of CSRF protection mechanisms can be bypassed via an XSS vulnerability on the same site.
- The architecture of over 70% of websites gives the administrator almost unlimited functionality, which hackers can use to compromise the entire website and even the web server.