Cross-site scripting (XSS), which occurs when cybercriminals insert malicious code into webpages to steal data or facilitate phishing scams, has been around almost since the dawn of the web itself. Although it is an older exploit, it still appears frequently enough to land on the OWASP Top 10 list.

It has even affected modern websites run by the FBI, the Obama administration, eBay and others. And last year, an ethical hacker breached a Dutch government website within a few days of its launch using a clientside XSS vulnerability.

A Growing Problem

According to WhiteHat Security’s “Web Applications Security Statistics Report 2016,” cross-site scripting accounts for nearly half of all web-based exploits last year. In fact, XSS has represented around 50 percent of website vulnerabilities since 2012.

These vulnerabilities are expected to grow by 166 percent in 2017, which would be the biggest jump in the past five years. If you need further convincing, Snyk reported that the rate of these attacks increased by 39 percent in the first quarter of 2017.

Why does XSS persist? Mainly because it is very easy to do, and opportunities abound. According to Wordfence, “XSS vulnerabilities are incredibly easy to write. If you simply write PHP in a way that feels intuitive, you will almost certainly write an XSS vulnerability into your code.”

XSS Mitigation Techniques

There are a few steps developers can take to prevent XSS. First, validate all your expected inputs. Most websites have numerous injection points, such as search fields, feedback forms, cookies and forums. Basically, anyplace where you are expecting an input can be vulnerable to XSS. Don’t just assume these inputs are coming from a trusted source. Validate using input type, length, format and range at all times within your code.

Second, use META tags and limit your input character sets. If you don’t need an extended character set for your site, exclude them in this fashion. You should also leverage automatic source code scanning tools and web vulnerability scanners to scour for issues. This must occur not just during development, but also periodically after deployment.

A great resource to study is the OWASP XSS Prevention Cheat Sheet. It is chock full of other suggestions for preparing your input and using open source tools. Understanding the threat cross-site scripting poses to all websites, as well as the most effective defensive techniques, can help organizations avoid becoming a victim.

Read the IBM X-Force research report: Beware of older cyber attacks

More from Application Security

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption vulnerabilities.Figure 1 — Exploitation timelineHowever, with the addition of new features (and memory-unsafe C code) in the Windows 11 kernel, ripe new attack surfaces can…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put a spotlight on this capability and learn more about its potential impact. Specifically, in this post, we will evaluate how Kernel post-exploitation can be used…

Detecting the Undetected: The Risk to Your Info

IBM’s Advanced Threat Detection and Response Team (ATDR) has seen an increase in the malware family known as information stealers in the wild over the past year. Info stealers are malware with the capability of scanning for and exfiltrating data and credentials from your device. When executed, they begin scanning for and copying various directories that usually contain some sort of sensitive information or credentials including web and login data from Chrome, Firefox, and Microsoft Edge. In other instances, they…