CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Jointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust.
Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don’t attack the application itself but exploit user trust in a legitimate website.
Understanding cross-site scripting vulnerabilities
When an attacker successfully exploits an XSS vulnerability, they can hijack user sessions, steal sensitive information such as login credentials, or even alter website content to trick users into providing personal data. For instance, XSS can be used to install malware on a user’s device, display phishing forms or redirect users to malicious websites.
A prime example of this is the 2024 data breach orchestrated by the hacker group “ResumeLooters.” By leveraging both SQL injection and XSS vulnerabilities, the group compromised over 65 job-listing and retail sites, stealing the personal information of over 2 million job seekers. The attackers injected malicious scripts into legitimate sites, which allowed them to harvest names, email addresses, phone numbers and more.
Another well-known XSS attack is the 2019 breach of Fortnite. In this incident, intruders used a retired web page with an XSS vulnerability to target over 200 million users. The breach allowed hackers to steal in-game currency and eavesdrop on player conversations.
The secure-by-design approach
CISA’s latest secure-by-design alert emphasizes proactive defense mechanisms for eliminating XSS vulnerabilities. The agency urges developers and software manufacturers to adopt secure coding practices. At the core of this approach is the idea of building security into the design and architecture of applications from the ground up rather than as an afterthought.
The alert provides developers with a guide on how to prevent XSS vulnerabilities through techniques such as input validation, output encoding and the use of a Content Security Policy (CSP). These principles align with the broader secure-by-design framework, which advocates for secure product development that minimizes exploitable weaknesses.
Secure-by-design alerts trend
This latest alert on XSS vulnerabilities follows a series of previous secure-by-design recommendations from CISA, each tackling a specific category of vulnerabilities. These include alerts on SQL injection, OS command injection, directory traversal and security design improvements for SOHO devices. Each of these alerts addresses the importance of secure coding practices, emphasizing input validation, safe handling of user data and proactive vulnerability management.
For example, the alert on SQL injection vulnerabilities highlights the risk of improperly sanitized database queries, which can allow attackers to execute arbitrary commands on a database. Meanwhile, the OS command injection alert warns about attackers using vulnerable input fields to execute unauthorized operating system commands, potentially leading to full system compromise.
In all these alerts, CISA stresses the need for organizations to adhere to secure-by-design principles. These include comprehensive code reviews, automated testing and incorporating security into the software development lifecycle (also known as DevSecOps). The goal is to shift cybersecurity efforts from reactive defense to proactive protection, ensuring that vulnerabilities like XSS, SQL injection and directory traversal are identified and remediated before they can be exploited.
Design with security in mind
By following CISA’s guidelines on eliminating XSS vulnerabilities and adopting secure coding practices, developers can significantly reduce the risk of exploitation, protect user data and ensure the long-term integrity of their applications. With this latest alert, CISA and the FBI are reminding us that security should never be an afterthought — it must be an integral part of the development process from day one.