MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness www.darkreading.com/application-... - ThreadSky

webappsec.dev • 93 days ago

MITRE: Cross-Site Scripting Is 2024's Most Dangerous Software Weakness

https://www.darkreading.com/application-security/cross-site-scripting-is-2024-most-dangerous-software-weakness

Comments

mvsamuel.bsky.social•93 days ago

Someone oughta do something about that.

evaristegal0is.bsky.social•93 days ago

I wanted to write a thread about this when CISA and FBI released an alert for this vulnerability class. I see at least two main issues about XSS: observability and good practices. The CISA's post didn't directly mention CSP in their recommendations, and CSP v3 is still not popular enough even if 1/👇

evaristegal0is.bsky.social•93 days ago

it can help to mitigate the majority of common JS injections. Unlike TLS versions or the HSTS header, I don't remember reading questions about the CSP header in the security questionnaires I filled out. I have a feeling that we don't have visibility on XSS exploits because they could happen 2/👇

evaristegal0is.bsky.social•93 days ago

on "mutable" software (e.g. websites), and vendors tend to release CVEs only for patchable software, not cloud software. In addition, vendors may not know about exploited XSS vulnerabilities, if they are not massively exploited because they may have a lack of observability, especially for 3/👇

evaristegal0is.bsky.social•93 days ago

client-side XSS. So, if I had an XSS on a critical service, I would probably try to sell to the highest bidder - often they are not good guys - or use it on specific high-value targets, by making hardest the detection. So, all this thread to ask: is XSS underevaluated due to a lack of observability?

webappsec.dev•93 days ago

These are all good points. One way to get good visibility into XSS issues on sensitive services is via bug bounty programs.
At least this worked very well for us.
Also CSP was a part of our approach of mitigating XSS at scale. See page 7: https://static.googleusercontent.com/media/publicpolicy.google/en//resources/google_commitment_secure_by_design_overview.pdf

evaristegal0is.bsky.social•93 days ago

Yep - but Google is ...Google :) I know almost all Google services have CSP. About the visibility: BBP sounds like a good complementary solution, but I don't think we can consider it a good technical solution. And we know some actors can pay more than a standard BBP for a good vulnerability. And 1/👇

misfir3.bsky.social•87 days ago

Always curious about the methodology to get to 'highest risk' or 'most dangerous' ... any background info you are aware of on that?

webappsec.dev•86 days ago

I haven't looked into MITRE's methodology, but at Google we're using "domain tiers": https://bughunters.google.com/blog/4562175388155904/externalizing-the-google-domain-tiers-concept
On TIER0 domains a critical vulnerability (e.g. XSS or authorization bypass) could lead to a full compromise of a user's account or execution of code on their or a cloud system.

misfir3.bsky.social•86 days ago

Absolutely agree on the Tier 0 XSS being most dangerous as a specific vuln (in terms of impact). When it’s “most dangerous of 2025”, I’m really curious about the data and methodology behind that. This goes to my general interest these days in the “likelihood” side of risk

misfir3.bsky.social•86 days ago

Or 2024 😃, kind of getting ahead of myself there

j-opdenakker.bsky.social•93 days ago

I'd hope with several frameworks being secure by default when it comes to XSS that this wouldn't be the case anymore, but slow progress I guess?

webappsec.dev•93 days ago

Yes, this works (and imho the only approach that works at scale). See page 7 of Google's secure by design whitepaper: https://static.googleusercontent.com/media/publicpolicy.google/en//resources/google_commitment_secure_by_design_overview.pdf

emilpls.bsky.social•86 days ago

any idea why CSRF is +5 since last year? I rarely see CSRF reports these days.

Comments

Posting Rules

Reply