Cross-Site Scripting: Many Websites Remain Vulnerable to Common Web Exploit
- According to cybersecurity firm High-Tech Bridge, XSS accounts for 80% of website security flaws. In a recent study, another security firm, Tinfoil Security, tested the networks of 557 state universities and discovered that 25 percent were vulnerable to XSS.
- The two main types of XSS attacks are reflected (non-persistent) and stored (persistent). In a reflected attack, malicious script is injected into a component of a website, such as a search form, and reflected off the web server and executed within the victim’s browser. A stored attack occurs when malicious script is injected and stored on a targeted server, such as in a database or forum, and executed when a user visits the website. Whereas the reflected and stored types are server-side tactics, another XSS tactic known as DOM-based is a client-side attack.
- The information technology firm Cisco recently revealed an XSS vulnerability in the WeChat page of their SocialMiner product, a social media brand management tool. Cisco’s advisory stated the vulnerability could allow an unauthenticated, remote attacker to send a malicious script to an unsuspecting user, and that there is no security patch or workaround to mitigate the flaw.
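The reflected and stored cases described above, shown from the defender's side as an added example that is not part of the original advisory: the same untrusted string rendered without and with output encoding. The function names, the in-memory comment list standing in for a database, and the test string are all assumptions made for illustration.

```javascript
// Added example (constructed): reflected and stored XSS share one root cause,
// untrusted text concatenated into HTML without output encoding.

// Encode the five characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Reflected case, vulnerable: the search term from the request is echoed as-is.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Reflected case, hardened: same page, term encoded at the point of output.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored case, hardened: comments saved earlier (the array stands in for a
// database) are encoded when rendered for every later visitor.
function renderCommentsSafe(comments) {
  return "<ul>" + comments.map((c) => `<li>${escapeHtml(c)}</li>`).join("") + "</ul>";
}

// Simple regression check: does the rendered page contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed test input, not taken from any real incident.
const probe = '<script>alert("xss-test")</script>';

console.log("unsafe search page has script tag:", containsScriptTag(renderSearchUnsafe(probe)));
console.log("safe search page has script tag:  ", containsScriptTag(renderSearchSafe(probe)));
console.log("safe comment list has script tag: ", containsScriptTag(renderCommentsSafe(["hello", probe])));
```

For the DOM-based variant, the equivalent client-side control is to assign untrusted strings with `textContent` rather than `innerHTML`.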
The consequences of a successful XSS exploit include the compromise of user files or sensitive information, the installation or spread of malware, account hijacking, redirection of victims to malicious sites, and modification of how content is presented in the user’s browser. The manipulation of content can be problematic, as an XSS vulnerability could allow an actor to modify proprietary documents such as press releases, news publications, or other official communications, affecting the integrity of data and potentially impacting public trust and consumer confidence. Other possible results of XSS exploits include the impersonation of end users and the hijacking of users’ webcams and microphones.
To report an incident, or if your organization would like to learn more about the NJCCIC, please contact a Cyber Liaison Officer at NJCCIC@cyber.nj.gov or visit www.cyber.nj.gov.
Traffic Light Protocol: WHITE
TLP: WHITE INFORMATION MAY BE DISTRIBUTED WITHOUT RESTRICTION