There’s an unfortunate misconception surrounding cross-site scripting (XSS) attacks that results in them being perceived as less impactful than other types of attacks, and often as more theoretical than practical. I believe this mindset increases inherent risk for Internet users. Here are some statistics that show why the addition of the XSS Filter to Internet Explorer is so significant.
The Web Application Security Consortium (WASC) recently released its findings from the Web Application Security Statistics Project 2007. The data in this report adds to the statistics cited in The Anatomy of an XSS Attack, for the June 2008 ISSA Journal.
Some highlights from the WASC study:
- Of the most prevalent vulnerabilities, including SQL injections, information leakage, predictable resource location, and cross-site scripting, XSS was the most prevalent at 41%.
- Of 10,297 sites analyzed for the WASC study, 28,796 XSS vulnerabilities were discovered, affecting 31% of all sites surveyed.