XSS attacks remain top threat to web applications
Cross-site scripting (XSS) attacks remain the top threat to web applications, databases and websites, a study from FireHost reveals

Cross-site scripting (XSS) attacks remain the top threat to web applications, databases and websites, an analysis of 15 million cyber attacks in the third quarter of 2012 has revealed.
Other top attack techniques are directory traversals, SQL injections (SQLi), and cross-site request forgery (CSRF), according to the latest web application attack report by cloud hosting firm FireHost.
The increase in the number of cross-site attacks is one of the most significant changes in attack traffic between Q2 and Q3 2012, the report said. XSS and CSRF attacks rose to represent 64% of the group.
XSS is now the most common attack type, with CSRF now in second place. FireHost’s servers blocked more than one million XSS attacks during the third quarter of 2012, up 69% from the previous quarter.
Cross-site attacks depend on the trust developed between site and user. XSS attacks involve a web application gathering malicious data from a user through a trusted site, often in the form of a hyperlink containing malicious content, while CSRF attacks exploit the trust that a site has for a particular user.
These malicious security exploits can also be used to steal sensitive information such as user names, passwords and credit card details without the site or user’s knowledge.
The severity of these attacks depends on the sensitivity of the data handled by the vulnerable site. This ranges from personal data found on social networking sites, to the financial and confidential details entered on e-commerce sites.
A great number of organisations have fallen victim to such attacks in recent years, including PayPal, Hotmail and eBay, the last of which fell victim to a single CSRF attack in 2008 that targeted 18 million users of its Korean website.
In September 2012 Microsoft and Google Chrome both released extensive patches aimed at fixing XSS flaws, highlighting the prevalence of this growing online threat.
“Cross-site attacks are a severe threat to business operations, especially if servers aren’t properly prepared,” said Chris Hinkley, a senior security engineer at FireHost.
“It’s vital that any site dealing with confidential or private user data takes the necessary precautions to ensure applications remain protected.
“Locating and fixing any website vulnerabilities and flaws is a key step in ensuring your business and your customers don’t fall victim to an attack of this nature. The consequences can be significant, in terms of both financial and reputational damage.”