[WEB SECURITY] Severity Rating of Cross Site Scripting



Cross Site Scripting (XSS) has really come into its own during the past 6 months. XSS now tops Mitre's CVE [1] and the WHID [2], not to mention all the media coverage during the last week. We've come to understand how incredibly severe XSS attacks can be considering Intranet Hacking [3] and Web Worms [4]. Typical cookie theft seems harmless by comparison. As a result, one of the questions that has resurfaced is severity rating.

In previous years, most vulnerability assessment reports I've read understandably assign XSS vulnerabilities as "Medium". The same is true at WhiteHat Security. We rate non-persistent as "Medium", persistent as "High", with the vast majority being non-persistent. Today what's happening is the potential business impact of XSS has grown much greater and the threat differential between non-persistent and persistent is diminishing. For vulnerability reporting purposes we're compelled to increase the severity rating of almost all XSS issues to "High". This would seem to make more sense based on what we now know.

What I'm interested to know is how others in the industry view XSS in terms of severity rating. Are there plans to increase reported severity?


Regards,

Jeremiah Grossman
Chief Technology Officer
WhiteHat Security, Inc.
http://www.whitehatsec.com/


[1] Vulnerability Type Distribution in CVE http://www.attrition.org/pipermail/vim/2006-September/001032.html

[2] Web Hacking Incidents Database
http://www.webappsec.org/projects/whid/

[3] Hacking Intranet Websites from the Outside
"JavaScript malware just got a lot more dangerous"
http://jeremiahgrossman.blogspot.com/2006/08/home-from-blackhat-and-defcon.html


[4] Teen uses worm to boost ratings on MySpace.com
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,105484,00.html



----------------------------------------------------------------------------
The Web Security Mailing List: http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]