Clearly we are living in an era of high-profile breaches and vulnerability exploits—including 1.2 billion usernames and passwords being lifted in the CyberVor campaign recently. But simple measures such as paying attention to the everyday, commonplace vulnerabilities that organizations have been alerted to can help stem the tide. To that end, XSSposed has launched an XSS vulnerability archive.
The archive aims to inform companies of known security holes and the fixes that relate to them, but it also includes a shame element, by listing known compromised websites. The open-source approach is meant to incentivize the hunt for vulnerabilities where bug bounty programs may not; Yahoo! of course famously offered nothing more than a T-shirt for white hat work—a policy it has since revamped.
High-Tech Bridge, which regularly conducts research into website vulnerabilities and has in the past revealed security vulnerabilities in organizations such as Facebook, NASDAQ and the World Economic Forum's website, noted that since mid-June, the site received 876 reported vulnerabilities, and only 97 fixed vulnerabilities across 1328 vulnerable websites.
"I am not surprised that security researchers are motivated to report XSS vulnerabilities on one public archive," High-Tech Bridge CEO Ilia Kolochenko told Infosecurity. "Today we have very few efficient bug bounties that work properly and fairly. A full disclosure approach may finally be the catalyst that will push web developers to secure their websites rapidly."
And that leaves the door wide open to data thieves.
"Legions of bots have been crawling the web to find unpatched or outdated software for a dozen years already," Kolochenko noted. "The number of automated bots aimed at finding vulnerable websites, compromising, backdooring and even patching them (to prevent 'competing' hacking groups getting in) is growing, as is their efficiency. It's useful to alert people to the existence of such risks, but the CyberVor attack is definitely not a new news story."
He added, "Just by using Google, you can find millions of passwords in plaintext quite quickly on the web, or have a look on XSSposed.org – it has collected vulnerabilities on hundreds of the most famous websites over the last two months, and the researchers submit information there for free. So you can estimate how big the black market really is."
XSSposed.org also allows anyone to challenge hackers to find vulnerabilities on websites worldwide. To find out how secure a particular website really is, users can submit its URL – anonymously if they prefer – via an online contact form, for security researchers to verify if it has any vulnerabilities.
"It's interesting to see numerous Page Rank 10 websites there together with the largest e-commerce, government and information security websites," Kolochenko said. "This definitely proves that the current state of affairs in web application security is far from being perfect and needs serious improvement."
But not just big websites and their users are at risk. Many companies may think they are not big enough to attract the attention of hackers—but that's not logical. "No matter what size your business is, hackers are fond of exploiting any vulnerabilities they know of and can find," said Kolochenko. "Ignoring commonplace vulnerabilities that you've been alerted to damages not just your website but also your business' finances, reputation and, as a result, your customers' trust, as they are far less likely to continue using your website if they know it has vulnerabilities that you haven't patched or fixed."