Cross-Site Scripting Tops CWE's Most Dangerous List

Cross-site scripting has topped the 2020 list of the 25 Most Dangerous Software Weaknesses compiled by the Common Weakness Enumeration (CWE). 

The vulnerability, described by the CWE as "improper neutralization of input during web page generation," was given a threat score of 46.82. 

Describing the dangers posed by cross-site scripting (XSS), CWE wrote: "The attacker could transfer private information, such as cookies that may include session information, from the victim's machine to the attacker. The attacker could send malicious requests to a web site on behalf of the victim, which could be especially dangerous to the site if the victim has administrator privileges to manage that site. 

"Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site. Finally, the script could exploit a vulnerability in the web browser itself possibly taking over the victim's machine, sometimes referred to as 'drive-by hacking.'"

By comparison, last year's CWE list topper was far more dangerous. The biggest software threat in 2019—improper restriction of operations within the bounds of a memory buffer—received a threat score of 75.56.

The CWE Top 25 is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. 

To create the 2020 list, the CWE team leveraged Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). The team also took into account the Common Vulnerability Scoring System (CVSS) scores associated with each CVE. 

The second biggest weakness identified in this year's list was "out-of-bounds write." This vulnerability was given a threat score of 46.16, just marginally lower than the threat occupying pole position. 

"These aren’t new risks, so why have organizations failed to find these problems before releasing code to production, or failed to protect these vulnerabilities against attack in production?" commented Jayant Shukla, CTO and co-founder of K2 Cyber Security.

"Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect."

What’s Hot on Infosecurity Magazine?