As far back as 2005, cross-site scripting (XSS) was recognized as the most commonly reported type of software vulnerability. A more recent study by Veracode using data from the Web Hacking Incident Database shows that XSS is the most prevalent vulnerability in Web applications and the second most likely to be leveraged in real-world attacks.
Chart courtesy of Veracode; used by permission
Data from the Microsoft Security Response Center (MSRC) demonstrates the growth in reported XSS vulnerabilities:
Growth in reported XSS vulnerabilities 2004 – 2012 (first half)
The chart above illustrates how we are seeing XSS actually start to crowd out other types of reported vulnerabilities percentage-wise, year-over-year.
To help protect users, Internet Explorer pioneered the implementation of multiple overlapping mitigations targeting XSS, including httpOnly cookies, security=restricted IFRAMES, toStaticHTML(), and the IE XSS Filter. IE10 introduces support for the new HTML5 standard IFRAME Sandbox, which allows developers of Web applications to more tightly control the behavior of embedded content. We’re intent on continuing these investments, as real-world data continues to show an uptick in the relative quantity of XSS vulnerabilities in the wild.
To review the impact of the IE XSS Filter, we’ve done a deep analysis of all vulnerabilities reported to MSRC in the first half of 2012. This analysis has shown that currently the IE XSS Filter applies for 37% of all legitimate vulnerabilities that are reported to the MSRC. (For some perspective, another highly reported vulnerability class is memory safety, accounting for 24% of vulnerabilities within the same data set.)
The IE XSS Filter is just one example of how our browser’s threat-mitigation strategy doesn’t stop with memory safety mitigations like ASLR and DEP/NX. As more customers and businesses leverage Web technologies, mitigating XSS and other Web application vulnerabilities has become increasingly important. We are happy to see the impact mitigations have made against the threat of XSS, and are looking to continuously innovate in this space going forward.
—David Ross, Principal Security Software Engineer, Microsoft Security Response Center