Report: attackers still using old vulnerabilities to fuel new attacks
Cyber criminals are still using cross-site scripting (XSS) attacks and other oft-overlooked methods of entry to gain access to compromised users, a new study has found.
According to white hat hacking platform HackOne, which maintains a community of 200,000 security experts aiming to combat the efforts of online attackers, XSS vulnerabilities are the most commonly used route of entry for many.
These are a form of injection security breach whereby a hacker will inject some kind of malicious data, such as a script, into content on an otherwise trustworthy website.
XSS attacks occur most often when an unknown source is allowed to add code to a web application, before that code is then delivered to a victim’s browser via adaptable content.
According to HackOne’s report, it represents one example of several vulnerabilities that still exist because organisations have no capacity to validate the code being inputted into their sites, letting hackers get websites to react in ways that were not foreseen by their makers.
The firm’s report also states that despite XSS attacks being well-known to the security community, there is a dearth of guidance on how to avoid the problem or deal with it once encountered.
Indeed, XSS was the most exploited vulnerability in every industry studied by HackOne, other than financial services and banking where false authentication attacks take spot. Overall, cross-site scripts account for 12 per cent of currently existing vulnerabilities.
HackerOne’s CEO Marten Mickos said that identifying such overlooked vulnerabilities was one of the main advantages of using white hack hackers to oversee an organisation’s cyber security practices.
He explained: “One advantage of our model is the diversity of people we can call upon, and the fact that they have no previous information about the system, so they are not ‘blinded’ by knowing too much, so they try things dedicated teams are less likely to try.
“As a result, they statistically produce better results because they come from the outside, just like the criminals, and they look more broadly and creatively because they have no preconceived notion or bias about what to look for.”
