Report: Web App Vulnerabilities Caused by Lax Coding Techniques

Cross-site scripting (XSS) errors are now responsible for more than half of all Web application vulnerabilities, but nearly all could be prevented by developers practicing secure coding techniques, according to a new report from online security firm Veracode.

XSS flaws occur whenever an “application takes untrusted data and sends it to a Web browser without proper validation and escaping,” that is, without removing or neutralizing characters that the browser would otherwise interpret as markup or script, according to the Open Web Application Security Project (OWASP), a non-profit focused on software security.
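To make the escaping step OWASP describes concrete, here is an added illustration in Node.js that is not from the report or the article: a page-rendering function that concatenates a user-supplied value straight into HTML, beside the same function with the value encoded at the point of output. The function names (`escapeHtml`, `renderGreetingUnsafe`, `renderGreeting`) and the sample input are this example's own.

```javascript
// Added example, not code from the Veracode report or the article.
// It shows the "escaping" OWASP describes: a vulnerable renderer beside a
// hardened one. All names here are hypothetical, chosen for illustration.

// Each character with meaning in HTML element content or attribute values
// is replaced by its entity, so untrusted text is displayed, never parsed.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the untrusted name goes into the page unchanged, so any
// markup it contains is interpreted by the browser.
function renderGreetingUnsafe(name) {
  return `<p>Hello, ${name}!</p>`;
}

// Hardened: the same template with the value escaped on output. This is
// the kind of one-line fix the article refers to. Note that this encoding
// is for HTML body/attribute context only; a value placed inside a script
// block, a URL or a CSS rule needs the encoding rules of that context.
function renderGreeting(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Constructed sample input: the classic probe string a scanner would submit.
const SAMPLE_INPUT = '<script>alert(1)</script>';

// Check used for the comparison below: is there still a raw <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe :', renderGreetingUnsafe(SAMPLE_INPUT));
console.log('escaped:', renderGreeting(SAMPLE_INPUT));
```

Run with `node`; the first line prints a live script tag, the second prints `&lt;script&gt;...` which the browser shows as literal text.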

Veracode found in its study of various Web apps that developers are not doing the “upfront work” necessary to prevent XSS errors from being introduced in the first place, thereby opening the door for attackers to exploit the system, bypass security controls and unleash malicious scripts in users’ browsers.

“We strongly believe that many XSS errors are straightforward and easy to fix, and that much can be done to greatly reduce their occurrence,” concluded Matt Moynahan, CEO of Veracode, in a statement. “Developer and product security teams must accept greater accountability for writing better code.”

Veracode’s earlier ‘State of Software Security Report’, released in September 2010, found that XSS accounted for 51 percent of all vulnerabilities uncovered in a testing process. This latest research confirms that XSS errors can be fixed relatively easily and cost-effectively if they are caught early in the process, and made a priority.

“We see thousands — sometimes tens of thousands — of XSS vulnerabilities a week,” said Chris Eng, senior director of security research at Veracode. “Many are those we describe as ‘trivial’ and can be fixed with a single line of code.”

Veracode found the average time required to fix an XSS bug, based on companies that used its service, was sixteen days.

But, when made a high priority, fixes can be made in a much shorter time, as seen in the wake of XSS exploits against popular Web sites such as Facebook and Twitter.

“Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed,” said Eng.

To reach its goal “to rid the world of cross-site scripting,” Veracode has also announced the launch of a free XSS detection service that offers companies recommendations on reducing vulnerabilities, as well as education and training for developers.

Users sign up for the service, submit one Java application free of charge and the platform will search for XSS errors and produce a detailed report with location and remediation information.