Nov 10th, 2016

XSS – The gift that just keeps giving

Vulnerabilities, on the whole, come and go. I’ve been testing for seven years now, and I’ve seen the rise and fall of a number of them. When I started off, for example, SQL Injection was relatively common (it shouldn’t have been, because it was pretty venerable even then, but it was); now, with the adoption of ORMs, it has pretty much died away, at least from the more mature applications, which tend to be the ones that get tested. SSL flaws are also far, far less common than they used to be (I guess PCI is to be thanked for that), and whilst not entirely ubiquitous, HTTPS has largely taken over for authenticated sites. But the one vulnerability which never seems to die is good old XSS.

From time to time I test a series of sites that are all using frameworks along the lines of Angular, and I think to myself that the problem might be going away; then suddenly it comes back with a vengeance. In fact, I would say that out of all the sites I test, a good 60% to 70% still manifest this in some form or other. Some more observations…

  1. A surprising number of sites have no protection at all (and no attempt at protection). I’m not talking about little home-grown sites either.
  2. Of those that do, it is surprisingly uncommon to see the kind of elaborate black-box-style filtering that you see on excellent sites like https://html5sec.org/. The filtering you do get tends to be pretty lame and of the “filtering out the script tag will work, won’t it?” variety.
  3. Apparently 72% of ASP.NET sites rely entirely on request validation for protection against XSS. From what I’ve seen, that doesn’t surprise me.
  4. Even sadder are the handful of ASP.NET sites that have XSS because they turned request validation off.
  5. An awful lot of sites which encode nearly everywhere miss just a few (or even just one) fields. This is sad in more than one way, because it shows that validation is occurring on a field-by-field basis rather than going through a central function.
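Points 2 and 5 above are two sides of the same design decision, so here is the central-function pattern as an added illustration (my own example, not code from the post): one encoder per output context, nothing blacklisted, and a template renderer that refuses to emit any field that did not go through an encoder, so a missed field fails the build rather than shipping. The `{{context:field}}` placeholder syntax, the function names and the sample page are assumptions.

```python
import html
import json
import re
from urllib.parse import quote
# One encoder per output context. Nothing is blacklisted: every dynamic value
# is transformed so the browser reads it as data in that context.
def encode_html_text(value: str) -> str:
    return html.escape(value, quote=True)          # & < > " ' become entities

def encode_html_attr(value: str) -> str:
    # Same as text; the template must place the value inside a quoted attribute.
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    # For use inside a quoted JS string literal in an inline <script> block.
    s = json.dumps(value)[1:-1]                     # JSON escaping minus the quotes
    return (s.replace("</", "<\\/")                 # cannot close the script block
             .replace("\u2028", "\\u2028")
             .replace("\u2029", "\\u2029"))

def encode_url_param(value: str) -> str:
    return quote(value, safe="")                    # percent-encode everything

ENCODERS = {"text": encode_html_text, "attr": encode_html_attr,
            "js": encode_js_string, "url": encode_url_param}

# {{text:name}} encodes field `name` for the text context; {{name}} has no context.
PLACEHOLDER = re.compile(r"\{\{(?:(\w+):)?(\w+)\}\}")

def unencoded_fields(template: str) -> list:
    """Audit helper: placeholders written without a context, i.e. fields that
    would bypass the central encoder. Worth running over all templates in CI."""
    return [m.group(2) for m in PLACEHOLDER.finditer(template) if m.group(1) is None]

def render(template: str, fields: dict) -> str:
    """Render a template, refusing to run if any field lacks an encoding context."""
    missing = unencoded_fields(template)
    if missing:
        raise ValueError(f"fields rendered without encoding: {missing}")
    return PLACEHOLDER.sub(
        lambda m: ENCODERS[m.group(1)](str(fields[m.group(2)])), template)

# Constructed sample page and data (hypothetical, not from the post).
PAGE = ('<h1>{{text:name}}</h1>'
        '<a href="/u?q={{url:name}}" title="{{attr:name}}">profile</a>'
        '<script>var who = "{{js:name}}";</script>')

if __name__ == "__main__":
    print(render(PAGE, {"name": 'Ann "<b>" O\'Neil'}))
```

The same user-supplied name comes out differently in each of the four contexts, which is exactly what a per-field approach tends to get wrong for the one field somebody forgot.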

So I am expecting XSS to be keeping us busy for a few more years yet.

