As we draw near the end of 2024, MITRE have taken a look back at the security vulnerabilities discovered throughout the year and published their list of the Top 25 Most Dangerous Software Weaknesses, and Report URI is here to help you with the #1 Top Threat: XSS.
Common Weakness Enumeration
The CWE Program is a standardised way of referring to types of security vulnerabilities with a unique ID, allowing a common classification to be used for a particular type of vulnerability across industry. This makes it really easy to ensure that we're referring to the same type of issue, no matter what the source of information is.
The project is maintained and operated by MITRE, and is sponsored by the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), notable company to keep!
The particular CWE finding itself in the #1 spot of Most Dangerous Software Weakness of 2024 is XSS!
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
I guess that's impressive or concerning, depending on how you look at this, but XSS has managed to get itself promoted from the #2 spot in the 2023 ranking!
Common Vulnerabilities and Exposures
In order to see just how common these XSS vulnerabilities are, I decided to take a look at the data from the CVE Program. The CVE Program is another DHS and CISA backed project that tracks publicly disclosed cybersecurity vulnerabilities in the wild. They assign a unique ID to each vulnerability so they can be tracked, and vulnerabilities can map back to a CWE ID so we know what caused the particular vulnerability. Think of it like this:
Alpha Bank is breached (CVE-1234) with an XSS vulnerability (CWE-79).
Zulu Bank is breached (CVE-5678) with an XSS vulnerability (CWE-79).
I grabbed the latest copy of the CVE JSON data and did some quick parsing to come up with some numbers for the CWE Top 25. In the below table, you can see each type of vulnerability by CWE ID, and then how many occurrences of that type of vulnerability have been discovered in the wild. Let's just say, it's pretty clear why XSS (CWE-79) is the #1 spot, and it's not even close!
CWE ID | Vulnerabilities Caused |
---|---|
CWE-79 | 4,632 |
CWE-89 | 2,070 |
CWE-352 | 858 |
CWE-862 | 826 |
CWE-22 | 643 |
CWE-125 | 610 |
CWE-200 | 570 |
CWE-434 | 524 |
CWE-20 | 521 |
CWE-78 | 505 |
CWE-416 | 474 |
CWE-94 | 447 |
CWE-787 | 415 |
CWE-77 | 358 |
CWE-269 | 292 |
CWE-502 | 287 |
CWE-400 | 272 |
CWE-918 | 254 |
CWE-863 | 248 |
CWE-476 | 201 |
CWE-287 | 172 |
CWE-119 | 145 |
CWE-306 | 128 |
CWE-190 | 127 |
CWE-798 | 101 |
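The quick parsing described above, as an added example rather than the original post's script: it tallies how many CVE records map to each CWE Top 25 ID, assuming the CVE JSON 5.x record layout (containers.cna.problemTypes[].descriptions[] with an optional cweId and a free-text description), and runs on constructed placeholder records rather than real CVEs.

```python
import re
from collections import Counter
# The CWE Top 25 IDs exactly as listed in the table above.
TOP_25 = {"CWE-79", "CWE-89", "CWE-352", "CWE-862", "CWE-22", "CWE-125", "CWE-200",
          "CWE-434", "CWE-20", "CWE-78", "CWE-416", "CWE-94", "CWE-787", "CWE-77",
          "CWE-269", "CWE-502", "CWE-400", "CWE-918", "CWE-863", "CWE-476", "CWE-287",
          "CWE-119", "CWE-306", "CWE-190", "CWE-798"}
CWE_RE = re.compile(r"\bCWE-\d+\b", re.IGNORECASE)

def cwes_in_record(record):
    """CWE IDs one CVE JSON 5.x record maps to. Assumed layout: containers.cna
    .problemTypes[].descriptions[] with optional 'cweId' and a free-text 'description'.
    A CWE counts once per record; records not in PUBLISHED state are skipped."""
    if record.get("cveMetadata", {}).get("state") != "PUBLISHED":
        return set()
    found = set()
    cna = record.get("containers", {}).get("cna", {})
    for problem in cna.get("problemTypes", []):
        for desc in problem.get("descriptions", []):
            cwe = desc.get("cweId")
            if not cwe:  # some CNAs only put the ID in the free text
                match = CWE_RE.search(desc.get("description", ""))
                cwe = match.group(0) if match else None
            if cwe:
                found.add(cwe.upper())
    return found

def count_top25(records):
    """Number of records mapped to each Top 25 CWE, most common first."""
    counts = Counter()
    for rec in records:
        counts.update(cwes_in_record(rec) & TOP_25)
    return counts.most_common()

def make_record(cve_id, state, *descs):  # minimal constructed record in the assumed shape
    return {"cveMetadata": {"cveId": cve_id, "state": state},
            "containers": {"cna": {"problemTypes": [{"descriptions": list(descs)}]}}}

# Constructed sample data (placeholder IDs, not real CVEs) covering the edge cases.
SAMPLE = [
    make_record("CVE-0000-0001", "PUBLISHED", {"cweId": "CWE-79", "description": "XSS"}),
    make_record("CVE-0000-0002", "PUBLISHED", {"cweId": "CWE-79", "description": "XSS"},
                {"description": "CWE-79 Improper Neutralization"}),  # same CWE twice
    make_record("CVE-0000-0003", "PUBLISHED", {"cweId": "CWE-89", "description": "SQLi"}),
    make_record("CVE-0000-0004", "PUBLISHED", {"description": "cwe-79 found in free text"}),
    make_record("CVE-0000-0005", "REJECTED", {"cweId": "CWE-79", "description": "XSS"}),
    make_record("CVE-0000-0006", "PUBLISHED", {"cweId": "CWE-1234", "description": "n/a"}),
]
```

For the real data set, json.load each record file from the CVE list and pass the resulting list to count_top25.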
I think it's fair to say that we have some work to do on this, and for almost a decade now, Report URI has been working on precisely this problem, so we're ready to help.
Detecting and Mitigating XSS
Regular readers will know that I've been a fan of Content Security Policy for a very long time, and any time you see someone talking about CSP, it's almost always going to be in the context of protecting against XSS. That's because CSP is a very flexible and powerful mechanism, but XSS is the most dangerous thing it can protect you against, so that's often the focus of conversation.
CSP is, quite literally, the ultimate defence mechanism for XSS for many reasons, and Report URI makes it easy to get started with your deployment. Think of CSP as 'The Final Boss' for XSS, and we're here to make sure it's not defeated.
I'm not going to go into the technical details of CSP here as I have, quite literally, been talking about CSP for more than a decade on this very blog! What I am going to do is say that we're ready to help, and all you have to do is reach out.
Over the years, we've launched countless new features at Report URI to make our tools more effective and easier to use, we've fully aligned with the PCI DSS v4.0 requirements (6.4.3 and 11.6.1), and we regularly process over 1,000,000,000 pieces of telemetry for our customers every single day. We want to make a difference.
If you'd like more information, we have a dedicated XSS Solution page, or PCI DSS / Magecart solutions pages if that's more your bailiwick, or you can just reach out to us to get the conversation started.
Let's make sure that XSS isn't #1 in 2025!