Summary: CISA and the FBI have issued a warning to technology manufacturers regarding the persistent issue of cross-site scripting (XSS) vulnerabilities in software, urging them to adopt a secure-by-design approach to eliminate these flaws. The agencies emphasize the importance of thorough software reviews and the implementation of robust security measures to prevent exploitation by threat actors.
Threat Actor: Various | threat actor
Victim: Technology Manufacturing Companies | technology manufacturing companies
Key Point :
- CISA and FBI highlight the need for manufacturers to review software for XSS vulnerabilities before release.
- Cross-site scripting vulnerabilities are preventable but still prevalent, allowing threat actors to exploit web applications.
- Agencies recommend using modern web frameworks and conducting detailed code reviews to enhance security.
- XSS vulnerabilities ranked second in MITRE’s top 25 most dangerous software weaknesses from 2021 to 2022.
- This alert is part of CISA’s ongoing “Secure by Design” initiative to address known vulnerabilities in software products.
CISA and the FBI urged technology manufacturing companies to review their software and ensure that future releases are free of cross-site scripting vulnerabilities before shipping.
The two federal agencies said that XSS vulnerabilities still plague software released today, creating further exploitation opportunities for threat actors even though they’re preventable and should not be present in software products.
The cybersecurity agency also urged executives of technology manufacturing companies to prompt formal reviews of their organizations’ software to implement mitigations and a secure-by-design approach that could eliminate XSS flaws entirely.
“Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs. These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts,” today’s joint alert reads.
“Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures.”
To prevent such vulnerabilities in future software releases, CISA and the FBI advised technical leaders to review threat models and ensure that software validates input for both structure and meaning.
They should also use modern web frameworks with built-in output encoding functions for proper escaping or quoting. To maintain code security and quality, detailed code reviews and adversarial testing throughout the development lifecycle are also advised.
XSS vulnerabilities took second place in MITRE’s top 25 most dangerous software weaknesses plaguing software between 2021 and 2022, surpassed only by out-of-bounds write security flaws.
This is the seventh alert in CISA’s Secure by Design alert series, designed to highlight the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software products despite available and effective mitigations.
Some of these alerts have been released in response to threat actor activity, like an alert asking software companies in July to eliminate path OS command injection vulnerabilities exploited by the Chinese state-sponsored Velvet Ant threat group in recent attacks to hack into Cisco, Palo Alto, and Ivanti network edge devices.
In May and March, two more “Secure by Design” alerts urged software developers and tech executives to prevent path traversal and SQL injection (SQLi) security vulnerabilities.
CISA also urged manufacturers of small office/home office (SOHO) routers to secure their devices against Volt Typhoon attacks and tech vendors to stop shipping software and devices with default passwords.