From previous articles, you should be aware that Cross-Site Scripting (XSS) is an issue that is not going away any time soon.
Unlike it's buzzword predecessor, SQL injection, Cross-Site Scripting is a difficult vulnerability to quantify. What is the risk of not remediating a Cross-Site Scripting vulnerability in your web application?
If you have recently gone through a web application assessment, the report most likely indicates the risk factor of having XSS is high. But, what evidence does the report writer have to support this statement?
Basic security teaches us that risk can be quantified as:
Risk = (Probability of the event occurring) x (The impact if the event occurs)
To support the consultants statement, we would need to identify the probability of an attacker using a Cross-Site Scripting vulnerability as an attack vector and what the impact is, if the user is exploited.
Impact
It is important to realize that XSS is a means, not an end. XSS is simply a transportation mechanism. It is used to facilitate the actual attack which could be system compromise or stealing a users session. The only limitation on XSS is that it operates in a browser enviroment.
Do to the numerous things an attacker can do with XSS, it is hard to quantify an impact for all XSS vulnerabilities. Since XSS has different severities in regards to impact, an orginization should always choose the impact that is most severe. In other words, the worst-case-scenario.
If a user is exploited through an XSS attack, an orginzation can assume the attacker is doing the most damaging thing imaginable. Therefore, if a user is compromised from XSS, the impact is high.
We have now identified that the impact of Cross-Site Scripting is high. But, what about the probability of it actually occuring?
It is difficult to find evidence of people using Cross-Site Scripting as an an attack vector? There are cases where XSS was used, in conjunction with SQL injection, to insert an offsite iframe into a web page in order to attempt a traditional overflow. Should these attacks be included into the equation for probability of it happening? Since it can be argued that these attacks used SQL injection, and not XSS for propigation, these attacks need to be excluded.
The only evidence I can find is Verizon's 2009 Data Breach Investigation Report. That docuement however, doesn't go into much detail about the specifics of the XSS attack.
Due to the lack of overwhelming evidence, XSS currently is not a common attack method. The probability of a Cross-Site Scripting attack occuring is low.
Cost-Benefit Justification of Fixing Cross-Site Scripting
Since it is difficult to quantify the cost of having an XSS, it is just as difficult to do a cost-benefit analysis on fixing XSS vulnerabilities.
Why should merchants spend money on remediating their XSS vulnerabilities when there is no supporting evidence of attacks occuring?
Until more web applications are compromised through XSS vectors and there is more evidence to support this happening, not much security budget will go towards remediating Cross-Site Scripting vulnerabilities.