September 10th, 2012
As far back as 2005, cross-site scripting (XSS) was recognized as the most commonly reported type of software vulnerability. A more recent
study by Veracode using data from the
Web Hacking Incident Database shows that XSS is the most prevalent vulnerability
in Web applications and the second most likely to be
leveraged in real-world attacks.
Data from the Microsoft
Security Response Center (MSRC) demonstrates the growth in reported XSS.
The chart above shows XSS taking a growing share of reported vulnerabilities
year over year, crowding out other vulnerability types percentage-wise.
To help protect users, Internet Explorer pioneered the implementation of multiple
overlapping mitigations targeting XSS, including
toStaticHTML() and the
IE XSS Filter. IE10 introduces support for the new
HTML5 standard IFRAME Sandbox,
which allows developers of Web applications to more tightly control the behavior
of embedded content. We’re intent on continuing these investments, as real-world
data continues to show an uptick in the relative quantity of XSS vulnerabilities
in the wild.
To review the impact of the IE XSS Filter, we’ve done a deep analysis of all vulnerabilities
reported to MSRC in the first half of 2012. This analysis has shown that the
IE XSS Filter currently applies to 37% of all legitimate vulnerabilities
reported to the MSRC. (For some perspective, another highly reported vulnerability
class is memory safety, accounting for 24% of vulnerabilities within the
same data set.)
The IE XSS Filter is just one example of how our browser’s threat-mitigation strategy
doesn’t stop with memory safety mitigations like
ASLR and DEP/NX. As more customers and businesses leverage Web technologies,
mitigating XSS and other Web application vulnerabilities has become increasingly
important. We are happy to see the impact mitigations have made against the threat
of XSS, and are looking to continuously innovate in this space going forward.
—David Ross, Principal Security Software Engineer, Microsoft Security Response Center