{"id":581,"date":"2024-10-10T06:00:00","date_gmt":"2024-10-10T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=581"},"modified":"2024-10-10T06:00:00","modified_gmt":"2024-10-10T06:00:00","slug":"whats-old-is-new-again-ai-is-bringing-xss-vulnerabilities-back-to-the-spotlight","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=581","title":{"rendered":"What\u2019s old is new again: AI is bringing XSS vulnerabilities back to the spotlight"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2024\/09\/17\/cisa-and-fbi-release-secure-design-alert-eliminating-cross-site-scripting-vulnerabilities\">a Secure by Design alert<\/a> in September urging tech manufacturers to remove cross-site scripting vulnerabilities (XSS), which have long plagued security professionals, from their products.<\/p>\n<p>The alert warns CEOs and other leaders at technology manufacturers \u201cto direct their technical teams to review past instances of these defects and create a strategic plan to prevent them in the future.\u201d Experts say that AI models are poised to compound the problem as they take in data containing XSS.<\/p>\n<p>The two agencies issued <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-cross-site-scripting-vulnerabilities\">more details<\/a> outlining what technical leaders should do to help eliminate XSS defects from their products, including conducting code reviews, examining threat models, and using \u201cmodern web frameworks that offer easy-to-use functions for output encoding to ensure proper escaping or 
quoting.\u201d<\/p>\n<p>This alert is notable given that <a href=\"https:\/\/www.csoonline.com\/article\/565192\/what-is-xss-cross-site-scripting-attacks-explained.html\">XSS vulnerabilities<\/a> have been a widespread problem for cybersecurity professionals since the earliest days of the modern internet era. They originated in the 1990s and have appeared on the <a href=\"https:\/\/www.csoonline.com\/article\/560221\/what-is-owasp-and-why-it-matters-for-appsec.html\">OWASP Top Ten<\/a> Web Application Security Risks since 2003 (although in OWASP\u2019s latest <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\">list<\/a>, they appear under the broader superset of \u201cinjection\u201d vulnerabilities.) They have also been omnipresent on <a href=\"https:\/\/cwe.mitre.org\/top25\/\">MITRE\u2019s list<\/a> of the top 25 most dangerous software weaknesses for years.<\/p>\n<p>As was true of a March 2024 CISA and FBI <a href=\"https:\/\/www.cisa.gov\/resources-tools\/resources\/secure-design-alert-eliminating-sql-injection-vulnerabilities-software\">Secure by Design alert<\/a> on eliminating SQL injection vulnerabilities, another software flaw that dates back 30 years, a logical question arises: why are US federal authorities suddenly seeking to address what, in internet terms, is an ancient software vulnerability that never seems to go away?<\/p>\n<p>An informal survey of over a dozen software security experts yields various answers to this question. However, the experts agree that unless developers fix the XSS flaws in their code soon, the top generative artificial intelligence players, currently incorporating software replete with XSS vulnerabilities into their models, could perpetuate the problem.<\/p>\n<h2 class=\"wp-block-heading\">What are cross-site scripting vulnerabilities?<\/h2>\n<p>In their alert, CISA and the FBI define XSS vulnerabilities as those flaws that \u201carise when manufacturers fail to properly validate, sanitize, or escape inputs. 
These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.\u201d<\/p>\n<p>An XSS vulnerability is \u201cany opportunity that you have to not sanitize data, and then it gets used in some other capacity,\u201d Tim Mackey, head of software supply chain risk strategy at the Synopsys Software Integrity Group, tells CSO. \u201cThis is essentially, \u2018Can I put HTML script tags in things? Can I go and render human-provided data in a context in which it wasn\u2019t supposed to be used?\u2019\u201d<\/p>\n<p>Fundamentally, the problem with XSS is the constant need to sanitize data input by users so that it does not get interpreted as HTML code that can transfer to other sites. \u201cIn cross-site scripting, when you display something, you have to make sure that if it\u2019s coming from a user, that you\u2019re escaping it, so that it doesn\u2019t get interpreted as HTML code and executed in the context of that website,\u201d Yves Younan, who leads the vulnerability discovery &amp; research team at Cisco Talos, tells CSO.<\/p>\n<h2 class=\"wp-block-heading\">Why are the US authorities flagging XSS?<\/h2>\n<p>It is unclear why this perennial problem has become a focus of attention. Some experts think CISA and the FBI are pushing generally outmoded federal government agencies and departments to update their technologies to modern software development frameworks that typically correct for XSS flaws.<\/p>\n<p>\u201cThe problem is that many government agencies use older frameworks that still have cross-site scripting,\u201d Andrew van der Stock, Executive Director of OWASP and the Project Co-Lead of OWASP Top Ten, tells CSO. 
\u201cSo, the reason I think CISA and FBI are asking their agencies and others to look at this is because of these agencies that are using 10, 15, 20-year-old frameworks that don\u2019t have the protections of the modern frameworks.\u201d<\/p>\n<p>Other experts say that the alert is aimed at C-level executives, who have the most power to order their organizations to clean up any XSS vulnerabilities. \u201cOne of the things that CISA is doing is recognizing that you need executive buy-in to get anything done,\u201d Chris Wysopal, co-founder and CTO of Veracode, tells CSO.<\/p>\n<p>\u201cUnless you have executive attention, it\u2019s not going to happen because developers aren\u2019t in charge of their tasks,\u201d Wysopal adds. \u201cThey\u2019re not in charge of how much time they must dedicate to security. You need to have the people allocating the work to be done to prioritize security at the right level. Whoever is in charge of product, whoever is in charge of building these things to meet a certain functionality, is ultimately in charge of that.\u201d<\/p>\n<p>Still, other experts feel that CISA is addressing this old vulnerability to just generally promote better software security development and the agency\u2019s Secure by Design initiative. Dick O\u2019Brien, principal intelligence analyst on Symantec\u2019s Threat Hunter Team at Broadcom, tells CSO the alert \u201cdoes a good job at raising awareness of the issue and also providing guidance on how to avoid introducing these vulnerabilities. CISA is taken seriously by public and private organizations, and whatever they say, people tend to sit up and notice.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Why is XSS still a problem after 30 years?<\/h2>\n<p>Regardless of why the feds are motivated to warn on the topic, XSS is still a significant cybersecurity problem after nearly three decades, with no clear-cut solutions. 
Many experts chalk up the longevity of this vulnerability to simple human error or software developers who don\u2019t keep the threat of XSS at the forefront of their minds when writing code.<\/p>\n<p>\u201cThe thing that\u2019s unfortunate when it comes to security is humans are always the weak link. Whether that\u2019s through phishing attacks, developers writing bad code, malicious actors, or insider threats, humans are always the weak link,\u201d Shane Fry, CTO at RunSafe Security, tells CSO.<\/p>\n<p>\u201cDevelopers are not looking to solve security even though they should be, right? But their first and foremost responsibility is getting something done,\u201d Fry adds. \u201cSo, you see often Stack Overflow answers that are a decade old where there\u2019s a comment attached to the top thing saying, \u2018this is wrong, don\u2019t do this. This is going to result in cross-site request forgery or cross-site scripting vulnerabilities.\u2019 But as a developer, \u2018you go, oh, this is the solution to my problem.\u2019\u201d<\/p>\n<p>Other experts say writing code is fundamentally so complicated that software developers don\u2019t go the extra step to check for common security problems.<\/p>\n<p>\u201cWriting good software is hard,\u201d James Slaughter, senior threat intelligence engineer with Fortinet\u2019s FortiGuard Labs, tells CSO. \u201cWriting good software that\u2019s secure is even more difficult. It requires a conscious decision at design time to ensure best practices are followed all the way through the development cycle. This can be extremely difficult when teams are small, time is short, and margins are thin.\u201d<\/p>\n<p>Still, other experts think that as modern development frameworks supplant the older, less secure ones, fewer XSS vulnerabilities will appear in code products. 
\u201cWe do have very, very good defenses for SQL injection and cross-site scripting now that break that pattern; they use a different way of presenting the data to either the database engine or the user on the browser,\u201d OWASP\u2019s van der Stock says.<\/p>\n<p>\u201cSo, we\u2019ve solved SQL injection, we\u2019ve solved cross-site scripting if you use modern frameworks,\u201d he adds. \u201cA lot of the modern frameworks for doing visual presentations make it quite hard to do cross-site scripting. In 2021, we didn\u2019t have sufficient evidence for it to be its own thing, so it became squished into what it is, an injection pattern.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How AI could exacerbate XSS<\/h2>\n<p>LLM models that underlie the rapidly emerging generative AI technologies are wholly dependent on existing internet content, including software from code repositories, to fuel their functions. To that end, AI organizations are ingesting vast amounts of code that contain XSS vulnerabilities and may inadvertently be pushing these flaws into the foreseeable future.<\/p>\n<p>\u201cThis is just going to keep going as a cycle because unless we have a way to eliminate it, the AI-generated code will have cross-site scripting in it, and the next time something comes to learn, it\u2019s going to learn from the code that has been generated by AI that still has cross-site scripting in it,\u201d Wysopal says. \u201cSo, it\u2019s getting baked into how we write code.\u201d<\/p>\n<p>If an AI was trained on code susceptible to cross-site scripting and the developer isn\u2019t checking the work, \u201cthe AI that is nominally supposed to be making things better may have just made it worse,\u201d Mackey says. 
\u201cSo, without having some concept of validating the results from the AI, this may be the thing that [causes us to be still] talking about cross-site scripting ten years from now.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What CISOs should do about XSS<\/h2>\n<p>The CISA and FBI alert essentially advocates that organizations reduce XSS vulnerabilities to manageable and ideally negligible levels. Software security experts say that CISOs have a critical role in this process.<\/p>\n<p>\u201cI almost view [the alert] as a call to action to CISOs and CSOs and VPs of development to raise the game of cybersecurity within their development teams,\u201d Mackey says.<\/p>\n<p>\u201cCISO should think about customer outcomes,\u201d Wysopal says. \u201cThink about how the customer will purchase and use your application and think about the customer having a secure experience and how that adds value to the brand and the application. We want the customer to come back. We want them to have a good experience.\u201d<\/p>\n<p>OWASP\u2019s van der Stock thinks CISOs should embrace the idea of \u201c<a href=\"https:\/\/owaspsamm.org\/model\/governance\/education-and-guidance\/\">security champions<\/a>,\u201d volunteers from the developer community focused on helping staff with secure software development.<\/p>\n<p>\u201cLet the developers know if you\u2019ve got questions around security, then go to the security champions. Then, the security champions can go to the CISO team.\u201d van der Stock says. \u201cThey know what cross-site scripting and SQL injection are. 
They should be involved in the peer reviews of code retrospectives and things like that so that we can start to say, \u2018well, the security champions are helping people code more securely and creating a culture that is secure by design.\u2019\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a Secure by Design alert in September urging tech manufacturers to remove cross-site scripting vulnerabilities (XSS), which have long plagued security professionals, from their products. The alert warns CEOs and other leaders at technology manufacturers \u201cto direct their technical [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":560,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-581","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/581"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=581"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/581\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/560"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=581"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.ph
p?rest_route=%2Fwp%2Fv2%2Fcategories&post=581"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=581"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}