

16% of web vulnerabilities are still XSS - bensedat
https://www.tinfoilsecurity.com/blog/100-000-security-vulnerabilities-and-counting

======
tptacek
I assume they're not tracking CSRF, since CSRF tends to be much more common
than XSS.

~~~
borski
We actually were, for a while, but are working through some bugs in that
particular module for the last couple of weeks. However, it still didn't show
up as often as XSS in our testing, actually.

------
compumike
Big variance in vulnerability seriousness across that spectrum... but if
you've found 100K+ vulns and 2.5% are SQL injection, that's a lot of big
holes!

~~~
borski
Yup! Some of those are less serious than others, though all are a beachhead
you don't want available to an attacker. And SQLi, I agree, is among the
worst.

------
bluetooth
How did you test for YAML injection? From my past experiences with Ruby
(hardly any) YAML injection is difficult to test from a blackbox perspective
as you need an understanding of the source code in order to be able to craft
the appropriate serialized YAML object to yield code execution.

~~~
borski
Couple of methods. For one thing, we test for status codes returned for
particularly crafted YAML/XML parameters. Aside from that, we also carefully
craft a YAML injection using a timing attack and test blind, that way.
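
The Ruby YAML behaviour this exchange is about, as an added example that is not part of the thread: a YAML document carrying a Ruby object tag instantiates whatever class it names under a full load, while Psych's safe_load rejects it unless the class is explicitly allow-listed. Widget, TAGGED_DOC and the helper functions are constructed for the demo; it assumes Ruby >= 2.6 (Psych >= 3.1).

```ruby
require 'yaml'

# Constructed demo class standing in for any application class a YAML tag
# could name (assumption: a benign class, not a real gadget).
class Widget
  attr_accessor :name
end

# Constructed input: a YAML document with a Ruby object tag. This is the kind
# of "serialized YAML object" the thread refers to.
TAGGED_DOC = "--- !ruby/object:Widget\nname: demo\n".freeze

# Vulnerable pattern: a full load honours object tags and builds whatever class
# the document names. On Psych >= 3.3.2 (Ruby 3.1+) this is spelled
# YAML.unsafe_load; older Psych versions behave this way for YAML.load.
def load_unsafely(doc)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(doc)
  else
    YAML.load(doc)
  end
end

# Hardened pattern: safe_load only builds core scalars and collections and
# raises Psych::DisallowedClass for any other tag. permitted_classes is an
# explicit allow-list for the few types the application really needs.
def load_safely(doc, permitted: [])
  YAML.safe_load(doc, permitted_classes: permitted)
end

# Classify the same document under both loaders so the difference is visible.
def classify(doc)
  unsafe = load_unsafely(doc).class.name
  safe = begin
    load_safely(doc).class.name
  rescue Psych::DisallowedClass
    "rejected"
  end
  { unsafe: unsafe, safe: safe }
end

if __FILE__ == $PROGRAM_NAME
  p classify(TAGGED_DOC)       # => {:unsafe=>"Widget", :safe=>"rejected"}
  p load_safely("name: demo\n") # => {"name"=>"demo"}
end
```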

------
sebcat
Title is wrong. Instead of saying that 16% of web vulns are XSS, it should say
that 16% of the findings reported by this particular product/service are XSS.

Web vulnerability scanners can diff a lot in their results. Crawling
algos/site coverage, finding and using different input vectors, specific
testing methods &c are all very different across various products.
Sectoolmarket is a good resource with results from WIVET (crawl tests more or
less) and WAVSEP (detecting vulnerabilities). Even so, those benchmarks only
cover a very small portion of possible web application attack vectors. And
let's not forget the problem of crawling "The Deep Web" i.e., stateful web
applications.

TL;DR: title is wrong.

------
sdevlin
16% of web vulnerabilities _found by a scanner_ are still XSS.

~~~
borski
Not sure what the implication is here - yes, 16% of the vulnerabilities found
by our scanner, of just over 100k now, are XSS. Are you implying XSS is less
widespread? In my appsec experience, it's possibly even more widespread, if
anything...

