CISA and the FBI have jointly urged technology manufacturers to review their software and ensure that all future releases are free of cross-site scripting (XSS) vulnerabilities before they ship.
The two federal agencies warned that, despite decades of progress in software development, modern products still harbor exploitable XSS flaws that give attackers an easy foothold, even though this class of vulnerability is well understood and entirely preventable.
The agencies called on executives at technology manufacturers to commission formal reviews of their organizations' software, to implement the recommended mitigations, and to adopt a secure-by-design approach that eliminates XSS vulnerabilities as a class rather than fixing them one at a time.
“Critically, cross-site scripting vulnerabilities arise when developers neglect to thoroughly validate, sanitise, and escape user input.” The advisory explains that attackers use these flaws to inject malicious script into online services, which can then run in victims' browsers to gain unauthorized access, steal sensitive information, and cause damage in a wide range of scenarios.
“While some developers employ input sanitization tactics to mitigate XSS threats, these efforts alone are insufficient and must be reinforced by additional security safeguards.”
To keep the same weaknesses out of future releases, CISA and the FBI advised manufacturers to review their threat models and to ensure that software validates input for both its structure and its meaning, rather than checking only its format.
Developers should also use modern web frameworks that provide output encoding natively, so that data is properly escaped or quoted for the context in which it is rendered, and should back this up with code reviews and adversarial testing throughout the development lifecycle rather than relying on sanitization at the point of input alone.
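The following is an added example, not code from the CISA/FBI alert, illustrating the point made above: stripping known-bad input (a common "sanitization" tactic) is bypassable, while encoding at output time for the HTML context is not. The payload, the helper names, and the link allowlist are constructed for illustration; the last function is a small adversarial check of the kind a test suite might run over rendered templates.

```javascript
// Added example (not from the original alert). Runs under Node.js, no dependencies.

// Minimal HTML entity encoder for text and quoted-attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A naive input "sanitizer": removes <script>...</script> blocks and nothing else.
// This is the kind of partial measure the alert describes as insufficient.
function stripScriptTags(value) {
  return String(value).replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Vulnerable: trusts the sanitized input and interpolates it straight into markup.
function renderGreetingVulnerable(name) {
  return `<p>Hello, ${stripScriptTags(name)}!</p>`;
}

// Hardened: encode at output time, for the HTML text context, regardless of what
// was (or was not) done to the value when it entered the system.
function renderGreetingSafe(name) {
  return `<p>Hello, ${escapeHtml(name)}!</p>`;
}

// Attribute context: validate the value's meaning (only http/https URLs are allowed,
// a hypothetical policy for this example), then encode and always quote the attribute.
function renderLinkSafe(href, label) {
  let safeHref = '#';
  try {
    const url = new URL(href);
    if (url.protocol === 'http:' || url.protocol === 'https:') safeHref = url.href;
  } catch (err) {
    // Unparseable input is rejected, not "cleaned".
  }
  return `<a href="${escapeHtml(safeHref)}">${escapeHtml(label)}</a>`;
}

// Adversarial check for a test suite: does the rendered HTML contain a tag with an
// inline event handler, a <script> element, or a javascript: URL inside a tag?
// Properly encoded payloads appear only as text, so they do not match.
function looksLikeActiveContent(html) {
  const eventHandlerInTag = /<[^>]*\son\w+\s*=/i;
  const scriptTag = /<script\b/i;
  const jsUrlInTag = /<[^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i;
  return eventHandlerInTag.test(html) || scriptTag.test(html) || jsUrlInTag.test(html);
}

// Constructed payload: contains no <script> tag, so the naive sanitizer passes it through.
const PAYLOAD = '<img src=x onerror=alert(1)>';

console.log('vulnerable:', renderGreetingVulnerable(PAYLOAD));
console.log('  active content?', looksLikeActiveContent(renderGreetingVulnerable(PAYLOAD)));
console.log('hardened:  ', renderGreetingSafe(PAYLOAD));
console.log('  active content?', looksLikeActiveContent(renderGreetingSafe(PAYLOAD)));
console.log('link:      ', renderLinkSafe('javascript:alert(1)', 'click me'));

module.exports = { escapeHtml, stripScriptTags, renderGreetingVulnerable, renderGreetingSafe, renderLinkSafe, looksLikeActiveContent, PAYLOAD };
```

The encoder here only covers HTML text and quoted attribute values; values placed into JavaScript, CSS, or URL contexts need the encoder for that context, which is exactly why the alert recommends frameworks that handle output encoding natively rather than hand-rolled escaping.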
XSS ranked among MITRE's top 25 most dangerous software weaknesses in both 2021 and 2022, placing second only to out-of-bounds write flaws.
This is the seventh alert in CISA's Secure by Design series, which focuses on widely recognized, well-documented vulnerability classes that persist in software products despite the availability of effective mitigations.
Several of these alerts were issued in response to recent threat actor activity, including one in July that warned software companies that the Chinese state-sponsored Velvet Ant group was exploiting such flaws in ongoing attacks on network edge devices.
In February and March, the agencies issued two further Secure by Design alerts urging software developers and tech leaders to eliminate specific classes of security vulnerabilities from their products.
The February alert called on manufacturers of small office/home office (SOHO) routers to harden their devices against attack, and urged technology vendors more broadly to take the necessary precautions.