The Inquirer-Home

Cross site scripting errors are hackers' best friend

Bye-bye buffer overflows
Tuesday, 19 September 2006, 08:52
WITH CHIP makers working out new ways of avoiding buffer overflows, hackers are looking to cross site scripting bugs as the best way to bring down a system.

Languages, such as Java, .Net and PHP, have same-origin policies, to allow interaction between Web objects and pages only as long as they come from the same domain. But some sites have coding flaws that allow malicious Web sites to find ways around these policies, potentially accessing sensitive data in other objects or browser windows.

The technique is proving extremely popular with hackers, according to figures from security outfit Mitre. Mitre says that out of about 20,000 reported vulnerabilities it recorded, 21.5 per cent were XSS related. The next highest, 14 per cent, used SQL injection, which allows attackers to execute malicious SQL statements within a database.

Third most popular, at 9.5 per cent, were PHP "include" vulnerabilities, where an attacker executes arbitrary script on a server by including it in an existing script. The good old-fashioned buffer overflow came in fourth at 7.9 per cent.

The findings of the report were made public over the weekend and can be found here. µ
