Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Government

CISA, FBI Urge Organizations to Eliminate XSS Vulnerabilities

CISA and the FBI have released an alert on XSS vulnerabilities, urging organizations to adopt a secure by design approach and eliminate them.

The US cybersecurity agency CISA and the FBI have issued a Secure by Design alert on the prevalence of cross-site scripting (XSS) vulnerabilities, urging organizations to eliminate them from their products.

XSS flaws, the two agencies note in the alert (PDF), exist because user input is not properly validated, sanitized, or escaped, which allows threat actors to inject malicious scripts into web applications, leading to data manipulation, theft, or misuse.

“Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures,” CISA and the FBI note.

The two agencies urge organizations to “review instances of these defects” and implement plans to prevent them in their products.

Organizations are advised to review written threat models, ensure that software validates input for both structure and meaning, conduct code reviews, implement adversarial product testing to verify the quality and security of code, and use modern web frameworks that ensure proper escaping or quoting.

Modern web frameworks, the two agencies argue, can distinguish between user input and application code, and their use makes it easier for developers to ensure that user input is properly escaped. Otherwise, proper escaping and sanitization falls onto the developer.

“Senior executives and business leaders should ask their teams how they are working to eliminate these defects and whether they are implementing a secure by design approach in their products,” CISA and the FBI note.

They also advise organizations to implement three secure by design principles to protect their products from XSS exploits: taking ownership of customer security outcomes, embracing radical transparency and accountability, and building organizational structure and leadership to achieve these goals.

Advertisement. Scroll to continue reading.

“To demonstrate their commitment to building their products that are secure by design, software manufacturers should consider taking the Secure by Design Pledge. The pledge lays out seven key goals that the signers commit to demonstrating measurable progress towards, including reducing systemic classes of vulnerability like cross-site scripting,” the two agencies note.

Related: CISA, FBI Urge Immediate Action on OS Command Injection Vulnerabilities in Network Devices

Related: Federal Push for Secure-by-Design: What It Means for Developers

Related: CISA Introduces Secure-by-design and Secure-by-default Development Principles

Related: Quad Nations Commit to Fostering a Secure Technology Ecosystem

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Defense contractor Nightwing has appointed Tricia Fitzmaurice as Chief Growth Officer.

Xage Security has appointed Russell McGuire as CRO and Ashraf Daqqa as VP of the META region.

Solana co-founder Stephen Akridge has been appointed the CEO of data protection firm Cyber Grant.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.