CISA urges software devs to weed out XSS vulnerabilities

​CISA and the FBI urged technology manufacturing companies to review their software and ensure that future releases are free of cross-site scripting vulnerabilities before shipping.

The two federal agencies said that XSS vulnerabilities still plague software released today, creating further exploitation opportunities for threat actors even though they're preventable and should not be present in software products.

The cybersecurity agency also urged executives of technology manufacturing companies to prompt formal reviews of their organizations' software to implement mitigations and a secure-by-design approach that could eliminate XSS flaws entirely.

"Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs. These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts," today's joint alert reads.

"Although some developers employ input sanitization techniques to prevent XSS vulnerabilities, this approach is not infallible and should be reinforced with additional security measures."

To prevent such vulnerabilities in future software releases, CISA and the FBI advised technical leaders to review threat models and ensure that software validates input for both structure and meaning.

They should also use modern web frameworks with built-in output encoding functions for proper escaping or quoting. To maintain code security and quality, detailed code reviews and adversarial testing throughout the development lifecycle are also advised.

​XSS vulnerabilities took second place in MITRE's top 25 most dangerous software weaknesses plaguing software between 2021 and 2022, surpassed only by out-of-bounds write security flaws.

This is the seventh alert in CISA's Secure by Design alert series, designed to highlight the prevalence of widely known and documented vulnerabilities that have yet to be eliminated from software products despite available and effective mitigations.

Some of these alerts have been released in response to threat actor activity, like an alert asking software companies in July to eliminate path OS command injection vulnerabilities exploited by the Chinese state-sponsored Velvet Ant threat group in recent attacks to hack into Cisco, Palo Alto, and Ivanti network edge devices.

In May and March, two more "Secure by Design" alerts urged software developers and tech executives to prevent path traversal and SQL injection (SQLi) security vulnerabilities.

CISA also urged manufacturers of small office/home office (SOHO) routers to secure their devices against Volt Typhoon attacks and tech vendors to stop shipping software and devices with default passwords.