Statistical Validation of the IE8 XSS Filter

Greetings, I’m Russ McRee of Microsoft’s Online Services Security & Compliance Incident Management team. My team serves as incident handlers for the various types of attacks our online services face. High on the list of incidents we handle are cross-site scripting attacks. 

There’s an unfortunate misconception surrounding cross-site scripting (XSS) attacks that results in them being perceived as less impactful than other types of attacks, and often more theoretical than practical. I believe this mindset increases inherent risk for Internet users. I wanted to share some statistics that show why I think the addition of the XSS Filter to Internet Explorer is so significant.

The Web Application Security Consortium (WASC) recently released its findings from the Web Application Security Statistics Project 2007. The data in this report adds to the statistics I cited in “The Anatomy of an XSS Attack,” written for the June 2008 ISSA Journal.

Some highlights from the WASC study:

  • Of the most prevalent vulnerabilities, including SQL injections, information leakage, predictable resource location, and cross-site scripting, XSS was the most prevalent at 41%.

  • Of 10,297 sites analyzed for the WASC study, 28,796 XSS vulnerabilities were discovered, accounting for 31% of all sites surveyed.

Additional statistics:

  • According to the Internet Security Threat Report from Symantec, during the last six months of 2007, 11,253 site-specific, cross-site scripting vulnerabilities were documented, compared to 6,961 between February and June in the first half of the year, for a 62% increase in six months.

  • According to a WhiteHat Security Statistics Report, 90% of all websites have at least one vulnerability, and 70% of all vulnerabilities are XSS.

While statistics can always be used to prove a point, more important are the actions taken to alleviate a problem. Since XSS vulnerabilities are of epidemic proportions, the XSS Filter in IE8 (intended to protect consumers from this massive attack vector) is a great thing.

David Ross, Security Software Engineer on the SWI team, has driven the effort behind the filter, which discovers likely XSS in a cross-site request and identifies and neuters the attack if it is replayed in the server’s response. Users are not presented with questions they are unable to answer – IE simply blocks the malicious script from executing.
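The two-step check described above (flag likely XSS in a cross-site request, then act only if it is replayed in the response) can be modelled in a few lines. This is an added example, not Microsoft's code or the filter's actual heuristics: the patterns, the origin comparison, the `#` substitution, and the sample URLs are all assumptions made for illustration.

```javascript
// Simplified model of a reflected-XSS filter (illustrative; not IE8's code).
// The patterns, the same-origin test and the '#' substitution are assumptions.
const SUSPICIOUS = [/<script\b/i, /\bon\w+\s*=/i, /javascript:/i];

// Assumption: "cross-site" means the referrer's origin differs from the target's.
function isCrossSite(referrerUrl, requestUrl) {
  if (!referrerUrl) return true; // unknown source is treated as cross-site
  return new URL(referrerUrl).origin !== new URL(requestUrl).origin;
}

// Step 1: collect decoded query values that look like script injection.
function suspiciousValues(requestUrl) {
  const hits = [];
  for (const value of new URL(requestUrl).searchParams.values()) {
    if (SUSPICIOUS.some((re) => re.test(value))) hits.push(value);
  }
  return hits;
}

// Break the trigger token so the browser no longer parses it as script.
function neuter(fragment) {
  return fragment
    .replace(/<scr(ipt\b)/gi, "<sc#$1")
    .replace(/\bo(n\w+\s*=)/gi, "#$1")
    .replace(/javascr(ipt:)/gi, "javasc#$1");
}

// Step 2: act only when a flagged value is replayed verbatim in the response.
function filterResponse(referrerUrl, requestUrl, body) {
  if (!isCrossSite(referrerUrl, requestUrl)) return { body, blocked: 0 };
  let blocked = 0;
  for (const value of suspiciousValues(requestUrl)) {
    if (!body.includes(value)) continue; // encoded or absent: page untouched
    body = body.split(value).join(neuter(value));
    blocked += 1;
  }
  return { body, blocked };
}

// Constructed sample: a link on another site targets a search page.
const SAMPLE_REQUEST =
  "https://shop.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const SAMPLE_REFERRER = "https://forum.example/thread/1";
const ECHOED = "<p>Results for <script>alert(1)</script></p>";
const ENCODED = "<p>Results for &lt;script&gt;alert(1)&lt;/script&gt;</p>";

console.log(filterResponse(SAMPLE_REFERRER, SAMPLE_REQUEST, ECHOED));
console.log(filterResponse(SAMPLE_REFERRER, SAMPLE_REQUEST, ENCODED));
```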

Simply put, IE 8’s XSS Filter seeks to provide defense in depth via automatic detection and prevention of common XSS attacks, a pervasive security threat facing Internet users, without hurting performance or compatibility.

Referring back to the statistics above, this translates into 70% of possible threats faced by IE 8 users deterred by the XSS Filter. I’m really excited about the work that the Internet Explorer and SWI teams have been doing here to provide new levels of protection for users.

Russ McRee