XSS Trends and Internet Explorer

As far back as 2005, cross-site scripting (XSS) was recognized as
the most commonly reported type of software vulnerability. A more recent

study by Veracode using data from the
Web Hacking Incident Database shows that XSS is the most prevalent vulnerability
in Web applications and the second most likely to be
leveraged in real-world attacks.

Chart showing cross-site scripting (XSS) as the top vulnerability with 68% of Web applications affected. Information leakage is number 2 with 66% of Web applications affected.
Chart courtesy of Veracode; used by permission

Data from the Microsoft
Security Response Center
(MSRC) demonstrates the growth in reported XSS
vulnerabilities:

Chart showing the growth in reported cross-site scripting vulnerabilities from 1 in 2004, 3 in 2005, 7 in 2006, 16 in 2007, 9 in 2008, 7 in 2009, 8 in 2010, 22 in 2011, to 39 in the first half of 2012.
Growth in reported XSS vulnerabilities 2004 – 2012 (first half)

The chart above illustrates how we are seeing XSS actually start to crowd out other
types of reported vulnerabilities percentage-wise, year-over-year.

To help protect users, Internet Explorer pioneered the implementation of multiple
overlapping mitigations targeting XSS, including
httpOnly cookies,
security=restricted IFRAMES,
toStaticHTML(), and the
IE XSS Filter. IE10 introduces support for the new
HTML5 standard IFRAME Sandbox,
which allows developers of Web applications to more tightly control the behavior
of embedded content. We’re intent on continuing these investments, as real-world
data continues to show an uptick in the relative quantity of XSS vulnerabilities
in the wild.

To review the impact of the IE XSS Filter, we’ve done a deep analysis of all vulnerabilities
reported to MSRC in the first half of 2012. This analysis has shown that currently
the IE XSS Filter applies for 37% of all legitimate vulnerabilities
that are reported to the MSRC. (For some perspective, another highly reported vulnerability
class is memory safety, accounting for 24% of vulnerabilities within the
same data set.)

The IE XSS Filter is just one example of how our browser’s threat-mitigation strategy
doesn’t stop with memory safety mitigations like
ASLR and DEP/NX. As more customers and businesses leverage Web technologies,
mitigating XSS and other Web application vulnerabilities has become increasingly
important. We are happy to see the impact mitigations have made against the threat
of XSS, and are looking to continuously innovate in this space going forward.

—David Ross, Principal Security Software Engineer, Microsoft Security Response Center