Free Service Targets XSS Bugs in Java Apps

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:35:15


Cross-site scripting bugs have been a major problem for Web site operators for years now, and while their causes and their solutions are both well understood, they’re still quite pervasive. But a new free service is aiming to help site owners avoid the serious compromises that can follow exploitation of an XSS flaw.

On Monday, software security firm Veracode released a new free service that is designed to enable Web site owners to scan their Java applets for XSS bugs. Site owners can upload their applets to Veracode’s servers and the company will scan the application for existing XSS vulnerabilities.

The new free service is available only for Java applications and looks only for XSS flaws, the company said. The service is a small subset of the larger binary-analysis services that Veracode performs on a paid basis; those scans look for a multitude of other types of flaws in a variety of application types.

Although it’s a simple and common type of flaw, cross-site scripting has become a serious issue in Web applications across all kinds of sites. Because it’s so pervasive and relatively easy to exploit, XSS is also a favorite vector for attackers looking for a quick way into a given site. OWASP lists XSS as the number two application security risk in its 2010 Top 10 list.

Veracode’s new service allows users to upload one binary for free.

“At Veracode, we see thousands — sometimes tens of thousands — of XSS vulnerabilities a week. Many are those we describe as ‘trivial’ and can be fixed with a single line of code. Some of our customers upload a new build the following day; others never do. Motivation is clearly a factor,” Chris Eng, senior director of security research at Veracode, said in a statement. “Think about the XSS vulnerabilities that hit highly visible websites such as Facebook, Twitter, MySpace and others. Sometimes those companies push XSS fixes to production in a matter of hours. Are their developers really that much better? Of course not. The difference is how seriously the business takes it. When they believe it’s important, you can bet it gets fixed.”
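An added illustration of the kind of one-line fix the statement refers to (example code written for this page, not Veracode’s or the article’s): a Java handler that reflects a request parameter into HTML unescaped, beside the same handler with the value HTML-escaped before it is written out. The `greetingPage*` methods and the `escapeHtml` helper are assumptions for the illustration, not an API from any real library.

```java
// Added example (not from the article): reflected XSS in a Java handler and its one-line fix.
// Both methods build an HTML page from a request parameter; the "before" version interpolates
// the raw value, the "after" version escapes it first. escapeHtml is a hypothetical helper
// written here so the file is self-contained; a real code base should use a vetted encoder.
public final class XssFixExample {

    // BEFORE: the untrusted "name" parameter goes straight into the markup.
    static String greetingPageVulnerable(String name) {
        return "<html><body><h1>Hello, " + name + "!</h1></body></html>";
    }

    // AFTER: the only change is wrapping the untrusted value in an HTML escaper.
    static String greetingPageFixed(String name) {
        return "<html><body><h1>Hello, " + escapeHtml(name) + "!</h1></body></html>";
    }

    // Minimal escaper for HTML element-content (text) context: neutralises the characters
    // that can open a tag, close an attribute, or start an entity. Attribute, JavaScript
    // and URL contexts each need their own context-specific encoder.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input of the sort a scanner would flag: markup arriving in a parameter.
        String untrusted = "<b>guest</b>";
        System.out.println("before: " + greetingPageVulnerable(untrusted));
        System.out.println("after:  " + greetingPageFixed(untrusted));
        // Sanity check: the fixed page must not contain a literal tag taken from the input.
        if (greetingPageFixed(untrusted).contains("<b>")) {
            throw new AssertionError("escaping failed");
        }
    }
}
```

Run with `java XssFixExample.java` (JDK 11 or later); the "before" line shows the input rendered as markup, the "after" line shows it rendered as inert text.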