Cross-site scripting (often shortened to XSS) is an age-old yet persistent web vulnerability. Cybercriminals use it to steal data by injecting malicious code into web pages.
Even websites run by government agencies and major corporations are not immune to this threat.
Despite being an older exploit, it frequently appears on the OWASP Top 10 list of most critical cyber threats.
We wanted to see just how frequent these attacks are now compared to the past, so we gathered the most striking cross-site scripting statistics.
By the end of this little research project, we ended up with quite a few intriguing facts, and we’ll share them with you.
So, let’s dive in and explore the tremendous impact of this persistent web vulnerability!
Stunning cross-site scripting statistics
Before we go into the specifics, here are some shocking cross-site scripting statistics:
- Cross-site scripting made up almost 50% of all web-based exploits in 2016.
- The average cost of an XSS attack is $1.8 million.
- According to cross-site scripting stats by Security Intelligence, XSS attacks saw a 39% increase in Q1 2017.
- OWASP’s 2017 Top 10 document ranks XSS as the second most common issue.
General cross-site scripting stats
The stats below reveal the impact cross-site scripting attacks had and still have over cybersecurity.
1. Cross-Site Scripting (XSS) accounted for 40% of 2019 cyber attacks
(Source: PreciseSecurity)
In 2019, cross-site scripting (XSS) was responsible for nearly 40% of all cyber attacks globally, making it the most favored attack vector among hackers, followed by SQL injection and fuzzing.
2. 75% of large companies in Europe and North America were targeted by cyber attacks in 2019
(Source: PreciseSecurity)
3. MySpace XSS Worm infected over 1 million profiles back in the day
(Source: OWASP)
MySpace, in 2005, experienced the first recorded case of an XSS worm.
Samy Kamkar, a user of the platform, exploited the vulnerability and infected over 1 million profiles in just 24 hours.
The worm spread exponentially. It finally resulted in a change in the platform’s security practices.
4. Cross-site scripting (XSS) represents over 10% of published vulnerabilities in late 2021 and early 2022.
(Source: Unit 42)
Between November 2021 and January 2022, cross-site scripting (XSS) accounted for 10.6% of the 6,443 vulnerabilities published in that period.
5. Cross-Site Scripting (XSS) accounted for 50% of web-based exploits in 2016
(Source: Security Intelligence)
In 2016, cross-site scripting (XSS) accounted for half of all web-based exploits, making it the most significant security threat websites faced.
6. Cross-site scripting (XSS) traffic doubled in Q4 2020
(Source: Edgio)
Based on the data provided by Edgio, blocked XSS traffic increased two-fold from the second quarter of 2020 to the fourth quarter of 2020.
7. XSS attacks move up to third place among the top ten security threats
(Source: National Institute of Health)
XSS attacks moved up the list of top ten security threats from seventh place in 2017 to third in 2021, closely behind broken access control and cryptographic failures.
Real-Life examples of cross-site scripting attacks
(Source: Bright, Snyk)
8. British Airways fell victim to an XSS vulnerability in 2018
(Source: Bright)
In 2018, the notorious card-skimming hacker group Magecart targeted British Airways.
The group exploited an XSS vulnerability on the British Airways website in order to steal sensitive information from its customers.
9. Fortnite’s XSS vulnerability exposed the data of over 200 Million users
(Source: Bright)
In 2019, an XSS vulnerability in the popular multiplayer game Fortnite went unnoticed by developers, exposing the data of over 200 million users.
The flaw was found on a retired, unsecured page that allowed attackers to gain unauthorized access to sensitive information.
10. eBay had severe XSS vulnerabilities in late 2015 and early 2016
(Source: Bright)
In late 2015 and early 2016, eBay had a severe cross-site scripting (XSS) vulnerability.
The flaw lay in how the site handled a URL parameter, which allowed attackers to inject malicious code into a page. This could have led to data theft and a takeover of the site.
11. American Express XSS attack in 2008
(Source: The Register, via The Web Archive)
In December 2008, American Express was found to have a cross-site scripting (XSS) vulnerability on its website.
The vulnerability was publicly disclosed by Russ McRee after he spent more than two weeks trying to get someone at American Express to fix the problem.
The flaw could have allowed attackers to access customer account sections. The company eventually fixed the vulnerability.
12. Barack Obama’s electoral campaign XSS attack in 2008
(Source: Netcraft)
In 2008, a hacker named Mox found an XSS vulnerability on Barack Obama’s electoral campaign website, so he decided to exploit it.
What did he do? He redirected visitors to Hillary Clinton’s website.
The vulnerability was found in the community blog section, which allowed the hacker to inject malicious code into the form’s response.
However, the attack was discovered and fixed within a few hours.
13. McAfee vulnerability in 2009
(Source: CNET News, via Web Archive)
A screenshot shared by security researcher Mike Bailey in 2009 revealed his successful access to McAfee Secure through a cross-site request forgery loophole.
This incident exposed the susceptibility of McAfee sites to cross-site scripting (XSS) and cross-site request forgery attacks, endangering customers with potential phishing risks.
However, McAfee later pledged to adapt their processes accordingly.
14. Symantec and Kaspersky XSS vulnerabilities in 2009
(Source: Softpedia)
In April 2009, Team Elite, an ethical hacking group, identified and documented cross-site scripting (XSS) vulnerabilities on Kaspersky and Symantec websites.
The flaws could have been leveraged by malicious actors to hijack authentication cookies and inject malicious code into the affected pages.
However, Team Elite promptly notified both companies and the vulnerabilities were fixed.
15. CIA XSS attack in 2011
(Source: GMA News Online)
In 2011, the US Central Intelligence Agency (CIA) experienced an XSS attack. An Indian hacker named “lionaneesh” infiltrated and defaced the CIA website.
Exploiting an XSS vulnerability, the hacker, Aneesh Dogra, openly ridiculed the agency on its Twitter account, declaring, “CIA is not so intelligent.”
The defaced page was subsequently taken down, mitigating the attack’s impact.
16. Cisco Webex XSS vulnerability in 2016
(Source: Cisco)
In July 2016, Cisco acknowledged an XSS vulnerability in its widely-used WebEx platform. The vulnerability stemmed from inadequate validation of user input in the affected software.
An attacker could leverage this vulnerability by enticing a user to click on a specifically crafted URL, enabling the submission of malicious code to the software.
However, Cisco promptly addressed the issue to mitigate the risk of data breaches.
Statistics on DOM-based XSS attacks and vulnerabilities on popular websites
DOM-based XSS is a type of cross-site scripting attack that targets the browser’s Document Object Model (DOM) environment. The injected payload never has to reach the server: a client-side script reads attacker-controlled input (such as the URL fragment) and writes it into the DOM, where it executes.
17. Gawker Media’s 2013 DOM-based XSS vulnerability
(Source: Acunetix)
In September 2013, Gawker Media, the parent company of renowned websites, including Lifehacker and Gizmodo, encountered a significant vulnerability involving DOM-based XSS.
Luckily, it was found by the security researcher David Sopas, who had no malicious intent. Had it landed in the wrong hands, attackers could have used the unsanitized location.hash value to mount a DOM-based XSS attack.
However, the vulnerability was resolved across multiple sites within a remarkable timeframe of less than 24 hours.
18. Amazon Alexa’s DOM-based XSS vulnerability in 2020
(Source: Research Check Point)
The security issues resulted from susceptible subdomains of Amazon Alexa, which suffered from Cross-Origin Resource Sharing (CORS) misconfiguration and cross-site scripting (XSS) vulnerabilities.
When the XSS flaw was exploited, researchers obtained CSRF tokens, enabling them to carry out actions on behalf of victims. Amazon has since fixed the issue.
19. Microsoft website DOM-based XSS vulnerabilities in 2013
(Source: Softpedia, Acunetix)
In June 2013, researcher David Sopas found a serious DOM-based XSS vulnerability on Microsoft’s Pinpoint® website.
The issue originated from a vulnerable third-party system, Ensighten, which neglected to properly sanitize the location.hash property.
This made the company’s website susceptible to DOM-based XSS attacks. However, Microsoft acted swiftly to address and resolve all identified vulnerabilities.
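The location.hash pattern behind the Gawker Media and Microsoft Pinpoint findings above, as an added illustration that is not code from any of the sites named: the vulnerable innerHTML sink beside two hardened forms. The DOM element, the allow-list of section names and the sample fragment are constructed stand-ins so the logic runs under Node rather than in a browser.

```javascript
// Added illustration (not the affected sites' code): the location.hash -> innerHTML
// pattern that produces DOM-based XSS, beside two hardened forms. A minimal stand-in
// for a DOM element and a constructed fragment are used so the logic runs under Node.

// Stand-in for the element a page script would write into.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Untrusted source: the URL fragment (location.hash), URL-decoded. decodeURIComponent
// throws on malformed percent-encoding; treat that as an empty fragment.
function fragmentOf(hash) {
  try {
    return decodeURIComponent(hash.startsWith("#") ? hash.slice(1) : hash);
  } catch (e) {
    return "";
  }
}

// VULNERABLE: the fragment reaches an HTML sink unchanged, so any markup placed in
// the URL fragment is parsed as live markup by the browser.
function renderHashUnsafe(hash, el) {
  el.innerHTML = "<h2>" + fragmentOf(hash) + "</h2>";
  return el.innerHTML;
}

// HARDENED (preferred): accept only known section names and write via textContent,
// which never parses markup. The allow-list is constructed for this example.
const ALLOWED_SECTIONS = new Set(["overview", "pricing", "contact"]);

function renderHashSafe(hash, el) {
  const section = fragmentOf(hash);
  const ok = ALLOWED_SECTIONS.has(section);
  el.textContent = ok ? section : "Unknown section";
  return { ok, rendered: el.textContent };
}

// HARDENED (when markup must be built from the fragment): HTML-escape the
// metacharacters before the value reaches innerHTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderHashEscaped(hash, el) {
  el.innerHTML = "<h2>" + escapeHtml(fragmentOf(hash)) + "</h2>";
  return el.innerHTML;
}

// Constructed sample fragment carrying markup; only the unsafe path keeps it as HTML.
const SAMPLE_HASH = "#<b>not-a-section</b>";
```

In a real page the same three functions would be called from a `hashchange` handler, and a Content Security Policy is the usual second layer should a sink be missed.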
20. Cybersecurity Vulnerability Discovered in 2018
(Source: Cyber Security Help)
A significant cybersecurity vulnerability in 2018 allowed remote attackers to execute malicious code on vulnerable websites via inadequate sanitization of user-provided data.
This could result in the theft of sensitive information, website alteration, phishing, and drive-by-download attacks. The vulnerability has since been patched.
21. DOM-based XSS vulnerability on Dow Jones in 2013
(Source: Acunetix)
In July 2013, security researcher David Sopas identified a DOM-based XSS vulnerability in an Oracle Eloqua script on the Dow Jones & Company website.
It could have allowed manipulation of the document and, through it, access to sensitive information. However, it was fixed as soon as it was found.
22. WP-Pretty photo plugin vulnerability in 2013
(Source: Acunetix)
In 2013, security researcher Rafay Baloch identified the WP-Pretty Photo WordPress Plugin as vulnerable to DOM-based XSS attacks.
Had it not been discovered in time, it could have impacted many users, because at that point the plugin was installed on over 70,000 websites.
23. Facebook Like button DOM-based XSS vulnerability in 2012
(Source: Minded Security)
In September 2012, a security researcher discovered a DOM-based XSS vulnerability in Facebook’s like button due to improper input sanitization.
The flaw allowed attackers to execute malicious scripts and steal sensitive information. Facebook patched the vulnerability a day after receiving the advisory.
Cross-site scripting (XSS) attack trends
24. Cross-site scripting attacks caused nearly 3,000 data breaches in 2017
(Source: HailBytes)
25. Q1 2017 saw a 39% rise in XSS attacks
(Source: Snyk)
26. 40% of all 2019 cyber-attacks were executed via Cross-site scripting (XSS)
(Source: Financial IT)
In 2019, hackers performed almost 40% of all cyber-attacks using cross-site scripting, according to research from PreciseSecurity.com.
27. XSS injection attacks surged from 470 in 2011 to 22,000 in April 2022
(Source: PubMed Central)
In 2011, the number of cross-site scripting (XSS) injection attacks was only 470, but this figure has grown exponentially over the past decade.
According to recent cross-site scripting stats, the number of such attacks had surged to 22,000 in April 2022.
27. 75% of websites are vulnerable to XSS attacks
(Source: Ensighten)
28. 40% of XSS vulnerabilities are in web applications
(Source: Research Gate)
29. Almost all websites risk XSS attacks, with 92% potentially vulnerable
(Source: CyberNews)
30. Large-scale XSS vulnerability affected 685M users globally in 2018
(Source: Softpedia)
A significant XSS vulnerability was identified in 2018, which affected major social media and e-commerce services worldwide, putting 685 million users at risk.
Dangers of XSS Attacks on Healthcare Organizations
31. Mission Health, North Carolina, disclosed an XSS attack data breach in 2019
(Source: KirkpatrickPrice)
In October 2019, Mission Health, North Carolina’s sixth-largest health system, revealed a data breach from a cross-site scripting (XSS) attack.
Cross-site scripting in the financial sector
32. Cross-site Scripting (XSS) tops the list of most rewarded vulnerability types with $4.2M in bounties
(Source: Hacker One)
In 2020, Cross-site Scripting (XSS) was the most rewarded vulnerability type, with $4.2 million in total bounty awards, up 26% from the previous year.
33. 50% of websites have vulnerabilities susceptible to DOM-based Cross-Site Scripting (XSS)
(Source: Bright)
Security researchers detected DOM-based XSS vulnerabilities in high-profile internet companies like Google, Yahoo, and Amazon.
34. Acunetix report reveals 30% of web applications were vulnerable to XSS attacks in 2019
(Source: IBM Community)
35. Cross-Site Scripting (XSS) is the third most popular method of website hacking, accounting for 8% of incidents in 2018
(Source: IBM Community)
36. Google Cloud and Google Play XSS Vulnerabilities in 2022
(Source: Latest Hacking News)
In 2022, a security researcher, NDevTK, identified critical cross-site scripting (XSS) vulnerabilities in Google Cloud and Google Play.
The findings included a reflected XSS flaw in Google Cloud and a DOM-based XSS vulnerability in the Google Play app.
After receiving the bug report, Google promptly addressed the vulnerabilities and rewarded the researcher with a $5,000 bounty.
37. Tesla rewards researcher $10,000 for discovering XSS vulnerability in 2019
(Source: Security Week)
In 2019, a Nebraska-based white hat hacker, Sam Curry, received a $10,000 reward from Tesla after uncovering a stored cross-site scripting (XSS) vulnerability.
Curry inserted an XSS payload in the ‘Name Your Vehicle’ field of his Tesla Model 3’s infotainment system, using the XSS Hunter tool to detect where it fired. The flaw showed that vehicle information could potentially be accessed and modified.
Tesla acknowledged the severity, swiftly released a hotfix within 12 hours, and recognized Curry’s responsible disclosure.
Wrap Up
The cross-site scripting statistics above show how severe XSS attacks on websites can be and the harm they can cause.
As more and more websites become vulnerable to XSS attacks, it is crucial to implement effective measures to prevent and mitigate them.
However, as technology evolves, so do the tactics of cybercriminals, making it imperative to stay vigilant and proactive in protecting website security.
FAQ
Over 60 percent of web applications are susceptible to XSS attacks. Additionally, XSS accounted for almost 40 percent of all cyber attacks in 2019.
XSS is considered a high-risk vulnerability because of its potential to cause significant damage, including theft of data such as usernames, passwords, or financial information.
Moreover, it opens the door to malware distribution, potentially leading to device compromise, unauthorized access, and ransomware infections.
Which XSS is most common?
The most common type of cross-site scripting (XSS) is non-persistent (reflected) XSS.
Malicious scripts are injected and then “reflected” off the web server in the response to the user’s request. These scripts can be used to steal sensitive information, perform unauthorized actions, or redirect users to malicious websites.
One of the biggest and most infamous cross-site scripting attacks is the Samy worm. In 2005, it rapidly impacted over a million users within 20 hours.
When users visited infected profiles, the code executed, allowing the worm to spread autonomously to other profiles without users’ knowledge or consent. Consequently, it caused a great deal of disruption to MySpace users: many were bombarded with friend requests from the worm, and their profiles were defaced with spam messages.
How critical is XSS?
XSS can pose a critical threat to both users and organizations.
Malicious actors can exploit XSS vulnerabilities to steal sensitive data, impersonate users, deface websites, distribute malware, and execute other nefarious activities.
Sources:
- PreciseSecurity
- OWASP
- Unit 42
- Edgio
- National Institute of Health
- Bright
- Snyk
- The Register
- Netcraft
- CNET News
- Softpedia
- GMA News Online
- Cisco
- Acunetix
- Cyber Security Help
- Research Check Point
- Minded Security
- HailBytes
- Financial IT
- PubMed Central
- Invicti
- Ensighten
- Research Gate
- CyberNews
- KirkpatrickPrice
- HackerOne
- IBM Community
- Latest Hacking News
- Security Week
- SecureCoding
- ENISA