Thursday 29 December 2011

XSS and Verizon DBIR

I recently gave a short talk at OWASP Switzerland. One of the slides I showed was a figure taken from the Verizon 2011 Data Breach Investigations Report. (DBIR) (below) which was published in April 2011. The chart shows the type of hacking used as a percentage. The DBIR report looked at approximatelay 761 data breaches - not only those caused by web application vulnerabilities. It's worth reading.
The main discussion point at the chapter meeting was the value for Cross site scripting (XSS). According to the DBIR only 1% of data breaches are as a result of XSS vulnerabilites and less than 1% of stolen records. SQL injection accounts for 14%  (and 24% of records stolen), That said, there is no direct mapping from the types of hacking to the OWASP Top 10.

The value for XSS seems low given the focus that the AppSec community and OWASP place on it. One question that arises is whether these figures are accurate. Verizon does talk about "Sample Bias", but it should be noted that much of the data comes from outside organisations.

A few thoughts:
  • Based on these figures it would be difficult to persuade managers with a limited security budget to invest significantly in preventing XSS.
  • Issues with authentication and passwords are much more prevalent according to DBIR. Does this indicate that XSS should fall a few places in the next version of OWASP Top 10 and that "A3: Broken Authentication and Session Management" should climb? This, especially as the OWASP Top 10 is meant to reflect actual risk.
  •  XSS vulnerabilities are prevalent in many web applications but are not actually exploited all that much to breach data.

Here is the DBIR chart. The quality isn't great. Best to see it in the original Verizon 2011 DBIR report on page 32. Figure 23 a few pages later is also interesting. It shows that Web Applications attacks were used in 22% of the breaches, but result in 38% of the records breached. So you get more bang for your buck if you attack an online application.

Social: DiggIt! Reddit Stumble Google Bookmarks Technorati Slashdot


  1. A couple of points to note:

    The Verizon DBIR is very oriented to PCI DSS. In fact 96% of the records lost from the 761 cases are Payment card numbers/data. The number for lost intellectual property is 0%.

    Also, of the 761 companies involved, 522 had fewer than 101 or an unknown number of employees.

    So I would be cautious when drawing conclusions.

  2. RiskPundit,

    I agree that the figures should be taken with caution. I was originally thinking of calling this post "Lies, Damn Lies and XSS".


  3. A few more thoughts:

    1. Would many organisations count XSS as a "Breach"?

    2. Would many organisations even know they had an XSS problem?

    3. Would the organisations care, especially if the effects were more significant for individual users than for the organisation?

    If we look at the impact from the user's perspective (and some organisations in the government and not-for-profit sectors might do this), the impact ranking would be different.

  4. Clerkendweller,

    I think it's only a breach if the XSS vulnerability is exploited. And that's the main point of the Verizon DBIR - if you accept it. While it is prevalent, how often is it exploited? That is the risk factor.

    Then the question for me is whether too much too much emphasis is placed on XSS at the expense of the other types of problems as presented in the Verizon DBIR chart.