The ways in which your organization can be damaged by Cross-site Scripting (XSS) attacks are endless. Apart from the damage it can cause on its own, successful cross-site scripting can be used as a platform for delivering even more devastating attacks. First, the attack impacts your users and/or employees and may have serious repercussions on your business. Secondly, your organization can be impacted if the attackers successfully damage your website’s ability to generate revenue or your production web applications. Even if your organization doesn’t experience an XSS attack, the presence of an XSS vulnerability can cause significant PR damage, particularly if others find it first and the incident gets published on security websites, or even in the news if the incident affects a lot of users. The main targets of cross-site scripting attacks are organizations relying heavily on web technology to generate revenue, such as providers of online services, particularly services that store personal or financial information (online shops, online payment and banking services, etc.), since such data can generate income for hackers. Another important category of targets for XSS are organizations that accommodate large online communities of users, such as social media and online news sites. In this case, the attacks have a higher chance of success, due to the large number of potential victims against whom they can be carried out. Hackers exploiting XSS vulnerabilities have various goals, but their ultimate goal is to gain access to user information and sometimes to perform website defacement. If they succeed, the costs of the damage taken by the organization are difficult to predict. However, we will try to evaluate the cost for the most common types of XSS attacks.
Bad User Experience May Lead to Decreasing Customer Base
Cross-site scripting is a client-side attack, so it will impact your users first. If your website has an XSS vulnerability, the attacker will exploit the vulnerability to retrieve your online users’ cookies. Using the cookie, the attacker can replay the users’ sessions, thus gaining access to the information your site provides to the user. In this case, your users become victims of the XSS attack, and this can have various repercussions, including data theft, deployment of malware (which appears to be coming from your site), and further escalation using other vulnerabilities, such as CSRF. Most often, users do not notice that they are the target of an XSS attack, but when they do, their experience with your services becomes tainted, and this will lead to a decrease in customers.
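The two controls that break the cookie-theft chain described above are output encoding of untrusted values and the HttpOnly flag on the session cookie. The following Python snippet, added here as an illustration and not code from the original article, shows a minimal vulnerable page-rendering function next to its hardened form, together with a helper that builds a Set-Cookie header and a check that tells whether a browser would expose a given cookie to page script. The probe string, cookie name and session value are constructed for the example.

```python
import html


def render_greeting_vulnerable(name: str) -> str:
    """Reflects an untrusted value straight into HTML: the XSS condition."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_hardened(name: str) -> str:
    """HTML-encodes the untrusted value so markup in it is rendered as text, not executed."""
    return f"<p>Welcome back, {html.escape(name, quote=True)}!</p>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Builds a Set-Cookie header for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so script injected through an
    XSS flaw cannot read it; Secure limits it to HTTPS; SameSite=Lax limits cross-site
    sending. The cookie name 'session' is an assumption for this example.
    """
    attrs = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if secure:
        attrs.insert(0, "Secure")
    return f"Set-Cookie: session={session_id}; " + "; ".join(attrs)


def cookie_is_script_readable(set_cookie_header: str) -> bool:
    """True when the header lacks HttpOnly, i.e. page script could read the cookie."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")]
    return "httponly" not in attrs


if __name__ == "__main__":
    # Constructed probe value; any value that reaches the page unencoded would behave the same.
    probe = "<script>alert('xss')</script>"
    print(render_greeting_vulnerable(probe))   # markup survives: the script tag is live
    print(render_greeting_hardened(probe))     # markup is encoded: shown as text
    weak = "Set-Cookie: session=abc123; Path=/"
    print(weak, "-> readable by script:", cookie_is_script_readable(weak))
    strong = session_cookie_header("abc123")
    print(strong, "-> readable by script:", cookie_is_script_readable(strong))
```

The encoder belongs at the point where the value is written into the page, not at input time, because the same value may later be placed in a different context (an attribute, a URL, a script block) that needs a different encoding. The cookie check is the kind of thing that is cheap to run against every Set-Cookie header your application emits in a test suite.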
The Cost of Responding to an Attack
The timing between identifying an XSS attack and resolving it is crucial. According to a study on the Cost of Cyber Crime, by the Ponemon Institute, the average time it took to resolve a cyber attack was 32 days – with an average cost of $1,035,769 (that’s $32,469 per day) for the participating sample of organizations.
Impact on Employee Productivity Leads to Loss of Business Revenue
For organizations that rely on internet-facing web applications as part of the production flow, XSS vulnerabilities are, again, a major point of concern. Employees may become the victims of XSS attacks and their ability to use the production web application may be limited. Moreover, XSS attacks may be used to install malware, thus compromising the employees’ workstations and affecting productivity even further. In addition, a hacker who discovers an XSS vulnerability can gain access to your production web application by stealing your users’ sessions. This would allow the hacker access to the functions in your web application which should be reserved for your employees. Thus, depending on the web application, the attacker will gain access to your customer or supplier data, information on how you do business, information on your business processes, information on your company’s financials, etc.

Revenue loss from the inability of a number of employees to perform day-to-day business operations can be quantified using the average revenue generated by each employee per hour. If the web server is compromised and the web application ceases to function, the impact will be even higher. If you have 25 employees who bring you an hourly revenue of $100 each, and 80% of them are impacted by not being able to use your business web application for one day, you will lose money in the range of $20,000, to which you must add the costs of working with your software vendor to fix the XSS vulnerability.

Cost of critical web application downtime = NE * I * Rh * h
- NE = number of employees who bring revenue
- I = impact, the percentage of employees affected
- Rh = hourly revenue per employee
- h = number of hours the web application is down
XSS Vulnerabilities May Lead to Downtime
A less obvious, but important, outcome of XSS vulnerabilities found in websites or web applications is downtime. For companies relying on web technology to drive their main business, downtime takes a big toll, no matter what causes it. In the case of XSS vulnerabilities, downtime can result from fixing the problems that permit the XSS condition, or from successful XSS attacks that deface the website. If your website has an XSS vulnerability, along with performing the usual restore operations (restore from backup, reset of security parameters, passwords, reboots, etc.), additional steps need to be taken to ensure that the XSS vulnerability is removed:
- Investigation to evaluate any damage which might have been caused by XSS attacks exploiting the vulnerability being found
- Investigation to identify the code responsible for the vulnerability
- Fixing the vulnerable code
- Testing and deploying the fix in the production environment.
Consequently, instead of taking a matter of minutes or hours, as is usually the case with downtime caused by hardware failure or other factors, in the case of successful web attacks or discovery of XSS vulnerabilities it may be a matter of days or even weeks until the compromised website can be back online safely. The math in this case is pretty simple: if your website generates $150 per hour, whenever your site is down due to an XSS vulnerability you would be losing in the region of $5,000 – $30,000, assuming that the website is completely offline and inoperable for between two and ten days. In addition, you need to add the costs of finding and fixing the vulnerability which made the attack possible in the first place. Depending on who owns the code, your contractual relationship and the availability of the website developers, the total costs can be even higher.

Cost of website downtime = (HR * h) + IFC
- HR = hourly revenue from the website
- h = number of hours the website is down (in the case of an XSS attack, h is significantly higher)
- IFC = investigation and fixing costs for the XSS vulnerability
Bad PR and Reputation Loss Lead to Loss of Business Revenue
We have focused on how an XSS vulnerability affects users, employees and the business, which leads to direct costs that can be easily calculated. However, the organization can suffer other, indirect costs from the exploitation of XSS vulnerabilities, which also need to be taken into consideration when calculating the real costs of such flaws. Lately there has been significant development in communities of security researchers and companies specializing in security assessment. Most of them actively look for vulnerabilities in websites and web applications and make revenue from finding them, or use the findings for commercial purposes. When XSS vulnerabilities are found, they are published on security websites, such as http://xssed.com or, depending on the popularity of the target website, they may make the headlines of online IT news sites, such as The Register. In any case, the presence of XSS may lead to negative PR with consequences for the business revenue. Additionally, your organization can suffer reputation loss from successful XSS attacks which result in website defacement or data theft. Website defacement has a high impact because it damages the image of your organization and may allow website modifications that redirect users to malicious websites, which are recognized by antivirus software on the client machines. Hence it is highly likely that website defacement is noticed by customers, business partners or legal authorities (if there is information leakage involved), leading to reputation loss and ultimately business revenue loss. Defacement is quite popular among hacking communities because it allows hackers to demonstrate their skills against the security measures of top websites and allows them “to make a statement” in a visually concise manner to the target audience of the defaced website. As if this is not bad enough, your website’s reputation as seen by search engines will be affected if your site is seen as being the conduit for malware distribution. This will lead to your site being blacklisted by search engines and by other sites which generate traffic to your site, nullifying your marketing efforts and investment.
XSS vulnerabilities that are successfully exploited by an attacker would generally lead to data theft. Depending on the nature of the website or web application, the type of data which can be stolen varies, and so do the costs. Attackers use XSS to trick users into providing security-sensitive information. XSS vulnerabilities are also often used to steal cookies containing authenticated session details and gain access to information that can be used for more targeted attacks. If cookies belonging to users with elevated privileges are stolen, the impact is much bigger, because the attackers may gain privileged access to the information being hosted or manipulated by the website or web application. When that happens, attackers usually try to steal customer / partner personal information including names, addresses, SSNs, and credit card numbers, because this information can easily be sold or used for criminal activity. The costs of losing private data may be:
- Reputation / credibility loss leading to diminished business revenue due to a decreased number of customers
- Costs of internal investigation
- Costs of crisis management
- Costs of compliance fees (depending on the type of data lost)
For example, most online shops outsource their entire payment logic and transactions to third-party service providers and do not fall under the scope of PCI DSS or similar compliance regulations. However, pretty much any online business will record at least the following from a customer or prospect: name, address, identification (SSN, ID card number, sometimes even parts of the credit card number), phone number / email address. When such information is lost, the general outcome is identity theft, with important implications for the victims and the online shop. According to the Federal Trade Commission, identity theft was the number one consumer complaint in 2013, and it has been for more than a decade.
The Likelihood of XSS Happening
Having seen the damage that XSS attacks can inflict, let’s have a look at the likelihood of being the target of such an attack. Cross-site scripting attacks increased by 160% in the last quarter of 2012, from over 1M to 2.6M in one quarter, and accounted for 57% of the recorded attacks, according to FireHost, a secure cloud service provider. According to Trustwave security research, “82% of web applications are vulnerable to cross-site scripting”, and “over 6% of top 1,000 websites had a successful XSS attack”. Considering the latest trends in XSS activity and the findings of security teams measuring their effect, the likelihood of being hit by an XSS attack is significant and should not be overlooked. At the same time, the costs are high and sometimes difficult to quantify, making the investment in a cross-site scripting protection solution a wise choice for any security-aware business that relies on web technology.