In the security industry we’ve been dealing with Cross-Site Scripting (XSS) vulnerabilities for more than a decade now. It is still the #2 web application vulnerability according to the OWASP Top 10. Our friends at IBM X-Force show that XSS vulnerabilities appear in 41% of applications out there.
What is XSS? In a nutshell, it allows a bad guy to perform actions on your behalf. The hacker does that by injecting JavaScript that your browser executes when you view the page. Just imagine how bad that could be if it happened on your banking site, social network or your web mail provider.
Since it is clear that XSS isn’t going away, IBM is shipping a brand new XSS detection mechanism in the latest release of IBM Security AppScan 8.6. The new XSS Analyzer applies human-like learning techniques, allowing it to find vulnerabilities that were previously undetectable by automatic scanners.
XSS Analyzer takes a different approach. It uses a massive knowledge base of more than 700 million potential tests that was meticulously crafted by security experts. A learning system imitates the actions of a human expert. The tests it sends are designed to learn information about the application's behavior. It follows a disciplined step-by-step approach, where each step is carefully and uniquely crafted. Comprehensive testing shows that, on average, the new system is able to determine whether a vulnerability exists using only 20 requests. This is a significant improvement over the state of the art.
With XSS Analyzer, security researchers at IBM have packaged their own penetration-testing expertise into a smart, learning system. By mimicking a human attacker, XSS Analyzer learns the defense patterns of an application and finds ways to defeat them. This allows XSS Analyzer to find vulnerabilities that could never be found automatically before, with higher accuracy and in less time.
Are you excited by XSS Analyzer? Leave us a comment!