Jan 10, 2011 10:14 GMT  ·  By

A study performed by security researchers from IBM revealed that around one in seven websites belonging to the world's wealthiest companies is plagued by DOM-based cross-site scripting vulnerabilities or open redirects.

The research was performed on a set of 675 websites: those of all Fortune 500 companies, plus an additional 175 handpicked sites belonging to security vendors, reputable IT firms or social networks.

Researchers used a crawler to retrieve 200 random pages from each website with complete HTML, JavaScript and CSS code and then scanned them in a controlled environment with an internally-developed tool called JavaScript Security Analyzer (JSA).

The JSA technology is meant to detect client-based JavaScript vulnerabilities, like DOM-based (Document Object Model) cross-site scripting (XSS) and open redirects.

Unlike the more common reflected or persistent XSS attacks, which rely on flaws in the server-side scripts that process form input, DOM-based cross-site scripting leverages weaknesses in the client-side JavaScript code itself.

This third type of XSS vulnerability is generally considered the hardest to locate automatically, and attacks exploiting it can also prove harder for the webmaster to detect, since the malicious payload may never reach the server.

They can be exploited to infect users with malware, hijack visitors' sessions or launch phishing and other social engineering attacks.
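To make the source-to-sink pattern that such a scanner looks for concrete, here is an added example (not IBM's JSA and not code from the whitepaper): a toy taint tracker that walks JavaScript statements, marks variables fed from untrusted DOM sources such as `location.search`, and reports statements that pass them into HTML-injection or navigation sinks. The `SAMPLE` snippet it scans is constructed for illustration.

```javascript
// Added example: a minimal, line-oriented taint tracker for the two
// client-side flaw classes in the study (DOM-based XSS, open redirects).
// Untrusted DOM sources an attacker controls via the URL or opener.
const SOURCES = /\blocation\.(?:hash|search|href)\b|\bdocument\.(?:URL|referrer)\b|\bwindow\.name\b/;

// Sinks, grouped by the flaw they produce when fed tainted data.
const SINKS = [
  { kind: "dom-xss",
    re: /\.(?:innerHTML|outerHTML)\s*=(?!=)|\bdocument\.write(?:ln)?\s*\(|\beval\s*\(/ },
  { kind: "open-redirect",
    re: /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:assign|replace)\s*\(|\bwindow\.open\s*\(/ },
];

// Simple assignment to a plain identifier: "var q = <expr>" or "q = <expr>".
const ASSIGN = /^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=(?!=)\s*(.+)$/;

function splitStatements(src) {
  return src.split(/[;\n]/).map(s => s.trim()).filter(Boolean);
}

// An expression is tainted if it reads a source or names a tainted variable.
function isTainted(expr, tainted) {
  if (SOURCES.test(expr)) return true;
  return [...tainted].some(v => new RegExp(`\\b${v}\\b`).test(expr));
}

// Returns [{ kind, statement }] for every tainted flow into a sink.
function scan(src) {
  const tainted = new Set();
  const findings = [];
  for (const stmt of splitStatements(src)) {
    for (const { kind, re } of SINKS) {
      // Strip the sink itself so "location.href" as a target is not read as a source.
      if (re.test(stmt) && isTainted(stmt.replace(re, ""), tainted)) {
        findings.push({ kind, statement: stmt });
      }
    }
    const m = ASSIGN.exec(stmt);
    if (m) {
      if (isTainted(m[2], tainted)) tainted.add(m[1]);
      else tainted.delete(m[1]);          // overwritten with a clean value
    }
  }
  return findings;
}

// Constructed sample page script: two real flows, two clean statements.
const SAMPLE = `
var q = decodeURIComponent(location.search.substring(1));
var label = "Results for: " + q;
document.getElementById("out").innerHTML = label;
var next = new URLSearchParams(location.search).get("next");
location.href = next || "/";
var clean = "static";
document.getElementById("hdr").innerHTML = clean;
location.href = "/home";
`;

for (const f of scan(SAMPLE)) console.log(`${f.kind}: ${f.statement}`);
```

The tracker only follows straight-line assignments, so flows through function parameters or object properties, which a real analyzer such as JSA must model, are missed.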

Pages downloaded from 92 websites were found vulnerable to DOM-based XSS, while open redirects - vulnerabilities that can send the visitor's browser to a URL of the attacker's choosing - were found on 11 sites.

Another interesting finding of this research was that third-party code, such as external JavaScript libraries, was responsible for the weaknesses in 38% of cases.

Third-party vulnerable code included JavaScript snippets used for marketing campaigns, Flash embeddings, social networking and AJAX applications.

"Lastly, based on the dataset that we analyzed, we may extrapolate that the likelihood that a random page on the internet contains a client-side JavaScript vulnerability is approximately one in 55," the researchers conclude in their whitepaper [pdf].