Cross-site scripting (XSS) online archive XSSposed has reported that it has received 1,087 vulnerabilities on 692 vulnerable websites reported by 90 security researchers in its first month.
XSSposed is an open, non-profit internet XSS archive where any security researcher can report an XSS vulnerability on any website. Its authors said that the purpose of the project is to maintain a complete archive of XSS vulnerabilities on all possible websites and domains.
It said that the idea of the project is to facilitate vulnerability disclosure; for security researchers, XSSposed is a safe place to report an XSS vulnerability and gain public recognition or credit.
Commenting, Ilia Kolochenko, CEO of High-Tech Bridge, said he was not surprised that security researchers were motivated to report XSS vulnerabilities on one public archive. “Today we have very few efficient ‘Bug Bounties’ that work properly and fairly. A full disclosure approach may finally be the catalyst that will push web developers to secure their websites rapidly,” he said.
“XSSposed is quite an interesting project; we have been monitoring it for several weeks. This week we are going to integrate it into our ImmuniWeb Hacking Resource Monitor. It seems that the project has definitely replaced XSSed.org to become the main source of publicly disclosed vulnerabilities.”
Tom Cross, director of security research at Lancope, told IT Security Guru that he felt that it was a good thing that these vulnerabilities are being identified and fixed, especially as XSS vulnerabilities remain a common problem on the internet, and they can have significant security consequences.
He said: “Ideally, it’s best for vulnerabilities to be disclosed to the public in coordination with the affected software vendor or website. Public disclosure before vendor notification creates a window of time when anyone can target the vulnerability.
“After the vulnerability has been repaired, full disclosure of details can help security researchers and software developers better understand how vulnerabilities occur in the first place.”