Cross-site scripting issues remain a big problem for the web: using a combination of big data mining and relatively simple detection methods, we have identified attackers successfully exploiting XSS flaws on over 1,000 vulnerable pages on hundreds of websites, spanning multiple countries, types of organizations, all major TLDs, and well-known international companies. We also found numerous malicious attacks of varying severity leveraging existing XSS vulnerabilities.
In this talk we first summarize our findings, presenting both unusual cases and various statistics, and then present state-of-the-art methods of protection against probing for XSS vulnerabilities and against XSS attacks, showing that they are capable of intercepting over 95% of the real-world malicious samples. We will also introduce a new research tool called detectXSSlib, a lightweight module for the nginx server dedicated to real-time detection of XSS attacks.