Cross Site Scripting, User Behavior and Phishing

I read a paper titled “Why Phishing Works” a couple of days back.  It provides some very cool analysis of how users develop trust in websites and when this trust causes people to fall prey to phishing attacks.  The authors break users’ strategies for determining website legitimacy into five different levels or categories:

  1. Security indicators in website content only
  2. Content and domain name only
  3. Content and addresses, plus HTTPS
  4. All of the above, plus padlock icon
  5. All of above, plus certificates

Let’s face it – if users only look at website content then there may be no hope for them.  There is basically nothing that can be done to help prevent phishing attacks against these folks except for user education.

But – for all the other user groups, preventing cross-site scripting (XSS) attacks against web applications will block attackers from using those applications to support phishing attacks.  XSS flaws let attackers abuse the site itself (identified by the domain name, URL and potentially even HTTPS-served content), and if you take that power away users have a fighting chance.
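The flaw at issue, shown as an added example rather than code from the original post: a page that reflects a request parameter into its HTML, first without output encoding (so whatever arrives in the URL is served from the site's own domain and HTTPS connection) and then with it. The "search" page and the untrusted input are constructed for illustration.

```javascript
// Added example, not from the original post. A minimal page-rendering
// function shown in its vulnerable form and its hardened form; the
// search page and the untrusted input below are constructed.

// Encode the five characters that let untrusted text break out of an
// HTML text node or attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the query value is concatenated straight into the page, so
// any markup placed in the URL is rendered by the browser as part of the
// trusted site (same domain name, same padlock, same certificate).
function renderSearchUnsafe(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Hardened: the same page, but the untrusted value is encoded before it
// is placed in the HTML, so it can only ever appear as literal text.
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Constructed untrusted input: markup that would appear, to a user
// checking the domain and HTTPS, to be part of the legitimate site.
const untrusted =
  '<a href="https://example.invalid/login">Re-enter your password</a>';

console.log(renderSearchUnsafe(untrusted)); // link is live inside the page
console.log(renderSearchSafe(untrusted));   // link is shown as plain text
```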

Asserting “fixing XSS flaws helps to prevent phishing” is certainly not news, but this paper provides actual numbers on the impact, based on user behavior studies.  Great ammunition if you have to make a case for remediating application security vulnerabilities before implementing the next great feature.

dan _at_

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.