
CISA and FBI urge eliminating XSS vulnerabilities


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert urging software developers to eliminate cross-site scripting (XSS) vulnerabilities in their products. The alert emphasizes the importance of addressing these vulnerabilities, which can be exploited by threat actors to inject malicious scripts into web applications and manipulate, steal, or misuse data across various contexts. CISA and the FBI are calling on technology manufacturers to thoroughly review their software and ensure that future releases are free of XSS vulnerabilities before shipping.

They recommend that executives initiate formal reviews of their software development processes to implement mitigations and adopt a secure-by-design approach. The alert states, “Cross-site scripting vulnerabilities arise when manufacturers fail to properly validate, sanitize, or escape inputs. These failures allow threat actors to inject malicious scripts into web applications, exploiting them to manipulate, steal, or misuse data across different contexts.”

To prevent XSS vulnerabilities, CISA and the FBI advise technical leaders to review threat models, ensure software validates input for structure and meaning, and use modern web frameworks with built-in output encoding functions.

They also recommend maintaining code security and quality through detailed code reviews and adversarial testing throughout the development lifecycle. XSS vulnerabilities were listed among the top 25 most dangerous software weaknesses by MITRE, surpassed only by out-of-bounds write security flaws.

Addressing XSS vulnerabilities in software

This latest alert is part of CISA’s “Secure by Design” series, which aims to highlight the prevalence of widely known vulnerabilities that persist in software products despite available mitigations. The agencies encourage manufacturers to adopt principles that focus on customer security outcomes, transparency, and accountability. They emphasize that relying solely on detecting and patching vulnerabilities after identification is not a sustainable security strategy.

Instead, effective mechanisms to prevent vulnerabilities early in the development cycle must be employed. Senior executives at software manufacturers are urged to take responsibility for customer security by regularly testing and reviewing code for product vulnerabilities. They should follow proven methods for thorough testing and lead with transparency in disclosing vulnerabilities to customers.

To date, more than 150 software manufacturers have signed CISA’s “Secure by Design” pledge, demonstrating their commitment to prioritizing secure technology from the start. By implementing these guidelines, software manufacturers can significantly reduce the risk of XSS vulnerabilities and enhance the overall security of their products, protecting users from potential exploits.
