Cross-site scripting has become the main threat to web applications
Since the beginning of the year, the number of cyber attacks in Russia that inject malicious scripts into popular web applications has been growing. By exploiting vulnerabilities in sites, attackers can gain access to user data. Such attacks can lead to data leaks, for which, from the end of May, businesses face large fines. Experts consider this an "eternal" vulnerability and say that owners of web services need to keep their protective measures constantly updated.
“Kommersant” has reviewed webmonitorex statistics on web threats for the first quarter of 2025, which show that of the 270 million attacks recorded during this period, 40% were cross-site scripting (XSS) attacks, 10 percentage points more than in the same period last year. The data covers more than 160 large organizations from various industries, including the public sector, IT, retail, finance, healthcare, industry and telecom.
XSS (cross-site scripting) is a cyber attack in which the attacker injects malicious code (usually JavaScript) into a vulnerable site, web application or API (application programming interface, which allows information to be obtained from the site bypassing the user interface). When a user visits such a site, the script executes automatically in their browser, which can lead to data theft, page substitution or other attacks.
The upward trend in cross-site scripting is confirmed by Igor Bederov, founder of Internet Writing: XSS attacks remain among the most common threats to web applications. Cross-site scripting is most often aimed at the sites of online stores and aviation and transport companies, since on their resources the likelihood of user data being stolen, especially bank card data, is much higher, explains Timofey Voronin, deputy director of the NTI Competence Center at Moscow State University. Among recent large attacks of this kind, Igor Bederov cites a leak of customer data at a large logistics company: attackers used malicious scripts to gain access to cookies and accounts.
Besides stealing user data, cross-site scripting can be used for cryptojacking (unauthorized cryptocurrency mining on the victim's resources), compromising the site and placing someone else's content on it, said Alexander Blemosyzov, head of the IBC of the Telecom Exchange. Another problem for resource owners is the risk of data loss: under 152-ФЗ, liability for a personal data leak lies with the operator. For a first leak, under the new rules entering into force at the end of May, a company faces a fine of up to 15 million rubles, depending on the number of records in the leak. For a repeated leak, turnover-based fines of up to 3% (but not more than 500 million rubles) are introduced.
Most of the experts surveyed agree that XSS will remain an "eternal" vulnerability. "This is due to the human factor in development, the complexity of protecting against such attacks and their evolution due to the use of AI," notes Mr. Bederov. At the same time, modern web application frameworks are designed in a way that reduces the likelihood of such vulnerabilities, says Vyacheslav Vasin, head of the security competence center at Kaspersky Lab, and browser developers, in turn, implement protective mechanisms that detect attacker activity. But because of user errors, vulnerabilities will continue to appear, he concludes.
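To make the mechanism described above concrete, the following added example (not from the article or any of the companies quoted) shows the core of a reflected XSS bug, the output encoding that modern frameworks apply automatically, and the response headers that limit what an injected script can do. The function names, header values and the sample search string are constructed for illustration.

```javascript
// Added example, not part of the article. A search page that echoes the
// user's query back into the HTML, first with the bug, then hardened.

// Vulnerable: untrusted input is concatenated straight into HTML, so a query
// containing a <script> tag becomes a live script in every visitor's browser.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: encode the characters that change meaning in HTML text and
// attribute contexts. Template engines in modern frameworks do this by default.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defence in depth for the cookie-theft scenario the article describes:
// HttpOnly keeps the session cookie out of document.cookie, and a CSP without
// 'unsafe-inline' stops the browser from executing injected inline scripts.
function defensiveHeaders(sessionId) {
  return {
    'Set-Cookie': `session=${sessionId}; HttpOnly; Secure; SameSite=Lax`,
    'Content-Security-Policy': "default-src 'self'; script-src 'self'",
  };
}

// Simple check used below: does the rendered HTML contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a search string carrying a script tag.
const sampleQuery = '<script>alert(1)</script>';

console.log('vulnerable:', renderSearchVulnerable(sampleQuery)); // script survives
console.log('safe:      ', renderSearchSafe(sampleQuery));       // rendered as text
```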