IBM researchers have found Document Object Model (DOM) vulnerabilities in the websites of some of the biggest corporations in the world.
In a survey of the websites belonging to all Fortune 500 listed companies and an additional selection of 175 other businesses, researchers found that nearly fifteen percent contained serious security flaws.
The vulnerabilities leave the sites open to cross-site scripting (XSS) and open redirect exploits, both favorites of criminal hacking networks.
The researchers applied a JavaScript Security Analyzer (JSA) to randomly selected webpages from the surveyed websites in a controlled environment to test for these vulnerabilities.
DOM-based XSS is considered difficult to detect because it arises from weaknesses in client-side JavaScript code, as opposed to the more common XSS variants, which involve server-side scripts that parse form input.
More than one third of the vulnerabilities were due to the presence of third-party code, such as JavaScript libraries.
The researchers concluded that, "based on the dataset that we analyzed, we may extrapolate that the likelihood that a random page on the internet contains a client-side JavaScript vulnerability is approximately one in 55."
The vulnerabilities leave visitors to the websites open to session hijacking, social engineering attempts, and drive-by malware exposure.