This article first appeared in EnableSecurity newsletter 0×0001. Subscribe to the newsletter by sending an email to newsletter@enablesecurity.com.

It is often easy to calculate risk incorrectly. This may be due to lack of information or because one is not looking at the big picture. One particular topic that came up a month or so was prioritizing XSS on a main website which has no sensitive information, only informational content. The sensitive information is available on a different site to which the main website links. In many cases, such sites are not considered worth fixing within a reasonable time and tend to stay vulnerable because other tasks of higher priority come up. That is, until one of the following scenarios happens:

• Blackhat SEOs target your site to help increase their google ranking
• No better or worse phishing attack than having your website include a form asking for a username and password which are sent to a Taiwanese webserver. This especially applies if your service is a target of phishers.
• Displaying of fake articles and press releases on your website, or redirection to malicious executables making it appear that your legit site is sending malware.
• The media catches on and publishes details of the vulnerability – this is what just happened to American Express in the past days.