Google has just released two new tools for developers with the purpose to shield web domains from XSS scripting vulnerabilities. XSS, or cross-site scripting, is a common issue in cybersecurity.
An XSS-powered attack takes place when malicious actors implement malicious scripts to legitimate websites. An XSS vulnerability is exploited when you, for instance, send a website content that includes embedded malicious JavaScript. The website will later include the code in its reply. Such attacks can lead to malvertising campaigns, watering hole and drive-by attacks.
XSS Flaws Prevail in Google’s Apps
Just in the past 2 years Google alone has awarded researchers over $1.2 million for reporting XSS flaws in their applications via the Vulnerability Reward Program.
The good news is that web technologies such as the strict contextual auto-escaping assist developers in evading mistakes exposing apps to XSS attacks. There are also automated scanners that detect classes of vulnerabilities during testing. Nonetheless, when an app is more complex catching the bug on time becomes more difficult.
Content Security Policy (CSP) is a mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources.
CSP is a versatile tool enabling developers to set a wide range of policies and it is supported by all modern browsers, in some cases partially. However, in a recent study where 1 billion domains were analyzed Google found that 95% of deployed CSP policies don’t work against XSS.
One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections.
The CSP Evaluator
This is how we get to CSP Evaluator – a tool employed by Google engineers to have a deeper look into the effect of setting a policy. The CSP Evaluator also alerts whenever small misconfigurations could eventually lead to XSS issues. In addition, Google advises developers to set a “nonce”- an unpredictable, single-used token which serves to match a value set in CSP policies. This is done to improve web security.
The CSP Mitigator
The other tool Google recently promoted is the CSP Mitigator. It’s a Chrome extension for developers to review compatibility apps with nonce-based CSP.
The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP. This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: