Google has just released two new tools designed to help developers shield web domains from XSS vulnerabilities. XSS, or cross-site scripting, is one of the most common issues in web security.
XSS Flaws Prevail in Google’s Apps
Just in the past 2 years Google alone has awarded researchers over $1.2 million for reporting XSS flaws in their applications via the Vulnerability Reward Program.
The good news is that web technologies such as strict contextual auto-escaping help developers avoid the mistakes that expose apps to XSS attacks. There are also automated scanners that detect classes of vulnerabilities during testing. Nonetheless, the more complex an app is, the harder it becomes to catch the bug in time.
Content Security Policy (CSP) is a mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources.
CSP is a versatile tool that lets developers set a wide range of policies, and it is supported by all modern browsers, in some cases only partially. However, in a recent study in which 1 billion domains were analyzed, Google found that 95% of deployed CSP policies don’t work against XSS.
One of the underlying reasons is that, of the 15 domains most commonly whitelisted by developers for loading external scripts, as many as 14 expose patterns that allow attackers to bypass CSP protections.
The CSP Evaluator
This is how we get to the CSP Evaluator, a tool Google engineers use to take a deeper look at the effect of setting a policy. The CSP Evaluator also alerts developers whenever small misconfigurations could eventually lead to XSS issues. In addition, Google advises developers to set a “nonce”: an unpredictable, single-use token that must match the value set in the CSP policy. This is done to improve web security.
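As an added illustration of the two ideas above (this is example code, not Google's CSP Evaluator), the block below generates a per-response nonce, builds the nonce-based policy header, simulates the browser's nonce check for a script tag, and flags the weak script-src patterns the article mentions (missing policy, 'unsafe-inline', wildcards, and host whitelists). The directive parsing is a simplified assumption, not a full CSP grammar.

```python
import base64
import secrets
from typing import Optional

def generate_nonce() -> str:
    """Unpredictable, single-use token: 128 bits from the OS CSPRNG, base64-encoded."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def nonce_policy(nonce: str) -> str:
    """Nonce-based policy: only <script nonce="..."> tags carrying this value run."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'"

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]} (simplified)."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def evaluate_script_src(header: str) -> list:
    """Return findings for script-src, in the spirit of the CSP Evaluator."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: every script source is allowed"]
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in lowered)
    findings = []
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        findings.append("'unsafe-inline' lets injected inline scripts execute")
    if "'unsafe-eval'" in lowered:
        findings.append("'unsafe-eval' lets attacker-controlled strings reach eval()")
    for src in lowered:
        if src in ("*", "http:", "https:", "data:"):
            findings.append(f"{src} allows scripts from any origin")
        elif not src.startswith("'"):
            # Host whitelist: the study found most commonly whitelisted hosts
            # expose patterns that let attackers bypass the policy.
            findings.append(f"host whitelist {src}: likely bypassable, prefer a nonce")
    return findings

def script_allowed(header: str, tag_nonce: Optional[str]) -> bool:
    """Simulate the browser check: a script runs only if its nonce matches the policy."""
    sources = parse_csp(header).get("script-src", [])
    allowed = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    return tag_nonce is not None and tag_nonce in allowed
```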
The CSP Mitigator
The other tool Google recently promoted is the CSP Mitigator. It’s a Chrome extension that lets developers review an app’s compatibility with nonce-based CSP.