Google wants to combat persistent XSS web app threats
Google has launched a tool to help web administrators cut out cross-site scripting (XSS) attacks, after it paid out more than $1.2 million to researchers reporting the threats across the past two years.
XSS attacks are among the most common web application attacks. They allow malicious code to be injected into the client-side scripts of web pages, bypassing access controls such as the same-origin policy that are designed to protect web applications.
Content Security Policy (CSP) is designed to curtail these threats: it lets developers restrict which scripts can be executed, so that even when an HTML injection bug is present, injected malicious code cannot be loaded.
But in practice, the flexibility of CSP, which allows for a multitude of policies, means it's easy for developers to set policies that appear to work but have no real security benefit.
“We analysed over one billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS,” said Google’s Information Security team.
“One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections.”
“CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers,” the Information Security team explained.
However, Google indicated it will take more than just the CSP Evaluator to make web apps immune to XSS attacks.
“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed,” the team explained.
“Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce — an unpredictable, single-use token which has to match a value set in the policy.”
To support the use of nonce-based CSP policies, Google has also released its CSP Mitigator tool, a Chrome browser extension that helps developers review the impact of enabling nonce-based CSP, such as by highlighting any compatibility errors it may throw up.
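As an added illustration (not code from the article, from CSP Evaluator or from CSP Mitigator), the Python below shows what a nonce-based policy does and why a permissive whitelist fails: each response gets a fresh nonce, the template stamps it on developer-authorised script tags, and a script without a matching nonce is refused. All function names and the sample policy are assumptions for this example, and the weak-whitelist checks are my own simplified heuristics, not the tool's rules.

```python
import re
import secrets
from html import escape

# Constructed sample whitelist policy (assumption for this example, not from the article).
WEAK_POLICY = "script-src 'self' 'unsafe-inline' https://cdn.example.com *; object-src 'none'"


def make_nonce() -> str:
    """A fresh 128-bit random token: generate one per HTTP response and never reuse it."""
    return secrets.token_urlsafe(16)


def csp_header(nonce: str) -> str:
    """Nonce-based policy: only <script> elements carrying this nonce may execute."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'"


def script_tag(src: str, nonce: str) -> str:
    """Render a developer-authorised script; the template stamps the nonce on it."""
    return f'<script nonce="{escape(nonce)}" src="{escape(src)}"></script>'


def script_sources(policy: str) -> list:
    """Extract the script-src source list from a serialised policy string."""
    m = re.search(r"(?:^|;)\s*script-src([^;]*)", policy)
    return m.group(1).split() if m else []


def script_allowed(policy: str, tag: str) -> bool:
    """Minimal model of the browser check under a nonce-based policy: the tag runs
    only if its nonce attribute equals one of the 'nonce-...' values in script-src."""
    allowed = {s[len("'nonce-"):-1] for s in script_sources(policy) if s.startswith("'nonce-")}
    m = re.search(r'\snonce="([^"]*)"', tag)
    return bool(m) and m.group(1) in allowed


def weak_whitelist_reasons(policy: str) -> list:
    """Heuristic checks (my own simplification, not CSP Evaluator's rules) for script
    whitelists that look restrictive but give no real protection against XSS."""
    srcs = script_sources(policy)
    reasons = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        reasons.append("'unsafe-inline' lets any injected inline script run")
    if "*" in srcs or "data:" in srcs:
        reasons.append("wildcard or data: source lets attacker-supplied scripts load")
    return reasons
```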
Hopefully these tools will help developers combat XSS attacks, as they have the nasty effect of putting users of popular domains at risk from hackers.