Google Launches All-Out War on XSS

Google has released a new set of tools designed to help firms better fortify their web systems against cross-site scripting (XSS) attacks using the Content Security Policy (CSP) mechanism.

After more than a decade at the top, XSS is still one of the most popular bugs affecting organizations across the globe, and even Google has ended up paying out over $1 million over the past two years in related bug bounties.

CSP was designed to mitigate the risk of XSS vulnerabilities, allowing developers to set policies to restrict which scripts can execute, so that even if attackers can inject HTML into a vulnerable page, they shouldn’t be able to load malicious scripts and other resources, Google explained.

However, it doesn’t always work. Google claimed it analyzed over one million domains and found 95% of CSP policies are ineffective.

“One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections,” Google explained in a blog post.

“We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP.”

To help out, Google has released CSP Evaluator, a new tool designed to detect misconfigurations, ensure policies provide meaningful security benefit and make sure they can’t be subverted by hackers.

However, the tool might fall short because of the number of popular domains which allow the CSP to be bypassed. In those instances a “nonce-based” CSP policy is best.

“Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce – an unpredictable, single-use token which has to match a value set in the policy,” Google explained.

A new “strict-dynamic” feature in the upcoming CSP3 specification apparently makes adopting a nonce-based policy much simpler, even in complex modern apps.
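The difference between an allowlist policy and a nonce-based one, as an added example that is not from Google's post or its tools: the code issues a fresh nonce per response and runs a simplified heuristic review over a policy. The function names, the sample policy and its `.example` hosts are assumptions made for illustration, and the review is far narrower than what CSP Evaluator checks.

```python
import base64
import secrets

# Constructed sample policy, not taken from any real site.
ALLOWLIST_POLICY = ("script-src 'self' 'unsafe-inline' "
                    "https://cdn.example https://widgets.example")

def nonce_policy():
    """Return (nonce, header value) for one response; a nonce is never reused."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    header = (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")
    return nonce, header

def parse_csp(header):
    """Split a policy into {directive: [sources]}; the first duplicate wins."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def review_script_policy(header):
    """Heuristic findings for the script-loading part of a policy."""
    d = parse_csp(header)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: script loading is unrestricted"]
    lowered = [s.lower() for s in sources]
    trusted_token = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        for s in lowered)
    findings = []
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if "'unsafe-inline'" in lowered and not trusted_token:
        findings.append("'unsafe-inline' lets injected inline scripts run")
    # 'strict-dynamic' makes browsers ignore host and scheme sources.
    allowlist = [s for s in sources if not s.startswith("'")]
    if allowlist and "'strict-dynamic'" not in lowered:
        findings.append("relies on an allowlist: " + " ".join(allowlist))
    return findings
```

Every script tag the application emits for that response must carry the same value in its `nonce` attribute; injected markup cannot know it, so the browser refuses to run it.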

Google also announced the release of the CSP Mitigator – a Chrome extension designed to help developers review an application for compatibility with nonce-based CSP.

CSP adoption will also be included in Google's Patch Reward Program, which will reward any efforts that make popular open-source web frameworks compatible with nonce-based CSP.

Gareth O’Sullivan, EMEA director of solutions architecture at WhiteHat Security, revealed that 86% of the 30,000 sites his firm reviewed last year had at least one serious vulnerability where an attacker could compromise the system.

“You might be surprised to hear that it takes an average of 193 days to remediate website vulnerabilities that are fixed, not to mention that 39% of flaws are never closed,” he added.

“Remediation is a major problem and it is not enough for anyone just to find problems if they are never going to get fixed for whatever reason. We have to make remediation easier and cheaper, otherwise the web is just not going to get more secure.”
