Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code.
XSS vulnerabilities are highly common in websites, but can be quite dangerous. In fact, Google pays up to $7,500 for XSS bugs discovered in important products.
“This security game consists of several levels resembling real-world applications which are vulnerable to XSS – your task will be to find the problem and attack the apps, similar to what an evil hacker might do,” Google noted.
“XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.”
Google admits that users can cheat at the game by accessing page internals in developer tools or by editing HTTP traffic.
“Cross-site attacks are dangerous because of what they do, but also because the three distinct types of each strike from different angles,” Chris Hinkley, a Senior Security Engineer at FireHost, explained in a late 2012 SecurityWeek column.
Cross-site scripting (CSS) can either be persistent or reflected, and cross-site request forgery (CSRF), where attackers use an authenticated session on one Website to perform unauthorized actions on another site, are also especially dangerous.
The XSS Game is not the first security game from Google. Back in 2010, the company released Gruyere, a small web application designed to teach developers how to identify XSS, CSRF, information disclosure, denial-of-service (DoS), and remote code execution vulnerabilities, and how to protect a website against these types of attacks.
Related: Recently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability