Security Experts:

Google Launches Game to Teach XSS Bug Discovery Skills

Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code.

XSS vulnerabilities are highly common in websites, but can be quite dangerous. In fact, Google pays up to $7,500 for XSS bugs discovered in important products.

The XSS Game, which requires a modern web browser with JavaScript and cookies enabled, is mainly addressed to Web application developers who don’t specialize in security. However, Google believes that while security experts might find the first levels easy, they could also learn a few things.

XSS Atacks

“This security game consists of several levels resembling real-world applications which are vulnerable to XSS - your task will be to find the problem and attack the apps, similar to what an evil hacker might do,” Google noted.

“XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.”

For example, the first level, which is called the “Hello, world of XSS,” consists of a simple website with a search feature. Users must find a way to make the vulnerable application execute arbitrary JavaScript code. Up to three hints are provided, the source code and network traffic being available for analysis just like on a regular website.

Google admits that users can cheat at the game by accessing page internals in developer tools or by editing HTTP traffic.

“Cross-site attacks are dangerous because of what they do, but also because the three distinct types of each strike from different angles,” Chris Hinkley, a Senior Security Engineer at FireHost, explained in a late 2012 SecurityWeek column.

Cross-site scripting (CSS) can either be persistent or reflected, and cross-site request forgery (CSRF), where attackers use an authenticated session on one Website to perform unauthorized actions on another site, are also especially dangerous.

“Cross-site scripting is harmful in either of its two forms, but persistent cross-site scripting packs slightly more poison due to its widespread reach,” Hinkley noted. “An example of persistent cross-site scripting would be when an attacker posts a comment to a blog that would include a malicious JavaScript payload – essentially embedding it in that page.”

The XSS Game is not the first security game from Google. Back in 2010, the company released Gruyere, a small web application designed to teach developers how to identify XSS, CSRF, information disclosure, denial-of-service (DoS), and remote code execution vulnerabilities, and how to protect a website against these types of attacks.

RelatedRecently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability

RelatedCrossing XSS Off Your Threat Landscape

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.