Google Releases New XSS Prevention Tools

Google has released new tools and documentation designed to help developers mitigate cross-site scripting (XSS) attacks using the Content Security Policy (CSP) standard.

XSS vulnerabilities continue to affect numerous web applications, even ones developed by major companies. In the past two years, Google awarded researchers more than $1.2 million for these types of flaws.

One potentially effective solution for mitigating XSS attacks is CSP, a mechanism that allows developers to restrict which scripts can be executed. If policies are configured properly, attackers are not able to load malicious scripts and other resources, even if they manage to inject HTML code into a webpage.

However, a misconfigured CSP fails to provide proper XSS protection. A study conducted recently by Google researchers on more than 1 billion domains showed that CSP policies can be bypassed in a vast majority of cases.

Google wants to help developers and security experts determine if a CSP is effective against XSS attacks by releasing a tool called CSP Evaluator. The online tool, also available as a Chrome extension, helps identify subtle CSP misconfigurations that could be exploited by attackers.

While such a tool can be very helpful, Google pointed out that the large number of popular domains with resources that allow CSP to be bypassed makes it difficult to create a whitelist of safe scripts for complex applications. A better approach involves using a nonce-based CSP policy, where a nonce (i.e. an unpredictable token that can only be used once) is assigned to each trusted script.
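
The nonce-based approach described above, sketched as an added example that is not from the article or from Google's tools: the server issues a fresh nonce per response, stamps it on its own script tags, and a simplified model of the browser's check shows that an injected tag without the matching nonce does not run. The function names, the `/static/app.js` path, the template, and the `attacker.example` host are hypothetical.

```python
import re
import secrets
from html.parser import HTMLParser

def new_nonce() -> str:
    """Fresh 128-bit CSPRNG value; generate one per HTTP response, never reuse."""
    return secrets.token_urlsafe(16)

def csp_header(nonce: str) -> str:
    # Value for the Content-Security-Policy response header. The object-src and
    # base-uri lockdown is an assumption added here, not taken from the article.
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"

def render_page(nonce: str, user_comment: str) -> str:
    # Constructed template with a deliberate bug: user_comment is not escaped,
    # standing in for the HTML injection the article mentions.
    return (
        f'<script nonce="{nonce}" src="/static/app.js"></script>\n'
        f'<div class="comment">{user_comment}</div>\n'
    )

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # (nonce attribute or None, src attribute or None)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append((a.get("nonce"), a.get("src")))

def scripts_allowed(policy: str, page: str):
    """Simplified model of the browser's decision (not a full CSP engine):
    a script runs only if its nonce attribute equals the policy's nonce."""
    m = re.search(r"script-src[^;]*'nonce-([^']+)'", policy)
    expected = m.group(1) if m else None
    collector = _ScriptCollector()
    collector.feed(page)
    return [(src, n is not None and n == expected) for n, src in collector.scripts]

if __name__ == "__main__":
    nonce = new_nonce()
    injected = '<script src="https://attacker.example/x.js"></script>'  # constructed
    for src, ok in scripts_allowed(csp_header(nonce), render_page(nonce, injected)):
        print(f"{src}: {'runs' if ok else 'blocked'}")
```

Escaping `user_comment` is still the primary fix; the nonce policy is the second layer that limits the damage when escaping is missed.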

Google has used this approach for several of its applications, including Cloud Console, History, Photos, Maps Timeline, Careers Search and Cultural Institute. In order to help developers determine if an application is compatible with a nonce-based CSP, Google released a Chrome extension called CSP Mitigator. The search giant has also published documentation describing best strategies for implementing CSP.

Google has invited security experts to submit proposals on how to make popular open-source frameworks compatible with a nonce-based CSP. The initiative has been added to the company’s bug bounty program and submissions can qualify for a reward.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
