Google recently introduced new tools for developers to help them create a better web content security policy. Specifically, the initiatives should target cross-site scripting (XSS) vulnerabilities, which Threatpost said are the “cockroach of web application security,” forever skittering away into dark application corners and avoiding tools designed to track them down.
But will efforts to exterminate really work, or will they just push this content cockroach deeper into the dark?
Stomping Out XXS Bugs
XSS flaws are everywhere. That’s no exaggeration — read the patch notes of any major content release for Windows, WordPress, Google Chrome or any other popular connected offering and chances are at least one bug fix addresses an XSS vulnerability.
Despite the stated role of content security policy (CSP) standards, which define the content a web browser can load, very few offer solid cross-site scripting protection. In fact, 14 of the 15 most commonly whitelisted domains allow attackers to bypass CSP protections, Google noted.
SC Magazine recently reported the discovery of network attached storage (NAS) devices that are subject to a stored XSS flaw, executed after an unsuccessful login attempt with the wrong username. Infosecurity Magazine, meanwhile, discussed the dangers of XSS attacks in compromising network management systems, which provide cybercriminals with a “treasure map” to valuable IT targets.
And, as noted by Softpedia, not even Google is immune to XSS attacks. A French security researcher recently discovered a flaw a widget attached to the search giant’s main interface.
While Google patched the flaw in just four days, not all tech companies are so eager. Some companies exclude cross-site attacks from their bug bounty programs and don’t even consider them vulnerabilities in the classic sense, opening the door for a new wave of security-resistant insects.
Fumigate Your Content Security Policy
So how does Google plan to tackle the XSS problem? By giving developers a way to visualize and test their content security policy with a pair of new tools.
The first, CSP Evaluator, is already being used by Google engineers. It provides a visualization of how content policies will affect application security and expose potential configuration issues. Paired with a nonce-based CSP policy, which skips whitelisting in favor of unpredictable, single-use tokens that conform to set values, it’s possible to significantly reduce the chance of XSS attacks due to CSP bypasses.
Google’s other tool, CSP Mitigator, is a Chrome extension that checks app compatibility with nonce-based security policies. Companies can enable the tool for any URL prefix and get data about any areas that need to be refactored for CSP support. In effect, Google is trying to cover both ends of the security spectrum by giving companies the tools to both check their current CSP setup and redesign applications that expose potential flaws.
Exterminating XSS is no easy task. The tech industry has been trying for years with minimal success. Google seems to be on the right track, however, by taking cross-site scripting seriously and making it easy for developers to design XSS-inhospitable application environments.