September 29, 2016 By Douglas Bonderud 2 min read

Google recently introduced new tools for developers to help them create a better web content security policy. Specifically, the initiatives should target cross-site scripting (XSS) vulnerabilities, which Threatpost said are the “cockroach of web application security,” forever skittering away into dark application corners and avoiding tools designed to track them down.

But will efforts to exterminate really work, or will they just push this content cockroach deeper into the dark?

Stomping Out XXS Bugs

XSS flaws are everywhere. That’s no exaggeration — read the patch notes of any major content release for Windows, WordPress, Google Chrome or any other popular connected offering and chances are at least one bug fix addresses an XSS vulnerability.

Despite the stated role of content security policy (CSP) standards, which define the content a web browser can load, very few offer solid cross-site scripting protection. In fact, 14 of the 15 most commonly whitelisted domains allow attackers to bypass CSP protections, Google noted.

SC Magazine recently reported the discovery of network attached storage (NAS) devices that are subject to a stored XSS flaw, executed after an unsuccessful login attempt with the wrong username. Infosecurity Magazine, meanwhile, discussed the dangers of XSS attacks in compromising network management systems, which provide cybercriminals with a “treasure map” to valuable IT targets.

And, as noted by Softpedia, not even Google is immune to XSS attacks. A French security researcher recently discovered a flaw a widget attached to the search giant’s main interface.

While Google patched the flaw in just four days, not all tech companies are so eager. Some companies exclude cross-site attacks from their bug bounty programs and don’t even consider them vulnerabilities in the classic sense, opening the door for a new wave of security-resistant insects.

Fumigate Your Content Security Policy

So how does Google plan to tackle the XSS problem? By giving developers a way to visualize and test their content security policy with a pair of new tools.

The first, CSP Evaluator, is already being used by Google engineers. It provides a visualization of how content policies will affect application security and expose potential configuration issues. Paired with a nonce-based CSP policy, which skips whitelisting in favor of unpredictable, single-use tokens that conform to set values, it’s possible to significantly reduce the chance of XSS attacks due to CSP bypasses.

Google’s other tool, CSP Mitigator, is a Chrome extension that checks app compatibility with nonce-based security policies. Companies can enable the tool for any URL prefix and get data about any areas that need to be refactored for CSP support. In effect, Google is trying to cover both ends of the security spectrum by giving companies the tools to both check their current CSP setup and redesign applications that expose potential flaws.

Exterminating XSS is no easy task. The tech industry has been trying for years with minimal success. Google seems to be on the right track, however, by taking cross-site scripting seriously and making it easy for developers to design XSS-inhospitable application environments.

More from

How I got started: Incident responder

3 min read - As a cybersecurity incident responder, life can go from chill to chaos in seconds. What is it about being an incident responder that makes people want to step up for this crucial cybersecurity role?With our How I Got Started series, we learn from experts in their field and find out how they got started and what advice they have for anyone looking to get into the field.In this Q&A, we spoke with IBM’s own Dave Bales, co-lead X-Force Incident Command…

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally.The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets.Who is exploiting the NGFW zero-day?As of now, little is known about the actors behind the…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today