September 29, 2016 By Douglas Bonderud 2 min read

Google recently introduced new tools for developers to help them create a better web content security policy. Specifically, the initiatives should target cross-site scripting (XSS) vulnerabilities, which Threatpost said are the “cockroach of web application security,” forever skittering away into dark application corners and avoiding tools designed to track them down.

But will efforts to exterminate really work, or will they just push this content cockroach deeper into the dark?

Stomping Out XXS Bugs

XSS flaws are everywhere. That’s no exaggeration — read the patch notes of any major content release for Windows, WordPress, Google Chrome or any other popular connected offering and chances are at least one bug fix addresses an XSS vulnerability.

Despite the stated role of content security policy (CSP) standards, which define the content a web browser can load, very few offer solid cross-site scripting protection. In fact, 14 of the 15 most commonly whitelisted domains allow attackers to bypass CSP protections, Google noted.

SC Magazine recently reported the discovery of network attached storage (NAS) devices that are subject to a stored XSS flaw, executed after an unsuccessful login attempt with the wrong username. Infosecurity Magazine, meanwhile, discussed the dangers of XSS attacks in compromising network management systems, which provide cybercriminals with a “treasure map” to valuable IT targets.

And, as noted by Softpedia, not even Google is immune to XSS attacks. A French security researcher recently discovered a flaw a widget attached to the search giant’s main interface.

While Google patched the flaw in just four days, not all tech companies are so eager. Some companies exclude cross-site attacks from their bug bounty programs and don’t even consider them vulnerabilities in the classic sense, opening the door for a new wave of security-resistant insects.

Fumigate Your Content Security Policy

So how does Google plan to tackle the XSS problem? By giving developers a way to visualize and test their content security policy with a pair of new tools.

The first, CSP Evaluator, is already being used by Google engineers. It provides a visualization of how content policies will affect application security and expose potential configuration issues. Paired with a nonce-based CSP policy, which skips whitelisting in favor of unpredictable, single-use tokens that conform to set values, it’s possible to significantly reduce the chance of XSS attacks due to CSP bypasses.

Google’s other tool, CSP Mitigator, is a Chrome extension that checks app compatibility with nonce-based security policies. Companies can enable the tool for any URL prefix and get data about any areas that need to be refactored for CSP support. In effect, Google is trying to cover both ends of the security spectrum by giving companies the tools to both check their current CSP setup and redesign applications that expose potential flaws.

Exterminating XSS is no easy task. The tech industry has been trying for years with minimal success. Google seems to be on the right track, however, by taking cross-site scripting seriously and making it easy for developers to design XSS-inhospitable application environments.

More from

CISA hit by hackers, key systems taken offline

3 min read - The Cybersecurity and Infrastructure Security Agency (CISA) — responsible for cybersecurity and infrastructure protection across all levels of the United States government — has been hacked.“About a month ago, CISA identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses,” a CISA spokesperson announced.In late February, CISA had already issued a warning that cyber threat actors are exploiting previously identified vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. Ivanti Connect Secure is a widely deployed…

Cloud security evolution: Years of progress and challenges

7 min read - Over a decade since its advent, cloud computing continues to enable organizational agility through scalability, efficiency and resilience. As clients shift from early experiments to strategic workloads, persistent security gaps demand urgent attention even as providers expand infrastructure safeguards.The prevalence of cloud-native services has grown exponentially over the past decade, with cloud providers consistently introducing a multitude of new services at an impressive pace. Now, the contemporary cloud environment is not only larger but also more diverse. Unfortunately, that size…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today