Google Releases CSP Web Developer Tools To Combat XSS Cyber Attacks

Google has released tooling to help web developers stamp out cross-site scripting (XSS) attacks, after paying out more than $1.2 million over the past two years to researchers who reported XSS bugs in its own services.

XSS is one of the most common classes of web application attack. An XSS bug lets an attacker inject script into a page served by a vulnerable site; because the injected code runs in the site's own origin, the browser's same-origin policy, which keeps other sites away from the application's data, offers no protection against it.

Content Security Policy (CSP) is a browser-enforced mechanism, delivered as an HTTP response header, that lets developers restrict which scripts a page may execute. It is a defence-in-depth measure: if an HTML injection bug slips through, the injected script is blocked because it is not on the policy's allowed list.

But in practice, CSP is flexible enough to express a multitude of policies, and it is easy for developers to set policies that appear to work but provide no real security benefit.

“We analysed over one billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS,” said Google’s Information Security team.

“One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections.”
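As an added illustration of the kind of check the article describes (my own code, not Google's CSP Evaluator, which has a far more complete rule set), the Node.js script below parses a Content-Security-Policy header value and flags the classic patterns that leave a policy with no real XSS benefit: 'unsafe-inline' without a nonce or hash, wildcard or bare-scheme script sources, and a missing object-src or base-uri. The two sample policies are constructed for the example; the bypassable whitelisted domains the article refers to are not named on the page, so no host list is encoded here.

```javascript
// Added example (not Google's CSP Evaluator): a minimal checker for the
// ineffective-policy patterns described in the article. Node.js, no dependencies.

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// Directive names are case-insensitive; source values are kept as written.
function parseCsp(header) {
  const policy = {};
  for (const raw of header.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [name, ...sources] = parts;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Sources governing a fetch directive: the directive itself, else default-src.
function effectiveSources(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}

function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Returns a list of findings ({ code, message }); an empty list means none of
// the checked weaknesses is present.
function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const add = (code, message) => findings.push({ code, message });

  const scripts = effectiveSources(policy, 'script-src');
  if (scripts === null) {
    add('no-script-src', 'neither script-src nor default-src is set: any script can run');
  } else {
    const lower = scripts.map((s) => s.toLowerCase());
    const kw = new Set(lower);
    const nonced = hasNonceOrHash(scripts);
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP level 2+).
    if (kw.has("'unsafe-inline'") && !nonced) {
      add('unsafe-inline', "'unsafe-inline' without a nonce or hash: injected inline scripts run");
    }
    if (kw.has("'unsafe-eval'")) {
      add('unsafe-eval', "'unsafe-eval' lets injected strings reach eval()");
    }
    // With 'strict-dynamic' plus a nonce/hash, host and scheme sources are ignored,
    // so a whitelist of third-party hosts is no longer the attack surface.
    const strictDynamic = nonced && kw.has("'strict-dynamic'");
    if (!strictDynamic) {
      for (const s of lower) {
        if (s === '*') add('wildcard', '* allows scripts from any host');
        else if (/^(https?|data|blob|filesystem):$/.test(s)) add('scheme-source', `${s} allows scripts from any URL on that scheme`);
        else if (s.startsWith('*.')) add('wildcard-host', `${s} allows any subdomain`);
      }
    }
  }
  if (effectiveSources(policy, 'object-src') === null) {
    add('object-src-missing', "object-src missing: plugins can execute script; set it to 'none'");
  }
  if (!policy['base-uri']) {
    add('base-uri-missing', 'base-uri missing: an injected <base> tag can redirect relative script URLs');
  }
  return findings;
}

// Constructed sample policies (not taken from the article).
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https: https://cdn.example.com";
const STRICT_POLICY = "script-src 'nonce-R4nd0mV4lu3' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

for (const [label, policy] of [['weak', WEAK_POLICY], ['strict', STRICT_POLICY]]) {
  const findings = evaluateCsp(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  [${f.code}] ${f.message}`);
}
```

The weak policy above is the shape the article warns about: it looks restrictive, yet 'unsafe-inline' lets any injected inline script run and the bare `https:` source lets the attacker load a script from any HTTPS host. The strict policy yields no findings because a nonce, 'strict-dynamic', `object-src 'none'` and `base-uri 'none'` close each of those gaps.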

In XSS

The prevalent threat of XSS attacks prompted Google to release CSP Evaluator, a tool Google's own developers use to visualise the effect of a policy and to detect misconfigurations in it.

“CSP Evaluator is used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers,” the Information Security team explained.

However, Google indicated it will take more than just the CSP Evaluator to make web apps immune to XSS attacks.

“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed,” the team explained.

“Here’s where the idea of a nonce-based CSP policy comes in. Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce — an unpredictable, single-use token which has to match a value set in the policy.”

To ease adoption of nonce-based CSP, Google has also released CSP Mitigator, a Chrome browser extension that helps developers assess the impact of enabling a nonce-based policy on their application, for example by highlighting any compatibility problems it finds.

These tools should help developers curb XSS attacks, which put the users of even the most popular domains at risk.


Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.
