Google has released several new tools and documentation designed to help developers mitigate cross-site scripting (XSS) attacks using the Content Security Policy standard.
Google Helps Programmers Fight XSS Attacks
Google wants to help developers battle the notorious cross-site scripting vulnerabilities, also known as XSS attacks. The company has a track record of actively fighting these attacks. An effective defense against them is the use of Content Security Policies (CSPs), which allow developers to restrict which scripts are permitted to execute. If the policies are set up properly, attackers are unable to load their malicious scripts and other resources, even when dangerous HTML code is injected into the web pages. However, there are many cases where CSP policies can be bypassed by hackers.
One of the released tools is the CSP Evaluator. This is an online utility, also available as a Chrome extension, which helps identify CSP misconfigurations. This is useful in preventing hackers from exploiting such weaknesses to bypass the policy.
Google has stated that many popular sites deploy CSP measures that can be bypassed. This shows how difficult it is to maintain whitelists of safe script sources when working with complex applications.
Another countermeasure is a nonce-based policy, in which a nonce token is attached to each trusted script instance. A nonce is an arbitrary value that is used only once; the browser executes a script only if the nonce in its tag matches the one declared in the policy.
Google uses this tactic for some of its own applications, including Maps Timeline, Cloud Console, History, Photos, Careers Search and Cultural Institute.
Google’s other tool is a Chrome extension called CSP Mitigator. Developers can use it to check whether their applications are compatible with a nonce-based CSP policy. The company has also published documentation describing the best strategies for implementing such policies.
Google has invited security researchers and experts to submit proposals on how to make various open-source frameworks compatible with these types of Content Security Policy. This initiative has been added to Google’s bug bounty program, which means that accepted submissions can qualify for bounty rewards.
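To make the misconfiguration and nonce-based-policy points concrete, here is an added example (not code from Google, CSP Evaluator or CSP Mitigator): it mints a per-response nonce, builds the header a nonce-based policy needs, and runs a small checker over policy strings for the whitelist-style weaknesses an evaluator flags. The checker is a hypothetical, simplified illustration covering only a handful of checks, not the real tool's rule set.

```python
import base64
import secrets

# Added example (not Google's code): mint a per-response nonce, build the header a
# nonce-based CSP needs, and flag whitelist-style weaknesses an evaluator warns about.

def make_nonce() -> str:
    """128 bits from the OS CSPRNG, base64-encoded; fresh for every response."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def nonce_policy(nonce: str) -> str:
    """Only scripts carrying this nonce run; object-src and base-uri are closed
    so plugins and an injected <base> tag cannot be used to get around script-src."""
    return f"script-src 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"

def trusted_script_tag(nonce: str, src: str) -> str:
    """Server-side templates attach the nonce to every script they intentionally emit;
    injected markup does not know the nonce, so the browser refuses to run it."""
    return f'<script nonce="{nonce}" src="{src}"></script>'

def parse_policy(policy: str) -> dict:
    """Map each directive name to its list of source expressions."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives

def find_weaknesses(policy: str) -> list:
    """Hypothetical, simplified subset of the checks a CSP evaluator performs."""
    d = parse_policy(policy)
    findings = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        return ["no script-src or default-src: script execution is unrestricted"]
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not keyed:
        findings.append("'unsafe-inline' without a nonce or hash lets injected inline scripts run")
    for s in script:
        if s in ("*", "http:", "https:", "data:"):
            findings.append(f"{s} in script-src allows scripts from any origin")
    if "object-src" not in d and "default-src" not in d:
        findings.append("object-src missing: plugin content can bypass script-src")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings
```

Emit `nonce_policy(n)` as the `Content-Security-Policy` response header and use the same `n` in `trusted_script_tag` for every script the page legitimately includes.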