Google has released two new tools for developers looking to protect web domains against cross-site scripting (XSS) security flaws.
Cross-site scripting (XSS) is one of the most common security issues web developers face today. The attack relies on vulnerabilities that allow malicious code to be injected into trusted websites and applications, and it can power malvertising campaigns, watering hole attacks, and drive-by attacks in which a victim visiting a trusted site need do nothing more than open a page.
Content Security Policy (CSP) is often the web developer's answer to such attacks. CSP, supported by all major browsers, is delivered as an HTTP response header that tells the browser which sources of script it may execute and whether inline script is permitted, so that injected scripts are blocked from running even when an attacker manages to insert code into a vulnerable page.
This week, the Mountain View, California-based firm said in a blog post that in a recent study it found that 95 percent of the CSP policies deployed across more than one billion domains were "ineffective" as a protection against XSS-based exploits and attacks.
"One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections," Google says. "We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP."
To make CSP deployments more robust, Google has released the CSP Evaluator, a tool its own engineers use, which shows developers at a glance what effect a given policy will have. It also flags subtle misconfigurations, such as whitelisted script hosts that can be abused to bypass the policy, that leave a site exposed to XSS.
The company also recommends that developers adopt a "nonce": an unpredictable, single-use token generated for each response, which the browser will only honour on a script tag if it matches the value declared in the CSP header. Because an attacker cannot predict the nonce, any script they inject will not carry it and will not run.
"We hope that increased attention to this area will also encourage researchers to find new, creative ways to circumvent CSP restrictions, and help us further improve the mechanism so that we can better protect Internet users from web threats."