Google tackles XSS flaws with new developer tools

The tech giant has released a set of new tools to help developers tackle common XSS vulnerabilities.
Written by Charlie Osborne, Contributing Writer

Google has released two new tools for developers looking to protect their web domains against cross-site scripting (XSS) flaws.

Cross-site scripting (XSS) remains one of the most common security issues web developers face. The attack relies on vulnerabilities that let an attacker inject malicious script into trusted websites and applications, and it can underpin malvertising campaigns, watering-hole attacks, and drive-by attacks in which the victim need do nothing more than open a page on a site they trust.

Content Security Policy (CSP) is often the web developer's answer to such attacks. CSP, which is supported by all major browsers, lets a site tell the browser which script sources are allowed to execute, so that even if an attacker manages to inject code into a vulnerable page, the browser refuses to run it.

This week, the Mountain View, California-based firm said in a blog post that a recent Google study found 95 percent of the CSP policies deployed across more than one billion domains to be "ineffective" as a protection against XSS attacks.

"One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections," Google says. "We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP."

To help developers tighten their policies, Google has released CSP Evaluator, a tool its own engineers use that shows developers the effect a given policy will have once deployed. It also flags subtle misconfigurations that look minor on their own but leave the page open to XSS.
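The kind of review CSP Evaluator automates can be sketched in a few dozen lines. The following is an added example, not Google's code and not the tool's actual rule set: it parses a Content-Security-Policy header value and reports the policy weaknesses named on this page (an `'unsafe-inline'` script-src, whitelisted hosts that may expose bypass endpoints) plus the object-src and base-uri checks a practitioner would expect. The two sample policies are constructed for the demo.

```javascript
// Added example (not Google's code): a small linter that applies a subset of the
// checks CSP Evaluator is known for to a Content-Security-Policy header value.
// Rule names and messages are this example's own.
"use strict";

// Parse "directive src src; directive src" into { directive: [sources] }.
// Browsers ignore a repeated directive, so the first occurrence wins here too.
function parsePolicy(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in policy)) policy[name] = tokens.slice(1).map((s) => s.toLowerCase());
  }
  return policy;
}

// script-src governs script execution; absent that, default-src applies.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Return a list of human-readable findings; an empty list means no rule fired.
function evaluatePolicy(header) {
  const policy = parsePolicy(header);
  const findings = [];
  const src = scriptSources(policy);

  if (src === null) {
    findings.push("no script-src or default-src: scripts from any origin may run");
    return findings;
  }
  const hasNonce = src.some((s) => s.startsWith("'nonce-"));
  const hasHash = src.some((s) => /^'sha(256|384|512)-/.test(s));

  // Browsers ignore 'unsafe-inline' when a nonce or hash is present; otherwise
  // it allows exactly the inline injections CSP exists to block.
  if (src.includes("'unsafe-inline'") && !hasNonce && !hasHash) {
    findings.push("'unsafe-inline' in script-src without nonce/hash: injected inline scripts execute");
  }
  if (src.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' in script-src: eval() of attacker-controlled strings executes");
  }
  for (const s of src) {
    if (s === "*" || s === "https:" || s === "http:" || s === "data:") {
      findings.push(`${s} in script-src: effectively allows script from anywhere`);
    }
  }
  // A host whitelist is only as strong as the weakest endpoint on that host
  // (JSONP endpoints, script gadgets). 'strict-dynamic' makes browsers ignore
  // the host list entirely, which is why nonce + 'strict-dynamic' is preferred.
  if (!src.includes("'strict-dynamic'")) {
    for (const s of src) {
      if (!s.startsWith("'") && !s.endsWith(":")) {
        findings.push(`whitelisted host ${s}: review it for JSONP or script-gadget endpoints that bypass CSP`);
      }
    }
  }
  // Plugins can run script too, so object-src must be locked down explicitly.
  const objectSrc = policy["object-src"] || policy["default-src"] || [];
  if (!objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content (<object>, <embed>) can execute script");
  }
  // With nonces, an injected <base> tag can redirect relative script URLs.
  if (hasNonce && !policy["base-uri"]) {
    findings.push("base-uri missing: an injected <base> tag can redirect relative script URLs");
  }
  return findings;
}

// Constructed sample policies for a quick run.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_POLICY = "script-src 'nonce-r4nd0mV4lue' 'strict-dynamic'; object-src 'none'; base-uri 'none'";

console.log("weak:", evaluatePolicy(WEAK_POLICY));
console.log("strict:", evaluatePolicy(STRICT_POLICY));
```

Run it with `node` and the weak policy produces three findings while the strict one produces none. The host-whitelist rule deliberately reports every listed host rather than judging it, because whether a given host exposes a bypass is a question about that host's endpoints, not about the policy text.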

The company also recommends that developers move to a nonce-based policy: a "nonce" is an unpredictable, single-use token generated for every response, and the browser only executes a script whose nonce attribute matches the value set in the CSP header.

The second tool, CSP Mitigator, is a Chrome extension that helps developers review an application's compatibility with nonce-based CSP. It can be configured to collect data on any code patterns that need reworking before such a policy can be enforced, including scripts with missing or incorrect nonce attributes, inline JavaScript, and inline event handlers. CSP Mitigator can be enabled for any URL prefix.

Google commented:

"We hope that increased attention to this area will also encourage researchers to find new, creative ways to circumvent CSP restrictions, and help us further improve the mechanism so that we can better protect Internet users from web threats."
