
Google tries to cross out XSS attacks by releasing its own test tool

Just about every content security policy does it wrong


Google has spent more than US$1.2 million (£920,400, A$1.6 million) in the last two years paying researchers for reporting cross-site scripting (XSS) attacks and has kicked off an effort to help crush the threat.

XSS attacks are one of the most pervasive and enduring web application security threats: an injected script runs in the context of the vulnerable site's own origin, so the same-origin policy offers no protection, and the attacker can act as the victim on that site and feed further malicious scripts to target users.

Mountain View spent the cash under its vulnerability rewards program to shutter the bugs.

Many of those bugs arose from the complexity of Google's web applications rather than from lax security checks.

The stubborn proliferation of XSS vulnerabilities across the web has spurred the tech giant to release its internal testing tool dubbed the content security policy (CSP) evaluator, a mechanism to help security-minded administrators crush the threat.

Google has used the CSP Evaluator while rolling out CSP on its own properties, including Cloud Console, Photos, History, and Maps Timeline, and will expand the list.

It also released the CSP Mitigator to help administrators apply custom CSP policy to applications and to better understand the impact of enabling CSP including highlighting parts that may break.

The evaluator does more than check that a CSP header is present: it examines whether the policy actually restricts script execution. CSP itself is a browser-enforced HTTP response header, first shipped in standardised form by Mozilla Firefox and Google Chrome in 2013, that tells the browser which sources may supply scripts and other content so that injected code is refused.

But most administrators who deploy CSP bork it. Google found in a study, CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy [PDF], covering a crawl of some 1.6 billion hostnames, that around 95 per cent of the policies that try to restrict script execution still fail to stop XSS.

Google's study, the largest of its kind, lays much of the blame on 14 of the 15 domains most often whitelisted for loading external scripts: they host endpoints, such as JSONP callbacks and copies of AngularJS, that let an attacker execute arbitrary script while staying inside the whitelist, so the CSP is bypassed.

Whitelisting those hosts has the following consequences, the researchers write:

"... as a consequence, 75.81 percent of distinct policies use script whitelists that allow attackers to bypass CSP. In total, we find that 94.68 percent of policies that attempt to limit script execution are ineffective, and that 99.34 percent of hosts with CSP use policies that offer no benefit against XSS."

Mountain View security wonks Artur Janc, Michele Spagnuolo, Lukas Weichselbaum, and David Ross launched the CSP Evaluator saying it will assist administrators to deploy effective CSPs.

"... the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit," the quartet say.

"We believe it's important to improve this, and help the web ecosystem make full use of the potential of CSP.

"Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed."
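To make the whitelist problem concrete, here is a small checker written for this article. It is not Google's CSP Evaluator and does not reproduce that tool's rule set; it parses a Content-Security-Policy header and flags the patterns the study describes: 'unsafe-inline' without a nonce or hash, wildcard or scheme-only sources, whitelisted hosts that serve JSONP or Angular (the host list here is constructed for the example, as are the two sample policies), and a missing object-src 'none'.

```javascript
// Added example, not Google's CSP Evaluator: a minimal checker that applies the
// whitelist findings described above to a raw Content-Security-Policy header.

// Constructed for this example: hosts assumed to expose JSONP callbacks or
// AngularJS builds. A whitelisted host like this lets an attacker inject e.g.
//   <script src="https://cdn.example-jsonp.com/api?callback=alert(1);//"></script>
// which the browser loads because the host is allowed by the policy.
const HOSTS_WITH_BYPASSABLE_ENDPOINTS = new Set([
  "cdn.example-jsonp.com",
  "static.example-angular.net",
]);

// Parse "directive src src; directive src" into a Map of directive -> [sources].
// The first occurrence of a directive wins, matching browser behaviour.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// "https://cdn.example.com:443/path" -> "cdn.example.com"; bare hosts pass through.
function hostOf(source) {
  return source
    .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
    .replace(/[:/].*$/, "")
    .toLowerCase();
}

// True when a whitelisted host (exact or "*." wildcard) covers a bypassable host.
function coversBypassableHost(host) {
  for (const bad of HOSTS_WITH_BYPASSABLE_ENDPOINTS) {
    if (host === bad) return true;
    if (host.startsWith("*.") && bad.endsWith(host.slice(1))) return true;
  }
  return false;
}

// Return a list of findings explaining why script execution is not really restricted.
// An empty list means none of the checked weaknesses are present.
function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const scriptSrc = policy.get("script-src") || policy.get("default-src");
  if (!scriptSrc) {
    return ["no script-src or default-src: scripts are not restricted at all"];
  }
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));

  // 'unsafe-inline' lets injected inline scripts run; a nonce or hash in the same
  // directive makes browsers ignore it, which is why it is only flagged without one.
  if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' in script-src without nonce/hash: injected inline scripts run");
  }
  for (const s of scriptSrc) {
    // Wildcards and bare schemes let the attacker point at any host they control.
    if (s === "*" || /^(https?|data|blob|filesystem):$/.test(s)) {
      findings.push(`${s} in script-src: scripts can be loaded from any origin matching it`);
      continue;
    }
    if (s.startsWith("'") || s.endsWith(":")) continue; // keywords, nonces, hashes, schemes
    // The bypass the study measured: a whitelisted host with JSONP or Angular endpoints.
    if (coversBypassableHost(hostOf(s))) {
      findings.push(`${s} in script-src: host serves JSONP/Angular endpoints, whitelist is bypassable`);
    }
  }
  // Without object-src 'none', plugin content (e.g. Flash) is another script path.
  const objectSrc = policy.get("object-src") || policy.get("default-src");
  if (!objectSrc || !objectSrc.includes("'none'")) {
    findings.push("object-src is not 'none': plugin content can still execute script");
  }
  return findings;
}

// Constructed sample policies: a typical whitelist policy and a nonce-based one.
const WEAK_POLICY = "script-src 'self' https://cdn.example-jsonp.com 'unsafe-inline'; report-uri /csp";
const STRICT_POLICY = "script-src 'nonce-r4nd0m' 'self'; object-src 'none'; base-uri 'none'";

console.log("weak policy:", evaluateCsp(WEAK_POLICY));
console.log("strict policy:", evaluateCsp(STRICT_POLICY));
```

The weak policy looks restrictive at a glance but yields three findings; the nonce-based one yields none, which is the distinction the study draws between policies that appear to work and those that actually block injected script. The bypassable-host list in a real tool would have to be maintained from measurements like the paper's, which is the point the researchers make about how hard a safe whitelist is to build.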

Google has also added CSP to the scope of its open source patch bounty effort, known as Patch Rewards, under which the company doles out money for helpful fixes to some important open source projects. ®
