Tech

Google aims to fix XSS, make the web safer

Ninety-five percent of the one billion websites Google scanned recently were vulnerable to Cross-Site Scripting, or XSS, attacks, allowing hackers to load malicious code onto the computers of anyone who visited their page. This week the company issued tools to help web developers identify and mitigate XSS vulnerabilities.

By Shaun Waterman

September 27, 2016

Tech giant Google has issued tools to help web developers identify and mitigate cross-site scripting vulnerabilities, one of the most common forms of hacking attacks.

Servers that host websites, which run advertisements or any other imported content, must be able to accept HTML and other programming from outside sources. But that creates a way in which hackers can load malicious code into a website and attack anyone who even visits the site. Google recently found that 95 percent of one billion websites recently scanned by the company were vulnerable to XSS attacks, allowing hackers to load malicious code onto the computers of anyone who visited their page.

One such XSS attack is called a drive-by download. Because of the way browsers work — especially with the way autoplay video and audio content works — the unsuspecting visitor doesn’t even have to click on anything to become infected. Drive-by downloads enable watering-hole attacks, where hackers aiming at a highly secure enterprise will target an outside website that employees frequently visit.

For website developers, the answer to XSS is a content security policy, or CSP — essentially a set of instructions that tells the web server which programming inputs can be trusted.

But, wrote Google engineers in a blog post Monday launching the new tools, “In a recent Internet-wide study we analyzed over 1 billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS” because they were poorly configured.

The tools — CSP Evaluator and CSP Mitigator — are designed to help website developers check that their CSP settings are correct. The engineers also suggest the use of the “nonce” — a one-time encryption code that validates an input from an outside source.

Google aims to fix XSS, make the web safer

More Like This

Federal data, security leaders release zero-trust guide ahead of White House deadline

Agencies face ‘inflection point’ ahead of looming zero-trust deadline, CISA official says

Federal CIO: The TMF has been vital to government’s improved cybersecurity stature

Top Stories

EPA CIO Vaughn Noga details slew of new modernization efforts underway

OpenAI further expands its generative AI work with the federal government

USAID updated policy to allow use of Signal, Telegram in some circumstances

Commerce looking to publish AI-ready data guidance in coming months

GSA chief advocates for simplified cloud buying, ‘best value’ contracting as Congress considers legislation

How federal IT officials are navigating the post-AI executive order ‘hype cycle’

More Scoops

Chrome takes another step toward squashing HTTP-only websites

The fixes needed to fight phishing

Dan Kaminsky’s plan to make a better internet

Chinese web browser found beaconing back to Beijing

Pentagon expanding bug bounties after inaugural success

New Senate bill aims to put the boot to botnets

How Apple can help the FBI

Latest Podcasts

The Biden administration releases a new zero-trust data guide; How the GSA is working to teach federal employees about AI prompt engineering

How CMS is approaching AI adoption with CDSO Andrea Fletcher

What AI means for public sector training and upskilling

What’s at stake in the AI national security memo; the DOD braces to modernize defenses against quantum hacking

Tech

Defense

Cyber

FedScoop TV