Google aims to fix XSS, make the web safer
Tech giant Google has issued tools to help web developers identify and mitigate cross-site scripting (XSS) vulnerabilities, one of the most common forms of hacking attacks.
Servers that host websites running advertisements or any other imported content must be able to accept HTML and other code from outside sources. But that creates an opening for hackers to load malicious code into a website and attack anyone who so much as visits the site. Google recently found that 95 percent of one billion websites scanned by the company were vulnerable to XSS attacks, allowing hackers to load malicious code onto the computers of anyone who visited the page.
One such XSS attack is called a drive-by download. Because of the way browsers work, and especially the way autoplay video and audio content works, the unsuspecting visitor doesn’t even have to click on anything to become infected. Drive-by downloads enable watering-hole attacks, in which hackers aiming at a highly secure enterprise target an outside website that its employees frequently visit.
For website developers, the answer to XSS is a content security policy, or CSP — essentially a set of instructions that tells the web server which programming inputs can be trusted.
But, wrote Google engineers in a blog post Monday launching the new tools, “In a recent Internet-wide study we analyzed over 1 billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS” because they were poorly configured.
The tools, CSP Evaluator and CSP Mitigator, are designed to help website developers check that their CSP settings are correct. The engineers also suggest the use of a “nonce”, a one-time encryption code that validates an input from an outside source.
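To make the policy and the checks concrete, here is an added example in Python (not code from the article or from Google's tools): it builds a nonce-based policy of the kind the blog post recommends and runs an illustrative checker that flags the common misconfigurations an evaluator looks for. The checks are simplified assumptions for illustration, not CSP Evaluator's actual rule set.

```python
import secrets
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Flag settings that leave XSS unmitigated (illustrative checks, not CSP Evaluator's)."""
    policy = parse_csp(header)
    findings: List[str] = []
    # script-src falls back to default-src when absent; with neither, any script may run.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        return ["no script-src or default-src: scripts from anywhere are allowed"]
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so it only
    # matters (and only re-enables injected inline scripts) when neither is set.
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("'unsafe-inline' in script-src without a nonce or hash: inline scripts run")
    # Wildcards and bare schemes allow script from any host, defeating the allowlist.
    if any(s in ("*", "https:", "http:", "data:") for s in script):
        findings.append("wildcard or scheme source in script-src: scripts from any host allowed")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin content is unrestricted")
    return findings


def new_nonce() -> str:
    """Fresh unguessable nonce, generated once per HTTP response (constructed value)."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce: str) -> str:
    """Strict policy: only scripts carrying this response's nonce may execute."""
    return f"script-src 'nonce-{nonce}' 'strict-dynamic'; object-src 'none'; base-uri 'none'"


def render_script(nonce: str, inline_js: str) -> str:
    """The site's own inline script is tagged with the nonce; injected script lacks it and is blocked."""
    return f'<script nonce="{nonce}">{inline_js}</script>'
```

The weak policy in the test below is a constructed sample of the pattern the checker flags; the strict one is what `nonce_policy` emits for each response.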