Cross-site scripting is the cockroach of web application security vulnerabilities, enjoying continued longevity despite the abundant availability of scanning tools and programming advice designed to squash it.
Google yesterday took another shot at eradicating XSS attacks with the release of two tools aimed at helping developers write better policies for web applications using the Content Security Policy standard.
Content Security Policy is a web standard supported in most browsers and defines what content should and can be loaded by a browser. CSP implementations are supposed to curb cross-site scripting attacks where hackers are able to load malicious scripts into a web session.
The tools, called CSP Evaluator and CSP Mitigator, are meant to help developers visualize and enforce CSP, respectively. Google hopes the use of both tools will help combat not only XSS attacks, but also close gaps in CSP that allow attackers to relatively simply bypass its protections. Google, for example, cites a recent analysis it conducted of more than one billion domains that revealed 95 percent of CSP policies do not stop XSS as promised.
“One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections,” Google said in a blog post on Monday written by information security engineers Artur Janc, Michele Spagnuolo, Lukas Weichselbaum and David Ross. “We believe it’s important to improve this, and help the web ecosystem make full use of the potential of CSP.”
CSP Evaluator, Google said, can be used by web app developers to visualize how policies will affect application security and expose misconfigurations. The tool, Google said, is used by its security engineers internally.
CSP Evaluator is meant to be used alongside a nonce-based CSP policy, which Google recommends as the fallback for cases where a whitelist-based CSP policy can be bypassed.
“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed. Here’s where the idea of a nonce-based CSP policy comes in,” Google said. “Instead of whitelisting all allowed script locations, it’s often simpler to modify the application to prove that a script is trusted by the developer by giving it a nonce—an unpredictable, single-use token which has to match a value set in the policy.”
This approach, Google said, has already been used in a number of its web apps, and Google has published developer documentation that includes strategies and sample policies. Code change examples were published yesterday as well.
CSP Mitigator is a Chrome extension that can be used by developers to check an application’s compatibility with nonce-based CSP, Google said.
“The extension can be enabled for any URL prefix and will collect data about any programming patterns that need to be refactored to support CSP,” Google said. “This includes identifying scripts which do not have the correct nonce attribute, detecting inline event handlers, javascript: URIs, and several other more subtle patterns which might need attention.”
Google also announced that it has rolled CSP-related research into its Patch Reward Program, which will reward research that helps open source web frameworks gain compatibility with nonce-based CSP.