Google looking to reshape web defences with strict Content Security Policies
Google has taken to its Security Blog to announce their release of a tool designed to help web developers avoid leaving their web applications vulnerable to cross-site scripting (XSS) attacks.
According to Google, XSS attacks — the ability to inject undesired scripts into a trusted web application — have been one of the top web security vulnerabilities for over a decade.
Google has claimed that in the past two years it has awarded researchers over US$1.2 million (£924,734) for reporting XSS bugs in their applications via the Vulnerability Reward Programme.
To fight the problem, Google has today released a Content Security Policy (CSP) evaluation tool.
Describing CSPs, the company said they are a “mechanism designed to step in precisely when such bugs happen; it provides developers the ability to restrict which scripts are allowed to execute so that even if attackers can inject HTML into a vulnerable page, they should not be able to load malicious scripts and other types of resources.”
The tool will visualise the effect of setting a policy and detect subtle misconfigurations.
According to Google, the CSP Evaluator is currently used by security engineers and developers at Google to make sure policies provide a meaningful security benefit and cannot be subverted by attackers.
However, Google has said the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit.
The company said, “In a recent internet-wide study we analysed over one billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS.”
It added, “One of the underlying reasons is that out of the 15 domains most commonly whitelisted by developers for loading external scripts as many as 14 expose patterns which allow attackers to bypass CSP protections.”
Google believes it's important to improve this, and help the web ecosystem make full use of the potential of CSP. To ensure this happens, the tool is supported — though not always in its entirety — by all modern browsers.
Finally, the company concluded, “today we're including CSP adoption efforts in the scope of the Patch Reward Programme; proactive work to help make popular open-source web frameworks compatible with nonce-based CSP can qualify for rewards (but please read the programme rules and CSP refactoring tips first).”
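The distinction the article draws between policies that merely look strict and nonce-based policies can be made concrete with a small checker. The following is an added illustration written for this article, not Google's CSP Evaluator: it parses a CSP header and flags the classes of weakness described above (inline script allowed without a nonce, scheme-wide or wildcard sources, a bare host allowlist, unrestricted `object-src` and `base-uri`). The two sample policies are constructed for the example.

```javascript
// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return [severity, message] findings; an empty list means nothing was flagged.
function evaluateCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  const script = policy['script-src'] || policy['default-src'];
  if (!script) {
    findings.push(['high', 'no script-src or default-src: any script can load']);
    return findings;
  }
  const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  // 'unsafe-inline' is ignored by nonce-aware browsers once a nonce/hash is present,
  // so it is only a problem when no nonce or hash is set.
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push(['high', "'unsafe-inline' lets injected inline scripts run"]);
  }
  if (script.includes("'unsafe-eval'")) {
    findings.push(['medium', "'unsafe-eval' lets injected strings become code"]);
  }
  for (const s of script) {
    if (s === '*' || /^(https?|data|blob|filesystem):$/.test(s)) {
      findings.push(['high', `${s} allows scripts from any matching origin`]);
    }
  }
  // A plain host allowlist is only as strong as its weakest host: the article notes
  // that most commonly whitelisted domains expose patterns that bypass CSP.
  const hosts = script.filter((s) => !s.startsWith("'") && !/:$/.test(s) && s !== '*');
  if (hosts.length > 0 && !hasNonceOrHash) {
    findings.push(['medium', `host allowlist without nonce/hash: ${hosts.join(', ')}`]);
  }
  if (!policy['object-src'] && !policy['default-src']) {
    findings.push(['high', 'object-src unrestricted: plugin content can execute script']);
  }
  if (!policy['base-uri']) {
    findings.push(['medium', 'base-uri missing: an injected <base> can redirect relative script URLs']);
  }
  return findings;
}

// Constructed sample policies (not taken from the article).
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com https:";
const STRICT_CSP = "script-src 'nonce-c29tZXJhbmRvbQ==' 'strict-dynamic'; object-src 'none'; base-uri 'none'";
console.log(evaluateCsp(WEAK_CSP));   // four findings
console.log(evaluateCsp(STRICT_CSP)); // []
```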
Gareth O'Sullivan, EMEA director of solutions architecture at WhiteHat Security, told SCMagazineUK.com: “One of the big draws of bug bounties is that they can help businesses access the very best of security research talent, which they probably don't have access to internally. The programmes also introduce contact with researchers who they may not be able to hire, or who might be unwilling to work with certain organisations on a more permanent basis. One consideration however, is the vetting and screening of the researchers involved. Obviously this becomes a significant issue if researchers are to have access to mission-critical software for testing. Some businesses make their programme invite-only as a way to vet the researchers who get involved.”
O'Sullivan added: “Vulnerabilities in websites are incredibly common, even among the largest brands. Many businesses are still unaware of online business risks, or have delayed taking appropriate action, which is unfortunate for them and their users. According to our 2015 website security statistics report, 86 percent of 30,000 websites have at least one serious vulnerability where an attacker could compromise the system and cause serious commercial or reputational damage. You might be surprised to hear that it takes an average of 193 days to remediate website vulnerabilities that are fixed, not to mention that 39 percent of flaws are never closed. Remediation is a major problem and it is not enough for anyone just to find problems if they are never going to get fixed for whatever reason. We have to make remediation easier and cheaper, otherwise the web is just not going to get more secure.”