Just about every content security policy does it wrong
Google has spent more than US$1.2 million (£920,400, A$1.6 million) in the last two years paying researchers for reporting cross-site scripting (XSS) attacks and has kicked off an effort to help crush the threat.
XSS attacks are one of the most pervasive and enduring web application security threats because they let an attacker run script inside a trusted origin, sidestepping the same-origin policy, and deliver malicious scripts to target users.
Mountain View spent the cash under its vulnerability rewards program to shutter the bugs.
Many of those bugs arise from the complexity of Google's web applications rather than from lax security checks.
The stubborn proliferation of XSS vulnerabilities across the web has spurred the tech giant to release its internal testing tool dubbed the content security policy (CSP) evaluator, a mechanism to help security-minded administrators crush the threat.
Google uses the CSP evaluator for assets including its Cloud Console, Photos, History, and Maps Timeline among others, and will expand the list.
It also released the CSP Mitigator, a Chrome extension that lets administrators apply a custom CSP to an application and see the impact of enabling CSP, including which parts of the application would break.
The evaluator checks whether a site's CSP is present and whether it would actually stop an injected script. CSP is a browser mechanism that Mozilla Firefox and Google Chrome both shipped in standardised, unprefixed form in 2013 to help prevent the execution of malicious scripts and other code injection attacks.
But most administrators who deploy CSP bork it.
Google found in a study, CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy [PDF], which examined some 1.6 billion hostnames and found CSP deployed on roughly 1.7 million of them, that about 95 per cent of the policies that try to restrict script execution can still be bypassed.
Google's study, the largest of its kind, lays much of the blame on 14 of the 15 domains most often whitelisted for loading external scripts: they host JSONP endpoints or AngularJS libraries that let attackers bypass CSP protections.
The paper spells out the consequences of those sites' behaviour:
“… as a consequence, 75.81 percent of distinct policies use script whitelists that allow attackers to bypass CSP.
In total, we find that 94.68 percent of policies that attempt to limit script execution are ineffective, and that 99.34 percent of hosts with CSP use policies that offer no benefit against XSS.”
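The whitelist bypass the paper describes, as an added illustration that is not from the article, the paper or Google's CSP Evaluator: a small Python checker that flags the script-src patterns quoted above and shows why a host whitelist lets a JSONP endpoint through while a nonce-based policy does not. The host names (app.example, cdn.example, api.example), the JSONP path and the nonce value are constructed for the example; the source-matching is deliberately simplified (no port handling) and is not a full CSP implementation.

```python
import re
import secrets
from urllib.parse import urlparse

# Constructed policies. Host names are placeholders, not real sites.
# WEAK_CSP looks reasonable at a glance but relies on a host whitelist.
WEAK_CSP = ("default-src 'self'; "
            "script-src 'self' https://cdn.example https://api.example; "
            "img-src *")

def make_nonce():
    """Fresh per-response nonce: unguessable and never reused across responses."""
    return secrets.token_urlsafe(16)

def strict_csp(nonce):
    """Nonce-based policy. 'https:' and 'unsafe-inline' are fallbacks for old
    browsers; any browser that understands nonces and 'strict-dynamic' ignores them."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' https: 'unsafe-inline'; "
            "object-src 'none'; base-uri 'none'")

def parse_csp(header):
    """Header -> {directive: [sources]}. Only the first copy of a directive counts."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def script_sources(policy):
    """script-src falls back to default-src when absent."""
    return policy.get("script-src", policy.get("default-src", []))

def _host_matches(source, url):
    """Simplified host-source match: optional scheme, optional *. wildcard, path prefix."""
    m = re.fullmatch(r"(?:(https?)://)?(\*\.)?([^/:*']+)(/.*)?", source)
    if not m:
        return False          # keywords like 'self' and scheme sources are handled elsewhere
    scheme, wildcard, host, path = m.groups()
    u = urlparse(url)
    if scheme and u.scheme != scheme:
        return False
    if wildcard:
        if not u.hostname.endswith("." + host):
            return False
    elif u.hostname != host:
        return False
    return not path or u.path.startswith(path)

def script_allowed(header, url, nonce=None, self_origin="https://app.example"):
    """Would <script src=url nonce=nonce> execute under this policy?"""
    srcs = script_sources(parse_csp(header))
    if not srcs:
        return True
    if nonce and f"'nonce-{nonce}'" in srcs:
        return True
    if "'strict-dynamic'" in srcs:
        return False          # host and scheme sources are ignored; only nonced scripts run
    u = urlparse(url)
    for s in srcs:
        if s == "*" or s == f"{u.scheme}:":
            return True
        if s == "'self'" and f"{u.scheme}://{u.hostname}" == self_origin:
            return True
        if _host_matches(s, url):
            return True
    return False

def evaluate_script_src(header):
    """Flag the script-src patterns the study found to be ineffective against XSS."""
    policy = parse_csp(header)
    srcs = script_sources(policy)
    if not srcs:
        return ["no script-src or default-src: every script is allowed"]
    findings = []
    nonced = any(s.startswith("'nonce-") or s.startswith("'sha") for s in srcs)
    strict = "'strict-dynamic'" in srcs
    if "'unsafe-inline'" in srcs and not nonced:
        findings.append("'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in srcs:
        findings.append("'unsafe-eval' lets injected strings reach eval()")
    if not strict:
        for s in srcs:
            if s in ("*", "http:", "https:", "data:"):
                findings.append(f"{s} allows scripts from any origin")
            elif "*." in s:
                findings.append(f"wildcard host {s} matches every subdomain")
        hosts = [s for s in srcs if not s.startswith("'") and s not in ("*", "http:", "https:", "data:")]
        if hosts:
            findings.append("host whitelist " + ", ".join(hosts) + ": if any of these hosts "
                            "serves a JSONP endpoint or an AngularJS build, the policy is "
                            "bypassable; use a nonce with 'strict-dynamic' instead")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("no object-src: plugin-based script execution is unrestricted")
    if nonced and "base-uri" not in policy:
        findings.append("no base-uri: an injected <base> tag can redirect relative script URLs")
    return findings

if __name__ == "__main__":
    # Constructed attacker payload, reflected into the page by an XSS bug:
    # <script src="https://api.example/jsonp?callback=alert(document.domain)//"></script>
    # A JSONP endpoint on the whitelisted host echoes the callback name as JavaScript.
    payload = "https://api.example/jsonp?callback=alert(document.domain)//"
    print("weak policy findings:", evaluate_script_src(WEAK_CSP))
    print("weak policy runs payload:", script_allowed(WEAK_CSP, payload))
    strict = strict_csp(make_nonce())
    print("strict policy findings:", evaluate_script_src(strict))
    print("strict policy runs payload:", script_allowed(strict, payload))
```

The checker treats `'unsafe-inline'` as harmless only when a nonce or hash is also present, and ignores host sources once `'strict-dynamic'` is set, which is how CSP3-aware browsers behave; that is exactly why the strict policy keeps the legacy fallbacks without weakening itself.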
Mountain View security wonks Artur Janc, Michele Spagnuolo, Lukas Weichselbaum and David Ross launched the CSP Evaluator, saying it will help administrators deploy effective CSPs.
“… the flexibility of CSP also leads to its biggest problem: it makes it easy to set policies which appear to work, but offer no real security benefit,” the quartet say.
“We believe it’s important to improve this, and help the web ecosystem make full use of the potential of CSP.
“Even with such a helpful tool, building a safe script whitelist for a complex application is often all but impossible due to the number of popular domains with resources that allow CSP to be bypassed.”
Google has also added CSP to the scope of its open source patch bounty effort, Patch Rewards, in which the company will dole out money for helpful fixes to some important open source projects. ®