Google says it paid over $1.2 million just for XSS bugs. Google released two new tools called CSP Evaluator and CSP Mitigator that help security researchers identify weaknesses that are often exploited to launch XSS attacks.
Both tools revolve around CSP, or Content Security Policy, a security mechanism implemented by all major browsers, albeit in a different manner.
CSP is a set of rules that allow developers to restrict which scripts can execute inside a page, so when attackers find a way to inject HTML code into a vulnerable application, they won’t be able to load malicious scripts and other types of resources, because CSP strictly prohibits and blocks those payloads at the browser level.
95% of all websites deploy incorrect CSP rules
Despite the advantages of this security mechanism, Google says that 95 percent of one billion domains it scanned during a recent study deployed improper CSP policies that allowed attackers to bypass CSP protections and load scripts to launch XSS (cross-site scripting) attacks.
With the launch of CSP Evaluator, in the form of a self-standing website scanner and Chrome extension, Google hopes that webmasters would be able to test their CSP policies and improve their website’s anti-XSS protection features.
Google also recommends that webmasters look into nonce-based CSP policies. Nonces, which is a term to describe random, one-time, and temporary tokens, are a safe method of deploying CSP policies that can’t be bypassed.
Two Chrome extensions are available
To help developers look into implementing nonce-based CSP policies on their websites and inside their web applications, Google has released a second Chrome extension called CSP Mitigator.
Moreover, according to the company, both extensions have been used internally in setting up CSP policies for various Google services, such as the Google Cloud Console, Google Photos, Google MyAccount History, Google Careers Search, Google Maps Timeline, and Google’s Cultural Institute.
After admitting to paying over $1.2 million just for XSS bugs via its internal bug bounty program, Google is now pro-actively trying to fix “the XSS problem” that plagues almost all of today’s websites.