Wednesday 28 September 2016

Google Releases Content Security Policy Tool To Prevent XSS Attack


Google has released tooling that helps site owners deploy Content Security Policy against cross-site scripting (XSS), clickjacking and other malicious script injection.

Cross-site scripting (XSS) is one of the most common web vulnerabilities. Google alone has paid out roughly $1.2 million in bug bounties for XSS reports over the last two years.

Google has released CSP Evaluator, a tool that checks a site's policy for misconfigurations. It visualizes the effect of setting a given policy and catches the subtle mistakes that would let an attacker bypass it. Security engineers and developers at Google use CSP Evaluator to make sure their policies provide a meaningful security benefit and cannot be subverted.
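To make the kind of check described above concrete, here is a small policy linter written for this article. It is an added example, not Google's CSP Evaluator, and the directive fallbacks it models and the findings it reports are this example's own choices: it flags 'unsafe-inline' that is not neutralised by a nonce or hash, scheme and host wildcards in script-src, 'strict-dynamic' with nothing to propagate trust from, and a missing or permissive object-src.

```javascript
// Added example (not Google's CSP Evaluator): a minimal CSP linter in the
// spirit of the checks the article describes.

// Source expressions that let scripts load from arbitrary origins.
const SCRIPT_WILDCARDS = new Set(['*', 'http:', 'https:', 'data:']);

// Parse a Content-Security-Policy header value into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; keep the first occurrence.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// True if the source list carries a nonce or hash source expression.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
}

// Return a list of findings; an empty list means nothing was flagged.
function evaluateCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];

  // script-src falls back to default-src when absent.
  const scriptSrc = d['script-src'] || d['default-src'];
  if (!scriptSrc) {
    findings.push('HIGH: neither script-src nor default-src is set; script loading is unrestricted');
  } else {
    const nonceOrHash = hasNonceOrHash(scriptSrc);
    // CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
    // so it is only a problem when it is the sole inline mechanism.
    if (scriptSrc.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("HIGH: 'unsafe-inline' in script-src allows injected inline scripts to run");
    }
    if (scriptSrc.includes("'strict-dynamic'") && !nonceOrHash) {
      findings.push("HIGH: 'strict-dynamic' without a nonce or hash has no trusted script to propagate from");
    }
    for (const s of scriptSrc) {
      if (SCRIPT_WILDCARDS.has(s)) {
        findings.push(`HIGH: ${s} in script-src allows scripts from arbitrary origins`);
      }
    }
    if (scriptSrc.includes("'unsafe-eval'")) {
      findings.push("MEDIUM: 'unsafe-eval' lets string-to-code sinks (eval, Function) run injected input");
    }
  }

  // object-src also falls back to default-src; plugins can execute script.
  const objectSrc = d['object-src'] || d['default-src'];
  if (!objectSrc) {
    findings.push("MEDIUM: object-src is missing; set object-src 'none' unless plugins are required");
  } else if (!objectSrc.includes("'none'")) {
    findings.push("LOW: object-src permits plugins; prefer object-src 'none'");
  }

  return findings;
}

// Usage: the article's policy passes, a typical allow-list policy does not.
console.log(evaluateCsp("script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'"));
console.log(evaluateCsp("default-src 'self'; script-src 'self' 'unsafe-inline' *"));
```

The checks are deliberately conservative: a policy that passes this linter is not proven safe (it does not, for instance, look for allow-listed hosts that serve JSONP endpoints or Angular, which CSP Evaluator does), but a policy that fails it has a concrete bypass.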

Instead of maintaining long host allow-lists, developers can now set a single, short nonce-based policy such as:

script-src 'nonce-random123' 'strict-dynamic'; object-src 'none'

The nonce must be a fresh, unguessable value generated for every response (random123 is only a placeholder); 'strict-dynamic' extends trust from the nonced script to any script it loads at runtime, and object-src 'none' stops plugins from being used to execute code.

Google also released CSP Mitigator, a Chrome extension that helps developers review an application for compatibility with a nonce-based CSP. The extension can be enabled for any URL prefix and collects data on the programming patterns that must be refactored before the policy can be enforced, such as inline scripts that carry no nonce and inline event handlers, which cannot carry one at all.

Credit: Google

What is Content Security Policy (CSP)?

Content Security Policy (CSP) is a standard mechanism that lets website owners declare which origins the browser may load content from on their site. It covers JavaScript, CSS, HTML frames, web workers, fonts, images, embeddable objects such as Java applets and ActiveX, audio and video files, and other HTML5 features.

CSP is designed to step in precisely when an XSS bug slips through: it lets developers restrict which scripts are allowed to execute, so that even if an attacker can inject HTML into a vulnerable page, they should not be able to load malicious scripts or other resources. CSP is a flexible tool that supports a wide range of policies, and all modern browsers support it, though not always in its entirety.
