Google announces a new defense against DOM-based XSS attacks, the Trusted Types browser API.
Google has created a new browser API to help Chrome combat certain types of vulnerabilities in cross-site scripting (XSS), adding another level of browser protection to protect users from hacking.
This new feature is called Trusted Types and Google has been working on this browser API for the past few months. The company’s engineers are planning to test Trusted Types throughout 2018, between Chrome 73 and Chrome 76, before rolling out and enabling it as a permanent security feature for all Chrome users later this year-if everything goes according to plan.
This new security feature was developed to protect users from one of three types of cross-site scripting defects-namely DOM-based XSS (or type-0). The other two XSS types are “reflected” and “stored.”
For readers who want to learn more about XSS, a detailed breakdown of all three XSS types is available here. DOM-based XSS is basically security vulnerability in a website’s source code. Hackers use so-called injection points to insert code into the DOM (source code) of the browser, which carries out unwanted malicious operations-such as stealing cookies, manipulation of page content, redirecting users, etc.
Trusted Types blocks such attacks by allowing website owners to lock in the code of a website known “injection points,” which are often the root cause of XSS based on DOM. Website owners can enable the upcoming protection of trusted types of Chrome by setting a certain value in the HTTP response header for content security policy (CSP).
Once enabled, Chrome’s built-in Trusted Types API will restrict access to DOM injection points, blocking attacks before the XSS exploit code can use the DOM (source code page) to attack users.
On the Google Developers blog, a tutorial on how owners of websites can enable Trusted Types via CSP headers and how users can configure Chrome to use early versions of the Trusted Types API. In the same tutorial, Krzysztof Kotowicz, a software engineer in the Google Information Security Engineering team, was so confident about the success of the Trusted Types API that he claimed that this new feature would “help eliminate DOM XSS.”
More information on the Trusted Types API is available in the official specification of the Web Platform Incubator Community Group (WICG). Trusted Types will be the second XSS protection feature of Chrome after the XSS auditor, which Google shipped with Chrome 4 in 2010.
XSS vulnerabilities were the most common form of web-based attacks in 2014, 2015, 2016 and 2017, according to an Imperva report published last month.
It was last year’s second most common form of web-based attacks, missing only because of an unusual spike in SQL injection attacks in the top position. Companies and security experts often downplay XSS vulnerabilities because they do not always cause direct damage to users who access a website.
They are often the first step in complex routines of exploitation, which facilitates more damaging hacks. In many cases, the elimination of XSS attacks would keep users safe from more complex attacks that would not be possible without an initial XSS footprint.
For example, this week, a DOM-based XSS has affected Bootstrap, a UI framework used somewhere between 15 and 20 percent of all internet sites.