Google aims to fix XSS, make the web safer

Ninety-five percent of the content security policies Google found in a recent scan of more than one billion domains are ineffective against cross-site scripting, or XSS, a class of attack that lets an attacker run script in the browser of anyone who visits the affected page. This week the company released tools to help web developers find and fix those weak policies.

Tech giant Google has issued tools to help web developers identify and mitigate cross-site scripting vulnerabilities, one of the most common classes of web application flaws.

Most websites take input from outside sources: search terms, comments, advertisements and other imported content. Cross-site scripting happens when a site embeds such input in its pages without neutralizing it, so that an attacker can inject script which the browser of every visitor then executes with the privileges of that site. Google's figure concerns the defense rather than the sites themselves: of the more than one billion domains it recently scanned, 95 percent of those that deploy a content security policy have configured it in a way that would not stop XSS.

Drive-by downloads are one thing injected script can be used for. Because the browser runs the script as soon as the page loads, the unsuspecting visitor does not have to click on anything: the script can silently redirect to, or load, an exploit for the browser or its plugins. Drive-by downloads in turn enable watering-hole attacks, where hackers aiming at a highly secure enterprise compromise an outside website that its employees frequently visit.

For website developers, the main defense against XSS is a content security policy, or CSP: an HTTP response header in which the server tells the visitor's browser which sources of script (and other content) the page is allowed to load and execute, so that script injected from anywhere else is refused.


But, wrote Google engineers in a blog post Monday launching the new tools, “In a recent Internet-wide study we analyzed over 1 billion domains and found that 95 percent of deployed CSP policies are ineffective as a protection against XSS” because they were poorly configured.

The tools, CSP Evaluator and CSP Mitigator, are designed to help website developers check that a policy actually blocks injected script rather than merely being present. The engineers also recommend nonce-based policies: for every response the server generates a fresh random value, the nonce, and puts it both in the CSP header and on each legitimate script tag. The browser then executes only scripts carrying a matching nonce, so a script an attacker injects, which cannot know the value, is blocked.

Shaun Waterman

