Cross-site scripting (XSS) was, is and probably will be the most popular web application vulnerability to exploit—so it’s good news that Google has developed an internal web application security scanning tool, codenamed Inquisition (as in, no bug ever expects the Google Inquisition—get it?).
The scanner is built entirely on Google technologies like Chrome and Google Cloud Platform, with support for HTML5 features. And it’s being used in conjunction with the open-source Firing Range, which is a test ground for automated scanners. It’s a Java application built on Google App Engine and contains a wide range of XSS and, to a lesser degree, other web vulnerabilities.
“Securing modern web applications can be a daunting task—doubly so if they are built (quickly) with diverse languages and technology stacks,” said Claudio Criscione, security engineer for Google, in a blog post. He added, “Our testbed doesn’t try to emulate a real application, nor exercise the crawling capabilities of a scanner: it’s a collection of unique bug patterns drawn from vulnerabilities that we have seen in the wild, aimed at verifying the detection capabilities of security tools.”
Criscione said that Firing Range is different from the many vulnerable test applications already available, which have been historically focused on creating realistic-looking testbeds for human testers.
“We think that with automation in mind it is more productive, instead, to try to exhaustively enumerate the contexts and the attack vectors that an application might exhibit,” he said. “We have used Firing Range both as a continuous testing aid and as a driver for our development, defining as many bug types as possible, including some that we cannot detect (yet!).”
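The idea of exhaustively enumerating output contexts rather than building a realistic application also works at a much smaller scale on the defender's side: a table of contexts, one probe string, and a check that the encoder chosen for each context neutralises every delimiter that matters there. The script below is an added illustration of that approach, not code from Firing Range or Google; the context names, the `encodeHtml`, `encodeJsString` and `encodeUrlParamInAttr` encoders, the `PROBE` string and the `unsafeContexts` helper are all constructed for this example.

```javascript
// Added example (not Firing Range code): a miniature context-enumerating
// testbed for output encoders. Instead of emulating a real page, it lists
// the contexts untrusted data can land in and verifies, per context, that
// the encoder assigned to it leaves no dangerous delimiter unencoded.

// HTML text and attribute values: turn the five HTML delimiters into entities.
function encodeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// JavaScript string literals: \xHH / \uHHHH-escape everything that is not
// alphanumeric, so quotes, backslashes, newlines and "</script" cannot occur.
function encodeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// A URL query parameter placed inside an HTML attribute needs two layers:
// URL encoding for the parameter, then HTML encoding for the attribute
// (encodeURIComponent leaves the single quote untouched, which the second
// layer handles).
function encodeUrlParamInAttr(s) {
  return encodeHtml(encodeURIComponent(String(s)));
}

// Constructed probe: one of every delimiter an encoder may have to handle.
const PROBE = `<>"'&/\\=;\n`;

// Each context names the encoder that is correct there and a pattern of raw
// characters that must never survive encoding in that context.
const CONTEXTS = [
  { name: 'html-body',   encode: encodeHtml,            forbidden: /[<>"']/ },
  { name: 'html-attr',   encode: encodeHtml,            forbidden: /[<>"']/ },
  { name: 'js-string',   encode: encodeJsString,        forbidden: /['"\n<]/ },
  { name: 'url-in-attr', encode: encodeUrlParamInAttr,  forbidden: /[<>"'\s]/ },
];

// Encode the probe for one context and report whether anything forbidden
// is still present. An optional encoder override lets the testbed show what
// happens when the wrong encoder is used in a context.
function isSafeIn(ctx, encode = ctx.encode) {
  return !ctx.forbidden.test(encode(PROBE));
}

// Run every context; returns [{ context, safe }, ...] in table order.
function runTestbed(encodeOverride) {
  return CONTEXTS.map(ctx => ({
    context: ctx.name,
    safe: isSafeIn(ctx, encodeOverride || ctx.encode),
  }));
}

// Names of the contexts in which the given encoder (or each context's own
// encoder when none is given) fails the probe.
function unsafeContexts(encodeOverride) {
  return runTestbed(encodeOverride).filter(r => !r.safe).map(r => r.context);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('context-correct encoders, unsafe contexts:', unsafeContexts());
  console.log('encodeHtml everywhere, unsafe contexts:', unsafeContexts(encodeHtml));
  console.log('encodeURIComponent everywhere, unsafe contexts:',
    unsafeContexts(encodeURIComponent));
}
```

Running it with each context's own encoder reports no unsafe contexts; forcing `encodeHtml` everywhere is flagged in the JavaScript-string and URL-in-attribute contexts (the raw newline survives), and `encodeURIComponent` alone fails all four because it leaves the single quote in place. That is the same point the quoted approach makes: the interesting bugs are mismatches between context and defence, and a table of contexts finds them more reliably than a realistic-looking page does.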
That’s important considering that, according to High-Tech Bridge, more than 90% of XSS vulnerabilities can be exploited in such a manner that even advanced users and IT staff will not suspect nefarious activity. XSS does not require much social engineering or interaction with humans; in fact, more than 95% of XSS vulnerabilities can be used to perform sophisticated drive-by-download attacks, infecting users who just open a harmless-looking URL they trust.
“The structure and architecture of over 70% of web applications allows creation of a sophisticated XSS exploit that will perform several fully-automated consecutive actions, giving full administrative access to the attacker at the end,” said High-Tech Bridge’s CEO Ilia Kolochenko, in a posting. “An SSL certificate and an HTTPS connection to the website have absolutely no impact on web application security and can never prevent an XSS attack. However, many people, including security engineers, team leaders and web developers, still seriously underestimate the impact of XSS vulnerabilities and their consequences.”