The Latest in IT Security

Google Launches Game to Teach XSS Bug Discovery Skills

30
May
2014

Google has launched a new game to teach Web application developers how to spot cross-site scripting (XSS) bugs in their code.

XSS vulnerabilities are highly common in websites, but can be quite dangerous. In fact, Google pays up to $7,500 for XSS bugs discovered in important products.

The XSS Game, which requires a modern web browser with JavaScript and cookies enabled, is mainly addressed to Web application developers who don’t specialize in security. However, Google believes that while security experts might find the first levels easy, they could also learn a few things.

“This security game consists of several levels resembling real-world applications which are vulnerable to XSS – your task will be to find the problem and attack the apps, similar to what an evil hacker might do,” Google noted.

“XSS bugs are common because they have a nasty habit of popping up wherever a webapp deals with untrusted input. Our motivation is to highlight common coding patterns which lead to XSS to help you spot them in your code.”

For example, the first level, which is called the “Hello, world of XSS,” consists of a simple website with a search feature. Users must find a way to make the vulnerable application execute arbitrary JavaScript code. Up to three hints are provided, the source code and network traffic being available for analysis just like on a regular website.

Google admits that users can cheat at the game by accessing page internals in developer tools or by editing HTTP traffic.

“Cross-site attacks are dangerous because of what they do, but also because the three distinct types of each strike from different angles,” Chris Hinkley, a Senior Security Engineer atFireHost, explained in a late 2012 SecurityWeek column.

Cross-site scripting (CSS) can either bepersistent or reflected, and cross-site request forgery (CSRF), where attackers use an authenticated session on one Website to perform unauthorized actions on another site, are also especially dangerous.

“Cross-site scripting is harmful in either of its two forms, but persistent cross-site scripting packs slightly more poison due to its widespread reach,” Hinkley noted. “An example of persistent cross-site scripting would be when an attacker posts a comment to a blog that would include a malicious JavaScript payload – essentially embedding it in that page.”

The XSS Game is not the first security game from Google. Back in 2010, the company released Gruyere, a small web application designed to teach developers how to identify XSS, cross-site request forgery (CSRF), information disclosure, denial-of-service (DoS), and remote code execution vulnerabilities, and how to protect a website against these types of attacks.

Related:Recently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability

Related:Crossing XSS Off Your Threat Landscape

Tweet

Previous Columns by Eduard Kovacs:Alleged Creator of BlackShades RAT Pleads Not GuiltyGoogle Launches Game to Teach XSS Bug Discovery SkillsSymantec Acquires NitroDesk to Expand Mobile Security OfferingsPinterest Launches Bug Bounty ProgramHackerOne Secures $9 Million, Appoints Katie Moussouris Chief Policy Officer

sponsored links

Tags: NEWS INDUSTRY

Vulnerabilities

Comments are closed.

Categories

THURSDAY, JULY 29, 2021
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments