Written by: Gábor Pék, CEO of Avatao
XSS, or cross site scripting, is one of the most widespread security problems today, as confirmed by statistics from bug-hunting companies such as Hackerone.
This presentation was given on 9 June 2022, at the Balasys API Meetup. You can re-watch Gábor’s presentation (in Hungarian) here.
It is essential to look at Trusted Types and Cross Site Scripting (XSS) when taking stock of ongoing developments in the IT world. XSS is a relatively popular term. During XSS attacks, malicious scripts are injected into otherwise benign and trusted websites. According to the HackerOne security platform and hacker program, 23% of all vulnerabilities transmitted through bug bounty platforms are XSSs. In one of his speeches in 2018, Mario Heinrich, CEO of Cure53, declared that “XSS is dead. We just don't get it.” This means that though the tools needed to mitigate XSS are available, developers lack the intention to implement them. However, he acknowledged that it is not necessarily possible to cover every single XSS with the available tools, so there are XSSs that are still out there and do need to be taken care of.
During a six-year research period, Google introduced Safe Types in its core services. As a result, they noticed a drastic reduction in DOM XSS – in fact, the company has now managed to eliminate it completely. The experiment was considered ready to be opened to the public. As a result, Trusted Types was born, though the standard is still officially a work in progress. According to Trusted Types, not only string assignment is possible, but an object can also be specified as a value. And if you can specify an object as a value, you can also define trusted objects. This contribution enables the DOM API to accept solely and exclusively trusted values. Defining a policy to create a trusted object is essential, which means that the Trusted Types policy receives a string as input and returns an object that has already been sanitized by it. Policy-based correction is enforced by the browser, so there is no option to specify exceptions.
Each value assignment that is placed in the DOM is validated, as only trusted objects can be placed into it. Moreover, it drastically simplifies code review. It is no longer necessary to manually review the code, since items and security measures that are centralized in the policy and deemed safe in advance have already been reviewed. In simple terms, if the policy file is okay, everything will be fine.
Gábor and his team at Avatao tested how Trusted Types is able to function within a relatively large code base. In their case, research and implementation took roughly 32 hours. Trusted Types were warmly received in Chromium-based browsers, while other types of browsers had to be experimented with with polyfills. For non-Chromium-based browsers, Avatao claims the technology is still a bit immature, but the DOM API and DOM library are expected to be supplemented with the parameters needed for successful implementation in the foreseeable future.
Ez a blogposzt a Creative Commons Attribution-ShareAlike 4.0 International (CC-BY-SA 4.0) License feltételei mellett licencelődik.
API security: there is nothing new under the sun
There is really nothing new under the sun: APIs are secured by exactly the same precautions as anything else you publish on the internet.
Wars and Cyber Warfare in the Age of APIs
A new chapter in the security of our world opened on 24 February 2022. APIs are expected to be the most attacked interfaces in 2022.