Google Chrome is ditching its XSS detection tool
Google is removing a nine-year-old feature in its Chrome web browser that spotted a common online attack. Don’t worry, though: another, hopefully better, protection measure is on the way.
Introduced in 2010, XSS Auditor is a built-in Chrome function designed to detect cross-site scripting (XSS) vulnerabilities. In an XSS attack, a malicious actor injects their own code onto a legitimate website. They might do that by adding malicious code to a legitimate URL, or by posting content to a site that stores and displays what they’ve posted (persistent XSS).
When someone views a page containing the attacker’s injected code, it executes in their browser, where it might do anything from stealing the victim’s cookies to trying to infect them with a virus.
Websites should prevent this kind of attack by sanitising user-submitted data, but many don’t.
XSS Auditor tries to detect XSS vulnerabilities while the browser is parsing HTML. It uses a blocklist to identify suspicious characters or HTML tags in request parameters, matching them with content to spot attackers injecting code into a page.
The beef that some developers have is that it doesn’t catch all XSS vulnerabilities in a site. Pieces of XSS code that the feature doesn’t spot, called bypasses, are common online.
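The sketch below is an added example, not Chrome’s XSS Auditor code and not code from the original article: a simplified filter that matches suspicious request parameters against the page, run on a constructed reflected case and a constructed stored (persistent) case, beside the output encoding a site should apply itself. The host `shop.example`, the function names and the probe string are assumptions made for illustration.

```javascript
// Toy model of a reflection-matching filter (NOT Chrome's XSS Auditor code).
// All names and sample values are constructed for illustration.

// Blocklist of markup that can run script: <script> tags and inline on* handlers.
const SUSPICIOUS = /<script\b[^>]*>|\bon\w+\s*=/gi;

// Return suspicious fragments from the request parameters that also appear
// verbatim in the response body, i.e. that look reflected.
function auditReflection(requestUrl, responseHtml) {
  const hits = [];
  for (const [name, value] of new URL(requestUrl).searchParams) {
    for (const fragment of value.match(SUSPICIOUS) || []) {
      if (responseHtml.includes(fragment)) hits.push({ name, fragment });
    }
  }
  return hits;
}

// Server-side fix: encode user data for an HTML text context before output.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical vulnerable page: echoes the query and a stored comment unescaped.
function renderUnsafe(query, storedComment) {
  return `<p>Results for ${query}</p><div class="comment">${storedComment}</div>`;
}

// The same page with output encoding applied to both values.
function renderSafe(query, storedComment) {
  return renderUnsafe(escapeHtml(query), escapeHtml(storedComment));
}

const probe = "<script>alert(1)</script>"; // constructed test string

// Case 1 (reflected): the probe is in the URL and echoed back, so the filter flags it.
const reflectedUrl = "https://shop.example/search?q=" + encodeURIComponent(probe);
const reflectedHits = auditReflection(reflectedUrl, renderUnsafe(probe, "nice post"));

// Case 2 (stored): the probe was saved earlier and is absent from this request,
// so a filter that only inspects request parameters has nothing to match.
const storedUrl = "https://shop.example/search?q=shoes";
const storedHits = auditReflection(storedUrl, renderUnsafe("shoes", probe));

// Output encoding at the server neutralises both cases, whatever the browser does.
const safeHtml = renderSafe(probe, probe);

console.log({ reflectedHits, storedHits, safeHtml });
```

The stored case shows why a browser-side filter cannot replace sanitising on the site: the request that delivers the markup to the victim carries none of it.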
Google’s engineers had already adapted XSS Auditor to filter out troublesome XSS code rather than blocking access altogether, citing “undesirable consequences”, but this clearly wasn’t enough, and now they’re killing it off altogether.