Google working on new Chrome security feature to ‘obliterate DOM XSS’

February 16, 2019

Google has created a new browser API that will help Chrome fight certain types of cross-site scripting (XSS) vulnerabilities, adding another level of protection at the browser level to keep users safe from hacking attempts.

This new feature is called Trusted Types and is a browser API that Google has been working on for the past few months.

The company’s engineers plan to test Trusted Types throughout 2018, between Chrome 73 and Chrome 76, before rolling out and enabling it as a permanent security feature for all Chrome users later in the year, if all goes as planned.

This new security feature was developed with the intent to protect users against one of the three types of cross-site scripting flaws, namely DOM-based (or type-0) XSS.

The other two XSS types are “reflected” and “stored.” A detailed breakdown of all three XSS types is available here, for readers looking to learn more on XSS.

Basically, DOM-based XSS is a security vulnerability that resides in the source code of a website. Hackers leverage so-called injection points to insert code in the browser’s DOM (the page’s source code) that executes unwanted malicious operations, like stealing cookies, manipulating page content, redirecting users, etc.

Trusted Types will block such attacks by allowing website owners to lock down known “injection points” in a website’s code that are often the root cause of DOM-based XSS.

Website owners can enable Chrome’s upcoming Trusted Types protection by setting a certain value in the Content Security Policy (CSP) HTTP response header.

Once enabled, access to DOM injection points will be restricted by Chrome’s built-in Trusted Types API, blocking any attacks before the XSS exploit code can leverage the DOM (page’s source code) to attack users.
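To make the mechanism concrete, here is an added example (not code from the article or from Google) of a CSP value that turns enforcement on, a check that a given header actually does so, and a single policy guarding an `innerHTML` injection point. It assumes the directive names of the current Trusted Types specification, which may differ from the early Chrome versions described here; the policy name `app-escape` and the helper names are hypothetical.

```javascript
// Added example. Header value uses the directive names from the current
// Trusted Types specification; "app-escape" is a made-up policy name.
const CSP_HEADER = "require-trusted-types-for 'script'; trusted-types app-escape";

// Defender's check: does a CSP header value enforce Trusted Types, and
// which policy names does it allow?
function trustedTypesStatus(csp) {
  const directives = {};
  for (const part of csp.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  const enforced = (directives["require-trusted-types-for"] || []).includes("'script'");
  return { enforced, policies: directives["trusted-types"] || [] };
}

// Escape the characters that let a string turn from text into markup.
function escapeHTML(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Create the one policy the header allows. `tt` is window.trustedTypes in a
// supporting browser; elsewhere (e.g. Node) a plain object with the same
// createHTML shape is returned so the logic can still be exercised.
function makePolicy(tt) {
  const rules = { createHTML: escapeHTML };
  if (tt && typeof tt.createPolicy === "function") {
    return tt.createPolicy("app-escape", rules);
  }
  return rules;
}

const policy = makePolicy(globalThis.trustedTypes);

// The only function in the code base that writes to the innerHTML sink.
// Under enforcement, assigning a plain string here would throw a TypeError;
// the value returned by policy.createHTML() is accepted.
function renderComment(el, untrusted) {
  el.innerHTML = policy.createHTML(untrusted);
  return el;
}
```

Because every write to the sink goes through one named policy, a security review can focus on the policy's `createHTML` function instead of every `innerHTML` assignment in the code base.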

A tutorial on how website owners can enable Trusted Types via CSP headers, and how users can configure Chrome to use early versions of the Trusted Types API is available on the Google Developers blog.

In the same tutorial, Krzysztof Kotowicz, a Software Engineer in the Information Security Engineering team at Google, was so confident of the Trusted Types API’s success that he claimed this new feature would “help obliterate DOM XSS.”

More info on the Trusted Types API is available in the Web Platform Incubator Community Group (WICG) official specification.

Trusted Types will be Chrome’s second XSS protection feature after XSS Auditor, which Google shipped with Chrome 4 way back in 2010.

According to an Imperva report published last month, XSS vulnerabilities were the most prevalent form of web-based attacks in 2014, 2015, 2016, and 2017. It was the second most common form of web-based attacks last year, only missing out on the top position because of an uncommon spike in SQL injection attacks.

XSS vulnerabilities are often downplayed by companies and security experts because they don’t always lead to direct damage to users accessing a site. However, they are often the first stepping stone in complex exploit routines, facilitating more damaging hacks. Eliminating XSS attacks would in many cases keep users safe from more complex attacks that wouldn’t be possible without an initial foothold provided by XSS.

For example, this week, Bootstrap, a UI framework used by somewhere between 15 and 20 percent of all internet sites, was impacted by a DOM-based XSS. That’s a huge attack surface for any attacker today.
