June 22nd, 2009
Mozilla tackles XSS vulnerabilities with new technology
Mozilla’s security engineers are working on new technology that promises to mitigate a large class of Web application vulnerabilities, especially the cross-site scripting (XSS) plague against modern Web browsers.
The project, called Content Security Policy, is designed to shut down XSS attacks by providing a mechanism for sites to explicitly tell the browser which content is legitimate. It can also help mitigate clickjacking and packet sniffing attacks.
[ SEE: Webcam hijack demo highlights clickjacking threat ]
Here’s how Content Security Policy can provide a way for server administrators to reduce or eliminate their XSS attack surface.
- Website administrators specify which domains the browser should treat as valid sources of script.
- The browser will only execute script in source files from the white-listed domains and will disregard everything else, including inline scripts and event-handling HTML attributes.
- Note: event-handling is still enabled in CSP without using HTML attributes.
- Sites that never want to have JavaScript included in their pages can choose to globally disallow script.
To combat clickjacking, which allows cicks on one Web page to actually apply to clicks on another page that’s invisible to the end user, Mozilla said Content Security Policy allows a site to specify which sites may embed a resource.
The open-source group said Content Security Policy will be fully backward compatible and will not affect sites or browsers which don’t support it.
For more information, see Mozilla’s FAQ and this blog post by security program manager Brandon Sterne.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
