July 19th, 2007

Firefox raises barrier to cross-site scripting attacks

Posted by Ryan Naraine @ 10:53 am

Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.

The change, which was not officially announced, implements httpOnly cookies in Firefox 2.0.0.5, the most recent refresh of the open-source browser.

Web application security experts are welcoming the move, which had been in the works for a few years.

Robert ‘RSnake’ Hansen, however, is noting that the new browser remains vulnerable to credential leakage via XMLHTTPRequest.

I saw a few different people mention over the last few days that httpOnly has been added to Firefox 2.0.0.5. Very exciting stuff - as this has long been missing for over two years. There are some major pros and cons when using httpOnly on cookies. The pros are that httpOnly cookies aren’t visible in JavaScript space using document.cookie and that makes XSS much more difficult when using it in context of credential theft. The cons are that it doesn’t work in all browsers and in some browsers, like WebTV and IE5.5 on Mac it can actually cause the page to fail to load. Granted the user base on those browsers is pretty minimal but that may be a show stopper for some people.

The only problem I see with using this as protection against credential theft is that the cookies are still visible using XMLHTTPRequest. If you look at [this example], it looks secure because the cookie is not visible. But if you look at this example you can see that using XMLHTTPRequest you can still get access to the cookie by looking at the headers. This has been one of those long standing problems with httpOnly, but it does raise the barrier by shutting down the most obvious way of getting at the cookies, using document.cookie.
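The gap described in the quote above can be modelled in a few lines. This is an added example, not code from the post or from the linked demo pages: the function names and the sample headers are constructed, and `filterSetCookie = true` models a browser that withholds Set-Cookie headers from script, which the XMLHttpRequest specification later required.

```javascript
// Model of which cookie values page script can reach, given a response's
// headers. All names and sample values here are constructed for illustration.

// Parse one Set-Cookie line into { name, value, httpOnly }.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are case-insensitive: "HttpOnly", "httponly", ...
    httpOnly: attrs.some(a => a.toLowerCase() === 'httponly'),
  };
}

// What document.cookie returns in a browser that honours HttpOnly.
function documentCookieView(setCookieLines) {
  return setCookieLines.map(parseSetCookie)
    .filter(c => !c.httpOnly)
    .map(c => `${c.name}=${c.value}`)
    .join('; ');
}

// What a script-visible XMLHttpRequest header dump contains.
// filterSetCookie=false: the behaviour described in the post.
// filterSetCookie=true: Set-Cookie/Set-Cookie2 are withheld from script.
function xhrHeaderView(headers, filterSetCookie) {
  const hidden = ['set-cookie', 'set-cookie2'];
  return headers
    .filter(([name]) => !(filterSetCookie && hidden.includes(name.toLowerCase())))
    .map(([name, value]) => `${name}: ${value}`)
    .join('\r\n');
}

// Names of cookies whose values script could read through either channel.
function exposedToScript(headers, filterSetCookie) {
  const lines = headers.filter(([n]) => n.toLowerCase() === 'set-cookie').map(([, v]) => v);
  const visible = documentCookieView(lines) + '\r\n' + xhrHeaderView(headers, filterSetCookie);
  return lines.map(parseSetCookie)
    .filter(c => visible.includes(`${c.name}=${c.value}`))
    .map(c => c.name);
}

const SAMPLE_HEADERS = [ // constructed response headers
  ['Content-Type', 'text/html'],
  ['Set-Cookie', 'SESSIONID=constructed-value-123; Path=/; HttpOnly'],
  ['Set-Cookie', 'theme=dark; Path=/'],
];
console.log(exposedToScript(SAMPLE_HEADERS, false));
console.log(exposedToScript(SAMPLE_HEADERS, true));
```

With the header filter off, the HttpOnly session cookie is still reachable through the header channel; with it on, only the cookie that lacks the flag remains visible to script.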

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



  • Talkback
  • Most Recent of 11 Talkback(s)
Update makes Firefox crash often
Firefox updated itself to version 2.0.0.5 and it has crashed several times (at least 4 times in the last 24 hours). I hope they can patch this soon.

My config:

- XP Pro SP2
- Firefox 2.0.0.5...
Posted by: markbn Posted on: 07/21/07
httponly doesn't prevent XSS  jwiens | 07/19/07
so close ... and yet so far  ttocsmij | 07/20/07
httpOnly is in IE6 since years!  qmlscycrajg | 07/20/07
IE6 has httpOnly since years!  qmlscycrajg | 07/20/07
IE6 has httpOnly protection since years!  qmlscycrajg | 07/20/07
Yeah... we heard you the FIRST time.  James T. Kirk | 07/20/07
Maybe...  Dr. John | 07/20/07
no worries  ttocsmij | 07/20/07
Add no-script to Firefox  clareJ | 07/20/07
The example shows nothing in IE7 and Firefox  Golem_Ro | 07/20/07
Update makes Firefox crash often  markbn | 07/21/07
