Mozilla working to defend web against XSS attacks

Firefox's makers have been working on new tech to possibly shut down the threat of legitimate websites corrupted by malicious code.

Mozilla is working on a new technology that it hopes will remove the threat of Cross-Site Scripting (XSS) attacks, which have plagued websites for several years.

XSS vulnerabilities allow malicious code to be injected into legitimate websites; users who are persuaded to click on the affected page are then exposed to an attack such as a drive-by download.


This is possible because, currently, the browser that requests a page treats all the content in the web server's response the same, whether it is legitimate or malicious.

However, with Mozilla's new technology, snappily named Content Security Policy (CSP), the makers of Firefox aim to stop XSS by letting a website tell the browser which content is legitimate. The browser can then disregard the malicious code.

Brandon Sterne, security programme manager for Mozilla, said on the Mozilla security blog that the new model it was suggesting would be very different to the current unrestricted model for the web.

But Sterne said that CSP could be implemented in phases, that complex sites could be modified to support it, and that it could drive a stake through the heart of XSS.

"XSS vulnerabilities have real value to attackers and are shared rapidly across the web once discovered. Sites can breathe a little easier knowing their users are protected, even if an XSS bug slips through," he said.


"Because CSP can be configured to notify the protected site when an attack is blocked, CSP will even benefit users of older browsers, by helping sites and plug vulnerabilities quickly."
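The two pieces of the mechanism described above, an allowlist the browser enforces and a report back to the site when something is blocked, as an added illustration that is not part of the article or of Mozilla's code: a small Python model of how a browser evaluates a script-src policy and what it would report. The header syntax is the one later standardised for CSP, and the example.com hosts and the /csp-report path are assumptions.

```python
from urllib.parse import urlsplit

# Constructed policy in the CSP header syntax later standardised by the W3C (the article
# names none): scripts only from the page's own origin and one CDN; blocked loads reported.
POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; report-uri /csp-report"

def parse_policy(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def host_matches(pattern, host):
    """Match a host against a CSP host expression, allowing a leading '*.' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def script_allowed(policy, page_url, script_url):
    """True if the page at page_url may run a script from script_url. script_url=None is
    an inline <script>, blocked unless 'unsafe-inline' is listed (the usual XSS vector)."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        return "'unsafe-inline'" in sources
    src, page = urlsplit(script_url), urlsplit(page_url)
    for expr in sources:
        if expr == "*":
            return True
        if expr == "'self'":
            if (src.scheme, src.netloc) == (page.scheme, page.netloc):
                return True
        elif not expr.startswith("'"):  # a host source such as https://cdn.example.com
            allowed = urlsplit(expr if "://" in expr else "https://" + expr)
            if src.scheme == allowed.scheme and host_matches(allowed.hostname, src.hostname):
                return True
    return False

def violation_report(header, page_url, script_url):
    """Return (report endpoint, report body) the browser would POST when it blocks a
    script, or None if the script is allowed: the notification Sterne refers to."""
    policy = parse_policy(header)
    if script_allowed(policy, page_url, script_url):
        return None
    report = {"document-uri": page_url, "violated-directive": "script-src",
              "blocked-uri": script_url or "inline", "original-policy": header}
    return policy.get("report-uri", [None])[0], report
```

The report is what lets a site with CSP deployed learn about an injection attempt even from a visitor whose browser does not enforce the policy, once the site's operators act on it.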

Sterne said that CSP was a collaboration of many individuals and had input from different websites, browser vendors and web application security experts.

Mozilla has already begun implementation of the CSP specification.

As recently as May, Google had to fix an XSS vulnerability that could have left its services open to attack.
