Mozilla working to defend web against XSS attacks
Firefox's makers have been working on new tech to possibly shut down the threat of legitimate websites corrupted by malicious code.
XSS vulnerabilities allow malicious code to be injected into legitimate websites, which users are persuaded to click on leading to an attack such as a drive-by download.
This is made possible because currently all the content received from a web server's response is treated the same legitimate or malicious by the browser that requests it.
However, with Mozilla's new technology snappily named Content Security Policy' (CSP), the makers of Firefox aim to stop XSS by telling the browser which content is legitimate. The browser can then disregard the malicious code.
Brandon Sterne, security programme manager for Mozilla, said on the Mozilla security blog that the new model it was suggesting would be very different to the current unrestricted model for the web.
But Sterne said that CSP could be implemented in phases, that complex sites could be modified to support it, and that it could drive a stake through the heart of XSS.
"XSS vulnerabilities have real value to attackers and are shared rapidly across the web once discovered. Sites can breathe a little easier knowing their users are protected, even if a XSS bug slips through," he said.
"Because CSP can be configured to notify the protected site when an attack is blocked, CSP will even benefit users of older browsers, by helping sites and plug vulnerabilities quickly."
Sterne said that CSP was a collaboration of many individuals and had input from different websites, browser vendors and web application security experts.
Mozilla has already begun implementation of the CSP specification.
As recently as May, Google had to fix an XSS vulnerability that could have left its services open to attack.
The case for a marketing content hub
Transform your digital marketing to deliver customer expectationsDownload now
Fast, flexible and compliant e-signatures for global businesses
Be at the forefront of digital transformation with electronic signaturesDownload now
Why CEOS should care about the move to SAP S/4HANA
And how they can accelerate business valueDownload now
IT faces new security challenges in the wake of COVID-19
Beat the crisis by learning how to secure your networkDownload now