Mozilla unveils cure for Web 2.0 world run amok

Putting XSS worms on notice


The Mozilla Foundation has unveiled an early version of its Firefox browser that it says could virtually eliminate one of the most common attack forms now menacing the web.

It implements an inchoate technology the foundation calls CSP, short for the Content Security Policy specification. It allows web developers to embed a series of HTML headers into their sites that by default block some of the most abused features from being offered. Newer versions of Firefox, and other browsers if they adopt the standard, would then enforce those policies across the site's entire domain.

The primary aim of CSP is to immunize websites against attacks based on XSS, or cross-site scripting. Such exploits frequently target JavaScript, Adobe Flash and other user-supplied content, which lets attackers inject malicious content and code into trusted websites. With CSP, administrators instead whitelist only the types and sources of content they need to make their sites work as designed.
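As an added illustration (not code from the article or from Mozilla), the following small Python evaluator models the whitelisting behaviour described above: a policy string is parsed into directives, and each requested load is checked against the permitted sources, so an injected inline script is rejected unless the site explicitly opts in. It assumes a simplified subset of CSP (no nonces, hashes, ports or paths) and that the policy arrives as the HTTP response header the browser enforces; the hostnames used are constructed.

```python
# Minimal model of how a browser enforces a CSP header. Simplified subset only:
# 'self', 'none', 'unsafe-inline', scheme://host sources and *.host wildcards;
# no nonces, hashes, ports or paths. Illustrative, not Firefox's implementation.
from urllib.parse import urlsplit


def parse_csp(header: str) -> dict:
    """Split "dir1 src src; dir2 src" into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}"


def _source_allows(src: str, url, page_origin: str) -> bool:
    """Does one source expression permit this load? url=None means inline content."""
    if src == "'none'":
        return False
    if url is None:                       # inline script/style needs an explicit opt-in
        return src == "'unsafe-inline'"
    host = urlsplit(url).hostname or ""
    if src == "'self'":
        return _origin(url) == page_origin
    if src.startswith("*."):              # wildcard: subdomains only, any scheme
        return host.endswith(src[1:])
    return "://" in src and _origin(url) == src.rstrip("/")


def is_allowed(policy: dict, directive: str, page_origin: str, url=None) -> bool:
    """Enforce one fetch directive. A missing directive falls back to default-src;
    if neither is present the load is allowed, as with no CSP at all."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(_source_allows(s, url, page_origin) for s in sources)
```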

"A lot of the big sites who are dealing with user content and who are seeing some of these problems with cross-site scripting, we've heard excitement from them," said Johnathan Nightingale, whose official title at Mozilla is human shield. "It's hard to filter out all the potentially bad things that a malicious user can include."

The CSP preview builds are designed to give web developers a sneak peek at the specification and chime in with suggestions for making it better. Mozilla hopes it will become an open standard and is already shepherding it through the World Wide Web Consortium.

Over the past few years, XSS attacks have emerged as one of the most common ways to exploit web surfers and Web 2.0 sites alike. A recent rash of Twitter worms relied on XSS vulnerabilities in the microblogging site. Such self-replicating attacks date back to at least 2005, when the so-called Samy Worm knocked MySpace out of commission by adding more than 1 million users to the creator's friends list.

CSP can do more than stamp out XSS. By erecting a wall in front of a company's intranet and other protected resources, CSP could insulate organizations from so-called DNS rebinding attacks. Those techniques use HTML sleight of hand to trick web browsers behind an organization's firewall into attacking routers and other vital targets.

Of course, all of this is still no more than a gleam in the eyes of Mozilla developers. For it to catch on, large websites will have to invest heavily in it, and given Mozilla's still-modest market share, that will almost certainly require other browser suppliers (read: Microsoft) to get on board.

That's an awful lot of ifs. Still, CSP is worth watching - and if you're a web developer, even playing around with. If it works as intended, it could prove to be one of the more promising solutions for a Web 2.0 world that's built first and is only later, if ever, patched. ®

Biting the hand that feeds IT © 1998–2022