New Tech to Quash Drive by Downloads, XSS Attacks

Dennis Faas's picture

Makers of the popular Firefox web browser, Mozilla, are working on new technology that it hopes will remove the threat of Cross-Site Scripting (XSS) attacks that have compromised legitimate websites for years by injecting pages with malicious code.

XSS vulnerabilities allow hackers to unsuspectingly inject malicious code into pages that persuade users to click on links launching drive-by downloads.

Content Security Policy (CSP) to Stop XSS Attacks

Drive-by downloads are made possible because content received from a web server's response is treated the same, regardless of whether it's legitimate or malicious, by the browser that is requesting it. (Source: itpro.co.uk)

Mozilla's new technology, named 'Content Security Policy' (CSP) was developed with the intent of stopping XSS attacks by telling the browser which content is legitimate so the browser can disregard the malicious code.

Complex Sites Can Use CSP

According to Mozilla's Security blog, Content Security Policy requires that all JavaScript for a page be loaded from an external file and served from an explicitly approved host site. In techie terms: all inline script called from a script tag pointing to a white-listed host will be treated as valid.

CSP will also allow several other common-sense security restrictions to be enforced. (Source: mozilla.com)

Brandon Sterne, security program manager for Mozilla, wrote that Content Security Policy could be implemented in phases and that complex sites could be modified to support it.

Webmasters Notified if Vulnerabilities Found

CSP can also be configured to notify the protected site when an XSS attack is blocked so webmasters can identify and plug vulnerabilities more quickly, making it extremely difficult to mount a successful XSS attack against a CSP-enabled website.

CSP is the result of collaboration between many individuals, websites, browser vendors and web application security experts. Mozilla has already begun implementing CSP specification because of the level of stability in its design. (Source: mozilla.com)

Visit Bill's Links and More for more great tips, just like this one!

Rate this article: 
No votes yet