Avast WEBforum

Other => General Topics => Topic started by: polonus on June 23, 2009, 07:21:56 PM

Title: Mozilla hardens protection against XSS!
Post by: polonus on June 23, 2009, 07:21:56 PM
Hi malware fighters,

Cross-site scripting (XSS) has for years been the number one hole in websites, reason enough for the Mozilla Foundation to develop a technology to fight this problem. In recent months the open-source developer has been working on Content Security Policy (CSP), which lets sites tell a browser what content is legit and what content is not. The browser can then ignore all content that is non-trusted or non-supported by that site. The owner of a website can set through CSP from which domains scripts are allowed to run. The browser in its turn will only run those scripts that come from trusted websites, for which a white-list is kept.

To determine whether content is legit content or injected, adopted or obfuscated content, CSP demands that all JavaScript for a certain website is loaded from an external file from an appointed trusted host. This is going to mean that all inline script, JavaScript and event-handling HTML attributes will be ignored. The browser will only execute scripts that have been inserted via a script tag and point to a white-listed host. "We realize that this model is completely different from the present free model for the web", according to Brandon Sterne, Mozilla's Security Program Manager. The developer wishes to roll out CSP in phases so it can be implemented fully later this year. Polonus already has the CSP extension running in his Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090623 Shiretoko/3.5pre ID:20090623044415 source: http://people.mozilla.org/~bsterne/content-security-policy/content-security-policy.xpi


More difficult
According to Sterne XSS-holes are really valuable for attackers and malcoders and these exploits are shared over the Internet as soon as they are found. "Website-owners and web-admins now can relax a bit more as they know the users are being protected, even if an XSS-bug may slip through." CSP can be configured in such a way that it informs the owners of websites if an attack is taking place. Further, even users of older browsers will benefit. "The final outcome will be that it will be extremely difficult to run an XSS attack on a website that has implemented CSP. All known infection vectors for injecting malscripts will not function any longer and making a successful attack will be a great deal more difficult to perform."
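
As an added illustration of the white-list model described in this post (example code, not from the post, from Mozilla, or from the Firefox add-on linked above): a simplified JavaScript model of how a browser applies a CSP script whitelist to inline scripts and external script tags, and when it would notify the site owner. It assumes the modern `script-src ...; report-uri ...` header syntax rather than the 2009 prototype's, and the hypothetical policy and page URL are constructed sample values.

```javascript
// Added example (not Mozilla's code): a simplified model of how a CSP script-src
// whitelist decides which scripts run; assumes the modern "script-src ...; report-uri ..."
// syntax. Uses the WHATWG URL class, which is global in Node and in browsers.

// Parse "directive sources; directive sources" into {directive: [sources]}.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// True if scriptUrl (a URL object) matches one whitelist entry.
// Supports 'self', scheme://host, bare host and *.host; ports are ignored.
function hostMatches(scriptUrl, pageOrigin, source) {
  if (source === "'self'") return scriptUrl.origin === pageOrigin;
  let scheme = null, host = source;
  const i = source.indexOf("://");
  if (i !== -1) { scheme = source.slice(0, i) + ":"; host = source.slice(i + 3); }
  host = host.split("/")[0].split(":")[0].toLowerCase();
  if (scheme && scheme !== scriptUrl.protocol) return false;
  if (host.startsWith("*.")) return scriptUrl.hostname.endsWith(host.slice(1));
  return scriptUrl.hostname === host;
}

// Decide whether one script executes under the policy. `script` is either
// {inline: true} (a <script> body or an on* attribute) or {inline: false, src}.
// Returns {allowed, report}: `report` is the report-uri to notify, or null.
function evaluateScript(policyHeader, pageUrl, script) {
  const policy = parsePolicy(policyHeader);
  const sources = policy["script-src"] || policy["default-src"] || [];
  const report = (policy["report-uri"] || [null])[0];
  const pageOrigin = new URL(pageUrl).origin;
  let allowed;
  if (script.inline) {
    // Inline script is ignored unless the site explicitly opts in.
    allowed = sources.includes("'unsafe-inline'");
  } else {
    const url = new URL(script.src, pageUrl);
    allowed = sources.some((s) => hostMatches(url, pageOrigin, s));
  }
  return { allowed, report: allowed ? null : report };
}

// Constructed sample: the page trusts only its own host and one CDN.
const SAMPLE_POLICY = "script-src 'self' https://cdn.example.com; report-uri /csp-report";
const SAMPLE_PAGE = "https://shop.example.com/product?id=1";
```

With the sample policy, an inline script and a script from any host other than shop.example.com or cdn.example.com is blocked and a report is sent to /csp-report, while the page's own scripts and the CDN's scripts run.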

Title: Re: Mozilla hardens protection against XSS!
Post by: polonus on June 26, 2009, 01:52:09 PM
Hi malware fighters,

And then some who read the above posting may ask what happened with the CAPS policy. For CAPS to be performed in a decent manner, the user must be script savvy and know how to handle the subtleties of the browser configuration (as bob3160 remarked in a reply to something I published about configuration tweaking in Fx or Flock), again very tweakable and fine-tunable to your every security need, but not the kettle of fish for the average user, as bob3160 declared. It is the same as with the malware expert that knows how to SafeHex his or her Operational System and then "could" do without a resident AV solution (and occasionally runs a non-resident scan if he/she/it feels the need for it) - this for the happy few, because the average user will still need full resident AV and a FW and additional anti-spyware, so a multi-layered protection. The user that knows how to make his browser secure and knows how to secure his OS (drop your admin rights fully, fully secure browsers etc.) is in a completely different position than the average user that does not even know how to perform this and why he/she/it should do it. If everybody would apply SafeHex, use CAPS, NS and RP etc., not 50% of the American users, for example, would be behind a computer they virtually do not own and that is part of a botherding botnet dominion to serve the needs of cybercrime or adclick & Co, and that is the situation we have not only in the States but world-wide. Yes, I say to the security aware, well, that is the situation we have. Try to change it, but whether you will get results still has to be seen. And there I agree with the others that say that to change the security situation you have to start with yourself and learn to do that, and in order to get instructions how to do so we come here to exchange these ideas. Thanks to avast for giving us the possibilities to come to such a very educational security site. I already learned a lot; also thanks to all the others that post here and keep us on track,

with virtual regards,

polonus (malware fighter)