Technology 3 min read

Mozilla Firefox Strengthens Fight Against Injection Attacks

Piotr Swat / Shutterstock.com

Piotr Swat / Shutterstock.com

Injection attacks are among the oldest and most dangerous attacks over the Internet that target web applications. Using this method, hackers can gain access to valuable data or compromise a whole system.

Mozillas taking this issue as a top priority and has announced a new move to strengthen Firefox‘s security against these attacks.

“To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions,” the Mozilla Security Team explained in a blog post.

According to the team led by Christoph Kerschbaumer, an effective way of fighting injection attacks is to limit their attack surface. This can be possible if all potentially dangerous artifacts in the codebase will be removed, securing the code at different levels.

Hardening Firefox Against Injection Attacks

As mentioned, Kerschbaumer and his team hardened Firefox’s defense by removing occurrences of inline scripts and eval()-like functions. Here’s how it will make Firefox more secure.

Removing Inline Scripts

Since Firefox’s built-in pages, commonly referred to as about:pages, use HTML and JavaScripts for implementation, they are vulnerable to injection attacks. Meaning, If an attacker successfully injected malicious codes into an about:page, it will allow that person to execute the injected script code in the security context of the Firefox browser itself.

Such a scenario could give the attacker access to an unsuspecting user’s data, as well as perform actions on behalf of the victim. So, to prevent this from happening, the Mozilla Security Team rewrote all inline event handlers and transferred all the inline JavaScript codes packaged files for all 45 about: pages.

“This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead, JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol,” the team wrote.

With this technique, the team managed to limit the surface attack of malicious codes injected by hackers, giving Firefox a stronger line of defense.

Removing eval()-like Functions

Like ‘new Function’ and ‘setTimeout()/setInterval(),’ the eval()-like JavaScript is also considered a powerful tool. Using it enables developers to execute codes generated at runtime or those stored in non-script locations conveniently. However, this script offers a large attack surface for code injection.

So, to discourage the use of eval()-like Functions, Mozilla rewrote all use of “‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase.”

Aside from rewriting the script, the team also added assertions that disable the use ‘eval()’ and its relatives in system-privileged script contexts.

“Our introduced eval() assertions will continue to inform the Mozilla Security Team of yet unknown instances of eval() which we will closely audit and evaluate and restrict as we further harden the Firefox Security Landscape,” the team concluded.

Read More: New Firefox Blocks Google Analytics And Other Website Tracking Tools

First AI Web Content Optimization Platform Just for Writers

Found this article interesting?

Let Chelle Fuertes know how much you appreciate this article by clicking the heart icon and by sharing this article on social media.


Profile Image

Chelle Fuertes

Chelle is the Product Management Lead at INK. She's an experienced SEO professional as well as UX researcher and designer. She enjoys traveling and spending time anywhere near the sea with her family and friends.

Comments (0)
Most Recent most recent
You
share Scroll to top

Link Copied Successfully

Sign in

Sign in to access your personalized homepage, follow authors and topics you love, and clap for stories that matter to you.

Sign in with Google Sign in with Facebook

By using our site you agree to our privacy policy.