Injection attacks are among the oldest and most dangerous attacks on the Internet, and web applications are their usual target. Using this method, hackers can gain access to valuable data or compromise a whole system.
Mozilla is treating this issue as a top priority and has announced a new move to strengthen Firefox’s security against these attacks.
“To make Firefox resilient against such code injection attacks, we removed occurrences of inline scripts as well as removed eval()-like functions,” the Mozilla Security Team explained in a blog post.
According to the team led by Christoph Kerschbaumer, an effective way of fighting injection attacks is to limit their attack surface. This is possible only if all potentially dangerous artifacts are removed from the codebase, securing the code at several levels.
Hardening Firefox Against Injection Attacks
As mentioned, Kerschbaumer and his team hardened Firefox’s defenses by removing occurrences of inline scripts and eval()-like functions. Here’s how these changes make Firefox more secure.
Removing Inline Scripts
Since Firefox’s built-in pages, commonly referred to as about:pages, are implemented in HTML and JavaScript, they are vulnerable to injection attacks. If an attacker successfully injects malicious code into an about:page, the injected script executes in the security context of the Firefox browser itself.
Such a scenario could give the attacker access to an unsuspecting user’s data, as well as the ability to perform actions on behalf of the victim. To prevent this from happening, the Mozilla Security Team rewrote all inline event handlers and moved all inline JavaScript code into packaged files for all 45 about: pages.
“This allowed us to apply a strong Content Security Policy (CSP) such as ‘default-src chrome:’ which ensures that injected JavaScript code does not execute. Instead, JavaScript code only executes when loaded from a packaged resource using the internal chrome: protocol,” the team wrote.
With this technique, the team limited the attack surface available to injected malicious code, giving Firefox a stronger line of defense.
Removing eval()-like Functions
eval()-like JavaScript functions, such as ‘new Function’ and ‘setTimeout()/setInterval(),’ are powerful tools: they let developers conveniently execute code generated at runtime or stored in non-script locations. However, they also offer a large attack surface for code injection.
So, to discourage the use of eval()-like Functions, Mozilla rewrote all use of “‘eval()’-like functions from system privileged contexts and from the parent process in the Firefox codebase.”
Aside from rewriting the script, the team also added assertions that disable the use of ‘eval()’ and its relatives in system-privileged script contexts.
“Our introduced eval() assertions will continue to inform the Mozilla Security Team of yet unknown instances of eval() which we will closely audit and evaluate and restrict as we further harden the Firefox Security Landscape,” the team concluded.
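To make the effect of both changes concrete, here is an added example (not Mozilla’s code) in JavaScript: a small evaluator for the subset of Content Security Policy script rules the post relies on. It compares the hardened ‘default-src chrome:’ policy against a constructed weak policy; the script URLs and the weak policy are made-up sample values, and ‘self’, nonces and hashes are deliberately not modelled.

```javascript
// Added example, not from Mozilla's codebase. Evaluates the CSP rules that
// decide whether inline scripts, eval()-like functions and external scripts
// may run. Only the subset needed to illustrate the post is implemented:
// 'self', nonces, hashes and host-source matching are treated as non-matching.

function parseCsp(policy) {
  // "default-src chrome:; script-src 'self'" -> { "default-src": ["chrome:"], ... }
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// script-src governs scripts; default-src is the fallback when script-src is absent.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d['script-src'] || d['default-src'] || null;
}

// Inline scripts and inline event handlers run only with 'unsafe-inline'.
function allowsInlineScript(policy) {
  const src = scriptSources(policy);
  return src === null ? true : src.includes("'unsafe-inline'");
}

// eval(), new Function() and string-argument setTimeout()/setInterval()
// run only with 'unsafe-eval'.
function allowsEval(policy) {
  const src = scriptSources(policy);
  return src === null ? true : src.includes("'unsafe-eval'");
}

// A scheme-source such as "chrome:" permits any URL with that scheme.
function allowsScriptUrl(policy, url) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const scheme = url.slice(0, url.indexOf(':') + 1); // e.g. "chrome:"
  return src.includes(scheme) || src.includes('*');
}

const HARDENED = 'default-src chrome:';                            // from the post
const WEAK = "default-src 'self' 'unsafe-inline' 'unsafe-eval'";   // constructed
const PACKAGED = 'chrome://browser/content/aboutPage.js';          // sample URL
const REMOTE = 'https://third-party.example/x.js';                 // sample URL

for (const p of [HARDENED, WEAK]) {
  console.log(p, '| inline:', allowsInlineScript(p), '| eval:', allowsEval(p),
    '| packaged:', allowsScriptUrl(p, PACKAGED), '| remote:', allowsScriptUrl(p, REMOTE));
}
```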