Open Bug 332016 Opened 18 years ago Updated 2 years ago

XSS prevention based on data tainting

Categories

(Firefox :: Security, enhancement)

x86
All
enhancement

People

(Reporter: vogge, Unassigned)

Details

(Whiteboard: patch)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20060325 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20060325 Firefox/0.10.1

For my master thesis I developed an anti-XSS solution that is implemented in Mozilla Firefox.
The solution works by tainting sensitive information (e.g., the cookie) and tracking it through processing. It is integrated into the JS engine and a few parts of the web browser.

Further information (including patch against 1.0pre): NoMoXSS (no more XSS) http://www.seclab.tuwien.ac.at/projects/jstaint/


Reproducible: Didn't try
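The tainting scheme the report describes, as an added toy model (my own illustration, not the NoMoXSS patch or the engine code it modifies; `Tainted`, `readCookie`, `checkTransfer` and the host names are made up): sensitive data is marked at its source, the mark follows it through string operations, and a transfer to another host is checked at the sink.

```javascript
// Toy model of dynamic data tainting for cookie data (added example;
// hypothetical names, not the NoMoXSS patch or the Firefox JS engine).
class Tainted {
  constructor(value, tainted) {
    this.value = String(value);
    this.tainted = Boolean(tainted);
  }
  static from(x) {
    return x instanceof Tainted ? x : new Tainted(x, false);
  }
  // Propagation rule: a result derived from any tainted operand is tainted.
  concat(other) {
    const o = Tainted.from(other);
    return new Tainted(this.value + o.value, this.tainted || o.tainted);
  }
  slice(start, end) {
    return new Tainted(this.value.slice(start, end), this.tainted);
  }
}

// Taint source: the browser marks document.cookie as sensitive on read.
function readCookie(cookieString) {
  return new Tainted(cookieString, true);
}

// Taint sink: a data transfer (image src, location change, XHR, form post).
// Untainted data, or tainted data that stays on the page's own host, passes;
// tainted data bound for another host is the event the scheme flags.
function checkTransfer(pageOrigin, target) {
  const t = Tainted.from(target);
  if (!t.tainted) return 'allow';
  const sameHost = new URL(t.value).host === new URL(pageOrigin).host;
  return sameHost ? 'allow' : 'block';
}

// Constructed scenario: a page on shop.example reads its session cookie and
// script on that page builds request URLs from it.
function demo() {
  const page = 'https://shop.example';
  const cookie = readCookie('sessionid=abc123'); // constructed value
  const foreign = Tainted.from('https://third-party.example/log?c=').concat(cookie);
  const local = Tainted.from('https://shop.example/track?c=').concat(cookie);
  const plain = Tainted.from('https://third-party.example/pixel.gif');
  const part = Tainted.from('https://third-party.example/?s=').concat(cookie.slice(10));
  return {
    foreign: checkTransfer(page, foreign), // 'block'
    local: checkTransfer(page, local),     // 'allow'
    plain: checkTransfer(page, plain),     // 'allow'
    part: checkTransfer(page, part),       // 'block' (a substring keeps the taint)
  };
}
```

The same sink check also blocks a legitimate cross-domain transfer of tainted data, which is the false-positive class discussed further down in this bug.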
A few more details and an example of an existing xss vulnerability that this solves would probably help here.
Component: Safe Browsing → Security
QA Contact: safe.browsing → firefox
(In reply to comment #2)
> A few more details

The paper (http://www.seclab.tuwien.ac.at/people/vogge/docs/xss_prevention.pdf) gives details about the theoretical aspects of the solution (1. Introduction, 3. Dynamic Data Tainting, 4. Data Transmission, 5. Implementation), and the master thesis (http://www.seclab.tuwien.ac.at/people/vogge/docs/da_xss_prevention.pdf) has implementation details (Chapter 4 Implementation).

> and an example of an existing xss vulnerability that this
> solves would probably help here.

See Chapter 5 Evaluation of the master thesis. Or for a short version Section 5 Evaluation in the paper.
Blocks: xss
Summary: Integrated XSS prevention solution → XSS prevention based on data tainting
Status: UNCONFIRMED → NEW
Ever confirmed: true
It would be nice to have this patch against the current trunk.

If I'm understanding this correctly, this patch would actually need to go against core because the affected code is shared with seamonkey.

Also, I question what effect this will have on some legitimate, but shortsighted behaviors between sites on different domains.
Whiteboard: patch
Stephanie,

Indeed, we are thinking about porting our system to the current trunk. Hearing people say that they would be interested in having this protection in place would obviously speed up the process :-).

With regards to false positives (i.e., effects on some legitimate, but shortsighted behaviors between sites on different domains): this does happen, but according to our experiments (for which we crawled more than a million web pages), it does not seem to be that big of a problem. For more details, you are more than welcome to check out our NDSS '07 publication (http://www.auto.tuwien.ac.at/~chris/research/doc/ndss07_xssprevent.pdf), which contains more details on the experiments and the system itself.

Severity: normal → S3