This article first appeared on the Mozilla Security blog
I recently gave a talk at OWASP Global AppSec in Amsterdam and
summarized the presentation in a blog post about how to achieve
"critical"-rated code execution vulnerabilities in Firefox with
The end of that blog post encourages the reader to participate in the bug
bounty program, but did not come with proper instructions. This blog
post will describe the mitigations Firefox has in place to protect
against XSS bugs and how to test them. Our about: pages are privileged
pages that control the browser (e.g.,
contains Firefox settings). A successful XSS exploit has to bypass the
Content Security Policy (CSP), which we have recently
but also our built-in XSS sanitizer to gain arbitrary code execution. A
bypass of the sanitizer without a CSP bypass is in itself a
severe-enough security bug and warrants a bounty, subject to the
discretion of the Bounty Committee. See the bounty
for more information, including how to submit findings.
How the Sanitizer works
How and where to test
A browser is a complicated application which consists of millions of lines of code. If you want to find new security issues, you should test the latest development version. We often rewrite lots of code that isn't related to the issue you are testing but might still have a side effect on it. To make sure your bug is actually going to affect end users, test Firefox Nightly. Otherwise, the issues you find in Beta or Release might have already been fixed in Nightly.
Sanitizer runs in all privileged pages
Some of Firefox's internal pages have more privileges than regular web pages. For example, about:config allows the user to modify advanced browser settings and hence relies on those expanded privileges. Just open a new tab and navigate to about:config. Because it has access to privileged APIs, it cannot use innerHTML (and related functionality like outerHTML and so on) without going through the sanitizer.
Using Developer Tools to emulate a vulnerability
about:config, open the developer tools console (go to Tools in
the menu bar, select Web Developer, then Web Console
(Ctrl+Shift+K)). To emulate an XSS vulnerability, type this into the
document.body.innerHTML = '<img src=x onerror=alert(1)>'
Observe how Firefox sanitizes the HTML markup by looking at the error in
“Removed unsafe attribute. Element: img. Attribute: onerror.” You may
now go and try other variants of XSS against this sanitizer. Again, try
finding an mXSS bug, or identify an allowed combination of element
and attribute which still executes script.
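To make the console message above easier to read, here is a toy allow-list sanitizer written as an added example for this post. It is not Firefox's sanitizer and does not reproduce its policy: the element and attribute lists, the URL scheme check, and the "Removed unsafe element" message are assumptions of this example (only the "Removed unsafe attribute" wording is taken from the post). Firefox sanitizes the parsed DOM inside the browser; this version tokenizes a string so it can run in Node, which is enough to show why `<img src=x onerror=alert(1)>` loses its `onerror` attribute while an allowed `src` survives.

```javascript
// Toy allow-list sanitizer (added example, not Firefox code). It models the
// policy implied by the console message: a fixed list of elements, and for
// each element a fixed list of attributes. Anything else is removed and
// reported. Real sanitizers work on the parsed DOM; re-serializing tokenized
// strings as done here is exactly where mXSS bugs live, so treat this as an
// illustration of the policy, not as something to deploy.

// A Map rather than a plain object, so names such as "constructor" do not
// match inherited properties. Policy contents are hypothetical.
const ALLOWED = new Map([
  ["a", new Set(["href", "title"])],
  ["img", new Set(["src", "alt", "width", "height"])],
  ["p", new Set(["class"])],
  ["span", new Set(["class"])],
  ["b", new Set()],
  ["i", new Set()],
]);

// Attributes that carry a URL get an additional scheme check.
const URL_ATTRIBUTES = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http:", "https:"]);

const escapeHtml = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");

// A URL is acceptable when it is relative or uses a listed scheme. Whitespace
// and control characters are stripped before inspecting the scheme, because
// browsers tolerate them inside a URL and a scheme check must not be fooled.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*:)/.exec(cleaned);
  return m === null || SAFE_SCHEMES.has(m[1]);
}

// Parse the attribute text of one start tag into [name, value] pairs.
function parseAttributes(raw) {
  const re = /([^\s=\/"'>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const out = [];
  let m;
  while ((m = re.exec(raw)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? ""]);
  }
  return out;
}

// Returns { html, removed }: the cleaned markup and one message per removal.
function sanitize(html) {
  const removed = [];
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeHtml(html.slice(last, m.index)); // text before the tag
    last = tagRe.lastIndex;
    const closing = m[1] === "/";
    const name = m[2].toLowerCase();
    const allowedAttrs = ALLOWED.get(name);
    if (allowedAttrs === undefined) {
      // Unknown element: drop the tag itself, keep surrounding text as text.
      if (!closing) removed.push(`Removed unsafe element. Element: ${name}.`);
      continue;
    }
    if (closing) { out += `</${name}>`; continue; }
    let tag = `<${name}`;
    for (const [attr, value] of parseAttributes(m[3])) {
      const keep = allowedAttrs.has(attr) && (!URL_ATTRIBUTES.has(attr) || isSafeUrl(value));
      if (!keep) {
        removed.push(`Removed unsafe attribute. Element: ${name}. Attribute: ${attr}.`);
        continue;
      }
      tag += ` ${attr}="${escapeHtml(value)}"`;
    }
    out += tag + ">";
  }
  out += escapeHtml(html.slice(last));
  return { html: out, removed };
}

// Constructed sample input: the payload from the post.
console.log(sanitize("<img src=x onerror=alert(1)>"));
```

The useful observation is that the policy is an allow-list of element and attribute pairs, not a denylist of `on*` names: an attribute survives only when it is listed for that specific element, and URL-bearing attributes are checked a second time for their scheme. When you test the real sanitizer in the about:config console, the same two questions apply to every variant you try: is this element allowed at all, and is this attribute allowed on this element.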
Finding an actual XSS vulnerability
This blog post described the mitigations Firefox has in place to protect against XSS bugs. These bugs can lead to remote code execution outside of the sandbox. We encourage the wider community to double-check our work and look for omissions. This should be particularly interesting for people with a web security background who want to learn more about browser security. Finding severe security bugs is very rewarding, and we're looking forward to getting some feedback. If you find something, please consult the Bug Bounty pages on how to report it.