DocumentCode
3077687
Title
Protecting Web Browser Extensions from JavaScript Injection Attacks
Author
Barua, Aoyan ; Zulkernine, Mohammad ; Weldemariam, Komminist
Author_Institution
Sch. of Comput., Queen's Univ., Kingston, ON, Canada
fYear
2013
fDate
17-19 July 2013
Firstpage
188
Lastpage
197
Abstract
Vulnerable web browser extensions can be used by an attacker to steal users' credentials and lure users into leaking sensitive information to unauthorized parties. Current browser security models and existing JavaScript security solutions are inadequate for preventing JavaScript injection attacks that can exploit such vulnerable extensions. In this paper, we present a runtime protection mechanism based on a code randomization technique coupled with a static analysis technique to protect browser extensions from JavaScript injection attacks. The protection is enforced at runtime by distinguishing malicious code from the randomized extension code. We implemented our protection mechanism for the Mozilla Firefox browser and evaluated it on a set of vulnerable and non-vulnerable Firefox extensions. The evaluation results indicate that our approach can be a viable solution for preventing attacks on JavaScript-based browser extensions. In designing and implementing our approach, we were also able to reduce false positives and achieve maximum backward compatibility with existing extensions.
Keywords
Java; authorisation; online front-ends; program diagnostics; JavaScript injection attacks; JavaScript security solutions; Mozilla Firefox browser; Web browser extension protection; browser security models; code randomization technique; malicious code; nonvulnerable Firefox extensions; runtime protection mechanism; static analysis technique; unauthorized parties; user credentials; Abstracts; Browsers; Engines; Instruments; Runtime; Security; User interfaces; Browser Extension; JavaScript Injection Attack; Randomization; Static Analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Engineering of Complex Computer Systems (ICECCS), 2013 18th International Conference on
Conference_Location
Singapore
Print_ISBN
978-0-7695-5007-7
Type
conf
DOI
10.1109/ICECCS.2013.36
Filename
6601823