Changes


Outreachy

2,890 bytes removed, 22:52, 16 November 2016
User Impact of XSS Filters within Web Browsers: removed project
To learn more about Firefox Accounts project check out: [https://fxa.readthedocs.io/en/latest/ fxa.readthedocs.io/en/latest/]
 
==== User Impact of XSS Filters within Web Browsers ====
* Mentors: [https://mozillians.org/en-US/u/freddyb/ Frederik Braun] & [https://mozillians.org/en-US/u/ckerschbaumer/ Christoph Kerschbaumer]
 
Cross Site Scripting (XSS) consistently ranks highest in the list of the most prevalent software vulnerabilities.
Using XSS, hackers can gain access to confidential user data and conduct transactions on behalf of the user.
Many browsers provide a built-in XSS filter to protect the majority of users from XSS issues. Such heuristic based filters also trigger false positives. This may downgrade a user's experience on a benign site. Even worse, such filters might even introduce new vulnerabilities.
 
 
To the end of the project we expect you to
 
* compare existing XSS filters in modern browsers ''(new goal!)''
* measure user impact based on false positive rate
* measure performance
* co-produce a white paper with the mentors that summarizes the outcome of this project.
* (Pro Tip: This might qualify as a term paper or even grow into a thesis for your studies).
* <del>implement an XSS filter within Firefox</del> ''(removed goal)''
 
How you can prepare for the program:
 
* Familiarize yourself with the problem by reading literature on XSS-Filters:
** Introduction of the Chrome/Webkit filter called XSS Auditor in "Regular expressions considered harmful in client-side XSS filters"
** Security vulnerabilities introduced though XSS filters in IE8: https://blog.c22.cc/2010/04/15/blackhat-europe-universal-xss-via-ie8s-xss-filters-2/
** Bypassing XSS filters: (http://www.thespanner.co.uk/2015/02/10/xss-auditor-bypass/, http://brutelogic.com.br/blog/chrome-xss-bypass/)
* Familiarize yourself with the state of the art of implementing an XSS filter
** Browse the source code of NoScript, XSSAuditor in WebKit, or also the source of Internet Explorer (which can be inspected by looking into mshtml.dll)
** Compare approaches of these filters to answer questions like: where do their approaches overlap, which differences exist in their threat models, etc.
* Prepare yourself for implementing a filter within Firefox
** Outline the advantages and disadvantages of existing approaches Sketch out details for the actual implementation
 
 
We would be thrilled if you have a
 
* a deep understanding of Web Security and XSS
* a fundamental understanding of browser architecture
* solid experience in developing C/C++ applications
* the ability to work with a geographically distributed development team
* experience in learning, building and being effective with a large code base
 
 
We at Mozilla Security Engineering give you the opportunity to improve Firefox. We are an equal opportunity employer and value diversity. We do not discriminate on the basis of race, religion, color, national origin, gender, sexual orientation, age, marital status, veteran status, or disability status.
==== taskcluster-cli go implementation [No longer taking applicants] ====
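Review bot: the edit summary "removed project" does not say why the "User Impact of XSS Filters within Web Browsers" entry was dropped, and the whole section is deleted, while the next heading, "taskcluster-cli go implementation [No longer taking applicants]", keeps a closed project visible with a status tag. Consider either giving this entry the same status tag instead of deleting it, or stating the reason in the summary, so applicants who have already started on the reading list can tell what happened to the project.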