by Tom T. » Fri Dec 09, 2011 10:46 am
Giorgio Maone wrote:The two attacks he outlined are CSRF using a GET request (which in an ideal world would be a non-issue, since GET requests are not supposed to change the status of web application, but unfortunately incompetence is the rule) ...
Ahh, thank you, Giorgio. I knew that NS (Advanced > XSS) "Turn cross-site POST requests into (supposedly "idempotent" -- IIRC, that word used to be there) data-less GET requests". But IIUC, you are saying that site coders are so ignorant nowadays that they have, *in essence*, eliminated the distinction between POST and GET. Sad, indeed...
In a future release, when the ABE bug is fixed as noted, would you be able to include a default System Rule that protects even novices from this class of attack, without any configuration? Or would that break many pages, cause false positives, etc., thus requiring user-defined rules? If the former, I respectfully suggest to add that to the TODO as an RFE.
If not, the ABE FAQ (http://noscript.net/faq#faqsec8) could perhaps provide a generic template for moderate-level users to copy/paste as needed for their own sites... just one more thought for the many on your list.
MacOtaku wrote:Alright then; I shan't belabour the point any longer. Thanks everyone for your time and efforts, especially Giorgio and Tom. I'll keep checking the release notes, and in the meantime, I'll read the documentation Tom suggested again, since it's probably changed in the last few years.
You're very welcome, and the documentation most certainly has changed over time. And will continue to do so, although getting on the latest development build channel (http://noscript.net/getit#devel) will provide info much faster, in almost real time, though very brief. Still, what you see may interest you to research the new feature, fix, etc.
MacOtaku wrote:Btw (O/T), on the spam filter false positive: I cleared Fx's recent history (cookies included) mid-writing, i.e., between logging in and submitting, because another site was exhibiting an annoying glitch. I didn't immediately remember that I'd done so before I clicked Preview, and so was initially a little surprised to be presented with a post form with a username box and a captcha. I clicked the new captcha button a couple of times, because I wasn't sure whether to include the punctuation in the first two. After I saw the "Oops" page, I realized what happened, and tried to post my message again after logging in, and when that failed, I edited my post (significantly, I thought, but perhaps it was still too similar) and tried again. I don't know whether this would be of any use, but I thought I should provide more details about what happened.
No need to shrink that, and any glitch in the forum software should be reported. Since you were posting anyway, it's hard to see including that as going O/T. If a third party interrupted your main topic to say, "I had this login issue", yes, they should instead start a new thread for that. But I'm glad you included it.
My guess is that the best thing to do after the repeated failures would be to clear *everything* - cache, cookies, history - or just close the browser and start all over again. I just tried very briefly to reproduce that, by composing (and saving in a text doc, lol), then clearing all, then going to another open tab at this forum and hitting Reload. Indeed, I was given the reCaptcha treatment. But *instead*, I logged in, and had no trouble coming back to this partially-composed message, previewing, completing, and submitting. However, I did not go through all of the steps and iterations that you did. So I suspect that one or both of the first two recommendations would have worked -- not that it will ever happen again.
MacOtaku wrote:One final note: Installing Fx on supportees' computers, setting it as their default browser, installing NoScript, and adding a few HTTPS-only and ABE rules to insulate certain highly-targeted sites, together, have saved me about as much Windows clean-up time as getting people to use non-admin accounts and teaching them about the importance of unique & distinct passwords. Your efforts go a long way. Thanks again.
Thank you for those kind words. It encourages us to continue to donate our time to help here. And while I always hesitate to bother Giorgio unless/until certain that his response is needed (as here, e.g.), I don't think he ever gets tired of receiving words of appreciation. I'll tap him on the shoulder (Web-ly speaking, of course) and I'm sure your real-world experiences with NoScript will brighten his day.
(and please tell your family, friends, co-workers, employees, supervisors, random strangers, enemies, etc. about NoScript.)