XSS examples not blocked by Noscript?

Topic review

Re: XSS examples not blocked by Noscript?

by Giorgio Maone » Thu Oct 27, 2011 10:38 pm

al_9x wrote:I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.

It's an optimization for the common case, since preference access (through XPCOM) is relatively expensive and these features are very unlikely to be turned off (hence it makes little sense to observe & cache yet another pref value).

Re: XSS examples not blocked by Noscript?

by al_9x » Thu Oct 27, 2011 10:30 pm

Giorgio Maone wrote:
al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2


This may not be very important, but I noticed in at least a couple of places (rapidFireCheck, checkInclusions) that you check the pref at the last minute having done all the preparatory work for the feature in question. In general, I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.

Re: XSS examples not blocked by Noscript?

by Giorgio Maone » Thu Oct 27, 2011 11:04 am

al_9x wrote:
  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs

Done/fixed in latest development build 2.1.8rc2

al_9x wrote:4. logs when script domain is not whitelisted

By design. You may want to know in advance if a site wants to engage in potentially hostile activities.

Re: XSS examples not blocked by Noscript?

by saywot » Tue Oct 25, 2011 4:46 pm

Giorgio Maone wrote:Please check latest development build 2.1.8rc1


Confirmed. After AMO caught up with the version ;-)

Re: XSS examples not blocked by Noscript?

by tlu » Sun Oct 23, 2011 11:07 am

Giorgio Maone wrote:Please check latest development build 2.1.8rc1


Thanks again! Those examples are indeed successfully blocked! (Somehow I was pretty sure that you would come up with a solution - you're really incredible :D )

Re: XSS examples not blocked by Noscript?

by al_9x » Sun Oct 23, 2011 5:26 am

Giorgio Maone wrote:Please check latest development build 2.1.8rc1


  1. this should have a toggle or context pref
  2. possibly exceptions
  3. it double logs
  4. logs when script domain is not whitelisted

Re: XSS examples not blocked by Noscript?

by Giorgio Maone » Sun Oct 23, 2011 1:49 am

Please check latest development build 2.1.8rc1

Re: XSS examples not blocked by Noscript?

by saywot » Sat Oct 22, 2011 4:23 pm

tlu wrote:That's really great! Giorgio, thank you very much!!


+1
because strictly XSS or not, buggy tool or not, NS runs on this system to anticipate both the dangerous and the dumb.
Giorgio, we've already donated but not even the most expensive proprietary software offers such generous support as you and your team.
NS is priceless.

Re: XSS examples not blocked by Noscript?

by tlu » Sat Oct 22, 2011 11:22 am

Giorgio Maone wrote:That said, I'm gonna implement in next dev build a further (pretty unique) mitigation, which will neutralize this attack even if the injected script source comes from a trusted origin.


That's really great! Giorgio, thank you very much!!

Re: XSS examples not blocked by Noscript?

by Giorgio Maone » Sat Oct 22, 2011 11:15 am

tlu wrote: I wonder if this technique can't be used for a new class of attacks

Fortunately it's a very limited "class" of attacks, since using a parameter as the script source is something so stupid that I've never seen it before and hopefully will never see again (any developer with a clue understands that). The fact we've seen it on multiple sites at the same time is just due to their reliance on the same buggy tool.

That said, I'm gonna implement in next dev build a further (pretty unique) mitigation, which can neutralize this attack even if the injected script source comes from a trusted origin.

Re: XSS examples not blocked by Noscript?

by tlu » Sat Oct 22, 2011 10:55 am

Giorgio Maone wrote:you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work.

The problem here is the incredible stupidity of the developers of those sites, which have implemented their page to load any script whose address is passed as the src query string parameter.
In other words, no Javascript code is passed in the request, just an "innocent" URL which the page idiotically turns into a script source.


Thanks, Giorgio, for this explanation. I understand what you're saying, and I agree that the risk is low as Noscript blocks it by default (= if the originating site isn't whitelisted). Nevertheless, I wonder if this technique can't be used for a new class of attacks if an attacker succeeds in manipulating the originating site, which might be a trustworthy and, thus, whitelisted website. In those examples the results were only funny, but other outcomes are conceivable.

Re: XSS examples not blocked by Noscript?

by tlu » Sat Oct 22, 2011 10:41 am

GµårÐïåñ wrote:
tlu wrote:Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".

I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it, if you don't, they can't. Simple enough, so I don't get why you are not getting this.


Because you're much more intelligent than I am? :evil:

If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?


Yes, you are. There must be a reason why Giorgio constructed the XSS filter in such a way that it also blocks XSS attacks coming from trusted sites. If it were as simple as you suggest, this wouldn't have been necessary. And if I remember correctly, this feature didn't exist in earlier versions - it was introduced later. Again, there must be a reason why.

Anyway, it's a built-in feature, and my only question was why it doesn't work in these examples. "Simple enough, so I don't get why you are not getting this."

Re: XSS examples not blocked by Noscript?

by GµårÐïåñ » Fri Oct 21, 2011 9:54 pm

Giorgio Maone wrote:tlu is right in his understanding that NoScript's XSS filter blocks XSS attacks even if they come from a source which is in your scripting whitelist.
In this case, though, this doesn't happen because there's no XSS payload to be stripped but just a URL which the victim site idiotically uses as a reference to an external script source.


Correct, not arguing that. But anytime you have to explicitly allow something to work, even if it happens to be bad coding by the site, to have the exploit work on it, then the security tool is still preventing it even if using a different vector (in this case blocking a different domain and not letting it be governed by the trusted status of the idiot site) which may not be using the XSS engine because it doesn't qualify as one, but still the protection is there nonetheless unless you allow it to take advantage of that exploit.

Re: XSS examples not blocked by Noscript?

by Giorgio Maone » Fri Oct 21, 2011 9:30 pm

tlu is right in his understanding that NoScript's XSS filter blocks XSS attacks even if they come from a source which is in your scripting whitelist.
In this case, though, this doesn't happen because there's no XSS payload to be stripped but just a URL which the victim site idiotically uses as a reference to an external script source.
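The pattern Giorgio describes here and in his Oct 22 posts (a page that turns its `src` query parameter into an external script source, and a mitigation that flags such a script even when its origin is trusted), as an added example that is not code from the thread or from NoScript. The page URL, host names and allow-list are assumptions, and the third function is one reading of the "parameter-injected script" idea, not NoScript's actual implementation:

```javascript
// Models the bug from the thread: the site loads whatever absolute URL sits in ?src=.
// Pure functions over URL strings so the logic can be exercised outside a browser.

// Hypothetical vulnerable behaviour: the src parameter is used as-is, any origin accepted.
function vulnerableScriptSource(pageUrl) {
  return new URL(pageUrl).searchParams.get("src");
}

// Hardened server/client-side variant: only same-origin or explicitly allow-listed
// http(s) origins may be loaded; anything else yields null (load nothing).
function hardenedScriptSource(pageUrl, allowedOrigins) {
  const page = new URL(pageUrl);
  const raw = page.searchParams.get("src");
  if (raw === null) return null;
  let candidate;
  try { candidate = new URL(raw, page); } catch (e) { return null; } // unparseable -> refuse
  if (candidate.protocol !== "https:" && candidate.protocol !== "http:") return null;
  const ok = candidate.origin === page.origin || allowedOrigins.includes(candidate.origin);
  return ok ? candidate.href : null;
}

// Defender-side check (assumed logic, not NoScript's): a script whose absolute src also
// appears verbatim as a query-string value of the page URL is reported as parameter-injected,
// regardless of whether that script's origin is trusted.
function findParameterInjectedScripts(pageUrl, scriptSrcs) {
  const page = new URL(pageUrl);
  const paramUrls = new Set();
  for (const v of page.searchParams.values()) {
    try { paramUrls.add(new URL(v).href); } catch (e) { /* not an absolute URL, ignore */ }
  }
  return scriptSrcs.filter((s) => {
    try { return paramUrls.has(new URL(s, page).href); } catch (e) { return false; }
  });
}

// Constructed sample: a page on victim.example, one legitimate script and one injected via ?src=.
const samplePage = "https://victim.example/page?src=https://cdn.example/lib.js";
const sampleScripts = ["https://victim.example/app.js", "https://cdn.example/lib.js"];
console.log(findParameterInjectedScripts(samplePage, sampleScripts)); // ["https://cdn.example/lib.js"]
```

Even when cdn.example is a trusted origin, the second function's allow-list and the third function's parameter check give a site owner and a browser-side filter two independent places to catch the load.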

Re: XSS examples not blocked by Noscript?

by GµårÐïåñ » Fri Oct 21, 2011 9:14 pm

tlu wrote:Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".

I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it, if you don't, they can't. Simple enough, so I don't get why you are not getting this. If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?
