NoScripters and WebSec nerds of all lands, unite!
by Giorgio Maone » Thu Oct 27, 2011 10:38 pm
al_9x wrote: I think it's a good idea for a toggle pref to completely bypass the codepath of the functionality it disables, since that could be the reason for and the benefit of disabling it.
by al_9x » Thu Oct 27, 2011 10:30 pm
Giorgio Maone wrote:al_9x wrote: this should have a toggle or context pref possibly exceptions it double logs Done/fixed in latest development build 2.1.8rc2
by Giorgio Maone » Thu Oct 27, 2011 11:04 am
al_9x wrote: 4. logs when script domain is not whitelisted
by saywot » Tue Oct 25, 2011 4:46 pm
Giorgio Maone wrote:Please check latest development build 2.1.8rc1
by tlu » Sun Oct 23, 2011 11:07 am
by al_9x » Sun Oct 23, 2011 5:26 am
by Giorgio Maone » Sun Oct 23, 2011 1:49 am
by saywot » Sat Oct 22, 2011 4:23 pm
tlu wrote: That's really great! Giorgio, thank you very much!!
by tlu » Sat Oct 22, 2011 11:22 am
Giorgio Maone wrote: That said, I'm gonna implement in next dev build a further (pretty unique) mitigation, which will neutralize this attack even if the injected script source comes from a trusted origin.
by Giorgio Maone » Sat Oct 22, 2011 11:15 am
tlu wrote: I wonder if this technique can't be used for a new class of attacks
by tlu » Sat Oct 22, 2011 10:55 am
Giorgio Maone wrote: you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work. The problem here is the incredible stupidity of the developers of those sites, which have implemented their page to load any script whose address is passed as the src query string parameter. In other words, no Javascript code is passed in the request, just an "innocent" URL which the page idiotically turns into a script source.
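The pattern described in the quote above, next to a hardened form, as an added example that is not part of the thread and is not NoScript's or any affected site's code. The page URL, the `src` values and the allowlisted origin are constructed placeholders.

```javascript
// Assumption: the only origin this page is ever meant to load scripts from.
const ALLOWED_SCRIPT_ORIGINS = new Set(["https://static.example.com"]);

// Pattern from the thread: whatever arrives in ?src= becomes the script source.
// The request carries no script code, only a URL, so a request-side XSS filter
// has nothing to strip.
function scriptSrcUnchecked(pageUrl) {
  return new URL(pageUrl).searchParams.get("src");
}

// Hardened form: resolve the parameter the way the browser would, then accept
// it only if the resulting origin is on the allowlist. Returns null otherwise.
function scriptSrcChecked(pageUrl) {
  const page = new URL(pageUrl);
  const raw = page.searchParams.get("src");
  if (raw === null) return null;

  let candidate;
  try {
    // Resolving against the page URL also normalizes protocol-relative
    // ("//host/x.js") and backslash forms before the origin is compared.
    candidate = new URL(raw, page);
  } catch {
    return null; // not parseable as a URL at all
  }

  if (candidate.protocol !== "https:") return null;
  // "https://allowed-host@other-host/" has other-host as its real host.
  if (candidate.username || candidate.password) return null;
  if (!ALLOWED_SCRIPT_ORIGINS.has(candidate.origin)) return null;
  return candidate.href;
}

// Constructed sample requests.
const samples = [
  "https://victim.example/page?src=https%3A%2F%2Fstatic.example.com%2Flib.js",
  "https://victim.example/page?src=%2F%2Fthird-party.example%2Fx.js",
  "https://victim.example/page?src=https%3A%2F%2Fstatic.example.com%40third-party.example%2Fx.js",
];
for (const s of samples) {
  console.log(scriptSrcUnchecked(s), "->", scriptSrcChecked(s));
}
```

Comparing the parsed origin, rather than matching a prefix or substring of the raw parameter, is what makes the lookalike-host and userinfo cases fail the check.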
by tlu » Sat Oct 22, 2011 10:41 am
GµårÐïåñ wrote: tlu wrote: Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source". I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it, if you don't, they can't. Simple enough, so I don't get why you are not getting this.
If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?
by GµårÐïåñ » Fri Oct 21, 2011 9:54 pm
Giorgio Maone wrote: tlu is right in his understanding that NoScript's XSS filters block XSS attacks even if they come from a source which is in your scripting whitelist. In this case, though, this doesn't happen because there's no XSS payload to be stripped but just a URL which the victim site idiotically uses as a reference to an external script source.
by Giorgio Maone » Fri Oct 21, 2011 9:30 pm
by GµårÐïåñ » Fri Oct 21, 2011 9:14 pm