[RESOLVED] ABE vs Citi -- they are not friendly

Discussions about the Application Boundaries Enforcer (ABE) module
User avatar
lakrsrool
Senior Member
Posts: 190
Joined: Wed Nov 12, 2014 4:20 pm

[RESOLVED] ABE vs Citi -- they are not friendly

Post by lakrsrool » Tue Oct 31, 2017 6:09 pm

As usual ABE is causing issues again with Citibank log-in (I've got about a half dozen rule-sets as it is through the years for Citi).

Here is the latest: Image Please help with what rule-set I need to add to ABE to fix this one (I've tried a few guesses without any luck).... thanks

I keep getting the:
Ooops, something in your posting triggered my antispam filter...
Please use the "Back" button to modify your content and retry.

clearing out my posts.... ugh!!!!

Preview worked -- so why not submit?

It's difficult enough without providing an easy way to post images but then there is this too!!!

I've been on this now for about 20 minutes just trying to post a simple request.

Edit: I was obviously able to post (without doing anything different) on the second attempt (this post will probably fail but if not just explaining).

Many thanks for any help after spending all this time. ;)

Good Edit's are working for now... If there is any way to simply disable ABE exclusively for a specific site (Citibank) to avoid these ongoing rule-set additions/changes that would be GREAT!!!
Last edited by lakrsrool on Tue Oct 31, 2017 7:07 pm, edited 2 times in total.

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs City -- they are not friendly

Post by barbaz » Tue Oct 31, 2017 6:14 pm

What version of NoScript are you using?

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here the message(s) from ABE. If you can't post it due to spam filter, please PM it to me and I'll try to post it for you.
*Always* check the changelogs BEFORE updating that important software!

User avatar
lakrsrool
Senior Member
Posts: 190
Joined: Wed Nov 12, 2014 4:20 pm

Re: ABE vs City -- they are not friendly

Post by lakrsrool » Tue Oct 31, 2017 6:16 pm

NS v2.9.0.14 (last compatible version with Pale Moon).

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs City -- they are not friendly

Post by barbaz » Tue Oct 31, 2017 6:28 pm

lakrsrool wrote: If there is any way to simply disable ABE exclusively for a specific site (Citibank) to avoid these ongoing rule-set additions/changes that would be GREAT!!!
You could put your Citibank ABE rules in their own ruleset, then disable that ruleset. If you do this, be sure to use an isolated browser session only for Citibank, and re-enable the ruleset when done.

To set this up:
about:config
right-click > New > String
name:

Code: Select all

noscript.ABE.rulesets.CITIBANK
for value, just put in #
Then edit it in NoScript Options > Advanced > ABE
lakrsrool wrote:NS v2.9.0.14 (last compatible version with Pale Moon).
(NoScript latest version, 5.1.4, should be compatible with Pale Moon 27.5.1 which you seem to be using. Giorgio just hasn't had time to update it on the Pale Moon add-ons site yet - https://forums.informaction.com/viewtop ... =8&t=23106)
*Always* check the changelogs BEFORE updating that important software!

User avatar
lakrsrool
Senior Member
Posts: 190
Joined: Wed Nov 12, 2014 4:20 pm

Re: ABE vs Citi -- they are not friendly

Post by lakrsrool » Tue Oct 31, 2017 7:31 pm

Thanks for the help.

I am confused, I added the isolated CITIBANK rule sets into their own ruleset and disabled this ruleset and citibank login works (I am not using browser exclusively for citibank).

I do not want to have to disable/enable the isolated CITIBANK ruleset every time I use the website (I might use this site several times a week or more and don't want to have to be disabling/enabling every time I use the site and I do not want to have to only use the site exclusively in the browser.

What would be the problem just disabling the CITIBANK rule-set all the time as it now allows citibank to work and presumably all other sites will still use ABE presumably. I was looking for a way to disable ABE for Citibank exclusively all the time and this seems to do this.

What is the risk of doing this other than whatever risk there would be using Citibank?

If this is not a good idea to disable the CITIBANK ruleset all the time to allow me to use Citibank whenever I need to without adding other steps then I guess I would need another ruleset specifically for the ABE warning banner I'm currently getting (but of course knowing Citibank another ruleset will be needed down the road again some time).

I'm a bit confused on how by creating an isolated rule-set disabled ABE for Citibank just because I disable the rulesets for Citibank (the rulesets were required to get Citibank to work each time a ruleset was needed), it seems to me as long as ABE is enabled this would apply to all sites (I'm probably not understanding how all this works of course).

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs Citi -- they are not friendly

Post by barbaz » Tue Oct 31, 2017 7:52 pm

lakrsrool wrote:What would be the problem just disabling the CITIBANK rule-set all the time as it now allows citibank to work and presumably all other sites will still use ABE presumably. I was looking for a way to disable ABE for Citibank exclusively all the time and this seems to do this.

What is the risk of doing this other than whatever risk there would be using Citibank?
IIRC, you needed some XSS exceptions for Citibank. If so, the ABE rules would be to make the XSS exceptions not so dangerous.
lakrsrool wrote:If this is not a good idea to disable the CITIBANK ruleset all the time to allow me to use Citibank whenever I need to without adding other steps then I guess I would need another ruleset specifically for the ABE warning banner I'm currently getting (but of course knowing Citibank another ruleset will be needed down the road again some time).
Hang on, you asked about this before, didn't you? - https://forums.informaction.com/viewtop ... 23&t=22632

Ok, so if your ABE rules are same as before, you have "https://start.me/*" somewhere in your ruleset, right? Try adding "https://palemoon.start.me/*" next to it, separated by a single whitespace.

If your ruleset looks like https://forums.informaction.com/viewtop ... 218#p87218, also change

Code: Select all

Site https://online.citi.com/US/JRS/portal/index.do
to

Code: Select all

Site https://online.citi.com/US/JRS/portal/index.do*
If this doesn't help, please post or PM me the Browser Console messages.
lakrsrool wrote:I'm a bit confused on how by creating an isolated rule-set disabled ABE for Citibank just because I disable the rulesets for Citibank (the rulesets were required to get Citibank to work each time a ruleset was needed), it seems to me as long as ABE is enabled this would apply to all sites (I'm probably not understanding how all this works of course).
Because the protection ABE provides, is all in the ABE rules.

You have rules are specific to Citibank, so in your case it's just a matter of isolating the Citibank rules in their own ruleset and disabling it. If other rules were implicated, it'd be a bit more complicated to disable ABE on one specific site, but still doable.
*Always* check the changelogs BEFORE updating that important software!

User avatar
lakrsrool
Senior Member
Posts: 190
Joined: Wed Nov 12, 2014 4:20 pm

Re: ABE vs Citi -- they are not friendly

Post by lakrsrool » Tue Oct 31, 2017 10:36 pm

I removed the "#" at the beginning of CITIBANK ruleset in about:config (I noticed the other "USER" ruleset does not have a "#" so I figured that was only necessary to first create the about:config entry) and it looks like this now:
[Screenshot hidden by barbaz]
Citibank log-in now works --- is this because the rulesets are not working because of removing the "#" or it's okay and removing the leading "#" was okay and helped (the red for all of this ruleset leads me to believe there is a problem with the CITIBANK ruleset). But at least Citibank logs-in now. :D

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs Citi -- they are not friendly

Post by barbaz » Wed Nov 01, 2017 12:47 am

Yeah, that ruleset is broken due to all the newlines being stripped. What I had in mind for disabling it was clicking the "Disable" button below the ruleset. :)
*Always* check the changelogs BEFORE updating that important software!

barbaz
Senior Member
Posts: 8788
Joined: Sat Aug 03, 2013 5:45 pm

Re: ABE vs Citi -- they are not friendly

Post by barbaz » Wed Nov 01, 2017 1:24 am

Resolved by PM. The problem was that parts of the ruleset were written sort of like this -

Code: Select all

Site .test.example.com
Accept from .example.com
Deny INC
Accept from (...other 3rd party sites...)
Deny

Site .test.example.com
Accept from .example.com
Deny INC
Accept from https://palemoon.start.me/* (...other 3rd party sites...)
Deny
Notice the two identical Site lines. ABE matching stopped at the first Site line, so the needed exception was never reached.

The fix was to condense that part of the ruleset under one Site line -

Code: Select all

Site .test.example.com
Accept from .example.com
Deny INC
Accept from https://palemoon.start.me/* (...other 3rd party sites...)
Deny
*Always* check the changelogs BEFORE updating that important software!

Post Reply