combination of Sandox and Anonymize actions?

Discussions about the Application Boundaries Enforcer (ABE) module
MacOtaku
Posts: 5
Joined: Wed May 19, 2010 2:44 am

Re: combination of Sandox and Anonymize actions?

Post by MacOtaku » Wed Dec 07, 2011 2:43 am

Alright then; I shan't belabour the point any longer. Thanks everyone for your time and efforts, especially Giorgio and Tom. I'll keep checking the release notes, and in the meantime, I'll read the documentation Tom suggested again, since it's probably changed in the last few years.

[Btw (O/T), on the spam filter false positive: I cleared Fx's recent history (cookies included) mid-writing, i.e., between logging in and submitting, because another site was exhibiting an annoying glitch. I didn't immediately remember that I'd done so before I clicked Preview, and so was initially a little surprised to be presented with a post form with a username box and a captcha. I clicked the new captcha button a couple of times, because I wasn't sure whether to include the punctuation in the first two. After I saw the "Oops" page, I realized what happened, and tried to post my message again after logging, and when that failed, I edited my post (significantly, I thought, but perhaps it was still too similar) and tried again. I don't know whether this is would be of any use, but I thought I should provide more details about what happened.]

One final note: Installing Fx on supportees' computers, setting it as their default browser, installing NoScript, and adding a few HTTPS-only and ABE rules to insulate certain highly-targeted sites, together, have saved me about as much Windows clean-up time as getting people to use non-admin accounts and teaching them about the importance of unique & distinct passwords. Your efforts go a long way. Thanks again.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: combination of Sandox and Anonymize actions?

Post by Tom T. » Thu Dec 08, 2011 10:03 am

Giorgio Maone wrote:Please notice that ABE's Anonymize and Sandbox were designed to allow those who can bear the burden to protect themselves against the classes of attack which you outlined in your pastebin piece.
The fact they cannot currently be combined is a bug in the implementation (not even in the grammar) and will eventually be fixed, even though there are currently many other priorities.
Thank you for reporting.

So, NS's XSS protection will not defeat the described attack, especially with third-party scripting denied in all but extraordinary cases?
(not counting SiteX.com + X-static.com; akamai.net, and other "benign" third parties.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

User avatar
Giorgio Maone
Site Admin
Posts: 8732
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: combination of Sandox and Anonymize actions?

Post by Giorgio Maone » Thu Dec 08, 2011 10:26 am

Tom T. wrote:So, NS's XSS protection will not defeat the described attack, especially with third-party scripting denied in all but extraordinary cases?
(not counting SiteX.com + X-static.com; akamai.net, and other "benign" third parties.)

The two attacks he outlined are CSRF using a GET request (which in an ideal world would be a non-issue, since GET requests are not supposed to change the status of web application, but unfortunately incompetence is the rule) and exploiting a client side JavaScript logic flaw through data passed in the hash (which is even less likely but still possible).
Both are out of the scope of any XSS filter, because they're not cross-site scripting attacks, and are conducted against trusted web sites.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: combination of Sandox and Anonymize actions?

Post by Tom T. » Fri Dec 09, 2011 10:46 am

Giorgio Maone wrote:The two attacks he outlined are CSRF using a GET request (which in an ideal world would be a non-issue, since GET requests are not supposed to change the status of web application, but unfortunately incompetence is the rule) ...

Ahh, thank you, Giorgio. I knew that NS (Advanced > XSS) "Turn cross-site POST requests into (supposedly "idempotent" -- IIRC, that word used to be there) data-less GET requests". But IIUC, you are saying that site coders are so ignorant nowadays that they have, *in essence*, eliminated the distinction between POST and GET. Sad, indeed... :cry:

In a future release, when the ABE bug is fixed as noted, would you be able to include a default System Rule that protects even novices from this class of attack, without any configuration? Or would that break many pages, cause false positives, etc., thus requiring user-defined rules? If the former, I respectfully suggest to add that to the TODO as an RFE.

If not, ABE FAQ could perhaps create a generic template for moderate-level users to copy/paste as needed for their own sites... just one more thought for the many on your list. :)


MacOtaku wrote:Alright then; I shan't belabour the point any longer. Thanks everyone for your time and efforts, especially Giorgio and Tom. I'll keep checking the release notes, and in the meantime, I'll read the documentation Tom suggested again, since it's probably changed in the last few years.

You're very welcome, and the documentation most certainly has changed over time. And will continue to do so, although getting on the latest development build channel will provide info much faster, in almost real time, although very brief. Still, what you see may interest you to research the new feature, fix, etc.
MacOtaku wrote:Btw (O/T), on the spam filter false positive: I cleared Fx's recent history (cookies included) mid-writing, i.e., between logging in and submitting, because another site was exhibiting an annoying glitch. I didn't immediately remember that I'd done so before I clicked Preview, and so was initially a little surprised to be presented with a post form with a username box and a captcha. I clicked the new captcha button a couple of times, because I wasn't sure whether to include the punctuation in the first two. After I saw the "Oops" page, I realized what happened, and tried to post my message again after logging, and when that failed, I edited my post (significantly, I thought, but perhaps it was still too similar) and tried again. I don't know whether this is would be of any use, but I thought I should provide more details about what happened.]

No need to shrink that, and any glitch in the forum software should be reported. Since you were posting anyway, it's hard to see including that as going O/T. If a third party interrupted your main topic to say, "I had this login issue", yes, they should instead start a new thread for that. But I'm glad you included it. :)

My guess is that the best thing to do after the repeated failures would be to clear *everything* - cache, cookies, history, or just close the browser and start all over again. I just tried very briefly to reproduce that, by composing (and saving in a text doc, lol), then clearing all, then going to another open tab at this forum and hitting Reload. Indeed, I was given the reCaptcha treatment. But instead, I logged in, and had no trouble coming back to this partially-composed message, previewing, completing, and submitting. However, I did not go through all of the steps and iterations that you did. So I suspect that one or both of the first two recommendations would have worked -- not that it will ever happen again. :D
MacOtaku wrote:One final note: Installing Fx on supportees' computers, setting it as their default browser, installing NoScript, and adding a few HTTPS-only and ABE rules to insulate certain highly-targeted sites, together, have saved me about as much Windows clean-up time as getting people to use non-admin accounts and teaching them about the importance of unique & distinct passwords. Your efforts go a long way. Thanks again.

:) Thank you for those kind words. It encourages us to continue to donate our time to help here. And while I always hesitate to bother Giorgio unless/until certain that his response is needed (as here, e. g.,) I don't think he ever gets tired of receiving words of appreciation. 8-) I'll tap him on the shoulder (Web-ly speaking, of course) and I'm sure your real-world experiences with NoScript will brighten his day.

(and please tell your family, friends, co-workers, employees, supervisors, random strangers, enemies, etc. about NoScript. :D )
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.24) Gecko/20111103 Firefox/3.6.24

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: combination of Sandox and Anonymize actions?

Post by Thrawn » Tue Jun 19, 2012 10:20 am

Is Anonymize+Sandbox on the radar to be implemented? I'd love to support it in SABER. As well as the attacks that Giorgio mentioned, a policy of Anon+Sandbox could defend against:
  • CSRF/XSS originating from (unwisely) whitelisted sites.
  • XSS 0-days. Yes, I know Giorgio works his tail off to fix these, but I'd rather he didn't have to. Besides, 'default deny', instead of an arms race, is what makes NoScript so good in the first place.
  • XSS attacks on poorly-coded sites that require XSS filter exceptions.
It would be rather like running RequestPolicy, except that it wouldn't block static content like images (including web bugs...) or stylesheets, so less sites would break.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: combination of Sandox and Anonymize actions?

Post by Thrawn » Fri Jun 22, 2012 9:27 am

Giorgio Maone wrote:The fact they cannot currently be combined is a bug in the implementation (not even in the grammar) and will eventually be fixed, even though there are currently many other priorities.

How would that look? The ABE Rules PDF indicates that each predicate contains one Action, and as soon as one rule matches, processing stops, so I'm not sure how it would allow two actions to be applied? Or does it mean that all predicates for a rule should in theory be applied, regardless of how many match?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: combination of Sandox and Anonymize actions?

Post by tlu » Thu Aug 23, 2012 12:50 pm

Thrawn wrote:Is Anonymize+Sandbox on the radar to be implemented? I'd love to support it in SABER.


Thrawn, just out of curiosity: Have you made any progress with SABER? Is there an alpha/beta version to test? What you were planning to implement sounds very interesting, indeed!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20120819 Firefox/16.0

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: combination of Sandox and Anonymize actions?

Post by GµårÐïåñ » Thu Aug 23, 2012 9:38 pm

@tlu, unfortunately both Thrawn and I have been really busy, specially me. So while have been working on the interface, getting the ideas going, we are still working on the dev environment and deciding which approach to take on it, so that we can also preserve integration with NS in the future, so we are working on it and don't have an outside testable version ready yet, but when we do, we will post a thread on it and provide it for everyone who wants to test it. Just keep an eye out for it.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: combination of Sandox and Anonymize actions?

Post by tlu » Fri Aug 24, 2012 11:13 am

GµårÐïåñ wrote: Just keep an eye out for it.


I certainly will :) Thanks for your reply!
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20120819 Firefox/16.0

User avatar
GµårÐïåñ
Lieutenant Colonel
Posts: 3339
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA
Contact:

Re: combination of Sandox and Anonymize actions?

Post by GµårÐïåñ » Fri Aug 24, 2012 10:34 pm

tlu wrote:I certainly will :) Thanks for your reply!

You are very welcome, always.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

Post Reply