Page 2 of 2

Re: combination of Sandox and Anonymize actions?

Posted: Wed Dec 07, 2011 2:43 am
by MacOtaku
Alright then; I shan't belabour the point any longer. Thanks everyone for your time and efforts, especially Giorgio and Tom. I'll keep checking the release notes, and in the meantime, I'll read the documentation Tom suggested again, since it's probably changed in the last few years.

[Btw (O/T), on the spam filter false positive: I cleared Fx's recent history (cookies included) mid-writing, i.e., between logging in and submitting, because another site was exhibiting an annoying glitch. I didn't immediately remember that I'd done so before I clicked Preview, and so was initially a little surprised to be presented with a post form with a username box and a captcha. I clicked the new captcha button a couple of times, because I wasn't sure whether to include the punctuation in the first two. After I saw the "Oops" page, I realized what happened, and tried to post my message again after logging, and when that failed, I edited my post (significantly, I thought, but perhaps it was still too similar) and tried again. I don't know whether this is would be of any use, but I thought I should provide more details about what happened.]

One final note: Installing Fx on supportees' computers, setting it as their default browser, installing NoScript, and adding a few HTTPS-only and ABE rules to insulate certain highly-targeted sites, together, have saved me about as much Windows clean-up time as getting people to use non-admin accounts and teaching them about the importance of unique & distinct passwords. Your efforts go a long way. Thanks again.

Re: combination of Sandox and Anonymize actions?

Posted: Thu Dec 08, 2011 10:03 am
by Tom T.
Giorgio Maone wrote:Please notice that ABE's Anonymize and Sandbox were designed to allow those who can bear the burden to protect themselves against the classes of attack which you outlined in your pastebin piece.
The fact they cannot currently be combined is a bug in the implementation (not even in the grammar) and will eventually be fixed, even though there are currently many other priorities.
Thank you for reporting.

So, NS's XSS protection will not defeat the described attack, especially with third-party scripting denied in all but extraordinary cases?
(not counting SiteX.com + X-static.com; akamai.net, and other "benign" third parties.)

Re: combination of Sandox and Anonymize actions?

Posted: Thu Dec 08, 2011 10:26 am
by Giorgio Maone
Tom T. wrote:So, NS's XSS protection will not defeat the described attack, especially with third-party scripting denied in all but extraordinary cases?
(not counting SiteX.com + X-static.com; akamai.net, and other "benign" third parties.)

The two attacks he outlined are CSRF using a GET request (which in an ideal world would be a non-issue, since GET requests are not supposed to change the status of web application, but unfortunately incompetence is the rule) and exploiting a client side JavaScript logic flaw through data passed in the hash (which is even less likely but still possible).
Both are out of the scope of any XSS filter, because they're not cross-site scripting attacks, and are conducted against trusted web sites.

Re: combination of Sandox and Anonymize actions?

Posted: Fri Dec 09, 2011 10:46 am
by Tom T.
Giorgio Maone wrote:The two attacks he outlined are CSRF using a GET request (which in an ideal world would be a non-issue, since GET requests are not supposed to change the status of web application, but unfortunately incompetence is the rule) ...

Ahh, thank you, Giorgio. I knew that NS (Advanced > XSS) "Turn cross-site POST requests into (supposedly "idempotent" -- IIRC, that word used to be there) data-less GET requests". But IIUC, you are saying that site coders are so ignorant nowadays that they have, *in essence*, eliminated the distinction between POST and GET. Sad, indeed... :cry:

In a future release, when the ABE bug is fixed as noted, would you be able to include a default System Rule that protects even novices from this class of attack, without any configuration? Or would that break many pages, cause false positives, etc., thus requiring user-defined rules? If the former, I respectfully suggest to add that to the TODO as an RFE.

If not, ABE FAQ could perhaps create a generic template for moderate-level users to copy/paste as needed for their own sites... just one more thought for the many on your list. :)


MacOtaku wrote:Alright then; I shan't belabour the point any longer. Thanks everyone for your time and efforts, especially Giorgio and Tom. I'll keep checking the release notes, and in the meantime, I'll read the documentation Tom suggested again, since it's probably changed in the last few years.

You're very welcome, and the documentation most certainly has changed over time. And will continue to do so, although getting on the latest development build channel will provide info much faster, in almost real time, although very brief. Still, what you see may interest you to research the new feature, fix, etc.
MacOtaku wrote:Btw (O/T), on the spam filter false positive: I cleared Fx's recent history (cookies included) mid-writing, i.e., between logging in and submitting, because another site was exhibiting an annoying glitch. I didn't immediately remember that I'd done so before I clicked Preview, and so was initially a little surprised to be presented with a post form with a username box and a captcha. I clicked the new captcha button a couple of times, because I wasn't sure whether to include the punctuation in the first two. After I saw the "Oops" page, I realized what happened, and tried to post my message again after logging, and when that failed, I edited my post (significantly, I thought, but perhaps it was still too similar) and tried again. I don't know whether this is would be of any use, but I thought I should provide more details about what happened.]

No need to shrink that, and any glitch in the forum software should be reported. Since you were posting anyway, it's hard to see including that as going O/T. If a third party interrupted your main topic to say, "I had this login issue", yes, they should instead start a new thread for that. But I'm glad you included it. :)

My guess is that the best thing to do after the repeated failures would be to clear *everything* - cache, cookies, history, or just close the browser and start all over again. I just tried very briefly to reproduce that, by composing (and saving in a text doc, lol), then clearing all, then going to another open tab at this forum and hitting Reload. Indeed, I was given the reCaptcha treatment. But instead, I logged in, and had no trouble coming back to this partially-composed message, previewing, completing, and submitting. However, I did not go through all of the steps and iterations that you did. So I suspect that one or both of the first two recommendations would have worked -- not that it will ever happen again. :D
MacOtaku wrote:One final note: Installing Fx on supportees' computers, setting it as their default browser, installing NoScript, and adding a few HTTPS-only and ABE rules to insulate certain highly-targeted sites, together, have saved me about as much Windows clean-up time as getting people to use non-admin accounts and teaching them about the importance of unique & distinct passwords. Your efforts go a long way. Thanks again.

:) Thank you for those kind words. It encourages us to continue to donate our time to help here. And while I always hesitate to bother Giorgio unless/until certain that his response is needed (as here, e. g.,) I don't think he ever gets tired of receiving words of appreciation. 8-) I'll tap him on the shoulder (Web-ly speaking, of course) and I'm sure your real-world experiences with NoScript will brighten his day.

(and please tell your family, friends, co-workers, employees, supervisors, random strangers, enemies, etc. about NoScript. :D )

Re: combination of Sandox and Anonymize actions?

Posted: Tue Jun 19, 2012 10:20 am
by Thrawn
Is Anonymize+Sandbox on the radar to be implemented? I'd love to support it in SABER. As well as the attacks that Giorgio mentioned, a policy of Anon+Sandbox could defend against:
  • CSRF/XSS originating from (unwisely) whitelisted sites.
  • XSS 0-days. Yes, I know Giorgio works his tail off to fix these, but I'd rather he didn't have to. Besides, 'default deny', instead of an arms race, is what makes NoScript so good in the first place.
  • XSS attacks on poorly-coded sites that require XSS filter exceptions.
It would be rather like running RequestPolicy, except that it wouldn't block static content like images (including web bugs...) or stylesheets, so less sites would break.

Re: combination of Sandox and Anonymize actions?

Posted: Fri Jun 22, 2012 9:27 am
by Thrawn
Giorgio Maone wrote:The fact they cannot currently be combined is a bug in the implementation (not even in the grammar) and will eventually be fixed, even though there are currently many other priorities.

How would that look? The ABE Rules PDF indicates that each predicate contains one Action, and as soon as one rule matches, processing stops, so I'm not sure how it would allow two actions to be applied? Or does it mean that all predicates for a rule should in theory be applied, regardless of how many match?

Re: combination of Sandox and Anonymize actions?

Posted: Thu Aug 23, 2012 12:50 pm
by tlu
Thrawn wrote:Is Anonymize+Sandbox on the radar to be implemented? I'd love to support it in SABER.


Thrawn, just out of curiosity: Have you made any progress with SABER? Is there an alpha/beta version to test? What you were planning to implement sounds very interesting, indeed!

Re: combination of Sandox and Anonymize actions?

Posted: Thu Aug 23, 2012 9:38 pm
by GµårÐïåñ
@tlu, unfortunately both Thrawn and I have been really busy, specially me. So while have been working on the interface, getting the ideas going, we are still working on the dev environment and deciding which approach to take on it, so that we can also preserve integration with NS in the future, so we are working on it and don't have an outside testable version ready yet, but when we do, we will post a thread on it and provide it for everyone who wants to test it. Just keep an eye out for it.

Re: combination of Sandox and Anonymize actions?

Posted: Fri Aug 24, 2012 11:13 am
by tlu
GµårÐïåñ wrote: Just keep an eye out for it.


I certainly will :) Thanks for your reply!

Re: combination of Sandox and Anonymize actions?

Posted: Fri Aug 24, 2012 10:34 pm
by GµårÐïåñ
tlu wrote:I certainly will :) Thanks for your reply!

You are very welcome, always.