InformAction Forums

Whenever trusted websites are compromised and there scripts become malicious, how is Noscript going to prevent the execution of malicious code on websites that were trusted by the user ???

It cannot, but it usually mitigates many of these attacks which typically:

1. Either insert their scripts dynamically through reflected XSS (which is blocked by NoScript's XSS filter)...
2. ... or, if they manage to statically store malicious scripts in the trusted website, they usually insert minimal boostrap code which then loads the bulk of the malicious payload from a 3rd party (both to work around likely size constraints in the script insertion vulnerability, to better evade detection and to be able to easily update / morph the payload). The 3rd party, in control of the attacker, is unlikely to be itself trusted by NoScript and therefore execution from there would still be blocked.

One way or the other: we come in the situation where a trusted site will present additional scripts visible in Noscript. But does this ring an alarm? It perhaps looks like a very normal situation and not even look suspicous at all. And then we do what we're used to do so much i.e. give permission in order to get the site fucntional.

My point is that I do not have expertise in making discissions about scripts or related sites, with Noscript we are supposed to have that . Every allowed script is a possible threat and I am not able to judge any site or script for it's reliability.
Without this expertise I wonder how to make the best out of Noscript.

vigothebigo wrote: ↑Thu Nov 12, 2020 9:43 pm expertise in making discissions about scripts or related sites, with Noscript we are supposed to have that .

False.

vigothebigo wrote: ↑Thu Nov 12, 2020 9:43 pm Every allowed script is a possible threat and I am not able to judge any site or script for it's reliability.

If you are unwilling or unable to figure out how to do this well enough (it's not hard and requires ZERO "expertise" in that area!), then using NoScript is too much to ask of yourself.

@barbaz: I fail to see how your reply is productive regarding to my question.

It sounds a bit silly to me when you take the effort answering in this threat but refuse to give a real answer to it.

anyway... giving permission requires more then just pressing a button.
For those familiar with this materie it must be quite simple then to give a decent answer without stabbing me in the back.

You sound a bit silly when you prefer to treat the knowledge you're missing as mumbo-jumbo and dig in when called on it.

It would have taken you less time to find the info than to write that reply. If you are going to insist on being ignorant, especially to the point of trying to shoot the messenger, then this thread is pointless and will be locked.

@barbaz aka the barbarian

mumbo jumbo is hocus pocus to me and I realize I must have touched a sensitive subject surrounded with long toes.
When you feel that asking for info is to much for your brainy then close the F**** Forum

Noscript to the BIN, browsing per sandbox or VM makes life sooo much easier. It so much of a relieve allready......

OP is only interested in attempting to insult and debate, so this thread is locked and the matter is closed.

@vigothebigo You need to read through Forum Rules before using this site again.