Need NoScript like never before....

General discussion about the NoScript extension for Firefox
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Need NoScript like never before....

Post by GµårÐïåñ »

therube wrote:
pirlouy wrote:(but you can split it !)
I think it's a good idea, but I'll leave it up to someone else. After all, we did hijack luntrus's thread pretty much, didn't we.
I don't think it is necessary to split, I apologize to luntrus for the apparent hijacking and if forgiven, we can get back on topic.

Edit: luntrus already forgave us and posted us back on topic while I was writing this. Thank you.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus »

Hi folks,

Yes, who is without this off-topic sin, let him cast the first stone, and I am not, but back on topic. Another important topic is securing PHP with add-slashes, and not every coder has remembered his or her homework. Read about this JS:Redirector-H [Trj] malware here: http://blogs.technet.com/antimalware/
Luntrus says: never ever trust any user input used in a query; always use add-slashes on variables. In a numeric SQL field do not use slashes in a WHERE statement, else you are vulnerable and you're open again to SQL injection. Encrypted data from a cookie and from a URL variable should always be add-slashed.
So the following string 'Mtp0cm91Ynk6M2U5YzliNzcxZGZkY2QyMjlhMTk0MDE1ZmViYTQ1MWM=' had been addslashes()'d. This decoded base-64 string was not add-slashed as such within a script, and bingo, you are vulnerable again. Non-valids! So always perform this in case of cookies, post, variables,

What was the problem here: hxtp://www.problemefiat.ro/scripts/ac_runactivecontent.js

"Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals?" - it's quite simple: your browser tries to render some additional files with specific formats, such as Flash .swf, and if the browser doesn't find an installation it will start downloading, or you will get the option to download that program. Flash also uses AC_RunActiveContent.js; please take a look at this JS, people usually put this on their webpages

if (AC_FL_RunContent == 0) {
	alert("This page requires AC_RunActiveContent.js.");^^
} else {
	AC_FL_RunContent( 'codebase','xttp://download.macromedia.com/pub/shockwave cabs/flash swflash.cab#version=8,0,0,0','width','981','height','635','id','build5','align','middle','src','build5','quality','high','bgcolor','#ffffff','name','build5','allowscriptaccess^^','sameDomain','allowfullscreen','false','pluginspage','xttp://www.macromedia.com/go/getflashplayer','movie','build5' ); //end AC code
} 
vulnerable to SQL exploit. So analyze and understand what NoScript does for your security....

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090507 Shiretoko/3.5b5pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Need NoScript like never before....

Post by Giorgio Maone »

@luntrus:
thanks for the reminder against SQL injections.
Actually the most effective way to defend yourself against SQLI is using prepared statements.

Addslashes() is rather dangerous because it gives a false sense of security. In fact, it can be fooled by exploiting character set mismatches between input and database, and it works (badly) with MySQL only (none of the other SQL-compliant databases use slashes to escape special characters).

If you can't use prepared statements, e.g. because you're stuck with PHP 4 and its old mysql client API, you must escape all the data you put in your SQL statement with mysql_real_escape(), rather than addslashes().
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus »

Hi Giorgio,

Thank you for the heads-up on this. I will pass this info on; I am not a webmaster myself, but it is shown to me daily that there is an enormous lack of understanding of how difficult it is to secure script. These discussions will help make a lot of users aware of the underlying problems involved. Three things to do always:

* Filter your data.

  This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.

* Quote your data.

  If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.

* Escape your data.


luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090507 Shiretoko/3.5b5pre
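As an added example (not code from this thread, from luntrus, or from the NoScript project), the same lookup written three ways in Python with the built-in sqlite3 module: escaped but unquoted, as in the numeric-field case luntrus warns about; escaped and quoted, as in his "quote your data" rule; and with a bound parameter, as in the prepared statements Giorgio recommends. The users table, the row values and the two test inputs are constructed for the demonstration, and the addslashes() helper is a deliberate imitation of PHP's MySQL-style escaping, not a library function.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the thread.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def addslashes(value: str) -> str:
    """Imitate PHP's addslashes(): backslash-escape quotes, backslashes and NUL.

    This is MySQL-style escaping. Other engines (SQLite included) do not treat
    a backslash as an escape character, which is one of the reasons the thread
    warns against relying on it; the demo below only exercises inputs without
    quotes so the contrast between the three query styles stays visible.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def lookup_escaped_unquoted(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable pattern: escaped, but the numeric field is left unquoted.

    Escaping quote characters achieves nothing when the value is never placed
    inside quotes, so anything the user types becomes part of the WHERE clause.
    """
    sql = f"SELECT name FROM users WHERE id = {addslashes(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped_quoted(conn: sqlite3.Connection, user_id: str) -> list:
    """The thread's 'quote your data' rule: quote even numeric values.

    A bare 'OR 1=1' now stays inside the string literal, but the query is still
    assembled from text and still depends on the escaping matching the engine.
    """
    sql = f"SELECT name FROM users WHERE id = '{addslashes(user_id)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    """Prepared statement with a bound parameter.

    The value travels separately from the statement text, so the database
    never has a chance to parse it as SQL, whatever it contains.
    """
    cur = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = open_sample_db()
    for candidate in ("2", "1 OR 1=1"):
        print(repr(candidate),
              "unquoted:", lookup_escaped_unquoted(db, candidate),
              "quoted:", lookup_escaped_quoted(db, candidate),
              "bound:", lookup_parameterised(db, candidate))
```

Run it and the first input returns bob from all three functions; the second returns every user from the unquoted version and nothing from the other two. The quoted version only survives because the payload contains no quote character; the bound-parameter version survives regardless of what the value contains, which is the point Giorgio makes.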
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus »

Hi NoScript forum users.

Can you find the very sneaky HTML:Iframe-inf on this site: hxtp://www.banipepost.com/
Look here: http://forum.avast.com/index.php?action ... 3075;image
No av and no checker alerting this one, but NoScript saved us here.
Only finjan detected it:
Finjan SecureBrowsing has analyzed the above web address as it currently exists on the web.

The analysis indicates that:
Potentially malicious behavior was detected on this page
Technical information:
-Code Obfuscation (Home-Encoding)

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090507 Shiretoko/3.5b5pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Need NoScript like never before....

Post by Giorgio Maone »

Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Need NoScript like never before....

Post by Tom T. »

luntrus wrote:Can you find the very sneaky HTML:Iframe-inf on this site: hxtp://www.banipepost.com/
I get a message that Fx can't connect, because the protocol "hxtp" isn't associated with any program. Was this a typo?

Edit: Assumed typo. Went to http:....
Saw a small, blue empty square in lower right. Mouseover shows statcounter.com. R-click Properties = http://c.statcounter.com/3959474/0/4cb55c41/1/

If there was anything else deceptive or malicious, either AdBlock or NS blocked it. So it wouldn't get to AV, at least on this machine.

@ Giorgio: No panic here!

Went there. Trusty NS asks to load octet-stream and something. Told it 'no, thank you'. End of panic. Blank page.

If only there were some way to convince "certain" users that if they do not have, *or remove*, NS, they need to panic! ;)
Last edited by Tom T. on Sun May 10, 2009 5:57 am, edited 1 time in total.
Reason: went to non-typo address
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus »

Hi Tom T.

As I work as a malware fighter on a web forum, we know how to break links. So a link with some possibly malicious redirects or malicious script would be broken like: hxtp://evilmalicioussite.com, or like evilmalicious dot com, or "www dot evilmalicious dot com". The person that knows what it should look like can enter the address in a (link) scanner like bad stuff detektor, Exploit Prevention Lab link scanner, DrWeb's av link checker plug-in extension for fx or Webpage Security Report: http://www.unmaskparasites.com/security-report/ , without having to click on it directly and probably get infected as a worst case scenario (not if you have NoScript installed and active of course, but we all know that here).
- So it is to prevent that curiosity will kill the proverbial n00b cat. -
We have to point this out to new users of anti-malware forums again and again, but after a while they understand why we do this and why we follow this policy.
Also when publishing malicious or suspicious script, for instance a hidden iFrame or injected obfuscated script, we try to break that by putting ^ where > should be or entering some ..... Better is to make a screen dump and link to a picture of the code found, because that cannot be flagged by a scanner, while with a real script that can be a possibility under certain circumstances.
We find that some av now is alerting on all obfuscated scripts, for the reason that the use of obfuscation is suspicious to them: what do they have to hide? But sometimes the author of a script wants to protect it from copy cats, but when they use packers that are also used by cybercriminals to hide their evil intentions, av may and will more often than not flag it.

That is another reason that I think NoScript has the only best elegant solution for these problems: what is blocked cannot run, and what does not run can't infect. The only hole now is that sites that you have whitelisted as trusted can have been hacked any time from the moment you gave them a clean bill and where they had a good reputation before; there is so much automated and bot-related injection of malcode, with just some bits of older (vulnerable) software version or a changed or outdated component somewhere around, that this may be enough to own a site for malicious purposes. In these cases I think the RequestPolicy add-on in fx or flock is the best elegant solution to block any request to third party & possibly malicious re-directs. A webshield as a third layer of protection, to flag and to disconnect from some redirect(s) to a malware downloading site with drive-by-downloads of malware of all sorts, is another option open to users; setting killbits and protecting via blacklist blocking is another option.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090510 Shiretoko/3.5b5pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Need NoScript like never before....

Post by Tom T. »

Hi luntrus,

I support everything you are doing, including breaking the malicious link to prevent curious n00bs. So now I understand why that wasn't a typo.
You are preaching to the choir here! Please continue the good fight!

Yes, it's possible that my trusted sites could be XSS'd or otherwise feed malicious code through links, ads, and any number of other ways. My personal choice for redundant protection is always to run the browser under Sandboxie, so that any malware that sneaks through the AV, AdBlock, and NS cannot affect the real machine. Of course, I can't officially comment on that as a forum team member, but just sharing personal experience that works for me.

Thank you for your continued efforts against malware and for your continued support of NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Need NoScript like never before....

Post by GµårÐïåñ »

Yes, the fact is that developers and security professionals tend to post the link in a way that is broken and does not further the agenda of the exploit. This way the ones who WANT to go there know to just modify the link and go, and others won't be affected by accident. This way also prevents any novice who might not know the full extent of what to expect from clicking on it and then bam, getting hurt and feeling sour about it. In fact it is not uncommon, I am sure luntrus would agree and has already hinted, to remove the damaging payloads when sharing to ensure that no accidental damage is done. Good times.

Add: As a general rule of thumb, if you see a character that is NOT part of the usual protocol encoding or valid path encoding, that's your clue that it was replaced intentionally to prevent making it live.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: Need NoScript like never before....

Post by luntrus »

Hi Giorgio Maone,

As a belated reply to your don't panic issue, this was foreseen some 3 years ago, see Steve Rambam's lecture on privacy is dead: http://video.google.com/videoplay?docid ... 7384528624

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b5pre) Gecko/20090513 Shiretoko/3.5b5pre
AlphaCentauri
Posts: 13
Joined: Fri Mar 27, 2009 12:09 am

Re: Need NoScript like never before....

Post by AlphaCentauri »

I've run into the hidden iFrame on the website for my daughter's dance school. I reported it to them, but they haven't managed to get it cleaned up yet. In fact, I got the domain it directed to shut down, and now the code points to a new one.

As far as the Avast vs. AVG vs. Avira, I'm using Avira (paid) because I found it was detecting a higher percentage of the malware being reported when Castlecops' malware listserve forum was up. (To be posted there, a sample had to be missed by at least 50% of the products included in VirusTotal's scan.) But Avira's wonderful 96% performance still means it misses 4%, which is still a lot of malware.

I would not go without an antivirus nor without NoScript. In the case of the iFrame on the dance school website, being a trusted site, NoScript might have whitelisted it. (Fortunately, that particular site had no other javascript, so it had never come up.) Avira pitched a fit as soon as I tried to load the page. If Avira had missed the obfuscated code, NoScript likely would still have blocked it because it would have blocked the domain being loaded in the iFrame as untrusted. If the iFrame had not been referring to another domain, my browser is set to always ask where to put downloads, so I would have been alerted to the fact that it was trying to download malware. And if the malware creators had found a vulnerability in my browser (not IE) that allowed them to download a script, Avira may have caught it or caught whatever other malware it might try to download once installed. The more layers of protection you have, the less chance a single vulnerability can be successfully exploited ... assuming you don't have the biggest vulnerability, which is a user that is bound and determined to override all security features so he can see the dancing bunnies.

Re: breaking malicious links in forums: If a link has the http or www, it will be live. If you include those but use invisible forum tags (like the tags for color, italics, bold, etc.) it won't be live, but can be easily swiped, copied and pasted by people who really want to. So in your composition window, your link might look like this:

http:[i]//[/i]example.com/gobbledygook.php
or
www[b].[/b]example.com/gobbledygook.php

but when you see it in the final post, it will be

http://example.com/gobbledygook.php
or
www.example.com/gobbledygook.php
Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.9.1b3pre) Gecko/20090223 SeaMonkey/2.0a3
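The injected, hidden iframe that luntrus spotted on the site he links earlier and that AlphaCentauri found on the dance school site is the kind of thing a webmaster can check for mechanically. The following is an added example, not code from the thread or from NoScript: a small scanner, written with Python's standard-library html.parser, that lists every iframe on a page that is hidden (zero size, display:none, visibility:hidden, or pushed off-screen) and/or loads from a domain other than the page's own. The sample page, its hostnames and the third-party domains in it are constructed; the real sites named in the thread are not used.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site embed, one injected
# size-zero iframe pointing off-site, and an ordinary visible ad frame.
SAMPLE_HTML = """
<html><body>
<h1>Dance school</h1>
<iframe src="/schedule.html" width="600" height="400"></iframe>
<iframe src="http://third-party.invalid/in.php" width="0" height="0"
        style="visibility:hidden;position:absolute;left:-1000px"></iframe>
<iframe src="http://ads.invalid/box" width="300" height="250"></iframe>
</body></html>
"""

# Inline styles that make an element invisible or move it off-screen.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lower-cases tag names
            self.iframes.append(dict(attrs))


def _is_zero(dimension):
    """True for width/height values such as '0', '0px' or '0%'."""
    if dimension is None:
        return False
    m = re.match(r"\s*(\d+)", dimension)
    return m is not None and int(m.group(1)) == 0


def is_hidden(attrs) -> bool:
    """An iframe nobody is meant to see: zero-sized or hidden by inline style."""
    style = (attrs.get("style") or "").lower()
    return (_is_zero(attrs.get("width"))
            or _is_zero(attrs.get("height"))
            or HIDDEN_STYLE.search(style) is not None)


def is_third_party(src, page_host) -> bool:
    """True when src names a host other than the page's own (relative URLs are first-party)."""
    host = urlparse(src or "").hostname
    return host is not None and host.lower() != page_host.lower()


def severity(reasons) -> str:
    """Hidden plus off-site is the classic injection shape; each alone is weaker evidence."""
    if "hidden" in reasons and "third-party" in reasons:
        return "high"
    return "medium" if "hidden" in reasons else "low"


def scan_for_suspicious_iframes(html: str, page_host: str) -> list:
    """Return (src, reasons, severity) for every iframe that is hidden and/or off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_third_party(src, page_host):
            reasons.append("third-party")
        if reasons:
            findings.append((src, reasons, severity(reasons)))
    return findings


if __name__ == "__main__":
    for src, reasons, level in scan_for_suspicious_iframes(SAMPLE_HTML, "www.dance-school.invalid"):
        print(f"[{level}] {src}: {', '.join(reasons)}")
```

On the sample page the scanner reports the size-zero off-site frame as high and the visible ad frame as low; the relative schedule embed is not reported at all. A third-party frame on its own is often legitimate, which is why the two signals are reported separately and only their combination is rated high. Obfuscated script that writes an iframe at run time, as in the "Home-Encoding" case Finjan flagged, will not appear in the static HTML; that is the gap NoScript covers by not running the script in the first place.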
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Need NoScript like never before....

Post by Alan Baxter »

Well put, AlphaCentauri. Thank you for sharing your experience and the link-breaking trick. +1 for layered protection. I've started to gently rag on our NoScript users on Windows that are running with an unpatched version of Firefox 3.0.*. [1] From what I've read on the security sites, most compromised systems were using an unpatched browser and/or OS. (And probably downloaded a dancing bunny too.)

[1] I haven't ragged on Tom T. He's an incorrigible Luddite. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
GµårÐïåñ
Lieutenant Colonel
Posts: 3365
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Need NoScript like never before....

Post by GµårÐïåñ »

My preferred way to break a link when I post something that might refer to something malicious that I don't want people to blindly click is to write http as htxp, or www as wxw, or ftp as fxp, and the reason is that it will be voided by ALL protocol-recognizing browsers and tools and it will bring the user's attention to the failure and hopefully make them pay closer attention. No matter though, ultimately it's the user that needs to care and pay attention to their security. I don't care how priceless or funny something is, I will NEVER EVER disable my security to watch it, use it, download it or whatever other action. I'd rather be boring than stupid. Thanks for letting me chime in guys.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
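luntrus, AlphaCentauri and GµårÐïåñ each describe a way of "breaking" a link so that it cannot be clicked by accident, and luntrus notes that the person who knows what it should look like restores it before feeding it to a link scanner. The two halves of that workflow, as an added example not taken from the thread or from NoScript: a defang() that breaks a URL for posting and a refang() that accepts the forms named in this thread (hxtp, htxp, xttp, wxw, fxp, "dot") as well as the hxxp and [.] conventions common in threat-intelligence reports, which goes a little beyond the thread's own examples. All URLs in the block are constructed stand-ins, and the function names are my own.

```python
import re

# Scheme substitutions used when breaking a link for posting.
_SCHEME_DEFANG = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# Accepts http, hxxp, hxtp, htxp, xttp (and their https forms) plus ftp/fxp/ftx.
_SCHEME_REFANG = re.compile(r"^(h[xt][xt]p|xttp|f[xt]p)(s?)://", re.IGNORECASE)

# Stand-ins for the dots of a host name: [.] (.) {.} [dot] (dot) or a bare " dot ".
_DOT_FORMS = re.compile(
    r"\s*(?:\[\.\]|\(\.\)|\{\.\}|\[dot\]|\(dot\)|\sdot\s)\s*", re.IGNORECASE)


def _split_host(url: str):
    """Split into (scheme or '', host, remainder) without needing a scheme."""
    m = re.match(r"^(?:([a-z][a-z0-9+.-]*)://)?([^/?#]*)(.*)$", url, re.I | re.S)
    return m.group(1) or "", m.group(2), m.group(3)


def defang(url: str) -> str:
    """Break a URL so browsers and forum auto-linkers will not make it live.

    Only the scheme and the dots of the host are altered; the path and query
    are left intact so a reader can still recognise what the link pointed at.
    """
    scheme, host, rest = _split_host(url.strip())
    prefix = _SCHEME_DEFANG.get(scheme.lower(), scheme) + "://" if scheme else ""
    return prefix + host.replace(".", "[.]") + rest


def refang(text: str) -> str:
    """Restore a broken link so it can be handed to a scanner (not a browser)."""
    text = text.strip()

    def fix_scheme(m):
        base = "ftp" if m.group(1).lower().startswith("f") else "http"
        return base + m.group(2).lower() + "://"

    text = _SCHEME_REFANG.sub(fix_scheme, text)
    text = _DOT_FORMS.sub(".", text)
    # "wxw" as a stand-in for "www" at the start of the host
    text = re.sub(r"^((?:[a-z]+://)?)wxw\.", r"\1www.", text, flags=re.IGNORECASE)
    return text


if __name__ == "__main__":
    # Constructed examples in the forms used in this thread.
    for broken in ("hxtp://evilmalicioussite.com",
                   "www dot evilmalicious dot com",
                   "wxw.example.invalid/page.php",
                   "hxxp://example[.]invalid/gobbledygook.php"):
        print(f"{broken!r:50} -> {refang(broken)!r}")
    print(defang("http://evil.example.invalid/a.php?q=1"))
```

refang() is meant to feed a URL scanner or a sandbox, never to open the address in a browser; defang() is what you run before pasting a suspicious address into a forum post. The two are inverses for the hxxp/[.] convention, so a round trip through both returns the original URL unchanged.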
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Need NoScript like never before....

Post by Tom T. »

Alan Baxter wrote:[1] I haven't ragged on Tom T. He's an incorrigible Luddite. :)
Most definitely. Newer is not always better. (coughvistacough). F3 seems to have had its fair share of growing pains, including a rash of security issues, though of course patched much more promptly than "certain" browsers :twisted:

And a Luddite with multiple layers of protection, including, apparently, being one of very few users to run NS always in 100%-lockdown mode, including whitelisted sites; AV (the Avira that AlphaCentauri praised); Sandboxie, to which the Luddite converted you and has started to convert another team member here; most of the Windows "Services" disabled ("Conficker spreads primarily through Windows Server Service", says one source. That service was disabled on my machine long before anyone dreamt of Conficker); many of the components supporting the completely useless or risky "services" (e. g. Remote Assistance) actually deleted from Windows; ad-blocking; some image-blocking -- actually, I might as well be using Gopher: A good bit of the Web is mostly text for me, which suits me fine. (No offense to Hackademix, but the frequent red-on-black text gets a "View > No Page Style", which produces a nice black-on-white, blue-link page that doesn't need to be magnified for these over-30 eyes ;) I'm not sure if you saw my post on how to update NS without exposing a non-sandboxed, admin-privileged browser to the dangerous Internet, but I thought it was a clever hack. :ugeek:

Plus I don't download dancing bunnies. If I need to see them, they stay in the BunnyHutch (sandbox).

Comment taken in the spirit in which it was intended.
xoxoxo
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard