HEIST exploit

General discussion about the NoScript extension for Firefox
swtdir
Posts: 1
Joined: Fri Aug 05, 2016 7:22 pm

HEIST exploit

Post by swtdir » Fri Aug 05, 2016 7:51 pm

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0

therube
Ambassador
Posts: 7458
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: HEIST exploit

Post by therube » Fri Aug 05, 2016 8:11 pm

Without really knowing...

an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage


I'd think NoScript would at least cover the first part of that (Web ad, & assuming you haven't Allowed the ad domain). The second would be harder to contain (again assuming you've Allowed the particular domain you're specifically visiting).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HEIST exploit

Post by Thrawn » Sat Aug 06, 2016 1:04 am

My $0.02:

NoScript would help to mitigate the attack as stated, assuming that the attacking site is not whitelisted, since it wouldn't be able to use JavaScript to launch the attack. I'm not sure whether there is some obscure non-JS way to do it.

My suggested universal TLS mitigation strategy would help, too, if anyone implemented it.

Probably your best defence for now is a generalised cross-site request controller, like RequestPolicy or μMatrix, either of which could kill this attack in its tracks.

EDIT: Also, at this point, it sounds like only Windows is affected.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1

barbaz
Senior Member
Posts: 9263
Joined: Sat Aug 03, 2013 5:45 pm

Re: HEIST exploit

Post by barbaz » Sat Aug 06, 2016 1:35 am

What effect would NoScript's DoS checker have here, if any? (That is, if the attacker is or would be firing requests sufficiently fast to trigger this.)
*Always* check the changelogs BEFORE updating that important software!
-

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HEIST exploit

Post by Thrawn » Sun Aug 14, 2016 10:56 pm

DoS checker? I'm not aware of one.

This attack requires far fewer requests than some, probably fewer than DoS thresholds.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9263
Joined: Sat Aug 03, 2013 5:45 pm

Re: HEIST exploit

Post by barbaz » Sun Aug 14, 2016 11:27 pm

Thrawn wrote: DoS checker?

Yep, check RequestWatchdog.js and components/noscriptService.js

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: HEIST exploit

Post by Thrawn » Mon Aug 15, 2016 12:25 am

Ah, that's a very different feature. It's an internal protection against crafted requests designed to DoS the XSS filter, ABE, etc (eg sending a huge string of < to crash the XSS filter). It's unrelated to rate-limiting browser requests.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0

barbaz
Senior Member
Posts: 9263
Joined: Sat Aug 03, 2013 5:45 pm

Re: HEIST exploit

Post by barbaz » Mon Aug 15, 2016 12:29 am

oops, nvm then. :oops:
Thanks for the explanation.
