HEIST exploit

General discussion about the NoScript extension for Firefox

Post by swtdir »

Will NoScript prevent or help prevent this exploit? http://arstechnica.com/security/2016/08 ... tps-pages/

Re: HEIST exploit

Post by therube »

Without really knowing...
"an end user need only encounter an innocuous-looking JavaScript file hidden in a Web advertisement or hosted directly on a webpage"
I'd think NoScript would at least cover the first part of that (Web ad, & assuming you haven't Allowed the ad domain). The second would be harder to contain (again assuming you've Allowed the particular domain you're specifically visiting).

Re: HEIST exploit

Post by Thrawn »

My $0.02:

NoScript would help to mitigate the attack as stated, assuming that the attacking site is not whitelisted, since it wouldn't be able to use JavaScript to launch the attack. I'm not sure whether there is some obscure non-JS way to do it.

My suggested universal TLS mitigation strategy would help, too, if anyone implemented it.

Probably your best defence for now is a generalised cross-site request controller, like RequestPolicy or μMatrix, either of which could kill this attack in its tracks.

EDIT: Also, at this point, it sounds like only Windows is affected.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
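
As an added illustration of the cross-site request control Thrawn mentions (not part of the thread, and not RequestPolicy's or μMatrix's actual code): a default-deny decision function in which letting a page run scripts does not let that page send requests to other sites. The rule format, function names and sample URLs are assumptions constructed for the example.

```javascript
'use strict';
// Added example: default-deny cross-site request policy.
// Rule format, names and URLs are constructed for illustration.

// True when host equals domain or is a subdomain of it (dot boundary,
// so "evilcdn.example" does not match a rule for "cdn.example").
function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// pageUrl: the document the user is viewing; requestUrl: what it tries to load.
// rules: [{ from, to }] pairs the user has explicitly allowed.
function decide(pageUrl, requestUrl, rules) {
  let page, req;
  try {
    page = new URL(pageUrl);
    req = new URL(requestUrl);
  } catch (err) {
    return { action: 'block', reason: 'unparseable URL' };
  }
  if (page.hostname === req.hostname) {
    return { action: 'allow', reason: 'same site' };
  }
  const rule = rules.find(r =>
    hostMatches(page.hostname, r.from) && hostMatches(req.hostname, r.to));
  return rule
    ? { action: 'allow', reason: `rule ${rule.from} -> ${rule.to}` }
    : { action: 'block', reason: 'cross-site, no rule' };
}

// Constructed sample: the user allows news.example to load from cdn.example only.
const RULES = [{ from: 'news.example', to: 'cdn.example' }];
const PAGE = 'https://news.example/story';
const SAMPLE_REQUESTS = [
  'https://news.example/style.css',     // same site
  'https://static.cdn.example/lib.js',  // covered by the rule
  'https://mail.example/inbox',         // cross-site, whichever script sent it
  'https://evilcdn.example/lib.js',     // look-alike host, not a subdomain
  'not a url',                          // malformed input fails closed
];

function evaluateSample() {
  return SAMPLE_REQUESTS.map(u => decide(PAGE, u, RULES).action);
}

console.log(evaluateSample());
```

The decision is keyed on the page and the destination, not on which script issued the request, so a script that is allowed to run on the page still cannot reach a site the user has not paired with it.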

Re: HEIST exploit

Post by barbaz »

What effect would NoScript's DoS checker have here, if any? (That is, if the attacker is or would be firing requests sufficiently fast to trigger this.)
*Always* check the changelogs BEFORE updating that important software!

Re: HEIST exploit

Post by Thrawn »

DoS checker? I'm not aware of one.

This attack requires far fewer requests than some, probably fewer than DoS thresholds.

Re: HEIST exploit

Post by barbaz »

Thrawn wrote: DoS checker?
Yep, check RequestWatchdog.js and components/noscriptService.js

Re: HEIST exploit

Post by Thrawn »

Ah, that's a very different feature. It's an internal protection against crafted requests designed to DoS the XSS filter, ABE, etc. (e.g. sending a huge string of < to crash the XSS filter). It's unrelated to rate-limiting browser requests.

Re: HEIST exploit

Post by barbaz »

Oops, nvm then.
Thanks for the explanation.