HEIST exploit

Posted: Fri Aug 05, 2016 7:51 pm
by swtdir
Will NoScript prevent or help prevent this exploit? http://arstechnica.com/security/2016/08 ... tps-pages/

Re: HEIST exploit

Posted: Fri Aug 05, 2016 8:11 pm
by therube
Without really knowing...
"an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage"
I'd think NoScript would at least cover the first part of that (Web ad, & assuming you haven't Allowed the ad domain). The second would be harder to contain (again assuming you've Allowed the particular domain you're specifically visiting).

Re: HEIST exploit

Posted: Sat Aug 06, 2016 1:04 am
by Thrawn
My $0.02:

NoScript would help to mitigate the attack as stated, assuming that the attacking site is not whitelisted, since it wouldn't be able to use JavaScript to launch the attack. I'm not sure whether there is some obscure non-JS way to do it.

My suggested universal TLS mitigation strategy would help, too, if anyone implemented it.

Probably your best defence for now is a generalised cross-site request controller, like RequestPolicy or μMatrix, either of which could kill this attack in its tracks.

EDIT: Also, at this point, it sounds like only Windows is affected.

Re: HEIST exploit

Posted: Sat Aug 06, 2016 1:35 am
by barbaz
What effect would NoScript's DoS checker have here, if any? (That is, if the attacker is or would be firing requests sufficiently fast to trigger this.)

Re: HEIST exploit

Posted: Sun Aug 14, 2016 10:56 pm
by Thrawn
DoS checker? I'm not aware of one.

This attack requires far fewer requests than some, probably fewer than DoS thresholds.

Re: HEIST exploit

Posted: Sun Aug 14, 2016 11:27 pm
by barbaz
Thrawn wrote: DoS checker?
Yep, check RequestWatchdog.js and components/noscriptService.js

Re: HEIST exploit

Posted: Mon Aug 15, 2016 12:25 am
by Thrawn
Ah, that's a very different feature. It's an internal protection against crafted requests designed to DoS the XSS filter, ABE, etc (eg sending a huge string of < to crash the XSS filter). It's unrelated to rate-limiting browser requests.

Re: HEIST exploit

Posted: Mon Aug 15, 2016 12:29 am
by barbaz
oops, nvm then. :oops:
Thanks for the explanation.