Page 1 of 1

NoScript as an attack surface: review of a 2013 quote

Posted: Sun Jan 05, 2020 4:25 pm
by grahamperrin
A January 2013 answer in Information Security Stack Exchange, part of which was quoted in a November 2019 question:
Take into consideration that NoScript will also increase the attack surface
My response: https://security.stackexchange.com/a/223723/13575 – the second part of the answer (below the dividing line).

Thoughts?

TIA

Re: NoScript as an attack surface: review of a 2013 quote

Posted: Sun Jan 05, 2020 8:14 pm
by barbaz
How about putting that quote in context? -
https://security.stackexchange.com/a/27957 wrote: For starters, Chrome has better security features and a larger security effort than Firefox.

It's true that JavaScript can be involved in exploitation and exploit kits use JS to hide exploits and profile the browser for exploitation. But disabling JS should not be considered a silver bullet for browser security.

More than just blocking JS, NoScript brings to Firefox security features which Chrome already has, like XSS protection. And features that Chrome lacks, like Clickjacking protection and protection against plugin based attacks. Take into consideration that NoScript will also increase the attack surface.

There isn't a clear winner here considering that the security of Firefox + NoScript depends on the user configuring NoScript and the usability trade-off.

For more about browser security read the Browser Security Handbook by Michal Zalewski. His book, The Tangled Web: A Guide to Securing Modern Web Applications extends this handbook.
(red coloring mine)

Notice how that statement seems a total non-sequitur, and that no explanation was provided. And when asked to clarify, they responded with this -
It means that NoScript is also a target for exploitation. As browsers get harder to exploit, attackers focus more on pluggins and addons. NoScript parses a lot of input so there are a lot of possibilities for buffer overflows and other attacks.
That last sentence is drivel.

As for the other two sentences - if the attack surface provided by NoScript is the size of a pea, the attack surface provided by all active content functionality would be the size of Jupiter.

Also, keep in mind that "attack surface" only means "things that are exposed to potential attack". Whether something is "attack surface" or not is a separate question from how vulnerable or exploitable it is.

Re: NoScript as an attack surface: review of a 2013 quote

Posted: Mon Jan 06, 2020 6:29 am
by grahamperrin
Thanks, was my response reasonable?

Re: NoScript as an attack surface: review of a 2013 quote

Posted: Tue Jan 07, 2020 1:42 am
by barbaz
grahamperrin wrote:
Mon Jan 06, 2020 6:29 am
was my response reasonable?
Could you please be more specific about what about your response you would like us to evaluate?

In any case, you might want to take another look at this statement -
It's reasonable to assume that extensions for Firefox in general (not NoScript in particular) have a far smaller attack surface.
Not a reasonable assumption.

Re: NoScript as an attack surface: review of a 2013 quote

Posted: Sun Mar 29, 2020 1:40 am
by grahamperrin
Thanks

With apologies for a late response (I must have overlooked an e-mail notification):
barbaz wrote:
Tue Jan 07, 2020 1:42 am
Not a reasonable assumption.
I struck through that part of my answer in Stack Exchange.