Refresher: META redirects & Aviv

General discussion about the NoScript extension for Firefox
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Refresher: META redirects & Aviv

Post by therube »

.85

Is Forbid META redirections inside <NOSCRIPT> elements not being honored?
Or does setting a noscript.forbidBGRefresh.exceptions override the META redirections setting?
If the latter, I'd prefer if they were separate.
If the former, then maybe something is broken.

As is, site is not Allowed, exception is entered, & the (former) prompt of META redirections is not being displayed.

http://avivraff.com/research/phish/arti ... ?854817837

What is expected to happen at avivraff?
The refreshes will occur, though only after the avivraff page has regained focus?
If the purpose is to thwart some malicious page, then the way things are now (IMO) it is too easy to miss the page change at avivraff.


(Yeah, I know, I may be playing both sides of the fence.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100601 SeaMonkey/2.1a2pre
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Refresher: META redirects & Aviv

Post by Giorgio Maone »

The "META in NOSCRIPT" notification is expected to appear on Gecko <= 1.9.2 (html5.enable=false) but not to appear on Gecko >= 1.9.3 (html5.enable=true), because in the latter case we can more accurately tell whether the META element is inside a NOSCRIPT element (which is not, in this case).

Regarding the effectiveness of forbidBGRefresh against this attack, IMHO it is more than enough: the attack doesn't involve you landing casually on the attacker page by clicking on a link and, when you're there, entering your credentials: that's "regular" phishing, and you already know (should be a basic reflex now) that when you navigate a new page you must always look at its address bar. The "novelty" of this attack is that you "forget" about a certain tab among the dozens you've got open and, when you look at it (the background tab) again, you see it has the familiar icon and title of GMail, so when you click on that tab you open it with a strong expectation of it being a GMail tab you previously opened (because you're used to keeping one or more of them open in the background and checking them from time to time), and you're very unlikely to look at its address bar once you're there.
NoScript's forbidBGRefresh feature effectively prevents the background tab from morphing when you're not looking at its content, but this doesn't necessarily mean you'll get the fake GMail sooner or later (actually, you're very unlikely to ever get it):
  1. If the attack, like in Aviv's case, is designed to never morph the page while you're looking at it, the page will never change.
  2. If the attack is more naive than Aviv's (i.e. doesn't check whether the tab is actually in the background but just tries to morph unconditionally, after let's say 20 minutes, hoping for the best, that you kept the tab open and you're looking somewhere else) the refresh will happen only once you're back looking at the tab, so it gets effectively "downgraded" to a regular and especially innocuous phishing: you clicked on a "Krebs on security" tab, so you expect "Krebs on security", but after one second you get GMail... doesn't this look especially phishy?
However, as I said, if the attack has actually been designed as a "scriptless tabnapping" (and why would you want to design it otherwise? to go after NoScript users and seriously risk missing all the others because your attack loses 99% of its effectiveness?), the malicious refresh just never happens.

So, to recap, the two "anti-refresh" features are completely independent from each other, and neither of them is broken.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Refresher: META redirects & Aviv

Post by therube »

I think I've got it now.

In the past, NoScript had to be overly broad when dealing with META redirects.

So even when there were instances (like below) where there was NOT a META redirect within <NOSCRIPT> element, NoScript was interpreting it as if it were.

So this was causing a META redirect prompt, where in actuality it really should not have.

Code:

<html>

<head>
<title>Test Page</title>
<meta name="copyright" content="This code is Copyright (C) 2000-01 Michael Anderson and Pierre Gorissen">

<script language="JavaScript">
<!-- hide from JavaScript-challenged browsers
function openWindow(url) {
  popupWin = window.open(url,'new_page','width=400,height=400')
}
function openWindow2(url) {
  popupWin = window.open(url,'new_page','width=400,height=450')
}
function openWindow3(url) {
  popupWin = window.open(url,'new_page','width=400,height=450,scrollbars=yes')
}
function openWindow4(url) {
  popupWin = window.open(url,'new_page','width=400,height=525')
}
function openWindow5(url) {
  popupWin = window.open(url,'new_page','width=450,height=525,scrollbars=yes,toolbars=yes,menubar=yes,resizable=yes')
}
function openWindow6(url) {
  popupWin = window.open(url,'new_page','width=450,height=525,scrollbars=yes,toolbars=yes,menubar=yes,resizable=yes')
}
function openWindow7(url) {
  popupWin = window.open(url,'new_page','width=525,height=450,scrollbars=yes,toolbars=yes,menubar=yes,resizable=yes')
}
function openChat() { var MainWindow = window.open ("chat.asp", "","toolbar=no,location=no,menubar=no,scrollbars=yes,width=500,height=500,top=100,left=100,resizeable=yes,status=yes");
}
// done hiding -->
</script>
<style type=text/css>
<!--
a:link    {color:navy;text-decoration:underline}
a:visited {color:navy;text-decoration:underline}
a:hover   {color:red;text-decoration:underline}
input.radio {background: #DCDCDC; color:#000000}
-->
</style>
</head>

<body bgColor="#DCDCDC" text="navy" link="navy" aLink="red" vLink="red">
<a name="top"></a><font face="Verdana, Arial, Helvetica">

<table align="center" border="0" cellPadding="0" cellSpacing="0" width="100%">
  <tr>
    <td valign="top" width="50%"><a href="default.asp"><img alt="Test Page" border="0" src="testpage.gif"></a></td>
    <td align="center" valign="top" width="50%">
    <table border="0" cellPadding="2" cellSpacing="0">
      <tr>
        <td align="center"><font face="Verdana, Arial, Helvetica" size="2"><b>Test Page</b></font><br>
<font face="Verdana, Arial, Helvetica" size="1">06/03/2010 10:02:47 AM</font></td>
      </tr>
      <tr>
        <td align="center"><font face="Verdana, Arial, Helvetica" size="1">
        <a href="http://... .org/forum/forumindex.asp"><acronym title="Homepage">Home</acronym></a>
        |
        
        <a href="pm_view.asp"><acronym title="Private Messages">In-Box</acronym></a>
        |
        <a href="my.asp"><acronym title="My Personal Page">My Page</acronym></a>
        |
        <a href="pop_profile.asp?mode=Edit"><acronym title="Edit your personal profile...">Profile</acronym></a>
        |
        <a href="events.asp"><acronym title="Events Calendar...">Events</acronym></a>
        |
        <a href="active.asp"><acronym title="See what topics have been active since your last visit...">Active Topics</acronym></a>
		 |
		 <a href="active_polls.asp"><acronym title="Active Polls...">Active Polls</acronym></a>
        |
        <a href="members.asp"><acronym title="Current members of these forums...">Members</acronym></a>
        |
        <a href="search.asp"><acronym title="Perform a search by keyword, date, and/or name...">Search</acronym></a>
        |
        <a href="photos/photoalbum.asp" target="_blank"><acronym title="Visit Our Picture Gallery">Pics</acronym></a>
        |
        <a href="guestbook.asp"><acronym title="Sign Our Guest Book">Guest Book</acronym></a>
        |
        <a href="http://... .org/fl/default.asp"><acronym title="Some Downloads">File Library</acronym></a>
        |
        <a href="http://... .org/links/default.asp"><acronym title="Our Friends">Links</acronym></a>
        |
        <a href="stats.asp"><acronym title="Statistics">Stats</acronym></a>
        |
        <a href="stats2.asp"><acronym title="More Statistics">Stats2</acronym></a>
        |
        <a href="faq.asp"><acronym title="Answers to Frequently Asked Questions...">FAQ</acronym></a>

        </font></td>
      </tr>

     <form action="/forum/post_info.asp" method="post" id=form2 name=form2>
     <INPUT type="hidden" name="Method_Type" value="logout">
     <tr>
       <td align="center">
        <table>
          <tr>
            <td align="center">
            <font face="Verdana, Arial, Helvetica" size="1">
            You are logged on as<br>

             <b>testuser</b>
           </font>
            </td>
            <td>

            <INPUT src=button_logout.gif type="image" value="Logout" id=submit1 name=submit1 border=0 hspace=4> 

            </td>
          </tr>
        </table>
        </td>
     </tr>

     </form>

   </table>
   </td>
 </tr>
</table>
<table border=0 width="92%" align="center" cellpadding="4" cellspacing="0">
  <tr>
    <td align="center" valign="top"><font face="Verdana, Arial, Helvetica" size="1">
  <tr>
    <td>

        <center><a href="http://... .org/chat/chat.asp" target="_blank"><b>Test iRC</b></a></center><br>
        <center><a href="javascript:openChat()"><b>Shoutbox</b></a></center>
        <center>	<tr>
	  <td bgcolor="#DCDCDC" colspan="6"><font face="Verdana, Arial, Helvetica" size="2" color="navy" valign="top"><b>News</b></font></td>
        </tr>
	<tr>
	  <td bgcolor="#F5F5F5" align=center valign=top><img src="icon_blank.gif" height=1 width=1 border=0 hspace=0 alt="Category Locked"></td>
	  <td bgcolor="#F5F5F5" align=center valign="center" colspan="4">
<font color="midnightblue" face="Verdana, Arial, Helvetica" size="2"> <font size=6><b>Test Page</b></font id=size6></font>
 </td>

	</tr>









</center>
        <center></center>
        <center>        <tr>
          <td bgcolor="#DCDCDC" colspan="6"><font face="Verdana, Arial, Helvetica" size="2" color="navy" size="+1"><b>Private Messages</b></font></td>
        </tr>
        <tr>
          <td align="center" bgcolor="#F5F5F5" valign="middle"><font face="Verdana, Arial, Helvetica" size="2" color="navy"> </font></td>
          <td valign="top" bgcolor="#F5F5F5" colspan="5"><font face="Verdana, Arial, Helvetica" size="2" color="navy"><a href="pm_view.asp">Inbox</a></font>
<font face="Verdana, Arial, Helvetica" size="1" color="navy"><br><b>testuser</b> - You have 0 new private message.</font></td>
        </tr>
</center>
    </td>
  </tr>
</table>
<table align="center" border="0" cellPadding="0" cellSpacing="0" width="95%">
  <tr>
    <td>
<table border="0" width="100%">	<tr>		<td width="33%" align="left"><font face="Verdana, Arial, Helvetica" size="2">			<img src="icon_folder_open.gif" border="0"> <a href="default.asp">All Forums</a><br><img src="icon_bar.gif" border="0"><img src="icon_folder_open.gif" border="0"> <a href="FORUM.asp?FORUM_ID=12">Test Posts</a><br><img src="icon_blank.gif" border="0"><img src="icon_bar.gif" border="0"><img src="icon_folder_open_topic.gif" border="0"> <a href="/forum/topic.asp?TOPIC_ID=33660">redirect test</a></font></td>	</tr></table><p align="center"><font face="Verdana, Arial, Helvetica" size="4">New Reply Posted!</font></p><meta http-equiv="Refresh" content="2; URL=/forum/topic.asp?TOPIC_ID=33660"><p align="center"><font face="Verdana, Arial, Helvetica" size="4">Thank you for your contribution!</font></p><p align="center"><font face="Verdana, Arial, Helvetica" size="4"><a href="/forum/topic.asp?TOPIC_ID=33660">Back To Forum</font></a></p>
<table width=100% border=0 bgcolor="#DCDCDC" cellpadding="0" cellspacing = "4"> 
  <tr bgcolor="#DCDCDC">
    <td bgcolor="#DCDCDC">
    <table border=0 width="100%" align="center" cellpadding="4" cellspacing="0">
      <tr>
        <td bgcolor="#F5F5F5" align=left valign=top nowrap><font face="Verdana, Arial, Helvetica" size="1">
        <p align=left>Test Page</p>
        </font></td>
        <td bgcolor="#F5F5F5" align=right valign=top nowrap><font face="Verdana, Arial, Helvetica" size="1">
        <p align=right>©2000-2010 ...  Test Page</p>
        </font></td>
        <td bgcolor="#F5F5F5" width=10 nowrap><a href="#top"><img src="icon_go_up.gif" height=15 width=15 border="0" align="right" alt="Go To Top Of Page"></a></font></td>    
      </tr>
    </table>
    </td>
  </tr>
</table>

<table border=0 width="100%" align="center" cellpadding="4" cellspacing="0">
  <tr>
    <td align="right"><font face="Verdana, Arial, Helvetica" size="1">
    <a href="http://forum.snitz.com"><acronym title="Powered By: Snitz Forums 2000 Version 3.3.05"><img src="logo_powered_by.gif" border=0></acronym></a>

    </font></td>
  </tr>
</table>
    </td>
  </tr>
</table>

</font>
</body>



<center>
<font face="Verdana, Arial, Helvetica" size="1">0.15625</font>
</center>

<a href="http://www.2enetworx.com/dev/projects/statcountex.asp" target="_blank" title="Get Your Copy of StatCounteX">
<script type="text/javascript" language="JavaScript">
// Define the location of count.asp
// Using a path, you may use this code in any subfolder
var file='/statcountex/count.asp';

var d=new Date(); 
var s=d.getSeconds(); 
var m=d.getMinutes();
var x=s*m;
f='' + escape(document.referrer);
if (navigator.appName=='Netscape'){b='NS';} 
if (navigator.appName=='Microsoft Internet Explorer'){b='MSIE';} 
if (navigator.appVersion.indexOf('MSIE 3')>0) {b='MSIE';}
u='' + escape(document.URL); w=screen.width; h=screen.height; 
v=navigator.appName; 
fs = window.screen.fontSmoothingEnabled;
if (v != 'Netscape') {c=screen.colorDepth;}
else {c=screen.pixelDepth;}
j=navigator.javaEnabled();
info='w=' + w + '&h=' + h + '&c=' + c + '&r=' + f + '&u='+ u + '&fs=' + fs + '&b=' + b + '&x=' + x;
document.write('<img src="' + file + '?'+info+ '" width=1 height=1 border=0>');
</script>
</a>
<noscript>
<a href="http://www.2enetworx.com/dev/projects/statcountex.asp">
<img src="/statcountex/count.asp" width=1 height=1 border=0></a>
</noscript>




</html>
And now in Gecko >= 1.9.3 you can more accurately determine if in fact the META redirect is within a <NOSCRIPT> element, & in the above case it is not, so there is no prompt.

Other thread for reference: meta refresh outside of <noscript> is blocked.


Now using accessibility.blockautorefresh you may again be prompted even in Gecko >= 1.9.3 (though one may find its being overly broad, not fine grained enough).

therube wrote: though one may find its being overly broad, not fine grained enough
Ah, but looks like finer grained control can be had with hostperm.1.

So if you had META redirections disabled in NoScript & you did not have (the overly broad) accessibility.blockautorefresh enabled, you could still block refreshes on a per domain basis with hostperm.1.

Code:

host    refresh2     testpage.org testpage.org/
BUT

hostperm.1 (a simple text file) has since been replaced by permissions.sqlite, & I don't know if something like "refresh" is valid any longer. (Sure see no means to specify/enter a "refresh" entry into permissions.sqlite like you could with hostperm.1?)
<Sander> therube: until then, you can use sqlite manager

<Sander> I don't know for certain if refresh would work as a value in there, but don't really see why they wouldn't have carried it over with the move to sqlite storage, so it should
Suppose I'll look into that at some point.


For reference:

SQLite Manager

Exceptions "permissions.sqlite" editor.
Pic: https://addons.mozilla.org/img/uploads/ ... /21079.png
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 SeaMonkey/2.0.4
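The point of Giorgio's reply and of therube's recap above is that a META refresh prompt is only warranted when the META element really sits inside a NOSCRIPT element, and that older Gecko could not tell the two cases apart reliably. The following is an added example, not NoScript's or Mozilla's code: a small scanner built on Python's standard-library HTML parser that lists every meta refresh in a document with its delay, its target URL and whether it is nested in a noscript element. The sample markup is constructed for the example (the first refresh mirrors the shape of the forum test page posted above, outside any noscript; the second is inside one); all function and variable names are the example's own.

```python
"""Classify <meta http-equiv="refresh"> elements by noscript nesting.

Added example, not NoScript code. Uses only the standard library so it can be
run offline against any saved page, e.g. the test page quoted in the thread.
"""
import re
from html.parser import HTMLParser

# Constructed sample document (hypothetical URLs). Refresh #1 is outside any
# <noscript>, like the "New Reply Posted!" page above; refresh #2 is inside.
SAMPLE_HTML = """
<html><head><title>Test Page</title></head>
<body>
<p align="center">New Reply Posted!</p>
<meta http-equiv="Refresh" content="2; URL=/forum/topic.asp?TOPIC_ID=33660">
<noscript>
  <meta http-equiv="refresh" content="0;url=http://example.invalid/nojs">
  <img src="/statcountex/count.asp" width=1 height=1 border=0>
</noscript>
</body></html>
"""

# "<seconds>" optionally followed by ";" or "," and an optional "url=" prefix.
_CONTENT_RE = re.compile(r"^\s*(\d+)\s*(?:[;,]\s*(?:url\s*=\s*)?(.*?))?\s*$", re.I)


def parse_refresh_content(content):
    """Return (delay_seconds, url_or_None) for a refresh content value,
    or None when the value is not a well-formed refresh directive."""
    m = _CONTENT_RE.match(content or "")
    if not m:
        return None
    delay = int(m.group(1))
    url = m.group(2).strip().strip("\"'") if m.group(2) else None
    return delay, url or None


class MetaRefreshScanner(HTMLParser):
    """Tracks <noscript> nesting depth while walking the tag stream."""

    def __init__(self):
        super().__init__()
        self.noscript_depth = 0
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "noscript":
            self.noscript_depth += 1
            return
        if tag != "meta":
            return
        a = dict(attrs)
        if (a.get("http-equiv") or "").strip().lower() != "refresh":
            return
        parsed = parse_refresh_content(a.get("content"))
        if parsed is None:
            return
        delay, url = parsed
        self.found.append({"delay": delay, "url": url,
                           "in_noscript": self.noscript_depth > 0})

    def handle_endtag(self, tag):
        if tag == "noscript" and self.noscript_depth:
            self.noscript_depth -= 1


def find_meta_refreshes(html):
    """All meta refreshes in document order, each tagged with noscript nesting."""
    scanner = MetaRefreshScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.found


def refreshes_inside_noscript(html):
    """Only the refreshes a 'forbid META redirections inside NOSCRIPT'
    policy would need to act on."""
    return [r for r in find_meta_refreshes(html) if r["in_noscript"]]


if __name__ == "__main__":
    for r in find_meta_refreshes(SAMPLE_HTML):
        where = "inside" if r["in_noscript"] else "outside"
        print(f"refresh after {r['delay']}s to {r['url']} ({where} noscript)")
```

Run on the constructed sample it reports the forum-style refresh as outside noscript and the second one as inside, which is exactly the distinction that decides whether the "META in NOSCRIPT" prompt applies; the tag-stream approach is what a tokenizer-level check can do, and it is still only an approximation of what a real HTML5 tree builder sees, since a browser may reparent stray elements.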
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Refresher: META redirects & Aviv

Post by therube »

Just to note that forbidBGRefresh will also block "automatic" (background tab) download prompts like here:
http://ab623c63-download.picpick.org/do ... start.html

Code:

[NoScript] Blocking refresh on unfocused tab, http://ab623c63-download.picpick.org/download_start.html->http://ab623c63-download.picpick.org/picpick_inst.exe
Good when you're made aware of a potentially malicious download.

Less good when you're downloading from a download site that sends the download after a timeout period, or with a server that is slow to respond, & since you know you need to wait, you're off doing something else, just waiting, expecting the download dialog to (automatically) pop up so you can accept it. For those you'll need an exception or you'll need to revisit the page before the download dialog appears.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 SeaMonkey/2.0.4
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Refresher: META redirects & Aviv

Post by Giorgio Maone »

therube wrote: For those you'll need an exception or you'll need to revisit the page before the download dialog appears.
The download should actually start as soon as you switch back, if the timeout already expired.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
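Giorgio's description of forbidBGRefresh earlier in the thread, and the exchange just above about deferred download prompts, describe one policy: a refresh whose timer fires while its tab is in the background is held back and logged, and released as soon as the tab regains focus, while hosts in the exceptions list are never held. The following is an added toy model of that policy, not NoScript's own code and not a description of its internals; the Tab class, the guard, the log format (modelled on the console line therube quoted) and the URLs are all constructed for the example.

```python
"""Toy model of the "block refresh on unfocused tab" policy from the thread.

Added example, not NoScript code. The browser model is an assumption: a refresh
(or automatic download) is represented by a target URL, and "the timer fired"
is an explicit call. Hosts in `exceptions` play the role of
noscript.forbidBGRefresh.exceptions.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Tab:
    url: str                                       # current document URL
    focused: bool = False
    pending: list = field(default_factory=list)    # targets held back
    log: list = field(default_factory=list)        # constructed log lines


class BackgroundRefreshGuard:
    """Decides, when a page's refresh timeout expires, whether to apply it."""

    def __init__(self, forbid_bg_refresh=True, exceptions=()):
        self.forbid_bg_refresh = forbid_bg_refresh
        self.exceptions = {h.lower() for h in exceptions}

    def _exempt(self, tab):
        return urlsplit(tab.url).hostname in self.exceptions

    def timer_fired(self, tab, target):
        """Returns 'applied' when the tab changes now, 'held' when deferred."""
        if not self.forbid_bg_refresh or tab.focused or self._exempt(tab):
            tab.url = target
            return "applied"
        # Same shape as the console line quoted in the thread; logged before
        # the URL changes so the line shows source->target.
        tab.log.append(f"[NoScript] Blocking refresh on unfocused tab, "
                       f"{tab.url}->{target}")
        tab.pending.append(target)
        return "held"

    def focus(self, tab):
        """Tab regains focus: held refreshes are released immediately, so the
        change (page morph or download prompt) happens while the user looks."""
        tab.focused = True
        released = tab.pending[:]
        tab.pending.clear()
        for target in released:
            tab.url = target
        return released

    @staticmethod
    def blur(tab):
        tab.focused = False


def demo():
    """A background tab morphs only on focus; an exempted host morphs at once."""
    guard = BackgroundRefreshGuard(exceptions={"download.example"})
    bg = Tab(url="http://news.example/article")         # constructed URLs
    first = guard.timer_fired(bg, "http://lookalike.example/login")
    url_before_focus = bg.url
    released = guard.focus(bg)
    dl = Tab(url="http://download.example/start.html")
    second = guard.timer_fired(dl, "http://download.example/setup.exe")
    return first, url_before_focus, released, bg.url, second, dl.log, bg.log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The model shows why the policy is enough against the scripted variant and harmless for the slow-download case: in the background the URL never changes and a log line is the only effect, and the moment the tab is focused the held target is applied, which is the "downgrade to a regular, very visible change" Giorgio describes and the "download starts as soon as you switch back" behaviour above.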
therube
Ambassador
Posts: 7929
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Refresher: META redirects & Aviv

Post by therube »

Giorgio Maone wrote: The download should actually start as soon as you switch back, if the timeout already expired.
Right. That was my intended meaning.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 SeaMonkey/2.0.4