Features: CSRF and NoScript

gsm
Posts: 5
Joined: Tue Feb 02, 2010 4:37 pm

Features: CSRF and NoScript

Post by gsm »

Hello,
I've stumbled upon a Firefox addon, CsFire [cite-1]. It should take countermeasures against CSRF.

Q1: Does NoScript protect from such vulnerability?
Q2: If not, shouldn't this be a core feature of NoScript?
Q3: What consequences would you expect (GMail, Yahoo) if such an anti-CSRF policy were implemented in popular browsers?
Q4: What is the status of ABE and surrogates? Can we expect an adequate GUI?
Q5: How does G.Maone's proposed specification accord with W3C CORS? Will developers have to implement both? What's wrong with the current specification?

...and again, off-topic:
Qx: Is it possible to block all foreign requests (such as yahoo.com getting images from yimg) using NoScript? If so, which content-types are allowed? It's cross-domain, with parseable data.

[cite-1] https://addons.mozilla.org/en-US/firefox/addon/58189
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Features: CSRF and NoScript

Post by Giorgio Maone »

gsm wrote: Q1: Does NoScript protect from such vulnerability?
Yes it does, through its ABE module.
gsm wrote: Q2: If not, shouldn't this be a core feature of NoScript?
It is a core feature of NoScript (see above), but in its default configuration ABE is set to protect only your LAN from cross-zone CSRF attacks (through the SYSTEM ruleset).
However, you can easily configure ABE to act like CsFire by putting in a USER rule like this:

Site *
Accept from SELF
Anon

and/or you can be more site specific, like

Site mail.google.com
Accept from *.google.com
Anon

The "Anon" action anonymizes requests, i.e. strips out cookies and authentication headers (as far as I can tell, this is a little more than CsFire currently does).
gsm wrote: Q3: What consequences would you expect (GMail, Yahoo) if such an anti-CSRF policy were implemented in popular browsers?
Some sites which have complex cross-site relationships requiring authentication will likely break. That's why ABE allows very fine grained tuning, but you need to know what you're doing.
gsm wrote: Q4: What is the status of ABE and surrogates? Can we expect an adequate GUI?
Some GUI is planned for both, but currently priorities are different (fine grained permissions, enterprise deployment, and a huge surprise to be revealed during the next few weeks).
gsm wrote: Q5: How does G.Maone's proposed specification accord with W3C CORS? Will developers have to implement both? What's wrong with the current specification?
They're not mutually exclusive. Actually ABE can leverage CORS (partially, since ABE is more fine grained in some respects) to be implemented as a proxy.
gsm wrote: Qx: Is it possible to block all foreign requests (such as yahoo.com getting images from yimg) using NoScript? If so, which content-types are allowed? It's cross-domain, with parseable data.
No content type allowed:

Site *
Allow from SELF
Deny

(but that looks definitely too drastic to me)
gsm
Posts: 5
Joined: Tue Feb 02, 2010 4:37 pm

Re: Features: CSRF and NoScript

Post by gsm »

Thank you for clarifications.

Unfortunately, they just mess everything up more. The author of CsFire seems to be claiming the contrary...

If you wouldn't mind, I'll write a PM, just to protect the innocent in case I'm missing the point.

(Yes, NoScript and CSRF countermeasures - and security at all - for me is not an option. I highly respect your work and expertise, and I hope the best I can do is to take care of my own security and spread the word.)
gsm
Posts: 5
Joined: Tue Feb 02, 2010 4:37 pm

Re: Features: CSRF and NoScript

Post by gsm »

Then, shouldn't the ABE "Anon" rule be in the global System ruleset? If I understand correctly, there's a bug in Gecko which doesn't allow stripping HTTP Auth from CSR, and thus implementing CORS correctly? If ABE does this, and there's a dedicated extension just for that, wouldn't it be reasonable to make this an out-of-the-box feature in NoScript? Somehow I get a bit of a sense of fake security: casual Joe Luser would expect that he's armed to the teeth with NoScript, and he trusts Mr. Giorgio to the extreme by handing his safety to Mr. Giorgio. ;-)
gsm
Posts: 5
Joined: Tue Feb 02, 2010 4:37 pm

Re: Features: CSRF and NoScript

Post by gsm »

Giorgio Maone wrote: Some sites which have complex cross-site relationships requiring authentication will likely break. That's why ABE allows very fine grained tuning, but you need to know what you're doing.
Do you mean something like OpenID or just poorly-crafted multi-domain applications? I see just abuse in these cases, and I feel that such should be banned without strict CORS compliance. Do we have a new "web for IE" problem here?
gsm wrote: Q4: What is the status of ABE and surrogates? Can we expect an adequate GUI?
Some GUI is planned for both, but currently priorities are different (fine grained permissions, enterprise deployment, and a huge surprise to be revealed during the next few weeks).
Thank you, I can't wait to see some headlines ;-)
gsm wrote: Q5: How does G.Maone's proposed specification accord with W3C CORS? Will developers have to implement both? What's wrong with the current specification?
They're not mutually exclusive. Actually ABE can leverage CORS (partially, since ABE is more fine grained in some respects) to be implemented as a proxy.
Is someone at W3C involved? I see ABE's pushable rulesets a bit like a quick and dirty workaround until CORS is fully implemented. Web developers already have much hassle implementing SEO, robots.txt, now CORS, and here's ABE. Then there are dirty JSONP hacks and Yahoo proxies, etc. Doesn't a new duplicate spec lead to new "separate webs"?
gsm wrote: Qx: Is it possible to block all foreign requests (such as yahoo.com getting images from yimg) using NoScript? If so, which content-types are allowed? It's cross-domain, with parseable data.
No content type allowed:

Site *
Allow from SELF
Deny

(but that looks definitely too drastic to me)
Thank you. But that does not solve the issue.
Yes, blocking everything is useful more for Thunderbird, etc., not for a general browser. Yet, we had a huge problem a few years ago with webmail and embedded web bugs. Currently, Google and Yahoo do a good job filtering these. Now it is generally impossible to parse foreign IFRAMEs, which is good. NoScript blocks JavaScript, and its side effect, JSONP (I feel executing third-party scripts, even from Yahoo or Google, is just plain abuse of the user's trust). AFAIK, Firefox blocks foreign XSLT and active elements of SVG and web fonts...

Then, what if a new vulnerability is found? We had such cases with JPEG, Adobe Reader... For example, I'm developing something like CSS HTTP Request as a non-scriptable and browser-parseable replacement for JSONP. Consider that this becomes popular... Someone might develop different hacks. And then suddenly a parser bug is found. Should all the Web of Mashups pause until browsers update? We live in a world of exceptions, and content-types are an example. I'm not crying for a new feature, I'm just asking: how would a security expert act and what would he recommend? What would he recommend for a developer?
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: Features: CSRF and NoScript

Post by Aerik »

This has been an interesting thread. How long has that "anon" command been available?

@giorgio:

Since you introduced ABE, I've gone by that one .pdf file you linked to at hackademix, but that command is not in it. Is there an updated how-to for ABE available somewhere?
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: Features: CSRF and NoScript

Post by Aerik »

@giorgio:

While I'm at it, is there a command opposite of Anon, so that I can create a pair of privacy rulesets such as this?

Site *
Anon

Site www.reddit.com forums.informaction.com
<anti-anon>
Aerik
Junior Member
Posts: 40
Joined: Fri Mar 20, 2009 5:24 pm

Re: Features: CSRF and NoScript

Post by Aerik »

Sorry to dogpile a bunch of comments again, but I really think my last idea is a good one, maybe even a necessary one. I'm talking about an ABE command that does the opposite of what Anon does. Like an arcsin to a sin function.

I've been experimenting with using the logout and anon commands, and it turns out that there are video/online TV sites that require something these ABE commands deny. Specifically, if Anon is applied to hulu.com, one may not watch any videos.

I know you can't get around some kind of restriction to even visit Hulu.com while in Italy; that's a shame, but I think you should know the issue is out there.

Still I must congratulate you on how powerful ABE is.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Features: CSRF and NoScript

Post by Giorgio Maone »

Aerik wrote:Sorry to dogpile a bunch of comments again, but I really think my last idea is a good one, maybe even a necessary one. I'm talking about an ABE command that does the opposite of what Anon does. Like an arcsin to a sin function.
You can use "Accept".
For instance, if you want to anonymize all requests to site a.com except those from a.com itself and b.com, you can write

Site a.com
Accept from a.com b.com
Anon

Also if you want to tweak a "Site *" rule, you can put your exceptions in other rules preceding the rule you want to tweak in the same ruleset: an "Accept" match will stop the processing of the current ruleset, therefore you will be negating the restrictive rules which follow.

For instance,

Site a.com b.com c.com
Accept

Site *
Anon
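As an added illustration (not code from this thread or from NoScript itself), here is a small Python model of the ABE rule semantics described above: a ruleset is evaluated top to bottom, the first matching site/origin pair wins (so an "Accept" match stops processing), "Anon" strips cookies and authentication headers, and "Deny" blocks the request. It assumes that "Allow" is a synonym of "Accept", that SELF means the request's origin host equals its destination host, and that a "*.host" pattern matches subdomains; how NoScript really matches sites is not taken from the page.

```python
# Constructed model of the ABE semantics described in this thread (first matching
# rule wins, so an Accept stops processing; Anon strips credentials; Deny blocks).
# Assumptions, not NoScript's own code: "Allow" is a synonym of "Accept", SELF
# means origin host == destination host, host patterns are exact or "*.host" globs.

def _host_match(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):          # glob matches subdomains only (assumption)
        return host.endswith(pattern[1:])
    return host == pattern

def parse_ruleset(text):
    """Parse ABE text into (site_patterns, action, origin_patterns) triples."""
    rules, sites = [], ["*"]
    for words in (line.split() for line in text.splitlines()):
        if not words:
            continue
        if words[0].lower() == "site":
            sites = words[1:]
            continue
        action = {"ALLOW": "ACCEPT", "ANONYMIZE": "ANON"}.get(words[0].upper(), words[0].upper())
        origins = words[2:] if len(words) > 2 and words[1].lower() == "from" else ["*"]
        rules.append((sites, action, origins))
    return rules

def evaluate(rules, dest, origin):
    """Return the action for a request from `origin` to `dest`; unmatched = ACCEPT."""
    for sites, action, origins in rules:
        if any(_host_match(p, dest) for p in sites):
            for o in origins:
                if (o == "SELF" and origin == dest) or _host_match(o, origin):
                    return action
    return "ACCEPT"

def filter_request(rules, dest, origin, headers):
    """Deny returns None; Anon drops Cookie and Authorization; Accept passes through."""
    action = evaluate(rules, dest, origin)
    if action == "DENY":
        return None
    if action == "ANON":
        return {k: v for k, v in headers.items()
                if k.lower() not in ("cookie", "authorization")}
    return dict(headers)

# Constructed sample: the "tweak a Site * rule" ruleset from the thread.
RULESET = parse_ruleset("Site a.com b.com c.com\nAccept\n\nSite *\nAnon")
```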
tlu
Senior Member
Posts: 129
Joined: Fri Jun 05, 2009 8:01 pm

Re: Features: CSRF and NoScript

Post by tlu »

gsm wrote: Then, shouldn't the ABE "Anon" rule be in the global System ruleset? If I understand correctly, there's a bug in Gecko which doesn't allow stripping HTTP Auth from CSR, and thus implementing CORS correctly? If ABE does this, and there's a dedicated extension just for that, wouldn't it be reasonable to make this an out-of-the-box feature in NoScript? Somehow I get a bit of a sense of fake security: casual Joe Luser would expect that he's armed to the teeth with NoScript, and he trusts Mr. Giorgio to the extreme by handing his safety to Mr. Giorgio. ;-)
I tried the USER rule suggested by Giorgio to mimic the behaviour of CsFire. Unfortunately it breaks a lot of sites and you have to add a lot of Accept ... rules, which is sometimes difficult as I wasn't always able to find out via the error console what exactly was blocked. I generally agree that this would be an important feature that should be added to NS by default. But in this case it would have to be more user-friendly and it would also need a built-in CSRF whitelist to avoid too many false positives. Otherwise most NoScript users would be driven to despair ;)