Break NoScript

WTF

Post by WTF »

Client side hacking with noscript (FF-addon) enabled
http://h.ackack.net/client-side-hacking ... abled.html
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Break NoScript

Post by Giorgio Maone »

And so? They're nearly-DOS (you've got a chance to stop the unresponsive script in most cases).
There are several ways to perform them by overloading either the HTML parser or the JavaScript interpreter, but they're not even considered low-impact vulnerabilities, just (ugly) annoyances.

Regarding the claim of having temporarily disabled the XSS filter, I've got my share of doubts, since the InjectionChecker component, like other filtering features of NoScript including ABE, has an anti-DOS mechanism which makes the HTTP request to be filtered fail fast in case a DOS prevents the filter from completing.
Most likely the researcher was testing same-site, therefore no cross-site request to be filtered was performed in the first instance (he openly said he didn't manage to reproduce).
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Break NoScript

Post by GµårÐïåñ »

Also consider that many who are being subverted and nuked by NoScript and prevented from damaging you have an axe to grind and will most likely try to go the route of FUD to get people to doubt their security and drop it, and then they are wide open for them to do what they want. The fact is that NoScript has features that protect you even when your AV doesn't; that's protection, and until I see it in black and white and for myself, I will NEVER (and I recommend others to follow the same) drop my security on the word of some anonymous or ignorant individual spreading false, half-assed or just outright wrong information or trying to use fear and suspicion to cast doubt on the only line of security that stands between us and them 110% of the time. That's right, more than 100%, because often NS will catch, cripple and disarm something that no one has even seen yet and that most security software has not even had a chance to react to and catch up on after the fact, when the damage is already done. It even protects against stupid changes in the Fx core that often cause vulnerabilities; it's built THAT WELL. I have a system that has NO AV, NO SPAM, NO ANTI-MALWARE, NO FIREWALL and only NoScript, and never in my entire 4 years of using this machine as my POC have I seen a single bug get through, even those that crippled MANY who had "security" tools up the wazoo, and I use this system to browse some of the WORST places on the web notorious for viruses, worms, malware, adware, etc., so what does that say about NS? It's priceless and we are getting it for free. I give thanks each and every day for Giorgio and so should everyone else. The better you are and the closer to the BEST that you are, the more people take shots at you and try to bring you down.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/Gecko
WTF

Re: Break NoScript

Post by WTF »

NoScript New Bypass Method by Unicode in ASP
http://soroush.secproject.com/blog/2010 ... de-in-asp/
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Guest

Re: Break NoScript

Post by Guest »

WTF wrote: NoScript New Bypass Method by Unicode in ASP
http://soroush.secproject.com/blog/2010 ... de-in-asp/
Right, except it doesn't bypass NoScript at all. All it does is give you a way to sneak reflected XSS past the NoScript XSS protection using a non-standard, proprietary feature of questionable usefulness (which is still blocked if that XSS payload relies on an external .js file, or if the vulnerable site isn't allowed to execute scripts).
Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Re: Break NoScript

Post by Giorgio Maone »

Guest wrote: non-standard, proprietary feature of questionable usefulness
I dare say, so incredibly stupid (automatically translating random Unicode characters into ASCII homographs based on a vague visual resemblance) that even Microsoft decided it was too much of a shame and removed it from ASP.NET :P

Anyway, I'm currently performing some tests to find how many Unicode characters receive this idiotic treatment and will bake a work-around into the next NoScript version.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

Re: Break NoScript

Post by Giorgio Maone »

Work around in latest development build.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
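
The idea discussed in the posts above, as an added example that is not part of the thread and is not NoScript's own code: an XSS filter that folds look-alike characters to ASCII before inspecting a request parameter, and fails closed when it cannot finish the check. The `EXTRA_FOLDS` table, the `MAX_CHARS` budget and the verdict names are assumptions made for the illustration, not the real ASP mapping or NoScript settings.

```javascript
// Constructed sample of extra look-alike folds a lossy server-side
// conversion might apply beyond Unicode NFKC. Assumed for this demo only.
const EXTRA_FOLDS = new Map([
  ["\u3008", "<"], // LEFT ANGLE BRACKET
  ["\u3009", ">"], // RIGHT ANGLE BRACKET
]);

const MARKUP = /<\s*[a-z\/!?]/i; // start of a tag-like construct
const MAX_CHARS = 4096;          // hypothetical inspection budget

// Fold a value to the ASCII form the server could end up seeing.
function foldToAscii(value) {
  let out = "";
  for (const ch of value.normalize("NFKC")) {
    out += EXTRA_FOLDS.get(ch) ?? ch;
  }
  return out;
}

// Inspect one cross-site request parameter (already percent-decoded).
// Returns "allow", "sanitize" or "block" (hypothetical verdict names).
function inspectParam(value) {
  // Fail closed: a value too large to check within budget makes the
  // request fail instead of going out unfiltered.
  if (value.length > MAX_CHARS) return "block";
  if (MARKUP.test(value)) return "sanitize";              // plain ASCII markup
  if (MARKUP.test(foldToAscii(value))) return "sanitize"; // hidden by look-alikes
  return "allow";
}

// Constructed sample inputs, not taken from the linked write-ups.
const SAMPLES = {
  plain: "hello world",
  ascii: "<script>alert(1)</script>",
  fullwidth: "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E",
  angle: "\u3008img src=x\u3009",
  huge: "a".repeat(MAX_CHARS + 1),
};

function runSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, v]) => [name, inspectParam(v)])
  );
}

console.log(runSamples());
```

A filter that only tests the raw value would return "allow" for the `fullwidth` and `angle` samples, which is the gap the folding step closes.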

Re: Break NoScript

Post by GµårÐïåñ »

WTF wrote: NoScript New Bypass Method by Unicode in ASP
http://soroush.secproject.com/blog/2010 ... de-in-asp/
This is a hardly coherent or useful presentation of a concept that in actuality, as already mentioned, doesn't do squat to defeat NS; just because you can make it LOOK like you are bypassing doesn't equal ACTUAL bypassing. I refer you to read up on the BlackICE fiasco long ago, where the things that would slip by their firewall were later HARDCODED to make it look like it was catching them but in actuality it wasn't. You can probably find an old archived copy on GRC.com
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/Gecko