Re. "Exploiting CSRF under NoScript Conditions", found at https://community.rapid7.com/community/ ... javascript
I don't think the article is right. I did try the scenario, and NoScript did detect and did block the attempt at a cross-site request. My understanding is that ABE prevents this by default (I don't remember changing anything in there), and so a user would be protected out of the box, as opposed to what the article suggests. I figured Giorgio may want to clear this with the author of the article, as the article is a disservice to users by somewhat misinforming them. If I hadn't verified myself, I would have been led to the wrong conclusion (that NoScript wasn't protecting me) by the article.
- Giorgio Maone
Re: Re. "Exploiting CSRF under NoScript Conditions"
I hate it when they force you to both enable JavaScript and join the website (and fill in a captcha) just to comment.

Re: Re. "Exploiting CSRF under NoScript Conditions"
ABE is only the beginning. The author also suggested bypassing NoScript using clickjacking (ClearClick handles this situation, right?), and apparently ignored the fact that NoScript sanitises POST requests sent from untrusted sites.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
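The cross-site request the first post describes trying, and the cross-site POST the reply above says NoScript sanitises, as an added example that is not part of this thread, of NoScript, or of the Rapid7 article: a constructed attacker page carrying the classic auto-submitting CSRF form, and a server-side check (Origin/Referer plus a per-session token) that refuses the forged request no matter which extensions the visitor runs. The site origin, paths, session token and request objects are all constructed for the demonstration.

```javascript
// Added example: not code from this thread, from NoScript, or from the
// article under discussion. It shows what a CSRF attempt looks like to the
// target server and a check that rejects it. Client-side defences such as
// NoScript's ABE or POST sanitisation only help visitors who run NoScript;
// the site must still refuse forged requests on its own.

// Constructed: the site being protected and one session's CSRF token. In a
// real deployment the token comes from a CSPRNG, per session.
const SITE_ORIGIN = 'https://bank.example';
const SESSION_TOKEN = '3f9a1c77b2e04d5a8c6e1f0b9d2a4c7e';

// The classic CSRF vehicle: a form on the attacker's page aimed at the victim
// site, submitted by script. With scripting disabled the auto-submit fails,
// but the form still posts if the user is tricked into pressing the button.
function attackerPage(targetUrl, fields) {
  const inputs = Object.entries(fields)
    .map(([name, value]) => `<input type="hidden" name="${name}" value="${value}">`)
    .join('');
  return `<form id="f" method="POST" action="${targetUrl}">${inputs}` +
         `<input type="submit" value="Click to win"></form>` +
         `<script>document.getElementById("f").submit();</script>`;
}

// Where the browser says the request came from: modern browsers attach an
// Origin header to cross-origin POSTs, older ones only a Referer.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try { return new URL(headers.referer).origin; } catch (e) { return null; }
  }
  return null;
}

// Compare two strings without leaking where they first differ.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Gate for a state-changing endpoint. Returns 'allow' or a 'reject: ...'
// reason. Fails closed when neither Origin nor Referer is present (a proxy or
// privacy tool stripped them), because then the request cannot be shown to
// be ours; the per-session token is the second, independent check.
function checkStateChangingRequest(req, sessionToken) {
  if (req.method !== 'POST') return 'reject: state changes must use POST';
  const origin = requestOrigin(req.headers);
  if (origin === null) return 'reject: no Origin or Referer';
  if (origin !== SITE_ORIGIN) return `reject: cross-site request from ${origin}`;
  const token = req.body.csrf_token;
  if (typeof token !== 'string') return 'reject: missing or malformed csrf_token';
  if (!constantTimeEqual(token, sessionToken)) return 'reject: csrf_token does not match session';
  return 'allow';
}

// Constructed requests as the server sees them. The session cookie rides
// along with all three, which is exactly why the cookie alone proves nothing.
const COOKIE = 'session=constructed-session-id';
const forgedRequest = {                     // from the attacker page; no token, it cannot read one
  method: 'POST',
  headers: { origin: 'https://evil.example', referer: 'https://evil.example/win.html', cookie: COOKIE },
  body: { to: 'attacker', amount: '1000' },
};
const legitimateRequest = {                 // from the site's own transfer form
  method: 'POST',
  headers: { origin: SITE_ORIGIN, referer: `${SITE_ORIGIN}/transfer`, cookie: COOKIE },
  body: { to: 'landlord', amount: '800', csrf_token: SESSION_TOKEN },
};
const strippedRequest = {                   // same form, but Origin and Referer were stripped
  method: 'POST',
  headers: { cookie: COOKIE },
  body: { to: 'landlord', amount: '800', csrf_token: SESSION_TOKEN },
};

console.log(attackerPage(`${SITE_ORIGIN}/transfer`, { to: 'attacker', amount: '1000' }));
for (const [label, req] of [['forged', forgedRequest], ['legitimate', legitimateRequest], ['stripped', strippedRequest]]) {
  console.log(label.padEnd(10), checkStateChangingRequest(req, SESSION_TOKEN));
}
```

Run it with `node` and the forged request is rejected on the origin check alone; the stripped request shows the fail-closed decision, which is a trade-off against visitors whose tooling removes the Referer, and the token check is what still stands if a site chooses to accept such requests.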
Re: Re. "Exploiting CSRF under NoScript Conditions"
At least he did respond to Giorgio's comment. But it still looks like he hasn't done his homework properly regarding ClearClick and the sanitisation of untrusted POST requests.

======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.