HEIST exploit
HEIST exploit
Will NoScript prevent or help prevent this exploit? http://arstechnica.com/security/2016/08 ... tps-pages/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Re: HEIST exploit
Without really knowing...
I'd think NoScript would at least cover the first part of that (Web ad, & assuming you haven't Allowed the ad domain). The second would be harder to contain (again assuming you've Allowed the particular domain you're specifically visiting).an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 SeaMonkey/2.40
Re: HEIST exploit
My $0.02:
NoScript would help to mitigate the attack as stated, assuming that the attacking site is not whitelisted, since it wouldn't be able to use JavaScript to launch the attack. I'm not sure whether there is some obscure non-JS way to do it.
My suggested universal TLS mitigation strategy would help, too, if anyone implemented it.
Probably your best defence for now is a generalised cross-site request controller, like RequestPolicy or μMatrix, either of which could kill this attack in its tracks.
EDIT: Also, at this point, it sounds like only Windows is affected.
NoScript would help to mitigate the attack as stated, assuming that the attacking site is not whitelisted, since it wouldn't be able to use JavaScript to launch the attack. I'm not sure whether there is some obscure non-JS way to do it.
My suggested universal TLS mitigation strategy would help, too, if anyone implemented it.
Probably your best defence for now is a generalised cross-site request controller, like RequestPolicy or μMatrix, either of which could kill this attack in its tracks.
EDIT: Also, at this point, it sounds like only Windows is affected.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:38.9) Gecko/20100101 Goanna/2.0 Firefox/38.9 PaleMoon/26.1.1
Re: HEIST exploit
What effect would NoScript's DoS checker have here, if any? (That is, if the attacker is or would firing request sufficiently fast to trigger this.)
*Always* check the changelogs BEFORE updating that important software!
-
Re: HEIST exploit
DoS checker? I'm not aware of one.
This attack requires far less requests than some, probably less than DoS thresholds.
This attack requires far less requests than some, probably less than DoS thresholds.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: HEIST exploit
Yep, check RequestWatchdog.js and components/noscriptService.jsThrawn wrote:DoS checker?
*Always* check the changelogs BEFORE updating that important software!
-
Re: HEIST exploit
Ah, that's a very different feature. It's an internal protection against crafted requests designed to DoS the XSS filter, ABE, etc (eg sending a huge string of < to crash the XSS filter). It's unrelated to rate-limiting browser requests.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Re: HEIST exploit
oops, nvm then.
Thanks for the explanation.
Thanks for the explanation.
*Always* check the changelogs BEFORE updating that important software!
-