Re. "Exploiting CSRF under NoScript Conditions"

Posted: Tue Apr 15, 2014 5:44 pm
by gorhill
Re. "Exploiting CSRF under NoScript Conditions", found at https://community.rapid7.com/community/ ... javascript

I don't think the article is right. I did try the scenario, and NoScript did detect and did block the attempt at a cross-site request. My understanding is that ABE prevents this by default (I don't remember changing anything in there), and so a user would be protected out-of-the-box, as opposed to what the article suggests. I figured Giorgio may want to clear this with the author of the article, as the article is a disservice to users by somewhat misinforming them. If I hadn't verified myself, I would have been led to the wrong conclusion (that NoScript wasn't protecting me) by the article.

Re: Re. "Exploiting CSRF under NoScript Conditions"

Posted: Tue Apr 15, 2014 8:52 pm
by Giorgio Maone
I hate when they force you to both enable JavaScript and join the website (and fill in a captcha) just to comment :(

Re: Re. "Exploiting CSRF under NoScript Conditions"

Posted: Thu Apr 17, 2014 12:09 am
by Thrawn
ABE is only the beginning. The author also suggested bypassing NoScript using clickjacking (ClearClick handles this situation, right?), and apparently ignored the fact that NoScript sanitises POST requests sent from untrusted sites.

Re: Re. "Exploiting CSRF under NoScript Conditions"

Posted: Tue Aug 19, 2014 10:56 pm
by Thrawn
At least he did respond to Giorgio's comment :). But it still looks like he hasn't done his homework properly regarding ClearClick and the sanitisation of untrusted POST requests.