InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Information on ES6 attacks thwarted by NoScript 2.6.9.13

https://forums.informaction.com/viewtopic.php?t=20539

Page 1 of 1

Information on ES6 attacks thwarted by NoScript 2.6.9.13

Posted: Wed Feb 11, 2015 7:56 pm
by bgmnt
Hi,

In the changelog there is:
x [XSS] Better protection against some ES6 attacks (thanks Masato Kinugawa for reporting)
I'm curious, which attacks did ES6 enabled that NoScript had to be tweaked to protect against ?

Thanks

Re: Information on ES6 attacks thwarted by NoScript 2.6.9.13

Posted: Wed Feb 11, 2015 10:14 pm
by Giorgio Maone
One using a funny combo of string interpolation (a new, very tricky ES6 feature) and nested comments.
I'll leave to Masato publishing the gory details.

Re: Information on ES6 attacks thwarted by NoScript 2.6.9.13

Posted: Thu Feb 12, 2015 12:29 am
by bgmnt
Ok thanks, I'll see if he publishes something in English :)

For anyone interested in new threats posed by ES6, I found this. A vulnerability with NoScript XSS protection was even found and quickly fixed. It's interesting to see that ES6 features can take even NoScript off guard, but of course there needs to be a whitelisted site involved for attackers to have a chance to run anything ES6.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited