Re: Which is the best way to configure ABE?

Posted: Thu Jul 29, 2010 2:34 pm
by therube
> WAN IP (Your-Internet-IP) @ LOCAL

http://forums.informaction.com/viewtopi ... 272#p20272

Re: Which is the best way to configure ABE?

Posted: Thu Jul 29, 2010 9:57 pm
by Giorgio Maone
DarkBlood wrote: Thank you therube, I understand better now but still ABE settings are too complicated for common users :(
In fact "common users" shouldn't touch them without guidance.
The built-in rules already give significant protection against attacks from internet to intranet.

Re: Which is the best way to configure ABE?

Posted: Fri Jul 30, 2010 5:39 pm
by tlu
Giorgio Maone wrote:
DarkBlood wrote: Thank you therube, I understand better now but still ABE settings are too complicated for common users :(
In fact "common users" shouldn't touch them without guidance.
The built-in rules already give significant protection against attacks from internet to intranet.
Giorgio, are you also considering enhancing ABE in such a way that NoScript will become an alternative to CsFire? I understand that ABE already offers what CsFire does, but it's simply not user-friendly enough to use it that way. Would be highly appreciated :)

Re: Which is the best way to configure ABE?

Posted: Fri Jul 30, 2010 8:10 pm
by Giorgio Maone
CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

# This rule allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise
Site *
Accept from SELF++
Anon

Re: Which is the best way to configure ABE?

Posted: Sat Jul 31, 2010 9:44 am
by tlu
Giorgio Maone wrote: CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

# This rule allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise
Site *
Accept from SELF++
Anon
Ah - I had used the rule you had mentioned in http://forums.informaction.com/viewtopi ... 99&start=0& :

Site *
Accept from SELF
Anon
and that broke too many sites - but it was without the ++. I will try your new suggestion. Thanks!

Re: Which is the best way to configure ABE?

Posted: Sun Aug 08, 2010 5:44 pm
by Jahzoone
Am I understanding this correctly: can I use this string to allow my own website?

My problem is ABE is blocking me from browsing to my own web pages since they are being served from the same IP.

Re: Which is the best way to configure ABE?

Posted: Sun Aug 08, 2010 9:15 pm
by Giorgio Maone
What message do you get, exactly?

Re: Which is the best way to configure ABE?

Posted: Sun Aug 08, 2010 11:02 pm
by Jahzoone
I have more information: the problem happens when I do a Google search for my site and then click on the search result; I get an information bar at the top of the screen. Actually, I suppose this means ABE is working like it should? Perhaps I will just use bookmarks, or is it safe to allow Google?

[deleted]

Posted: Wed Oct 27, 2010 3:29 am
by Nate
[deleted]

Re: Which is the best way to configure ABE?

Posted: Wed Oct 27, 2010 8:36 am
by Giorgio Maone
Nate wrote:
Giorgio Maone wrote: CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

# This rule allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise
Site *
Accept from SELF++
Anon
Could you please summarize why this rule is not included by default?
Because it would probably break any web site which spans across different domains linking back and forth (many financial sites have this kind of setup), so if you're not prepared to opt-in and possibly put exceptions to this behavior, it would come as an unpleasant surprise.

Re: Which is the best way to configure ABE?

Posted: Tue Apr 26, 2011 1:06 am
by very old guy
Giorgio Maone wrote:
Nate wrote:
Giorgio Maone wrote: CsFire's behavior can be implemented with this one simple rule (to be put in the USER ruleset):

# This rule allows authentication data to be sent with requests originated
# from the same base domain, stripping it off otherwise
Site *
Accept from SELF++
Anon
Could you please summarize why this rule is not included by default?
Because it would probably break any web site which spans across different domains linking back and forth (many financial sites have this kind of setup), so if you're not prepared to opt-in and possibly put exceptions to this behavior, it would come as an unpleasant surprise.
Could someone please give an example of "opt-in and possibly put exceptions to this behavior"? Yahoo Mail! would be a fine test case I believe; popular and at times has been prone to Cross-Site risks, and absent exceptions there are layout problems at a minimum.

Re: Which is the best way to configure ABE?

Posted: Tue Apr 26, 2011 9:22 pm
by Giorgio Maone
very old guy wrote: Could someone please give an example of "opt-in and possibly put exceptions to this behavior"? Yahoo Mail! would be a fine test case I believe; popular and at times has been prone to Cross-Site risks, and absent exceptions there are layout problems at a minimum.

Site .yahoo.com .anyothersiteyouwanttoprotect.com
Accept from SELF++
Anon
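The CsFire-like USER rule from earlier in the thread and the narrowed .yahoo.com variant above, run through a small toy interpreter. This is an added example, not NoScript's or ABE's own code; it understands only the Site / Accept from / Anon lines used in this thread, treats SELF as "same host" and approximates the base domain by the last two labels (real ABE uses a public-suffix list), and the rule texts and URLs are constructed here.

```python
from urllib.parse import urlsplit
# Constructed rule texts copied from the thread (the CsFire-like USER rule, the
# earlier SELF-only rule, and the narrowed variant); this toy only understands
# the Site / Accept from / Anon verbs.
CSFIRE_RULE = "Site *\nAccept from SELF++\nAnon\n"
STRICT_RULE = "Site *\nAccept from SELF\nAnon\n"
YAHOO_RULE = ("Site .yahoo.com .anyothersiteyouwanttoprotect.com\n"
              "Accept from SELF++\nAnon\n")

def base_domain(host: str) -> str:
    # ASSUMPTION: the last two labels stand in for the registered domain; real
    # ABE consults a public-suffix list (so co.uk etc. work), this toy does not.
    return ".".join(host.lower().split(".")[-2:])

def site_matches(pattern: str, host: str) -> bool:
    # '*' matches every destination; '.example.com' matches it and its subdomains.
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse_rules(text: str) -> list:
    rules, current = [], None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        verb, _, rest = line.partition(" ")
        if verb == "Site":
            current = {"sites": rest.split(), "accept": [], "default": "accept"}
            rules.append(current)
        elif verb == "Accept" and rest.startswith("from "):
            current["accept"] = rest[5:].split()
        elif verb == "Anon":
            current["default"] = "anon"
    return rules

def evaluate(rules: list, origin: str, dest: str) -> str:
    # Returns 'accept' (credentials kept) or 'anon' (cookies/auth stripped).
    o, d = urlsplit(origin).hostname.lower(), urlsplit(dest).hostname.lower()
    for rule in rules:                       # first rule whose Site matches wins
        if not any(site_matches(p, d) for p in rule["sites"]):
            continue
        for src in rule["accept"]:
            if src == "SELF" and o == d:     # same host (simplified same-origin)
                return "accept"
            if src == "SELF++" and base_domain(o) == base_domain(d):
                return "accept"
        return rule["default"]
    return "accept"                          # no matching rule: request untouched
```

The SELF-only rule anonymizes a www.example.com to login.example.com request while SELF++ keeps its credentials, which is why the earlier rule "broke too many sites"; the narrowed rule leaves destinations outside the listed domains untouched.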

Re: Which is the best way to configure ABE?

Posted: Fri Feb 10, 2012 4:38 pm
by herojoker
According to this presentation and this paper (this thread is reference [8] there), CsFire allows "expected requests" / "trusted delegations" since version 1.0, which would get blocked with the above user rule.