Is my ABE set up right? Am I missing some ABE lines?
Posted: Sat Sep 04, 2010 12:52 pm
New to NoScript and I'm just a good home PC user so almost everything NoScript does is way beyond my technical understanding.
Do I have my ABE set up correctly? When I go to Options - Advanced - ABE and click on Rulesets - SYSTEM, I see the following:

Code:
# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

But on the "What's ABE?" page, it says all of the following (please scroll in the box below):

Code:
ABE rules, whose syntax is defined in this specification (pdf), are quite simple and intuitive, especially if you are familiar with firewall policies:

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny

# This one guards logout, which is foolish enough to accept GET and
# therefore we need to guard against trivial CSRF (e.g. )
Site www.somesite.com/logout
Accept GET POST from SELF
Deny

# This one guards the local network, like LocalRodeo
# LOCAL is a placeholder which matches all the LAN
# subnets (possibly configurable) and localhost
Site LOCAL
Accept from LOCAL
Deny

# This one strips off any authentication data
# (Auth and Cookie headers) from requests outside the
# application domains, like RequestRodeo
Site *.webapp.net
Accept ALL from *.webapp.net
Anonymize

# This one allows Facebook scripts and objects to be included only
# from Facebook pages
Site .facebook.com .fbcdn.net
Accept from .facebook.com .fbcdn.net
Deny INCLUSION(SCRIPT, OBJ, SUBDOC)

So, is my simple SYSTEM script in ABE missing all these lines? Should I just copy and paste them into SYSTEM in ABE?

Thanks.
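
The following is an added illustration, not part of the original post and not NoScript's own code: a simplified Python model of how two of the rules quoted above (the SYSTEM ruleset and the `*.somesite.com` example) decide a request. It assumes the first matching predicate in the first matching `Site` rule decides, that `SELF` means the same host as the destination, that `LOCAL` covers `localhost` and loopback/private address literals, and that unmatched requests pass; the function names `is_local`, `matches`, `parse` and `decide` are hypothetical.

```python
import ipaddress
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

RULES = """# SYSTEM ruleset and first "What's ABE?" example, copied from the post
Site LOCAL
Accept from LOCAL
Deny
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny
"""

def is_local(host):
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_loopback or ip.is_private
    except ValueError:  # assumption: names are not resolved, only literals checked
        return host == "localhost"

def matches(pattern, url, dest):
    host = urlsplit(url).hostname or ""
    if pattern == "LOCAL":
        return is_local(host)
    if pattern == "SELF":  # assumption: same host as the destination
        return host == urlsplit(dest).hostname
    if "://" in pattern:  # full origin: scheme and host[:port] must be equal
        return urlsplit(pattern)[:2] == urlsplit(url)[:2]
    return fnmatchcase(host, pattern)  # glob such as *.somesite.com, or exact host

def parse(text):
    rules = []
    for line in text.splitlines():
        words = line.split("#")[0].split()
        if words[:1] == ["Site"]:
            rules.append((words[1:], []))
        elif words:
            cut = words.index("from") if "from" in words else len(words)
            rules[-1][1].append((words[0], words[1:cut], words[cut + 1:]))
    return rules

def decide(rules, method, origin, dest):
    for sites, predicates in rules:
        if any(matches(s, dest, dest) for s in sites):
            for action, methods, origins in predicates:
                method_ok = not methods or method in methods
                if method_ok and (not origins or any(matches(o, origin, dest) for o in origins)):
                    return action  # first matching predicate decides
    return "Accept"  # no rule applies: the request passes
```

Calling `decide(parse(RULES), "GET", "http://evil.example/", "http://192.168.1.1/")` (constructed URLs) returns `Deny`, while the same request from `http://192.168.1.10/` returns `Accept`. The `*.somesite.com` rule only ever applies to that placeholder domain.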