Blanket Blocking of window.eval using Surrogates ?

General discussion about the NoScript extension for Firefox
ashrc4
Posts: 4
Joined: Mon May 18, 2009 3:07 am

Post by ashrc4 » Tue Jul 26, 2011 2:35 pm

http://www.dslreports.com/forum/r261313 ... loits-Dead

Heads up on a suggestion from that thread.

"If you use NoScript, you protect yourself a great deal. However there is one small case that it won't protect you. Say for example you accidentally execute a script that contains malicious and obfuscated code? You're screwed aren't you?

Many JavaScript exploits use eval() to execute data like it was code. This in itself is a vulnerability because there are countless ways to encode executable code, to make it difficult for security software to detect (ignoring the fact that blacklisting is not the best idea).

The solution is to make eval unavailable to websites. I use the following Firefox configuration setting to do this. Open about:config (type it in the address bar) and create the following settings as strings:
noscript.surrogate.noeval.replacement
The value should then be:
window.eval = null;document.eval=null;
You also need the setting noscript.surrogate.noeval.sources to be:
@^http://[a-z]+[^/]+\.[a-z]+(?:/|$)
I believe this specifies which URLs the surrogate will be placed in.
You also need the setting noscript.surrogate.noeval.exceptions but this is empty unless you want some websites to run eval."

Hope it's of some use.
ash

therube
Ambassador
Posts: 7643
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Blanket Blocking of window.eval using Surrogates ?

Post by therube » Wed Jul 27, 2011 1:05 am

(I split this as I was going to ask about it [here] anyhow [from the post at dslreports].)

Comments?

I have no clue, but my feeling would be that if it were necessary or wanted, something like this would be on by default, and since it is not, the danger is minor. Plus I'd think it would be apt to break legitimate functions.
