Some Sites you Might Want to Protect

Discussions about the Application Boundaries Enforcer (ABE) module
User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Some Sites you Might Want to Protect

Post by Thrawn » Fri May 18, 2012 12:42 am

Raising this topic to see if anyone's interested in sharing lists of candidates for CSRF protection via ABE.

As a start, I'd suggest protecting sites that are default-allowed in NS:

Code: Select all

# Google
Site .ytimg.com
Accept from SELF++ .youtube.com
Deny

Site .google.com .google.com.au .youtube.com
Accept from .google.com .google.com.au .youtube.com
Accept GET from ^moz-nullprincipal:\{.*}$
Anon

# Microsoft
Site .live.com .hotmail.com .passport.com .passport.net .passportimages.com .js.wlxrs.com .msn.com
Accept from .live.com .hotmail.com .passport.com .passport.net .passportimages.com .js.wlxrs.com .msn.com
Anon

# Yahoo
Site .yimg.com
Accept from .yahoo.com .yahooapis.com .yimg.com
Deny

Site .yahoo.com .yahooapis.com
Accept from .yahoo.com
Anon

# Paypal/eBay
Site .paypalobjects.com
Accept from .paypal.com
Deny

Site .paypal.com
Accept from https://*.paypal.com
Anon

All fixes and contributions are welcome.

ETA Protection for poorly-coded sites that may require XSS filter exceptions:

Code: Select all

Site .schwab.com
Accept from SELF++
Deny

Site .buy.com
Accept from SELF++
Deny

Site .elevationscu.com
Accept from SELF++
Deny

ETA Tracking scripts (thanks Giorgio & access2godzilla):

Code: Select all

Site ^.*(?:2leep\.com|3dstats\.com\/cgi-bin\/3dstrack(ssl)?\.cgi|as00\.estara\.com\/as\/initiatecall2\.php|\.atgsvcs\.com\/js\/atgsvcs\.js|awstats_misc_tracker\.js|\.aweber\.com|\.imiclk\.com\/|www\.actonsoftware\.com\/acton\/bn\/|\.activemeter\.com|\.adbull\.com\/|adf\.ly\/js\/(entry|link)|clarity\.adinsight\.eu\/static\/adinsight|\.adinsight\.(eu|com)\/static\/scripts\/aditrack\.min\.js|mi\.adinterax\.com\/(js|customer)|(rotator\.adjuggler\.com|\/banners\/ajtg\.js|\/servlet\/ajrotator\/)|(js|tag)\.admeld\.com|adocean\.pl|\.adperium\.com\/js\/adframe\.js|\.adplan-ds\.com|\.adplan\.ne\.jp\/cgi-bin\/ad\/se|\.advg\.jp|c\.p-advg\.com|pixel\.adpredictive\.com|js\.adscale\.de\/|(servedby|ads|event)\.adxpose\.com|yieldoptimizer\.com|addfreestats\.com\/cgi-bin\/afstrack\.cgi|\.addthis\.com|\/addthis_widget\.(js|php)|l\.addthiscdn\.com|jlinks\.industrybrains\.com\/jsct|wtp101\.com\/|\.designbloxlive\.com|o\.aolcdn\.com\/js\/mg2\.js|html\.aggregateknowledge\.com\/iframe|\.alexametrics\.com\/|xslt\.alexa\.com\/site_stats\/js\/t\/|(xslt\.alexa\.com\/site_stats\/js\/s\/|widgets\.alexa\.com\/traffic\/javascript\/)|websitealive[0-9]\.com\/|amadesa\.com\/static\/client_js\/engine\/amadesajs\.js|\.assoc-amazon\.(com|ca|co\.uk|de|fr|jp)\/(e\/ir|s\/(ads\.js|asw\.js|link-enhancer|impression-counter))|anormal-tracker\.de\/countv2\.php|anormal-tracker\.de\/tracker\.js|\.appmetrx\.com|www\.apture\.com\/js\/apture\.js|web\.asterpix\.com\/media\/js\/|\.revsci\.net\/|ad\.targetingmarketplace\.com\/|revsci\.(.*)\/gw\.js|wunderloop\.net\/|\.blvdstatus\.com\/js\/initBlvdJS\.php|(static\.btbuckets\.com\/bt\.js|\.n\.btbuckets\.com\/js)|widgets\.backtype\.com\/|dn3y71tq7jf07\.cloudfront\.net|s3\.amazonaws\.com\/cdn\.barilliance\.com|baynote(-observer)?([0-9]+)?\.js|baynote\.net|beencounter\.com\/b\.js|\.belstat\.(com|be|de|fr|nl)\/regstat|js\.bigdoor\.com|bitcoinplus\.com\/js\/miner\.js|theblogfrog\.com|blogrollr\.com\/embed\.js|\.(brcdn|brsrvr)\.com\/|d3hrg5kicb4pq5\.cloudfront\.net|lookup\.bluecava\.com|(tags\.bluekai\.com\/|bkrtx\.com\/js\/)|\.bmmetrix\.com\/|ads\.brainient\.com\/|\.branica\.com|btstatic\.com|s\.thebrighttag\.com|(goku\.brightcove\.com|admin\.brightcove\.com\/js)|browser\-update\.org\/update\.js|in\.bubblestat\.com|bufferapp\.com\/js\/button|stats\.businessol\.com|buzzster\.com\/widget\/|\.c3metrics\.com|\.c3tag\.com|\.cnzz\.com|radar\.cedexis\.(com|net)|certifica-js14\.js|certifica\.js|hits\.e\.cl|prima\.certifica\.com|\.chango\.(ca|com)|channelintelligence\.com\/|tracking\.searchmarketing\.com\/|(static\.chartbeat\.com|\/chartbeat\.js)|\/adam\/(cm8[0-9a-z_]+\.js|detect)|dsa\.csdata1\.com|www\.csm-secure\.com\/scripts\/clicktracking\.js|hit\.clickaider\.com|j\.clickdensity\.com\/cr\.js|analytics\.clickdimensions\.com|(beacon|js)\.clickequations\.net|\.conversiondashboard\.com\/|(impression|ca)\.clickinc\.com\/|\.clicktale\.net\/|clicktale\.pantherssl\.com|s\.clickability\.com\/s|cn\.clickable\.net\/js\/cct\.js|(static\.getclicky\.com\/|hello\.staticstuff\.net\/|clicky\.js)|\.clixmetrix\.com\/|clixpy\.com\/clixpy\.js|clustrmaps\.com\/counter\/|\.cognitivematch\.com|service\.collarity\.com\/|\.communicatorcorp\.com\/public\/scripts\/conversiontracking\.js|c\.compete\.com\/bootstrap\/.*\/bootstrap\.js|www\.conversionruler\.com\/bin\/|ant\.conversive\.nl\/|\.convertglobal\.com|convertglobal\.s3\.amazonaws\.com|dnhgz729v27ca\.cloudfront\.net|d1ivexoxmp59q7\.cloudfront\.net|sp1\.convertro\.com|\.coremotives\.com|(\/eluminate\.js|data\.cmcore\.com\/imp|data\.coremetrics\.com)|cetrk\.com\/|dnn506yrbagrg\.cloudfront\.net|\.crosspixel\.net|\.crsspxl\.com|static\.crowdscience\.com\/start(-.*)?\.js|(social\.bidsystem\.com\/|cubics\.com\/displayAd\.js)|\.stormiq\.com|tracking\.dsmmadvantage\.com\/clients\/|a\.live\-conversion\.com|displaymarketplace\.com|\.degaa\.net|(api|leads)\.demandbase\.com\/|\/internal\/jscript\/dwanalytics\.js|\.demdex\.net|tag\.didit\.com\/(didit|js)\/|track\.did-it\.com\/|digg\.com\/tools\/widgetjs|digg\.com\/[0-9a-zA-Z]*\/diggthis\.js|\.ppctracking\.net|disqus\.com\/(forums\/|count\.js)|www\.domodomain\.com\/domodomain\/sensor\/|(\.dtmpub\.com\/|login\.dotomi\.com\/ucm\/ucmcontroller)|\/(html|image|js)\.ng\/|\.doubleclick\.net\/activityi|fls\.doubleclick\.net|\.doubleclick\.net\/activity;|cdn\.doubleverify\.com\/[0-9a-zA-Z_-]*\.js|(content\.dl-rms\.com\/|\.dlqm\.net\/|\.questionmarket\.com\/)|(\/econda.*\.js|www\.econda-monitor\.de\/els\/logging)|effectivemeasure\.net|everestjs\.net|pixel([0-9]*)?\.everesttech\.net|(now\.eloqua\.com|elqcfg(xml)?\.js|elqimg\.js)|\.emediate\.eu|analytics\.engagd\.com\/archin-std\.js|\.enquisite\.com\/log\.js|nexus\.ensighten\.com|\.eulerian\.net|\.audienceiq\.com|facebook\.com\/beacon\/|\/fbconnect\.js|static\.ak\.connect\.facebook\.com\/.*\.js\.php|\.facebook\.com\/email_open_log_pic\.php|\.facebook\.com\/js\/conversions\/tracking\.js|fbcdn\.net\/connect\.php\/js\/fb\.share|tracking\.fathomseo\.com\/|tracking\.feedperfect\.com|(feedjit\.com\/serve\/|feedjit\.com\/map\/)|log\.feedjit\.com|hints\.netflame\.cc\/service\/script\/|api\.flattr\.com\/(.*)\/load\.js|(img|script)\.footprintlive\.com|foresee-(trigger(.*)?|alive|analytics(.*)?)\.js|js\.fout\.jp\/|freeonlineusers\.com\/|friendfeed\.com\/embed\/widget\/|js\.gb-world\.net\/lib\/ga_social_tracking\.js|fx\.gtop(stats\.com|\.ro)\/js\/gtop\.js|\.gaug\.es\/track|\/xgemius\.js|\.rsvpgenius\.com\/|js\.geoads\.com|s3\.amazonaws\.com\/getsatisfaction\.com\/(feedback\/feedback\.js|javascripts\/feedback-v2\.js)|\.gigya\.com\/js\/socialize\.js|counters\.gigya\.com|aff3\.gittigidiyor\.com\/affiliate_front\.js|rt\.trafficfacts\.com\/|tracking\.godatafeed\.com|\.gosquared\.com\/livestats\/tracker|d1l6p2sc9645hc\.cloudfront\.net|data\.gosquared\.com|gostats\.com\/|(\/gomez.+?\.js|\.[rt]\.axf8\.net\/)|\.google\.com\/buzz\/api\/button\.js|apis\.google\.com\/js\/plusone\.js|(\.googlesyndication\.com\/pagead\/|googletagservices\.com\/tag\/js\/gpt\.js|partner\.googleadservices\.com\/gampad\/|feedads\.g\.doubleclick\.net\/~at)|google\.com\/adsense\/search\/ads\.js|google\.com\/afsonline\/show_afs_ads\.js|\/__utm\.|google-analytics\.com\/(urchin\.js|ga\.js)|www\.google\.com\/friendconnect\/script\/friendconnect\.js|\.google-analytics\.com\/siteopt\.js|cdn\.triggertag\.gorillanation\.com\/js\/triggertag\.js|\.grapeshot\.co\.uk|\.gravity\.com|\/hellobar\.js|\.histats\.com\/|\.hit-parade\.com\/log|hitsniffer\.com\/|\.hittail\.com\/mlt\.js|\.hitslink\.com\/|\.hitsprocessor\.com|hotlog\.ru\/cgi-bin\/hotlog|static\.hubspot\.com\/websiteGraderBadge\/badge\.js|\/salog\.js\.aspx|hurra\.com\/ostracker\.js|\.ivwbox\.de\/|picadmedia\.com\/js\/|indextools\.js|resources\.infolinks\.com\/js\/infolinks_main\.js|\.insightexpressai\.com\/|\.inspectlet\.com|saas\.intelligencefocus\.com\/sensor\/|(www\.)?intensedebate\.com\/js\/|\.intentmedia\.net|api\.intercom\.io\/api\/js\/library\.js|voice2page\.com\/naa_1x1\.js|(www\.haloscan\.com\/load\/|js-kit\.com\/[0-9a-z\/]+\.js)|\/k_(push|button)\.js|\.xg4ken\.com|\.keymetric\.net\/|keywordmax\.com\/tracking\/|\/ki\.js\/|j\.kissinsights\.com|\.kissmetrics\.com\/|doug1izaerwt3\.cloudfront\.net|cdn\.krxd\.net|adelixir\.com\/(webpages\/scripts\/ne_roi_tracking\.js|neroitrack)|\.leadforce1\.com\/bf\/bf\.js|vlog\.leadformix\.com|(trackalyzer\.com|formalyzer\.com)|rt\.legolas-media\.com\/|\.tongji\.linezing\.com|\.linkz\.net\/linkz\/linkz\.js|\.listrakbi\.com|st\.listrak\.com|\/liveball_api\.js|static\.addtoany\.com\/menu\/(feed|page)\.js|logdy\.com\/scripts\/script\.js|(pub\.lookery\.com\/js\/|lookery\.com\/look\.js|\/j\/pub\/look\.js)|(tr-metrics\.loomia\.com|assets\.loomia\.com\/js\/)|lfov\.net\/webrecorder\/|\.luminate\.com|pixazza\.com\/(static\/)?widget|lypn\.com\/lp\/|\.clicktracks\.com\/|\.lytiks\.com|ads(1)?\.msn\.com\/library\/dap\.js|adsyndication\.msn\.com\/delivery\/getads\.js|domdex\.(net|com)|qjex\.net|www\.dialogmgr\.com\/tag\/lib\.js|\.connect\.mail\.ru\/js\/loader\.js|\.list-manage\.com\/track\/|\.marinsm\.com\/|(\.dt07\.net|mg\.dt00\.net\/(u)?js)|munchkin\.marketo\.net\/|netscope\.data\.marktest\.pt|mashlogic\.com\/(loader\.min\.js|brands\/embed\/)|(mmcore\.js|cg-global\.maxymiser\.com)|\.mookie1\.com|bs\.serving-sys\.com\/burstingpipe\/(activityserver|adserver)\.bs|\.(research\.de\.com|meetrics\.net)\/bb|(cdn\.mercent\.com\/js\/tracker\.js|link\.mercent\.com\/)|\.merchantadvantage\.com|\.r\.msn\.com\/scripts\/microsoft_adcenterconversion\.js|\/mint\/\?js|get\.mirando\.de\/|api\.mixpanel\.com\/|mobilemeteor\.com\/js\/check\.js|showmeinn\.com\/_js\/mobile\.js|b\.monetate\.net\/js\/|(l|b)ive\.monitus\.net|monitus(_tools)?\.js|\.nedstatbasic\.net|webstats\.motigo\.com|\.mouseflow\.com|(rainbow|rainbowx)\.mythings\.com|\.mybloglog\.com\/|t\.p\.mybuys\.com\/js\/mybuys3\.js|\.mycounter(\.com)?\.ua|\.mypagerank\.net\/services|assets\.newsinc\.com\/(ndn\.2\.js|analyticsprovider\.svc\/)|nakanohito\.jp|lt\.navegg\.com\/lt\.js|\.sitestat\.com\/|cdnma\.com\/apps\/|nr7\.us\/apps\/|\.netbina\.com|stat\.netmonitor\.fi\/js\/|\.imrworldwide\.com\/|dz\.glanceguide\.com\/|\/netupdater(_live)?|live1\.netupdater\.info\/live\.php|netupdater[0-9]\.de|\.netmining\.com|netmng\.com\/|d1ros97qkrwjf5\.cloudfront\.net|analytics\.apnewsregistry\.com\/analytics\/|newstogram\.com\/(.*)\/(histogram|toolbar)\.js|nxtck\.com|\.nextstat\.com|imgsrv\.nextag\.com\/imagefiles\/includes\/roitrack\.js|\.shinobi\.jp\/|\.nuconomy\.com\/n\.js|\.oewabox\.at|\.observerapp\.com\/record|\.olark\.com|touchclarity|\.1[12]2\.2o7\.net\/|\.omtrdc\.net\/|\/(omniture|mbox|hbx|omniunih)(.*)?\.js|common\.onset\.freedom\.com\/fi\/analytics\/cms\/|hitbox\.com|s(c)?_code[0-9a-zA-Z_-]*(\.[0-9a-zA-Z_-]*)?\.js|stat\.onestat\.com\/|e\.onetruefan\.com\/js\/widget\.js|\.onlinewebstats\.com|\/(adg|adx)\.js|\/(afr|ajs|avw|spcjs)\.php|\.spylog\.(com|ru)\/|openstat\.net\/cnt\.js|\.opentracker\.net|service\.optify\.net\/|cdn\.optimizely\.com\/js\/|\.optimost\.com\/|\/instantinvite3\.js|otracking\.com\/js|othersonline\.com\/*\/[a-z0-9]+\.js|widgets\.outbrain\.com\/|px\.owneriq\.net|\/pagepeelads\/pagepeelads\.js|\.pardot\.com\/|\.parsely\.com|stags\.peer39\.net\/|\.peerius\.com|\.keewurd\.com|(tracking\.percentmobile\.com\/|\/percent_mobile\.js)|\/performable\/pax|pmetrics\.performancing\.com\/(js|in\.php|[0-9]*\.js)|\.persianstat\.com|app\.phonalytics\.com\/track|(assets\.pinterest\.com|d3io1k5o0zdpqr\.cloudfront\.net)\/js\/pinit\.js|\/piwik\.js|api\.postrank\.com\/|\.predictad\.com\/scripts\/(molosky|publishers)\/|\.adserver\.com\.br|\/opentag\-(.*)\.js|(widget\.quantcast\.com|\.quantserve\.com\/|\/quant\.js)|(js\.adsonar\.com\/js\/|ads\.adsonar\.com\/adserving\/)|\.quintelligence\.com\/quint\.js|mct\.rkdms\.com\/sid\.gif|\.trk\.sodoit\.com\/rts|radarurl\.com|rs\.gwallet\.com\/r1\/pixel|(ad|ad2|counter)\.rambler\.ru|\.list\.ru\/counter|\.mail\.ru\/counter|(spruce\.rapleaf\.com|\.rlcdn\.com)|ad\.retargeter\.com/seg|\.rlcdn\.net|ad\.reachlocal\.com|raasnet\.com|include\.reinvigorate\.net\/|\.iesnare\.com|(\.res-x\.com\/ws\/r2\/resonance|\/resxcls[ax][0-9a-z_]*\.js|\/resonance5050\.js)|(rm\.yieldmanager\.com\/|ad\.yieldmanager\.com\/|optimizedby\.rmxads\.com|e\.yieldmanager\.net\/script\.js)|content\.yieldmanager\.com\/(rmtag3|rmi)\.js|ad\.yieldmanager\.com\/pixel|\/std\/resource\/script\/rwts\.js|\.rfihub\.com\/|sageanalyst\.net|lct\.salesforce\.com\/sfga\.js|\.(scoreresearch|securestudies|scorecardresearch)\.com\/|static\.scribefire\.com\/ads\.js|\.searchforce\.net\/|searchignite\.com\/si\/cm\/tracking\/|\.srtk\.net\/www\/delivery\/|svlu\.net|(\/seesmic_topposters_v2\.js|seesmic-wp\.js)|\.sextracker\.com|\.shinystat\.(com|it)\/|reporting\.singlefeed\.com|sitecompass\.com\/(sc_cap\/|[ij]pixel)|sitebro\.net\/track\.js|sitemeter\.com\/(js\/counter\.js|meter\.asp)|\.skimlinks\.com\/(api|js)\/|\.skimresources\.com\/js|assets\.skribit\.com\/javascripts\/SkribitSuggest\.js|184\.73\.199\.28\/tracker\/event|\.smowtion\.com|(shots\.snap\.com\/snap_shots\.js|spa\.snap\.com\/snap_preview_anywhere\.js)|\.snapengage\.com\/(snapabug\.js|snapengage\-)|snapabug\.appspot\.com\/|\.snoobi\.com\/snoop\.php|\.sophus3\.com|\.spectate\.com|sa\.entireweb\.com\/sense\.js|\.(sphere|surphace)\.com\/widgets\/sphereit\/js|\.springmetrics\.com|d3rmnwi2tssrfx\.cloudfront\.net|\.statcounter\.com\/counter\/(counter[0-9a-zA-Z_]*|frames)\.js|c\.statcounter\.com\/|statisfy\.net\/javascripts\/stats\.js|one\.statsit\.com\/|px\.steelhousemedia\.com|utd\.stratigent\.com|\.struq\.com|\.stumble\-upon\.com\/js\/widgets\.js|platform\.stumbleupon\.com\/1\/widgets\.js|su\.pr\/hosted_js|tracking\.summitmedia\.co\.uk\/js\/|\.sweepery\.com\/javascripts\/*\/[0-9a-zA-Z_]*\.js|\.(shopximity|swoop)\.com\/js\/spxw\.js|(tns-counter\.ru|tns-counter\.js|\.tns-cs\.net|statistik-gallup\.net|\.sesamestats\.com)|(tacoda_ams_ddc_header\.js|\.tacoda\.net)|levexis\.com|adadvisor\.net|d34ko97cxuv4p7\.cloudfront\.net|tealium\.hs\.llnwd\.net|utag\.loader\.js|\.socialtwist\.com|\.tellapart\.com\/crumb|(adserver|int)\.teracent\.net\/|\.thesearchagency\.net\/(.*)\/tsaapi\.js|thesearchagency\.net\/tsawaypoint\.php|\.thinglink\.com\/jse\/embed\.js|esm1\.net|rate\.thummit\.com\/js\/|(ads|sync|set)\.(tidaltv)\.(tv|com)|\.tinystat\.(ir|com)|srv\.clickfuse\.com|\.inq\.com\/|\.tracemyip.org\/tracker\/|roia\.biz\/|(tracking\.conversionlab\.it|conversionlab\.trackset\.com\/track\/)|visualpath[0-9]\.trackset\.it\/|\.tradetracker\.net|storage\.trafic\.ro\/js\/trafic\.js|objects\.tremormedia\.com\/embed\/js|triggit\.com|revelations\.trovus\.co\.uk\/tracker\/|ad\.adlegend\.com|\.trumba\.com\/scripts\/spuds\.js|ats\.tumri\.net|(tweetmeme\.com\/i\/scripts\/button\.js|zulu\.tweetmeme\.com\/button_ajax\.js)|tweetboard\.com\/tb\.js|twitter\.com\/(javascripts\/[0-9a-z]+\.js|statuses\/user_timeline\/)|twittercounter\.com|(\.tynt\.com\/ti\.js|\.tynt\.com\/javascripts\/tracer\.js)|\.tynt\.com\/tc\.js|(\.tynt\.com\/ts\.js|\.tynt\.com\/javascripts\/tyntspeedsearch\.js)|www\.typepad\.com\/t\/stats|app\.ubertags\.com|d3pkntwtp2ukl5\.cloudfront\.net\/|t\.unbounce\.com\/|cdn\.undertone\.com\/js\/ajs\.js|(\.unica\.com\/|ntpagetag)|uptrends\.com\/(aspx\/uptime\.aspx|images\/uptrends\.gif)|webiqonline\.com|met\.vgwort\.de\/|vkontakte\.ru\/js\/api\/share\.js|userapi\.com\/js\/api\/|(scripts|tm)\.verticalacuity\.com\/vat\/mon\/vt\.js|roi\.vertical\-leap\.co\.uk|cts\.vresp\.com\/s\.gif|vertster.com\/.*\/vswap\.js|adserver\.veruta\.com|veruta\.com\/scripts\/trackmerchant\.js|(m|js|api|cdn)\.viglink\.com|trk\.vindicosuite\.com\/tracking\/|\.collserve\.com|(sniff|stats)\.visistat\.com\/|\.sa\-as\.com|\.visiblemeasures\.com\/log|visitstreamer\.com\/vs\.js|visitorville\.com\/js\/plgtrafic\.js\.php|\.visualrevenue\.com|(s3\.amazonaws\.com\/wingify\/vis_opt\.js|dev\.visualwebsiteoptimizer\.com\/deploy\/js_visitor_settings\.php.*|server\.wingify\.com\/app\/js\/code\/wg_consolidated\.js)|d5phz18u4wuww\.cloudfront\.net|vizisense\.komli\.net\/pixel\.js|vizisense\.net\/pixel\.js|(haku|puma|cheetah|tiger)\.vizu\.com|\.vizu\.com\/zones\/|voicefive\.com\/.*\.pli|\.w3counter\.com|\.wowanalytics\.co\.uk|webtraxs\.(js|com)|server[2-4]\.web-stat\.com|webgozar\.com\/counter|webgozar\.ir\/c\.aspx|\.webprospector\.de\/|\.webtrendslive\.com|\/(dcs\.gif\?|njs\.gif\?dcs)|\/webtrends(.*)?\.js|m\.webtrends\.com|trackingtags_v1\.1\.js|(c1|beta)\.web-visor\.com\/c\.js|\.webclicktracker\.com|(\.webtrekk\.net|\/webtrekk\.js|\/webtrekk_v3\.js)|widgetserver\.com\/syndication\/subscriber|api\.widgetbucks\.com\/script\/ads\.js|wwa\.wipe\.de|wiredminds\.de\/track|\/woopra(\.v(2|3|4))?\.js|(stats\.wordpress\.com\/|s\.stats\.wordpress\.com\/w\.js)|\.wysistat\.com|(cdn\.nprove\.com\/npcore\.js|go\.cpmadvisors\.com\/)|xcdn\.xgraph\.net\/([0-9]|partner\.js)|\.xiti\.com|\/js_xiti\.js|\/xtcore\.js|(\.analytics\.yahoo\.com\/indextools\.js|ystat\.js|\.yimg\..*\/ywa\.js)|\/js_source\/whv2_001\.js|visit\.webhosting\.yahoo\.com|\.wa\.marketingsolutions\.yahoo\.com\/script\/scriptservlet|d\.yimg\.com\/ds\/badge\.js|\.overture\.com\/(partner\/)?js|\.yandex\.ru\/(resource|metrika)\/watch|yandex\.ru\/(cycounter|informer)|stat\.yellowtracker\.com|hook\.yieldbuild\.com\/s_ad\.js|\.zemanta\.com\/|\.zendesk\.com\/external\/zenbox\/overlay\.js|\/z(i|a)g\.(js|gif)|zopim\.com\/|(\.content\.ru4\.com\/images\/|\.edge\.ru4\.com\/smartserve\/|\.xp1\.ru4\.com\/|ad\.xplusone\.com\/|\/xplus1\/xp1\.js)|an\.adhood\.com\/an\.|c\.bigmir\.net|crm-metrix\.com|customerconversio\.com|\.trackedlink\.net|cn01\.dwstat\.cn|\.eproof\.com\/js\/.*\.js|prof\.estat\.com\/js\/|\.etrigue\.com|\.extreme-dm\.com\/|\.exelator\.com\/|\.etracker\.de\/|\.sedotracker\.com|code\.etracker\.com\/|expo-max\.com|(cdn|g2|gonzogrape)\.gumgum\.com\/javascripts\/ggv2\.js|\.ib-ibi\.com|\.i-stats\.com\/js\/icounter\.js|r\.i\.ua|\.ic-live\.com\/(goat\.php|[0-9][0-9][0-9][0-9]\.js)|\.sptag3\.com|\.iperceptions\.com\/|\.clickmanage\.com|iwiw\.hu\/like\.jsp|tags\.mediaforge\.com\/if\/[0-9]+|\/phpmyvisites\.js|(adstat\.4u\.pl\/s\.js|stat\.4u\.pl\/cgi-bin\/)|\.statistics\.ro\/|(do\.am|at\.ua)\/stat\/|a\.ucoz\.net|ucoz\.(.*)\/(stat\/|main\/\?a=ustat)|vistrac\.com\/static\/vt\.js|\.w3roi\.com|\.xplosion\.de\/|\.zaparena\.com\/w\/|(\/share-this\.php|w\.sharethis\.com\/))
Deny INC

ETA Protections against known privacy/security threats (thanks Tom T. for collecting):
Optional rules

Code: Select all

# Optional - allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox

# Optional - Site .trusteddownloads.com:182 exception to NAT Pinning blockage
Accept from .trusteddownloads.com
Deny

Recommended rules

Code: Select all

# Yahoo data-mining script
Site .analytics.yahoo.com
Deny

# Invitemedia web bugs
Site .com.com .invitemedia.com
Deny

# Soundclick rule
Site 8.14.112.25
Accept from .soundclick.com 8.14.112.25
Deny

# Mozilla and all webtrends live tracking / web bugs
Site .webtrendslive.com
Deny

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny

ETA JDownloader exception, to be added to SYSTEM rules before default (thanks Tom.de for reporting and Giorgio for supplying):

Code: Select all

# JDownloader exception
Site http://127.0.0.1:9666/flash/addcrypted
Accept POST


ETA: moz-nullprincipal fix for GMail (see viewtopic.php?f=23&t=8870)
Last edited by Thrawn on Tue Sep 18, 2012 2:54 am, edited 6 times in total.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Fri May 18, 2012 6:37 am

The concept is good, but like all else, it's going to come down to personal preference.
I delete from the Default Whitelist *all* Google, Microsoft, and PayPal entries.

I use Yahoo Mail, but don't need the rest of the Yahoo scripting except on an occasional-to-rare basis, so the defaults are removed from the whitelist, and the whitelist permissions are fine-tuned as follows:
mail.yimg.com
mail.yahoo.com

... thus forbidding the rest of the Yahoo universe. Yahooapis is TA-d as needed, mostly for editing Contacts lists or other account info, which isn't very often.

Code: Select all

Site .google.com .youtube.com
Accept from .google.com .youtube.com
Anon

I don't need Google script to play YouTube videos, and so wouldn't use this rule. But IIRC, you need a Google account now to comment on YT vids. So I stopped commenting. :mrgreen:

A lot can be done with fine-tuning permissions, a topic worth exploring.
But for the advanced user, your concept is also definitely worth exploring. (resisting the temptation to say that truly advanced users would avoid Google and MS "services" -- guess I just said it. ;) )
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Sat May 19, 2012 11:28 am

Tom T. wrote:The concept is good, but like all else, it's going to come down to personal preference.

Yes, this is just considering candidates; everyone's needs are different. My thoughts were that if we can assemble some good lists of site rules - especially gathering information about which rules work best for each site and its dependencies - then it would be feasible for novices to just copy the list(s) into their ABE user rules and have most of their sensitive browsing protected. Not entirely unlike pre-assembled Hosts files.

The ideal would be to have comprehensive enough lists that advanced users could afford to put something like

Code: Select all

Site *
Accept from SELF++
Anon

at the end, and only occasionally break something and need to add another exception.

Tom T. wrote:I delete from the Default Whitelist *all* Google, Microsoft, and PayPal entries.

Fair enough, since you don't need them. I just figured that being allowed by default, they're a good starting point for rule examples - and they're decent examples of possible syntax, too, since they all depend on other sites.

Tom T. wrote:I use Yahoo Mail, but don't need the rest of the Yahoo scripting except on an occasional-to-rare basis, so the defaults are removed from the whitelist, and the whitelist permissions are fine-tuned as follows:
mail.yimg.com
mail.yahoo.com

... thus forbidding the rest of the Yahoo universe. Yahooapis is TA-d as needed, mostly for editing Contacts lists or other account info, which isn't very often.

More specific permissions are good, yes. Actually, if you can post some appropriate ABE rules that match your usage, I'd be interested to see them, because I too use Yahoo Mail but no other Yahoo services. Not so appropriate for a bulk import of standard rules, but a handy reference for those willing to do things more manually.

Tom T. wrote:A lot can be done with fine-tuning permissions, a topic worth exploring.
But for the advanced user, your concept is also definitely worth exploring. (resisting the temptation to say that truly advanced users would avoid Google and MS "services" -- guess I just said it. ;) )

Well, OK, but Gmail is really nice to use...I don't suppose Startpage does webmail services? ;)
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Sun May 20, 2012 1:10 am

Thrawn wrote:....then it would be feasible for novices to just copy the list(s) into their ABE user rules and have most of their sensitive browsing protected. Not entirely unlike pre-assembled Hosts files.

A little bit concerned -- especially being one of five people who would have to handle the inquiries ;) -- about novices copying ABE rules they don't understand.
The difference, IMHO of course, is that the sites in pre-assembled HOSTS files (at least, the one I use), are known to be malicious or privacy-invasive (and useless to the user), so no one should *ever* connect to them.

Whereas your concept is affecting some of the most popular sites and portals on the web. Users go there frequently, and if stuff breaks, they'll have no clue about it, even with the ABE notification. Which would be geek-Greek to them. (Unless they're Greek or speak it, in which case, it would be -- n/m. :D)

So definitely not default rules, and reluctant to encourage copy/paste, unless the user understands what it does and what to do if things break. If nothing else, delete the rule, which means... knowing where to delete it.

Or maybe this is where you were headed anyway; I wasn't sure.
Thrawn wrote:
Tom T. wrote:I delete from the Default Whitelist *all* Google, Microsoft, and PayPal entries.

Fair enough, since you don't need them. I just figured that being allowed by default, they're a good starting point for rule examples - and they're decent examples of possible syntax, too, since they all depend on other sites.

Fair enough indeed. Yes, at any opportunity, I advise users to delete whatever default entries they don't need.
But I do get asked to go to Google a lot here; the map function may be useful; and especially since recaptcha.net was bought out by The Big G, this rule was developed in another thread. (Were you part of it? I don't remember.)

Code: Select all

# Allow all Google recaptcha and Maps, but sandbox all www.google.com.*
Site ^https?://www\.google\.com/recaptcha/*
Accept
Site ^https?://www\.google\.com/*
Sandbox


This next one is for Yahoo's data-mining script. A surrogate hasn't been written, because so far, forbidding it does not break sites. If it should start doing so, then of course we would ask Giorgio to include a default surrogate.

Code: Select all

Site .analytics.yahoo.com
Deny


There was a thread on not being able to block web bugs from invitemedia or com.com (actual address) with either NS or RP, because they were being run as first-party content, and hence if you allowed the site (you had to), this got allowed.

Code: Select all

#adlog rule
Site .com.com .invitemedia.com
Deny


I don't use Soundclick very much, but do on occasion, and they use a numerical IP for some scripting. Always makes me nervous -- do a lookup, and find out why they're not using a known domain name. But two agencies of my local government do the same thing. Anyway,

Code: Select all

#Soundclick rule
Site 8.14.112.25
Accept from .soundclick.com 8.14.112.25
Deny


Sadly, this time the web bug culprit was Mozilla. :evil:

Code: Select all

#Mozilla and all webtrends live tracking / web bugs
Site webtrendslive.com
Deny


Then there's the much-discussed NAT-pinning countermeasure -- search the forum for NAT pinning:

Code: Select all

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports) 
Site ^https?://[^/]+:[0-35-7]
Deny

This broke a file-sharing site for one user, but it turned out that the site had a very bad reputation for hosting, or linking to, malware sites. So it was good that it brought him here.

Another file-sharing site (always be cautious about those) used the same non-standard port, but seemed to have an OK reputation.
So the exception, after investigating the site thoroughly, would go *above* the previous rule, since ABE parses from top-down.

Code: Select all

Site .trusteddownloads.com:182
Accept from .trusteddownloads.com
Deny

This exempts Port 182 from the blanket rule, but only for this site that you genuinely trust, even though it uses non-standard ports.

Thrawn wrote:
Tom T. wrote:I use Yahoo Mail, but don't need the rest of the Yahoo scripting except on an occasional-to-rare basis, so the defaults are removed from the whitelist, and the whitelist permissions are fine-tuned as follows:
mail.yimg.com
mail.yahoo.com

... thus forbidding the rest of the Yahoo universe. Yahooapis is TA-d as needed, mostly for editing Contacts lists or other account info, which isn't very often.

More specific permissions are good, yes. Actually, if you can post some appropriate ABE rules that match your usage, I'd be interested to see them, because I too use Yahoo Mail but no other Yahoo services. Not so appropriate for a bulk import of standard rules, but a handy reference for those willing to do things more manually.

The specific subdomains mail.(yahoo|yimg).com don't seem to be called from anywhere else, AFAICT. No reason for them to be. So I haven't made any ABE rules for them, other than what's above.
Thrawn wrote:Well, OK, but Gmail is really nice to use...I don't suppose Startpage does webmail services? ;)

https://www.hushmail.com does, and a basic account is free. Fully-encrypted -- not just the connection, but the messages themselves and the digital signatures, with PGP. So if any of your contacts has either a hush account of their own, or any PGP-GPG compatible mail client, you can exchange secure e-mail. Giorgio and GµårÐïåñ sent me their public keys; I uploaded them to Hush's servers; they (quite properly) sent confirmation e-mails to each asking, "Is this you, and are you OK with having your public key on our servers?" Once confirmed, it's all invisible from there.

You can send e-mail to those without such capability using a privately-known "challenge question", which of course is not nearly so secure.
Worth checking out.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Mon May 21, 2012 4:23 am

@Tom T: Nice summary of the ABE rules that have been developed in other forum threads thus far :).

Tom T. wrote:
Thrawn wrote:....then it would be feasible for novices to just copy the list(s) into their ABE user rules and have most of their sensitive browsing protected. Not entirely unlike pre-assembled Hosts files.

A little bit concerned -- especially being one of five people who would have to handle the inquiries ;) -- about novices copying ABE rules they don't understand.
The difference, IMHO of course, is that the sites in pre-assembled HOSTS files (at least, the one I use), are known to be malicious or privacy-invasive (and useless to the user), so no one should *ever* connect to them.

Whereas your concept is affecting some of the most popular sites and portals on the web. Users go there frequently, and if stuff breaks, they'll have no clue about it, even with the ABE notification. Which would be geek-Greek to them. (Unless they're Greek or speak it, in which case, it would be -- n/m. :D)

So definitely not default rules, and reluctant to encourage copy/paste, unless the user understands what it does and what to do if things break. If nothing else, delete the rule, which means... knowing where to delete it.

OK, so maybe 'novices' was a bit optimistic, and I definitely wasn't aiming for default rules, just providing lists of known helpful ones to be used at one's own (small) risk.
How about we instead consider "NoScript users without technical expertise, but advanced enough to search the NoScript FAQ and/or forums for answers to their problems"?

Tom T. wrote:
Thrawn wrote:Well, OK, but Gmail is really nice to use...I don't suppose Startpage does webmail services? ;)

https://www.hushmail.com does, and a basic account is free.
<snip>
Worth checking out.

I may indeed do that. The free 25MB isn't much, but I wouldn't be using it to send/receive email forwards anyway...

Oh - I'm particularly interested in assembling rules for bank sites, which as you know are highly important but often badly coded. How does this one look?

Code: Select all

# Commonwealth Bank
Site www.my.commbank.com.au/netbank/Logon/Logon.aspx
Accept from SELF+ ^https?://www\.commbank\.com\.au/?$
Deny

Site .my.commbank.com.au
Accept from .my.commbank.com.au
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Mon May 21, 2012 5:49 am

Thrawn wrote:OK, so maybe 'novices' was a bit optimistic, and I definitely wasn't aiming for default rules, just providing lists of known helpful ones to be used at one's own (small) risk.
How about we instead consider "NoScript users without technical expertise, but advanced enough to search the NoScript FAQ and/or forums for answers to their problems"?

You'd be amazed at how many users, from novice to advanced, post questions here whose answers are easily found in the FAQ, the Forum Stickies, or the Forum Search itself. ;)
How about if we raise the bar to "NS users who are reasonably comfortable with ABE's basic functions and usage"?
(Then, if a novice has issues, they may be prompted to read up on the documentation first -- or at least, they'll have been warned. :D )

Hushmail: Free limit was only 2 MB until fairly recently, but it's not where I send everyone my vacation pics. :lol:
The 2 MB limit wasn't much of an issue. 25 MB is more than ample. I have waaaay too many old e-mails stored at Yahoo, as everyone does. The limit is a good way of forcing one to d/l and save locally any important stuff.

What's mostly in there, aside from the messages themselves, is docs, pdf's, and spreadsheets. Whatever is truly confidential in the way of attachments.
Those tend to be under 25 MB, lol. Again, bulky attachments (if not all) should be stored locally and securely. So I haven't found the limit to be an issue. YMMV.

Oh - I'm particularly interested in assembling rules for bank sites, which as you know are highly important but often badly coded. How does this one look?

Code: Select all

# Commonwealth Bank
Site www.my.commbank.com.au/netbank/Logon/Logon.aspx

Why have an insecure site in this picture at all?

To use a US example with which I'm familiar (esp. since I can't log in to yours):

Going to www.wellsfargo.com quite properly redirects to https://www.wellsfargo.com/ -- possibly as a result of the negative publicity that some banks received when the NS Force HTTPS feature had to be implemented, to prevent sending insecure pages with login forms.

But it gets better. Even though the login at https://www.wellsfargo.com/ works, one ends up at https://online.wellsfargo.com.
So, eliminate the middleman, and login directly (bookmark, Password Safe, etc.) at https://online.wellsfargo.com/login

This actually solved a user's problem, who was getting crashes from the other, for reasons unknown.

Anyway, the fewer the links in the chain, the better, agreed?
And eliminate all http links in the chain.

Code: Select all

Site .my.commbank.com.au
Accept from .my.commbank.com.au
Deny

Do you really want scripting from an insecure source to run at your online bank?
If they require it, change banks. :mrgreen:
And tell them to stop pinging my browser, or otherwise attempting to get it to accept a connection, although this may be because they aren't accustomed to logins from the US. (Do Aussies never holiday in the US, nor attempt to do some banking while abroad?)

I did go to

Code: Select all

http://www.commbank.com.au/ 

I used the same "trick" as at the previously-linked thread, of entering an empty login, and was taken to:

Code: Select all

https://www.my.commbank.com.au/netbank/Logon/Logon.aspx

which at the very least, is where one should start. Parallel to the WellsFargo example.
If upon logging in, there is some domain such as

Code: Select all

https://online.my.commbank.com.au

or similar, then I'd try using that as the starting page at which to login.

Code: Select all

Accept from SELF+ ^https?://www\.commbank\.com\.au/?$

Same comment: Why the ? after https? If the bank doesn't require http scripting, don't let the regex allow it. If it does require it (see above ;) )

Not being able to go any farther, I'm not certain of the need for the ending ?$, although it may indeed be needed.
Wouldn't ...... \.au/.* work, or not?

Also, even as far as I got, what was needed (it seemed) was

Code: Select all

+https://www.my.commbank.com.au
+https://static.my.commbank.com.au

Neither the SELF+ resource nor the one after it seems to allow static.my.commbank etc. The rule that does, doesn't require https (see above).
SELF++ would, so long as com.au isn't read as a 2LD domain by itself. (I really don't know.) Else, we're allowing all .com.au. :o
If it indeed parses as the base 2LD being commbank.com.au, then we may be allowing insecure http in once more.

Without being able to login, it's hard to be more certain, but please consider the above, including the ever-present possibility of human error by this writer. :)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Mon May 21, 2012 7:01 am

Tom T. wrote:You'd be amazed at how many users, from novice to advanced, post questions here whose answers are easily found in the FAQ, the Forum Stickies, or the Forum Search itself. ;)
How about if we raise the bar to "NS users who are reasonably comfortable with ABE's basic functions and usage"?
(Then, if a novice has issues, they may be prompted to read up on the documentation first -- or at least, they'll have been warned. :D )

Fair enough. ABE knowledge is a good prerequisite.

Tom T. wrote:What's mostly in there, aside from the messages themselves, is docs, pdf's, and spreadsheets. Whatever is truly confidential in the way of attachments.
Those tend to be under 25 MB, lol. Again, bulky attachments (if not all) should be stored locally and securely. So I haven't found the limit to be an issue. YMMV.

It probably won't be a problem. I'll let you know sometime how i go...

Tom T. wrote:

Code: Select all

# Commonwealth Bank
Site www.my.commbank.com.au/netbank/Logon/Logon.aspx

Why have an insecure site in this picture at all?

I guess the http page would still be protected from third parties by the second rule. So yeah, this specific login page rule could apply to https only.
Tom T. wrote:So, eliminate the middleman, and login directly (bookmark, Password Safe, etc.) at https://online.wellsfargo.com/login
<snip>

Code: Select all

Accept from SELF+ ^https?://www\.commbank\.com\.au/?$

Same comment: Why the ? after https? If the bank doesn't require http scripting, don't let the regex allow it. If it does require it (see above ;) )
<snip>
Not being able to go any farther, I'm not certain of the need for the ending ?$, although it may indeed be needed.
Wouldn't ...... \.au/.* work, or not?

Yes, it's possible to go straight to https://www.my.commbank.com.au/netbank/Logon/Logon.aspx, but I wanted to support the 'Netbank' link from the main page, which is www.commbank.com.au and doesn't support https.
Actually, on looking into it further, that link is available in various incarnations on various http pages. So, the rule has to either break them all or accommodate them all. I guess it should be:

Code: Select all

Site https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
Accept from .commbank.com.au
Deny

or else be eliminated and just use the default .my.commbank.com.au rule to protect it, which would require direct access via eg bookmark as you suggest.

And the reason for SELF+ instead of SELF is that if you try to enter the URL as http, then the bank will redirect you to https (good), but if the rule used SELF, then ABE would kill the redirection, breaking what seems like desirable behavior.
Tom T. wrote:And eliminate all http links in the chain.

Code: Select all

Site .my.commbank.com.au
Accept from .my.commbank.com.au
Deny

Do you really want scripting from an insecure source to run at your online bank?
If they require it, change banks. :mrgreen:

Not my bank...but if I were to exclude http from the rule, then wouldn't that mean that the http site is completely unprotected?

I guess you could instead use:

Code: Select all

Site .my.commbank.com.au
Accept from .my.commbank.com.au:443
Deny

ie protect both versions, but allow requests only from the https one. Or were you thinking of something like this?

Code: Select all

Site .my.commbank.com.au:80
Deny


Tom T. wrote:Also, even as far as I got, what was needed (it seemed) was

Code: Select all

+https://www.my.commbank.com.au
+https://static.my.commbank.com.au

Neither the SELF+ resource nor the one after it seems to allow static.my.commbank etc. The rule that does, doesn't require https (see above).
SELF++ would, so long as com.au isn't read as a 2LD domain by itself. (I really don't know.) Else, we're allowing all .com.au. :o
If it indeed parses as the base 2LD being commbank.com.au, then we may be allowing insecure http in once more.

I believe the 2LD would be commbank.com.au. However, I was hoping to lock things down to my.commbank.com.au, ie the online banking portion, which is why I didn't use SELF++.


So,
revised suggestions:

Code: Select all

# Commonwealth Bank
# Optional - allow links from general bank site to login page
Site https://www.my.commbank.com.au/netbank/Logon/Logon.aspx
Accept from .commbank.com.au
Deny

# protect online banking from anything except the encrypted version of itself
Site .my.commbank.com.au
Accept from .my.commbank.com.au:443
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Mon May 21, 2012 8:10 pm

Oh - by the way, I fully agree about the value of https, but maybe a dedicated tool is a better idea. NoScript can force https for '.my.commbank.com.au', leaving our ABE rules cleaner & simpler.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Tue May 22, 2012 1:33 am

I don't understand why one would want to visit insecure pages at a banking site in the first place, although your afterthought post suggests that this occurred to you as well.

All of my financial institutions are listed in NS Force HTTPS, and that is very likely to work at all banking sites. It works at all of mine.

As it happens, WellsFargo online uses only one script source,
+https://online.wellsfargo.com

and Recently Blocked shows

Code: Select all

http://www.wellsfargo.com

Which is probably some advertising, promotional material, pictures of their dedicated and friendly employees (or professional models, LOL) ... so who needs it?
The site functions without it, so good riddance.

If I wanted to ABE this (New verb! New verb!), it would be just

Code: Select all

Site https://online.wellsfargo.com
Accept from https://online.wellsfargo.com
Deny

This covers all -- the login page and all pages within the site.
The literals are simpler (and possibly stricter?)

It's simpler. (Simpler is better.) It works. (I just did it -- good idea.)

And in addition to ABE's protection, you pick up more security by not visiting any insecure page at any financial-related institution.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Tue May 22, 2012 3:31 am

Not to argue endlessly, but...
Tom T. wrote:If I wanted to ABE this (New verb! New verb!), it would be just

Code: Select all

Site https://online.wellsfargo.com
Accept from https://online.wellsfargo.com
Deny

This covers all -- the login page and all pages within the site.
The literals are simpler (and possibly stricter?)

It's simpler. (Simpler is better.) It works. (I just did it -- good idea.)

And in addition to ABE's protection, you pick up more security by not visiting any insecure page at any financial-related institution.

But is it not true that http://online.wellsfargo.com would now be unprotected by ABE? The implicit rule is:

Code: Select all

Site http://online.wellsfargo.com
Accept from *

and you just have to hope that wellsfargo will ignore/redirect any requests sent to the plaintext port, or that Force HTTPS is 100% effective in protecting the plaintext site against CSRF (which is not its primary purpose).
I would instead suggest:

Code: Select all

Site .online.wellsfargo.com
Accept from SELF
Deny

which is even simpler. And since SELF requires the same port number, it will protect the https site (including subdomains) in the same way as you wanted - allowing only requests from the encrypted version of itself - while also similarly protecting the http site. Also, as a bonus, it will prevent the https site from requesting insecure resources from the http site.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Tue May 22, 2012 7:38 am

Thrawn wrote:But is it not true that http://online.wellsfargo.com would now be unprotected by ABE? The implicit rule is:

Code: Select all

Site http://online.wellsfargo.com
Accept from *

Short answer: In principle, I think you're right, but if I never visit an http page there, which I don't (having bookmarked all of the https login pages as the starting point), am I really at risk?

Using Giorgio's CSRF threat model, why would I care who calls http wellsfargo, since they can't get any money out of my account there?

The Force HTTPS is enforced before the request leaves the box.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Tue May 22, 2012 7:57 am

Tom T. wrote:Using Giorgio's CSRF threat model, why would I care who calls http wellsfargo, since they can't get any money out of my account there?

Fair enough, since the http site will never be associated with a login session. I still like the SELF rule because it stops the https site from importing insecure content.
Tom T. wrote:The Force HTTPS is enforced before the request leaves the box.

Good to know. I just know that CSRF protection wasn't what it was designed for...
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Some Sites you Might Want to Protect

Post by Tom T. » Tue May 22, 2012 8:34 am

Thrawn wrote:
Tom T. wrote:Using Giorgio's CSRF threat model, why would I care who calls http wellsfargo, since they can't get any money out of my account there?

Fair enough, since the http site will never be associated with a login session. I still like the SELF rule because it stops the https site from importing insecure content.

In your own words, fair enough. :) Can't be too cautious, and there's no harm, so will give it a try. (It works, in a brief test.)

However, is there anything to stop the https site from importing content itself (perhaps from http-wellsfargo?), and sending me back the https page with that content?
As one wise user noted, a site can make an internal call by, e. g., the <NOSCRIPT> element, which also bypasses RequestPolicy. The cure there was to ABE-deny the third-party. But this would be the same site.

Therefore, should we use something like

Code: Select all

Site ^http://.*\wellsfargo\.com/.*
Deny

in addition to the SELF rule?

Need to sign off now without thinking this through too deeply. Will shoot you a PM, but this is surely worth exploring.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Tue May 22, 2012 11:01 am

Tom T. wrote:However, is there anything to stop the https site from importing content itself (perhaps from http-wellsfargo?), and sending me back the https page with that content?
As one wise user noted, a site can make an internal call by, e. g., the <NOSCRIPT> element, which also bypasses RequestPolicy. The cure there was to ABE-deny the third-party. But this would be the same site.

Therefore, should we use something like

Code: Select all

Site ^http://.*\wellsfargo\.com/.*
Deny

in addition to the SELF rule?

Need to sign off now without thinking this through too deeply. Will shoot you a PM, but this is surely worth exploring.

Well, if you really want to stop all HTTP traffic to Wells Fargo, then I'd again suggest the Force HTTPS feature, this time with '.wellsfargo.com'. Assuming that it works for all requests, not just for the top-level page? And if you want to use ABE, then you don't need a regex, just use:

Code: Select all

Site .wellsfargo.com:80
Deny

By the way, if you recall, the RequestPolicy bypass turned out to be some specific hardcoded exceptions for Firefox Add-ons. According to Giorgio, it shouldn't work in the general case.

OK, I've thought some more and realised that there's a good way to protect the encrypted online banking portion of the site, while allowing the general site to link to the login page. How's this?

Code: Select all

# Wells Fargo online banking
Site .online.wellsfargo.com
Accept from SELF
Anon GET from .wellsfargo.com
Deny

# Commonwealth Bank online banking
Site .my.commbank.com.au
Accept from .my.commbank.com.au
Anon GET from .commbank.com.au
Deny

So, the only way that I can see for an attacker to reach the online banking site would be to compromise (XSS?) a page on the general banking site in a way that gets past NoScript, then use that page to launch an XSS attack on the login page - using only GET, evading NoScript's XSS filters plus whatever sanitization the bank itself uses, and capable of extracting passwords from the Firefox password manager, if they're stored there and not protected by an addon like Secure Login or similar. Anyone up to the challenge? ;)

This unlikely attack vector could be closed (against XSS, at least) by adding .commbank.com.au to a general 'Accept from SELF++' rule at the end, eg:

Code: Select all

Site .wellsfargo.com .commbank.com 
Accept from SELF++
Deny


On an unrelated note, you've mentioned that it's better for people to ditch Google/Microsoft/Yahoo services, but Wells Fargo relies on Akamai?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Some Sites you Might Want to Protect

Post by Thrawn » Wed May 23, 2012 4:05 am

If the above rule looks good, then we could add similar ones for the other banks in the Australian Big Four (feel free to contribute US ones):

Code: Select all

# ANZ Bank
Site .anz.com .anz.com.au .anzmoneymanager.com
Accept from SELF
Anon GET from .anz.com .anz.com.au .anzmoneymanager.com
Deny

# Westpac Bank
Site .online.westpac.com.au
Accept from SELF
Anon GET from www.westpac.com.au
Deny

# National Australia Bank
Site .ib.nab.com.au
Accept from SELF
Anon GET from .nab.com.au
Deny

NB I don't bank with any of these, so I can't actually log in and verify the above rules, but they work as far as the login page. If anyone can log in, and they find problems with these rules, please let me know (you can PM if you're concerned about privacy).
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Post Reply