NoScript features unique Anti-XSS counter-measures - HeapOverflow Computer Security Community & Forums : Heap Overflow.com

HeapOverflow Computer Security Community & Forums : Heap Overflow.com

		HeapOverflow Computer Security Community & Forums : Heap Overflow.com > Computer Security: Discussions > Security discussions
NoScript features unique Anti-XSS counter-measures

Mark Forums Read

Notices

Welcome to you visitor! This community is mainly dedicated to the computer and security, if you're looking for DFind scanner or others exploits codes you will find them into the Projects section, feel free to start Blogging and remember to always keep an eye and start talking about security Advisories & public Exploits.

Security discussions Discuss about the computer security in general

NoScript features unique Anti-XSS counter-measures

This is a discussion on "NoScript features unique Anti-XSS counter-measures" within the Security discussions part of the Computer Security: Discussions section; Since today the NoScript addon of Firefox added an interesting feature wich blocks the XSS attacks. Anti-XSS protection Cross-Site Scripting (XSS) vulnerabilities are usually caused programming errors made by web developers, allowing an attacker to inject his own ...

Reply

#1 (permalink)

Old

23-04-07

class101 is offline

Administrator

Join Date: May 2005

Location: France

Age: 27

Posts: 592

Blog Entries: 3

Thanks: 18

Thanked 6 Times in 6 Posts

Rep Power: 10

class101 has disabled reputation

Send a message via MSN to class101

Default

NoScript features unique Anti-XSS counter-measures

Since today the NoScript addon of Firefox added an interesting feature wich blocks the XSS attacks.

Anti-XSS protection

Cross-Site Scripting (XSS) vulnerabilities are usually caused programming errors made by web developers, allowing an attacker to inject his own malicious code from a certain site into a different site. They can be used, for instance, to steal your authentication credentials and, more in general, to impersonate you on the victim site (e.g. your online banking or your web mail).

This kind of vulnerability, often overlooked, is very widespread and becoming highly popular among hackers: someone even bothered to write a JavaScript-based bot, called Jikto, turning your browser into a zombie which relentlessy sends automated XSS attacks all around. Of course this tool has been built "for research purpose", but its code unfortunately appears to be leaked in the wild, so anybody can take advantage of it, now...

NoScript XSS notification and its menu NoScript features unique Anti-XSS counter-measures, even against XSS Type 1 attacks targeted to whitelisted sites.

Whenever a non-trusted site tries to inject JavaScript code inside a trusted (whitelisted and JavaScript enabled) site, NoScript filters the malicious request neutralizing its dangerous load.

Then a yellow notification bar displays a message like
"NoScript filtered a potential cross-site scripting (XSS) attempt from [some-evil-url.com]. Technical details have been logged to the Console."
On the left side of this bar there's also an "Options..." button: if you click it, you can choose among the following actions:

* Show Console, displaying the Error Console where further technical details about the actions taken by NoScript are logged.
Please notice that the Error Console is a standard Firefox component reporting every JavaScript-related message from any source: the explanatory messages specifically coming from NoScript and related to XSS are only the ones marked with a [NoScript XSS] label.
* Unsafe Reload, which will "replay" the requst bypassing XSS filters. Use this command only if you're absolutely sure that NoScript detected a false positive.
* Suppress the XSS-related notifications (you will still be able to operate through the standard NoScript menu).
* Open the XSS Options panel.
* Navigate to the XSS FAQ web page.

The specific anti-XSS counter-measures are controlled by two options under NoScript Options|Advanced|XSS.

Both these options are enabled by default for your maximum protection.

NoScript's anti-XSS filters had been deeply tested and proved their ability to defeat every known reflective XSS technique, but their power is a double-edged sword: sometime they may detect a weird looking but legitimate request as a "potential XSS attempt". This should almost never be a show stopper, since the filter most of the time doesn't prevent you from navigating the filtered page, but the aforementioned Unsafe reload command and the XSS Advanced Options are have been made easily accessible so you can work-around if you hit a false positive with side effects. Just please notify me when it happens, possibly reporting the messages NoScript logged, so I can keep tweaking NoScript's "XSS sensibility" as needed.

While Cross-Site Scripting (XSS) vulnerabilities need to be fixed by the web developers, users can finally do something to protect themselves: NoScript is the only effective defense available to "web-consumers", waiting for "web-providers" to clean up their mess.

http://noscript.net/?ver=1.1.4.8.070423

__________________
Security community webmaster
100% Free Directory
100% Cool milw0rm javascript

Reply With Quote

Sponsor

Advertiser

Reply

Tags
antixss, countermeasures, features, noscript, unique

« US State department rooted by 0-day Word attack | Microsoft Service Packs Going Out of Support - May 2007 »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts BB code is On Smilies are On [IMG] code is On HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

heapoverflow.com - SEOmeter SEO tools

Locations of visitors to this page

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64