Ciao, help wanted with NoScript!
Posted by: ma1
Date: March 20, 2007 01:45PM

Hello everybody,

I'm Giorgio Maone, the author of the NoScript Firefox extension.

I've been lurking here for a few weeks -- it's easy to guess why I'm interested in XSS and scriptless attacks ;)

At a certain point (less than one week ago) trev forced me to stop researching theoretical countermeasures and rush to the implementation phase.

So here we are, I've just uploaded the 1st usable NoScript development build applying some quite drastic (default deny) anti-XSS filters to requests originating from untrusted sites and targeting a whitelisted address.

This should prevent "whitelist subversion" (as trev put it) by dynamic attacks run when the user visits an arbitrary (untrusted) website, i.e. exploiting non-persistent XSS holes on the fly. It certainly won't help against persistent XSS, with the attacker injecting JS code permanently into the target website, nor against crazy URL rewriting, but that's definitely the webmaster's shame and hopefully much less common than volatile XSS based on query strings and POST payload.

At any rate, permanently enabling JavaScript on any web site which allows user generated content (like this one, for instance, or mozillazine.org -- shame on me!) is asking for trouble, isn't it?

Now I'm trying to address the other scriptless goodies, both port and history scanners.

In the meantime, I would really appreciate any feedback, especially criticisms, from the experts.

Cheers :)

Re: Ciao, help wanted with NoScript!
Posted by: Anonymous User
Date: March 20, 2007 02:17PM

Hi Giorgio!

Maybe you could use some of the filter rules from the PHP IDS project I recently started on Google Code:

http://groups.google.com/group/php-ids
http://code.google.com/p/phpids/

If you want full access to the repository just drop me a line. BTW, your project definitely looks interesting! Maybe I will find some time to give it an in depth look this weekend.

Greetings,
.mario

Re: Ciao, help wanted with NoScript!
Posted by: tx
Date: March 20, 2007 02:43PM

Welcome, I'm a big fan of NoScript. I'm going to try out this new build now!

-tx @ lowtech-labs.org

Re: Ciao, help wanted with NoScript!
Posted by: rsnake
Date: March 20, 2007 03:50PM

Giorgio, first of all, welcome to the boards. Secondly, I've just tested one example that I thought should fail but actually succeeded:

site1.com:

<iframe src="http://site2.com/xss-script.cgi?'><script>alert('XSS')</script>"></iframe>


Site2.com is trusted, Site1.com is not, yet Site2 can still run JS built by Site1. Should this work or am I missing the point?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Ciao, help wanted with NoScript!
Posted by: ma1
Date: March 20, 2007 04:09PM

rsnake Wrote:
-------------------------------------------------------
> Giorgio, first of all, welcome to the boards.

Thanks, I was looking forward to being "probed" by you :)

> Secondly, I've just tested one example that I
> thought should fail but actually succeeded:

Your sample does fail for me as expected:

[-- Error Console --

[NoScript XSS] Sanitized suspicious query string. Original URL [hxxp://private.informaction.com/xss/echo.php?'%3E%3Cscript%3Ealert('XSS')%3C/script%3E] requested from [hxxp://sla.ckers.org/forum/read.php]. Sanitized URL: [hxxp://private.informaction.com/xss/test.php?%20script%20alert%20XSS%20%2Fscript%20].

-- Error Console --]

Stupid question, but are you sure you're actually using the latest dev build (or that site1 is not whitelisted)?

Thanks for your time!

-- Edit --

whoa, any escaping/unescaping hint for posting URLs and tags on this board? :)

-- Edit 2 --

BTW, I missed your answer in the "news" forum. Please answer and continue there, so we keep greetings and welcomes short ;)
Thanks again!



Edited 3 time(s). Last edit at 03/20/2007 04:29PM by ma1.
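
To make the filtering rule in this thread concrete, here is an added example (my own toy model, not NoScript's code) of the untrusted-to-whitelisted query sanitization, fed with rsnake's iframe case and with the query string from the Error Console entry above; the whitelist contents and all function names are assumptions. Unlike the posted log it keeps the original path, and it also handles name=value queries, which the log entry does not show.

```javascript
// Added example, not NoScript's own code: a toy model of the "default deny"
// anti-XSS filter described in this thread. Whitelist, character class and
// function names are assumptions made for the demonstration.
const WHITELIST = new Set(["site2.com", "private.informaction.com"]); // assumed

// Characters that let a query value break out of an HTML or JavaScript context.
const SUSPICIOUS = /[<>"'()]+/g;

function decodeLoose(s) {
  // Malformed escapes (e.g. a lone "%") are kept literally instead of throwing.
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

function sanitizeComponent(component) {
  // Collapse each run of suspicious characters into one space, then re-encode:
  // encodeURIComponent turns ' ' into %20 and '/' into %2F, which is exactly
  // what the posted log entry shows ("%20script%20alert%20XSS%20%2Fscript%20").
  return encodeURIComponent(decodeLoose(component).replace(SUSPICIOUS, " "));
}

function sanitizeQuery(query) {
  // Keep the name=value structure: split before decoding so an encoded '&' or
  // '=' inside a value cannot create extra parameters.
  return query.split("&").map(pair => {
    const i = pair.indexOf("=");
    return i < 0 ? sanitizeComponent(pair)
                 : sanitizeComponent(pair.slice(0, i)) + "=" + sanitizeComponent(pair.slice(i + 1));
  }).join("&");
}

// originHost: hostname of the page that issued the request; null for a URL the
// user typed or bookmarked, which is not "originating from an untrusted site".
function filterRequest(requestUrl, originHost) {
  const url = new URL(requestUrl);
  const query = url.search.slice(1);
  const fromUntrusted = originHost !== null && !WHITELIST.has(originHost);
  const toTrusted = WHITELIST.has(url.hostname);
  if (!(fromUntrusted && toTrusted) || decodeLoose(query).search(SUSPICIOUS) < 0) {
    return { url: requestUrl, sanitized: false, log: null }; // leave benign/trusted traffic alone
  }
  const cleanUrl = url.origin + url.pathname + "?" + sanitizeQuery(query);
  const log = `[NoScript XSS] Sanitized suspicious query string. Original URL [${requestUrl}]` +
              ` requested from [${originHost}]. Sanitized URL: [${cleanUrl}].`;
  return { url: cleanUrl, sanitized: true, log };
}

// rsnake's case: untrusted site1.com framing trusted site2.com with a script in the query.
const framed = filterRequest("http://site2.com/xss-script.cgi?'><script>alert('XSS')</script>", "site1.com");
console.log(framed.log);
```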