RSnake has mentioned a few times already that he would like to see the Adblock Plus extension turned into a firewall. I thought about how this could be done. It would be an extension for Adblock Plus (let's call it ABP Firewall here) with a static list of rules. Every time a request matches one of the rules, ABP Firewall should deny it and show an icon in the status bar. The user can then click the icon and see in the log what happened. It should be possible to disable a rule globally or for one site only.
Instead of updating the list of rules, ABP Firewall should force Firefox to check for extension updates more often, so that an update to ABP Firewall (and with it to the rules) could be pushed to the users within a day or two if that is necessary to stop some new attack. Updating the extension rather than just the list is necessary because there is no guarantee that the rules language will be flexible enough: the extension code might need to be changed.
The difficult question is: what can the rules for such an extension be? Adblock Plus doesn't work on the HTML level, so the response from the server cannot be filtered. But Adblock Plus is triggered for every request the browser makes to some server (actually, not necessarily a server: it works for all protocols, including file:, about: and chrome:). It gets some data, like the page where the request originated or the HTML tag the request is attached to. So what can you do with it?
1. Disallow some characters in URLs, e.g. %00 (null byte attacks), %0A|%0D (HTTP response splitting), %3C|%3E (XSS). The last one should already cause quite a lot of false positives; adding %22 and %27 would do more harm than good (search engines always use the GET method, and people enter quotes there all the time).
2. Disallow unknown plugins by allowing only objects with the types application/x-shockwave-flash, application/x-java-applet and probably a few others. This will stop things like the Yahoo Application State Plugin.
3. Disallow requests to the 192.168/16 and 10/8 subnets (RFC 1918) that don't originate from these subnets (port scanning). The problem is that intranets don't always use private address spaces, and DNS name resolution is a problem as well. If I can solve the DNS resolution problem, the anti-DNS pinning problem should be solvable too (don't allow access if source and target have different IP addresses even though the host names are identical).
4. Known worms can be blocked by URL; that's a case where an update would be pushed.
5. Disallow any requests to imaqeshack.us from myspace.com :)
What else can you think of? The problem is that the checking is done before the actual request is made, so neither request headers nor POST data are available (I even think you cannot distinguish POST and GET requests). Also, XMLHttpRequest doesn't go through Adblock Plus at the moment (my patch to fix this awaits review).
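To make the rule ideas above concrete, here is an added example of what the decision logic of such an ABP Firewall could look like. It is not Adblock Plus code and not the author's implementation: the request shape (`url`, `origin`, `tagName`, `type`, `originAddress`, `resolve`), the rule ids and the in-memory log are assumptions made for this example. It implements rules 1 to 3 plus the anti-DNS-pinning check, working only with what is available before the request is sent (no headers, no POST body), supports disabling a rule globally or for one origin site, and goes slightly beyond the post by also treating 172.16/12 as private, since it is the third RFC 1918 block. Names are only decided when a resolver is supplied; without one the subnet rule reports "unknown" and lets the request through, which is exactly the DNS problem the post mentions.

```javascript
// Added example, not Adblock Plus code. Request shape, rule ids and LOG are
// assumptions for this illustration.

const PLUGIN_ALLOWLIST = new Set([
  "application/x-shockwave-flash",
  "application/x-java-applet",
]);

function parseIPv4(text) {
  // Dotted quad -> unsigned 32-bit integer, or null if not a literal address.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text || "");
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isRfc1918(ip) {
  return (ip >>> 24) === 10 ||      // 10.0.0.0/8
         (ip >>> 20) === 0xac1 ||   // 172.16.0.0/12 (also RFC 1918, not listed in the post)
         (ip >>> 16) === 0xc0a8;    // 192.168.0.0/16
}

function addressOf(host, resolve) {
  // Literal addresses are decided locally; names need a resolver (the hard
  // part the post mentions). Without one the answer is "unknown" (null).
  const literal = parseIPv4(host);
  if (literal !== null) return literal;
  if (typeof resolve === "function") return parseIPv4(resolve(host));
  return null;
}

// Constructed rule table. "disabled" switches a rule off globally,
// "disabledFor" lists origin hosts for which the rule is switched off.
const RULES = [
  {
    id: "bad-url-chars",
    disabled: false, disabledFor: [],
    test: (req) => /%(00|0A|0D|3C|3E)/i.test(req.url), // %22/%27 deliberately not included
  },
  {
    id: "unknown-plugin",
    disabled: false, disabledFor: [],
    test: (req) =>
      (req.tagName === "object" || req.tagName === "embed") &&
      !PLUGIN_ALLOWLIST.has((req.type || "").toLowerCase()),
  },
  {
    id: "private-subnet",
    disabled: false, disabledFor: [],
    test: (req) => {
      const target = addressOf(new URL(req.url).hostname, req.resolve);
      if (target === null || !isRfc1918(target)) return false;
      // Prefer the address the page was actually loaded from; an unknown
      // origin address counts as external.
      const origin = req.originAddress
        ? parseIPv4(req.originAddress)
        : addressOf(new URL(req.origin).hostname, req.resolve);
      return !(origin !== null && isRfc1918(origin));
    },
  },
  {
    id: "dns-rebinding",
    disabled: false, disabledFor: [],
    test: (req) => {
      // Same host name as the page, but it now resolves somewhere else.
      const targetHost = new URL(req.url).hostname;
      if (targetHost !== new URL(req.origin).hostname || !req.originAddress) return false;
      const now = addressOf(targetHost, req.resolve);
      const pinned = parseIPv4(req.originAddress);
      return now !== null && pinned !== null && now !== pinned;
    },
  },
];

const LOG = []; // what the user sees after clicking the status bar icon

function disableRule(id) {
  RULES.find((r) => r.id === id).disabled = true;
}

function disableRuleFor(id, originHost) {
  RULES.find((r) => r.id === id).disabledFor.push(originHost);
}

function evaluateRequest(req) {
  const originHost = new URL(req.origin).hostname;
  for (const rule of RULES) {
    if (rule.disabled || rule.disabledFor.includes(originHost)) continue;
    if (rule.test(req)) {
      LOG.push({ url: req.url, origin: req.origin, rule: rule.id });
      return { allowed: false, rule: rule.id };
    }
  }
  return { allowed: true, rule: null };
}

// Demo with constructed requests: one blocked, one allowed.
console.log(evaluateRequest({ url: "http://192.168.1.1/", origin: "http://evil.example/" }));
console.log(evaluateRequest({ url: "http://example.com/s?q=%22quoted%22", origin: "http://example.com/" }));
```

The rule functions only ever see the URL, the originating page, the tag and its declared type, which mirrors the limitation in the last paragraph: nothing here inspects headers or a request body, because they do not exist yet at the point where Adblock Plus is asked.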