> isn't there any way to allow site be iframed and > prevent most clickjacking vectors? if you mean "iframed by a 3rd, possibly hostile party" answer is no, you're doomed.
Forum: XSS Info

> 1. Frame-killers. E.g. from OWASP > if (top!=self) > top.location.href=self.location.href This one can be easily circumvented. Better if (top != self) location = "about:blank"; > 2. Usage of X-FRAME-OPTIONS Header You MUST use both, because Javascript framebusters are even more fragile in browsers which implement X-Frame-Options (it's not a coincidence).
Forum: XSS Info

Slightly OT, NoScript's interference with timeouts in bookmarklet is fixed in 1.9.9.15. Thanks SDC for reporting.
Forum: OMG Ponies

philip_clarke Wrote: ------------------------------------------------------- >isn't that then a partial implementation then > [...] > How far does "the trust > go ?", doesn't trust html vectors but does trust > script based vectors ? I'm not sure about what you mean exactly. NoScript features a full (not partial) anti-XSS protection against type 0 and type 1 XSS.
Forum: Projects

@philip_clarke: NoScript by default is tuned to check for injections only when it's necessary, i.e.: 1. The request must be cross-site (this can be overridden by setting noscript.injectionCheck to 3, which will cause NoScript to check every request, even same-site) 2. The target site must be Javascript-enabled (XSS won't work anyway if it's not). Of course, some "dangerous" HTML i
Forum: Projects

NoScript's anti-XSS protection is not triggered because you're attacking the mysql site from the mysql site itself, i.e. this is not cross-site scripting. Just follow the malicious link from ha.ckers.org or any other domain different than mysql, and you'll see NoScript screaming and killing.
Forum: Projects

philip_clarke Wrote: ------------------------------------------------------- > To be effective against this type of vector, > PHP-IDS etc.. now needs to take into account all > of the libraries methods and constructs such as > jQuery, mootools etc... Not necessarily... Did you try to use that vector cross-site with NoScript installed? e.g. http://noscript.net/?p='%27%2CjQuer
Forum: Projects

The "cool" thing is that, since this is a DOM XSS (type 0), it is completely ignored by IE 8's XSS protection ;)
Forum: Full Disclosure

@tx: could you please tear down that old "PoC" of yours, since I still receive email message like the following: Quote Hello, Just got your latest noscript update, but it still fails this site (no warning given) It's quite an annoyance having to explain yours is not clickjacking again and again, since your PoC says "clickjacking bypassing ClearClick". Thanks...
Forum: Full Disclosure

Gareth Heyes Wrote: ------------------------------------------------------- > Can this be beaten? > > http://www.thespanner.co.uk/2009/04/08/overwriting > -native-functions-in-javascript/ Yes, it can be beaten quite easily: try { // Firefox delete window.alert; } catch(e) { // IE with(document) window.alert = body.appendChild(createElement("frame")).content
Forum: XSS Info

Looks like it's not "again": we had been too much happy for the "fix" in Fx 3, overlooking that it didn't prevent 3rd party stylesheets from loading XBL from their domains. The correct approach IMHO (and what I believe everybody including Jonas Sicking mistakenly assumend the previous "fix" was about) is NoScript's: blocking every cross-site XBL. On a good.com page,
Forum: XSS Info

Not sure about NoScript 3 (have you got a link?), but this 20 secs "hang" is fixed in NoScript 1.9.0.9, thanks ;)
Forum: DoS

@Gareth, zatoichi: the constructor override thing was a loophole left open by the ECMAScript specification, and fixed more than one year ago in Firefox. So don't waste your time anymore over it ;) The setter technique still works, though. P.S.: no, Firefox doesn't use WScript, fortunately (and quite obviously, since it's cross-platform). Mozilla's engine is called SpiderMonkey.
Forum: XSS Info

@DoctorDan: there's no "equivalency" or other magic there. If multiple indexes are given for a bracket accessor, the last one gets evaluated: var o = { a: "first property", b: "second property", c: "third property" }; alert(o["a", "b"]); // this shows "second property"
Forum: XSS Info

http://hackademix.net/2008/12/30/putting-ssl-in-perspectives/
Forum: News and Links

@thornmaker: nice, you gave me inspiration for a shorter one: '\ MsgBox 1'
Forum: XSS Info

@Gareth: Your spambam thing apparently eats c-style comments even if they're urlencoded, that's why you didn't manage to run my entry on your blog. <script type="text/vbscript"> ''/* MsgBox 1'*/ </script> <script type="text/javascript"> ''/* MsgBox 1'*/ </script> You can run it live here.
Forum: XSS Info

Hi tx, Thank you for trying, but how does this qualify as "clickjacking", exactly? 1. both the frames are on the same domain 2. the two buttons are identical 3. there's no form involved In other words, what's the advantage for the attacker, compared to putting the logout link directly on the main page, with no frames involved? Clickjacking is different from CSRF, albeit simil
Forum: Full Disclosure

I didn't write much about the attack itself, because I respect the reasons for not disclosing it, but I wrote something about defense: http://hackademix.net/2008/09/27/clickjacking-and-noscript/ http://hackademix.net/2008/09/29/clickjacking-and-other-browsers-ie-safari-chrome-opera/ http://hackademix.net/2008/10/02/clickjacking-protection-by-default/
Forum: News and Links

@digi7al64: DNS rebinding is more likely to succeed against intranets because internet sites are usually virtual hosted and/or depend on the HOST header being correct, while intranet web apps can often be addressed by IP, ignoring HOST.
Forum: Projects

@yawnmoth: http://hackademix.net/2007/12/25/merry-xssmas/#comment-9144
Forum: XSS Info

@RSnake, Metahuman, trev: maybe Metahuman believed it was fixed because he's using NoScript, which has been blocking this kind of "attack" (automatic opening of external protocol URLs) for a long time.
Forum: DoS

@emonk: It could happen in Firefox < 1.5.0.6, unless you explicitely wrapped every DOM node you manipulated into an XPCNativeWrapper (a typical beginner error). Doing this "the safe way" was quite painful, though (I had very ugly code inside my FlashGot overlay which I still strive to clean up now), so starting with Firefox 1.5.0.6 XPC deep wrapping has been made automatic, i.e. y
Forum: CSRF and Session Info

Uhm, OK, it's about social engineering then. I admit I didn't ready your OP carefully enough, and I'm afraid I cannot help because it's not exactly my field...
Forum: XSS Info

Why do you need them to click? Once they're on your page, just <iframe> or meta refresh them (or use scripting, if your page is allowed to).
Forum: XSS Info

FIXED Now that it's fixed, I'll explain my innuendo to Ebay's "scary and brainless" issue, which reminds me closely last month's Base64 Yahoo one. Your PoC was hxxp://search.ebay.com/search/search.dll?_trksid=&satitle=ME+XSS+U&category0=&from=%27%2Balert(document.cookie)%2B%27 and it did not bypass NoScript. I guess you meant to write it in the "mixed plus&qu
Forum: Projects

@sdc: On a side note, your latest search.ebay.com PoC DOES actually trigger NoScript's anti-XSS protection. But I guess I understand what you're hinting at, and it's scary and brainless (from Ebay) ;)
Forum: Projects

@sdc: nice findings, thanks. Fixes for both on their way :)
Forum: Projects

@sirdarckcat: NoScript used to decode base64 window.name, but not the URI itself, on the assumption that if the attacker wants to decode something from the URI he needs to isolate it first, and two function calls (atob() + whatever needed to isolate the payload) are detected by ordinary filters, whereas base64 window.name can be pulled out with just location=atob(name) or obfuscated equivalent.
Forum: XSS Info

Sorry, I did not notice this topic at the right time -- probably because I was busy with fixing this very issue... @.mario: you're right, I released a patch in less than one hour while you were commenting here, since I read about it in jackson's blog.
Forum: XSS Info