http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/ Giorgio Maone's answers to the Web, the Universe, and Everything Tue, 02 Dec 2008 12:50:46 +0000 http://wordpress.org/?v=2.2.3 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-9465 hackademix.net » Clickjacking Protection By Default Thu, 02 Oct 2008 10:49:43 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-9465 [...] this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats. Unfortunately, bugs happen too and [...] […] this feature had been introduced mainly to make Gareth Heyes happy, more than one year ago. As often observed with NoScript, an old feature happens to be effective against new threats. Unfortunately, bugs happen too and […]

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6746 Giorgio Tue, 04 Mar 2008 10:13:40 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6746 @<b>Alexander Ciornii</b>: <ol> <li>This was not that small. After an initial rating of "moderate", its security severity escalated to "high" because it actually allowed <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=413451" target="_blank" rel="nofollow external" rel="nofollow">reading the session store</a> (where authenticated sessions are persisted), and therefore accessing your protected sites.</li> <li>If you read carefully the 2nd paragraph of my post, you'd know that NoScript blocks this and similar attacks no matter if the site is trusted or not, i.e. <b>you don't need to keep JavaScript on a certain site to be protected</b></li> </ol> @Alexander Ciornii:

1. This was not that small. After an initial rating of “moderate”, its security severity escalated to “high” because it actually allowed reading the session store (where authenticated sessions are persisted), and therefore accessing your protected sites.
2. If you read carefully the 2nd paragraph of my post, you’d know that NoScript blocks this and similar attacks no matter if the site is trusted or not, i.e. you don’t need to keep JavaScript on a certain site to be protected

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6742 Alexandr Ciornii Tue, 04 Mar 2008 08:57:40 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6742 Is this small vulnerability (allowing reading unimportant files) worth disabling JavaScript? I don't think so. Is this small vulnerability (allowing reading unimportant files) worth disabling JavaScript? I don’t think so.

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6208 clic Tue, 19 Feb 2008 10:24:42 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-6208 Grande estensione, è la prima che scarico per firefox quando ho un computer fresh-install ;) - complimenti Grande estensione, è la prima che scarico per firefox quando ho un computer fresh-install ;) - complimenti

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5283 Vinicius K-Max Tue, 29 Jan 2008 03:59:58 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5283 NOScript is the best! NOScript is the best!

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5116 Darknico’s Blog » Firefox: Falla Chrome Directory Traversal Fri, 25 Jan 2008 13:31:31 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5116 [...] Come riporta Giorgio Maone, autore di geek italiano e autore di popolari estensioni per Firefox come FlashGot e NoScript, la potente estensione di sicurezza NoScript è in grado di impedire agli URI chrome di essere caricati come script nei contenuti web, rendendo così questo bug impossibile da sfruttare, indipendentemente dal fatto che il sito dell’attacker sia impostato come sicuro (cioè gli sia permessa l’esecuzione di codice JavaScript). [...] […] Come riporta Giorgio Maone, autore di geek italiano e autore di popolari estensioni per Firefox come FlashGot e NoScript, la potente estensione di sicurezza NoScript è in grado di impedire agli URI chrome di essere caricati come script nei contenuti web, rendendo così questo bug impossibile da sfruttare, indipendentemente dal fatto che il sito dell’attacker sia impostato come sicuro (cioè gli sia permessa l’esecuzione di codice JavaScript). […]

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5048 Marco Ramilli Wed, 23 Jan 2008 18:27:27 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5048 Yes, good job !! I've always believed that NoScript was an useful toll but now my believe is much more strong ! Yes, good job !!
I’ve always believed that NoScript was an useful toll but now my believe is much more strong !

]]> http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5047 Gareth Heyes Wed, 23 Jan 2008 16:32:01 +0000 http://hackademix.net/2008/01/23/old-noscript-tricks-blocking-new-vulnerabilities/#comment-5047 Awesome work as always Giorgio! Awesome work as always Giorgio!

]]>