Comments on: NoScript’s Anti-XSS Filters Partially Ported to IE8

By: hackademix.net » IE's XSS Filter Creates XSS Vulnerabilities

hackademix.net » IE's XSS Filter Creates XSS Vulnerabilities — Fri, 20 Nov 2009 22:27:03 +0000

[…] Internet Explorer 8’s famous XSS filter can be exploited to perform successful XSS attacks against web sites which would be otherwise safe. In other words, XSS “protection” is helping XSS attackers, oh the irony. […]

By: Zero Day mobile edition

Zero Day mobile edition — Wed, 19 Aug 2009 13:17:15 +0000

[…] protection, as well as omitting ClickJacking defenses and IE8’s XSS filter, once pointed out as a less sophisticated alternative to the Firefox-friendly NoScript. Socially engineered malware is not the benchmark for a […]

By: Giorgio

Giorgio — Tue, 19 May 2009 00:33:52 +0000

@Miles:

You mentioned how IE8 doesn’t protect well against any type of encoding or obfuscation in use of XSS attacks, but how exactly does NoScript do that?

NoScript uses the SpiderMonkey JavaScript engine itself to check (iteratively across multiple decoding transforms) if the request contains syntactically valid JavaScript, rather than checking against static signatures which cannot take in account obfuscation.

I’ve been looking around your FAQ’s and Features, but haven’t been able to find anything.

You can look at the source code ;)

By: hackademix.net » Paypal XSS, an IE Exclusive!

hackademix.net » Paypal XSS, an IE Exclusive! — Tue, 19 May 2009 00:23:11 +0000

[…] Microsoft unveiled its IE 8’s “XSS filters”, almost one year ago, we could notice how, despite their impressive resemblance to NoScript’s […]

By: Miles

Miles — Mon, 18 May 2009 20:04:41 +0000

I like your analysis of IE8, but I have a question. You mentioned how IE8 doesn’t protect well against any type of encoding or obfuscation in use of XSS attacks, but how exactly does NoScript do that?

I’ve been looking around your FAQ’s and Features, but haven’t been able to find anything.

Thanks.

By: hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection?

hackademix.net » Ehy IE8, I Can Has Some Clickjacking Protection? — Tue, 27 Jan 2009 14:41:41 +0000

[…] aside, forgiving Microsoft’s habit of forgetting precursors of their “first and unique” technologies, what can we infer from the “few […]

By: Giorgio

Giorgio — Mon, 10 Nov 2008 18:05:44 +0000

@Morgan Storey:
If it used to work (it doesn’t at this moment), it’s because the site did double url unescaping on the _profile parameter before using it, i.e. a very unusual kind of processing.
Early NoScript anti-XSS filter versions used to perform iterative unescaping until there was nothing else to be unescaped, but this has been dropped later except for nested URLs as a speed optimization, because it was not a general use case.
I’m still not convinced this is really necessary, anyway I’ve restored a 2-levels deep unescaping in latest dev builds in order to cope with the very rare cases like this with a modest performance impact.

By: Morgan Storey

Morgan Storey — Mon, 10 Nov 2008 02:06:49 +0000

I found an XSS that runs even though noscript is installed.
http://www.citibank.com/domain/contact/index.htm?_u=visitor&_uid=&_profile=%2522%2522%253e%253cimg src=%2522%2522 onerror=%2522alert(1)%2522
care of http://www.hiredhacker.com/2008/10/31/citibank-xss/

By: hackademix.net » Heart Touching Thingies

hackademix.net » Heart Touching Thingies — Sat, 09 Aug 2008 09:22:49 +0000

[…] face to face in the romantic and adventurous land of Whistler? I guess it’s destiny, even Steve Ballmer had been too shy to declare his love […]

By: Gökhan Onar ‘ın Blogu » Yeni Microsoft tarayıcısı ne kadar güvenli olacak?

Gökhan Onar ‘ın Blogu » Yeni Microsoft tarayıcısı ne kadar güvenli olacak? — Mon, 28 Jul 2008 05:28:10 +0000

[…] saldırganları uzun bir süre uğraştıracaktır. Firefox eklentisi NoScript’i programlayan Giorgio Maone için bu korumanın devre dışı bırakılması an meselesi. Geriye ise zekice gizlenmiş […]