Comments on: NoScript’s Anti-XSS Filters Partially Ported to IE8

By: Giorgio

Giorgio — Mon, 10 Nov 2008 18:05:44 +0000

@Morgan Storey:
If it used to work (it doesn’t at this moment), it’s because the site did double url unescaping on the _profile parameter before using it, i.e. a very unusual kind of processing.
Early NoScript anti-XSS filter versions used to perform iterative unescaping until there was nothing else to be unescaped, but this has been dropped later except for nested URLs as a speed optimization, because it was not a general use case.
I’m still not convinced this is really necessary, anyway I’ve restored a 2-levels deep unescaping in latest dev builds in order to cope with the very rare cases like this with a modest performance impact.

By: Morgan Storey

Morgan Storey — Mon, 10 Nov 2008 02:06:49 +0000

I found an XSS that runs even though noscript is installed.
http://www.citibank.com/domain/contact/index.htm?_u=visitor&_uid=&_profile=%2522%2522%253e%253cimg src=%2522%2522 onerror=%2522alert(1)%2522
care of http://www.hiredhacker.com/2008/10/31/citibank-xss/

By: hackademix.net » Heart Touching Thingies

hackademix.net » Heart Touching Thingies — Sat, 09 Aug 2008 09:22:49 +0000

[…] face to face in the romantic and adventurous land of Whistler? I guess it’s destiny, even Steve Ballmer had been too shy to declare his love […]

By: Gökhan Onar ‘ın Blogu » Yeni Microsoft tarayıcısı ne kadar güvenli olacak?

Gökhan Onar ‘ın Blogu » Yeni Microsoft tarayıcısı ne kadar güvenli olacak? — Mon, 28 Jul 2008 05:28:10 +0000

[…] saldırganları uzun bir süre uğraştıracaktır. Firefox eklentisi NoScript’i programlayan Giorgio Maone için bu korumanın devre dışı bırakılması an meselesi. Geriye ise zekice gizlenmiş […]

By: dIRTYbRAIN v3 –> MCCCXXXVII powered » Preview: IE8-Sicherheit

dIRTYbRAIN v3 –> MCCCXXXVII powered » Preview: IE8-Sicherheit — Fri, 25 Jul 2008 13:58:06 +0000

[…] des XSS-Filters. Zwar wird der Filter die Skript-Kiddies eine Zeit lang beschäftigen. Für Giorgio Maone, Programmierer der Firefox-Erweiterung NoScript, ist es dennoch nur eine Frage der Zeit bis sie den […]

By: pirlouy

pirlouy — Thu, 10 Jul 2008 21:07:13 +0000

Once again, Giorgio, why don’t you create a separate extension for xss and other security stuff which don’t need any interaction ?
I mean I’d like an extension ala Noscript but without all this clicks thing I have to do for all sites…
I’d like an extension which can catch jar flaws, xss things, all other stuff you master, and all I have to do is updating extension (no options needed). I don’t want all this Noscript options. :P

ps: do you know comments section don’t work if you block all third party content of the web page ? :/
Isn’t it a misconception for a website like yours ? :P

By: rvdh

rvdh — Tue, 08 Jul 2008 00:39:45 +0000

On the other hand, they claim to be working on it since 2001. Actually very early, so I guess they made something worthy for IE surfers. Would be fun to test this feature tough, I’m pretty concerned about the code rewriting but also I wonder if when they modify the code and display it, if it have some reference to certain anonymous functions internally, so that a script could listen for IE to rewrite it, and try to execute a re-written piece to gain permissions. Anyway, my mind runs wild :) But yeah, still like Kuza55 said it’s best to wait and sit when they’ll release the beta 2 which will be released in August this year.

By: Zach

Zach — Fri, 04 Jul 2008 18:31:29 +0000

I think having at least some basic XSS filtering included by default is a fantastic development for browsers. Any chance a subset of NoScript’s features will be included in Firefox 3.x by default?

By: kuza55

kuza55 — Fri, 04 Jul 2008 04:20:48 +0000

Yes, they’re definitely not going to catch the JSON issue, they’re not going to catch everything, and I wouldn’t expect anyone to try to, the fact that you’ve had so much success with it is the exception to the rule when it comes to blacklisting/heuristics, and even you have had to issue patches.

Personally, I think that those changes are a bit too dramatic for the way web interactions work. Simply because messing around with what the server sends could get very, very messy.
I remember talking to Martin Johns who said one of his students was going to do something very similar to this for a thesis and I remember liking the idea now, but I simply assumed that it would block the page from rendering, rather than rewriting the page. All I can say is that I hope MS have thought this through well enough.

By: Giorgio

Giorgio — Thu, 03 Jul 2008 23:02:12 +0000

@kuza55:
yes, their description is pretty clear about this: they’re filtering on the response because they check if the payload is actually echoed.
As I commented elsewhere, this is the most noticeable difference from NoScript, and while it might help reducing false positives on the rare really well behaved sites which still accept HTML tags as legitimate input on a query string, it leaves the door open for a flood of false negatives.
This CNN one, for instance, will go surely undetected.

That said, after having seen your impressive presentations, I’m sure that if some side effect of their approach (or of mine) can be turned into a vulnerability, you’ll be the one who finds it ;)