hackademix.net

Many people use their hosts file for resources blocking purposes, especially against ads or known malicious sites.

Since your hosts file takes precedence over your DNS in domain name resolution, you can redirect undesired domain to invalid IP addresses, saving both bandwidth and CPU because resolved IPs are cached.

Unluckily, most information sources about this useful technique, including the Wikipedia article above, instruct the reader to use 127.0.0.1 (the local loopback IP) as the dead-end destination, rather than a truly invalid address such as 255.255.255.0. This is not very smart, especially if you installed a web server on the loopback interface (like many web developers do), because you’re spamming it with dummy requests whenever you browse an ad-laden web site.

Furthermore, I’m currently receiving several reports about ABE warnings popping up everywhere. If you read my post about ABE yesterday, you know that it ships with a built in “SYSTEM” ruleset containing just one rule which alone implements the whole LocalRodeo functionality:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

Such a rule blocks any HTTP request for resources placed in your local network, including localhost (127.0.0.1) and any other LAN IP, unless it is originated from your local network as well. This protects your internal servers and devices (e.g. routers and firewalls exposing web interfaces) against CSRF and XSS attacks performed from the internet.

As a side effect, though, if you’re redirecting arbitrary hosts to 127.0.0.1, you’ll get bombed by a storm of ABE warnings whenever those sites are linked from external web sites. The solution is simple: just open your host file and replace 127.0.0.1 with 255.255.255.0 everywhere it’s used to block something, but being careful to keep 127.0.0.1 on the localhost entry and other really local domains, if any.

I’m pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.

It’s been quite a long development journey since my first announcement, made possible by NLNet’s foresight, and it required more than one month of beta testing: among the thousands of testers victims I inflicted twenty builds upon, I must especially thank therube, GµårÐïåñ, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to aid debugging and optimization. A special thanks goes also to Edoardo “Sirdarckcat” Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions to model the threats which ABE can counter react.

Great but.. now that I’ve got ABE, what can it do for me?

If you’ve got latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you’ll notice a new “ABE” tab in NoScript Options|Advanced. There you can find a list of the loaded “Rulesets”, i.e. groups of firewall-like rules (syntax specification PDF).
Rulesets can be:

1. Built-in like the “SYSTEM” ruleset, shipping with ABE and meant to provide automatic protection against “general” threats; you don’t want to edit them unless you know exactly what you’re doing.
2. User-defined like the “USER” ruleset, which is empty for you to customize according to your needs.
3. Subscription-provided, coming from a centralized location which delivers “trusted” rules (not supported yet).
4. Site-specific, created and made automatically available by site developers or administrators to protect their own web applications.

All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.

Drop-in LocalRodeo replacement

The “SYSTEM” built-in ruleset currently contains just one rule definition:

Site LOCAL
Accept from LOCAL
Deny

This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario does not sound new to you, maybe you’ve heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threats. In facts, the default ABE configuration shipping with NoScript 1.9.5 and above is as effective as LocalRodeo at least, but more performant, especially when DNS queries are involved, and much more flexible, since it’s not limited to this specific attack scenario: if you’re using both NoScript and LocalRodeo, it’s time to uninstall the latter.

ABE for web authors

While centralized subscriptions aimed to protect the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting how to protect your own web application by enforcing your own rules.
Just deploy your rules.abe file at the root of your HTTPS site and be sure to check Allow sites to push their own rules in the ABE options panel. This preference is initially disabled in 1.9.5, but this default will be likely inverted in next stable iteration, as soon as it gets enough testing.
More details here.

This morning I got many reports about NoScript disappearing after a Microsoft automatic update.
Looks like a “fix” for the infamous .NET Framework Assistant (AKA the ClickOnce extension for Firefox) caused the breakage.
Luckily this issue is temporary: just reboot your system and everything should be fine (in the best MS tradition).

An old Java vulnerability, already fixed 6 months ago in every Java implementation except Apple’s, allows remote attackers (i.e. malicious web sites) to launch arbitrary code from Safari or Firefox with full user privileges, evading the Java applet sandbox on Mac OS X.

Here’s the Slashdot’s routine Apple+Java bashing with linked source articles.

At this moment, the easiest way to protect your Mac web browser is either turning off Java globally or… you know what ;)

Update Jun 15th

Three weeks later, Apple finally patched..

When Microsoft unveiled its IE 8’s “XSS filters”, almost one year ago, we could notice how, despite their impressive resemblance to NoScript’s anti-XSS protection, they were quite limited in comparison.

One of the limitations was their ability to mitigate a subset of reflective (AKA type 1) XSS vulnerabilities only, leaving them totally useless against DOM-based (AKA type 0) XSS attacks which, instead, are effectively defeated by NoScript.

Today I noticed via sla.ckers.org that such a DOM-based XSS attack is currently possible against Paypal and Ebay, no less, allowing the attacker to steal authentication info and other sensitive data, or even perform financial transactions on the behalf of the victim.

Even more interesting, modern browsers* except IE properly encode request URLs before sending them on the wire, but exploitation of this specific Paypal vulnerability requires the “double quotes” character to pass through with no encoding: therefore, while the vast majority of XSS exploits are cross-browser, this one affects exclusively IE**. Embrace and XSStend?

1. * Latest versions of Firefox, Safari, Opera and Chrome.
2. ** Variants could affect any browser, since IE’s encoding bug is generally not required for DOM-based XSS. Firefox users can protect themselves by using NoScript, even in the permissive and not recommended “Allow Scripts Globally” mode.