Author Archive

Rhino VS Bean

Even if I’m the NoScript guy, I write a lot of JavaScript all day long. As you probably know, even the JavaScript Annihilator is mostly written in JavaScript. Like Crock, I love the language, despite its current browser-bound shortcomings.

So far, my favourite editor for JS coding has been JEdit with its JavaScript plugin, providing syntax highlighting (of course!), on the fly syntax checking via Rhino and optional code completion with configurable scopes, including Mozilla “chrome window” and XPCOM.

But today I’ve watched a presentation of the new NetBeans 6.1 JavaScript capabilities, and I’m impressed.
Dynamic type guessing, browser-specific contextual help and DOM-aware AJAX library support (John, guess which they show in their demo?) may be really worth the switch.

After hearing me crying for help, my friend Sirdarckcat went hunting and entrapped a poltergeist which haunts IE only.

Is this the one Manuel Caballero was talking about?
Or was that a different cross-browser evilness?

However, I ain’t afraid of no ghosts :)

Casper on Paypal

I would be very interested in learning some technical details of Manuel Caballero’s talk at BlueHat, titled A Resident in My Domain, but so far news is very scarce, fragmented and contradictory.

Its abstract is intriguing:

A Resident in My Domain

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Then we’ve got two quite reticent posts by Nate McFeters, who was there but pretends he doesn’t remember well enough and/or he can’t disclose such an atomic bomb ;)

There’s some discussion at TSSCI, but it adds more questions than answers: the article notes similarities with two distinct old and fixed bugs, the nastier one affecting IE and the other Firefox; some comments speculate about an IE7-only, possibly patched, vulnerability; but why so much secretiveness if it was already fixed?
Nate, on the other hand, wrote that this is “a horribly serious issue that affects all browsers and is currently not fixed on any of them”.

Direct inquiries in the security circles I’m a member of did not bring anything less ectoplasmic to the table.

Therefore, all the juice we’ve got so far is a couple of photos, which support only the following statements:

  1. It is scary.
  2. It has something to do with JavaScript and IFrames.
  3. It definitely works in IE7.

If you can summon anything useful, you’re very welcome!

Tsunami
SANS is reporting a new wave of the mass SQL injection automated attack against MS ASP + MS SQL Server web sites.

To my surprise and disappointment, the first commenter on the SANS diary entry wrote:

If you’re using Firefox, exploited sites may reach out and “touch” you even before you look at cached pages, unless you’ve manually disabled “network.prefetch-next” in “about:config” Check out http://www.google.com/help/features.html#prefetch for more information.

Such a statement is either misleading or plain wrong (depending on what you mean by “touch”), since no remote code gets executed when pages are prefetched: the raw content is just stored in the cache for faster access, and cannot do any harm.
Furthermore, if you’re using Firefox you’re immune to exploits targeted at Internet Explorer vulnerabilities, which are a very common payload, and if you’re running NoScript you won’t be “touched” by any part of this attack: the initial malicious script of the chain is prevented from loading, and even if it wasn’t, the plugin-based exploitation attempts would have been blocked anyway.

On a side note, I’ve updated the post-mortem cleanup SQL script I attached with no guarantee in my previous post for site administrators, after reader Scott reported that it was not working properly. Now it’s debugged and “tested” on SQL Server 2005 (should work on other versions as well).

But again: if you own a web site, a serious code review to eliminate SQL injection opportunities is mandatory, unless you want your site to get reinfected on the next round. It’s happening right now…
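What that code review is hunting for, as an added example that is not part of the original post or of the cleanup script it mentions: the request parameter pasted straight into the SQL text, next to the parameterised query that fixes it. The ASP + SQL Server sites hit by the attack were written in VBScript/ADO; the same pattern is shown here in Python against an in-memory SQLite database so it runs offline. The `products` table, its rows and the inputs are constructed for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway database with a few constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("widget", "plain widget"), ("gadget", "plain gadget"), ("gizmo", "plain gizmo")],
    )
    conn.commit()
    return conn


def find_product_unsafe(conn: sqlite3.Connection, product_id: str) -> list:
    """The pattern the review must flag: the request parameter becomes part of
    the statement text, so whatever the client sent is parsed as SQL."""
    sql = "SELECT name FROM products WHERE id = " + product_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """The fix: a parameterised query. The value is bound separately from the
    statement, so it is only ever compared against the column, never parsed."""
    sql = "SELECT name FROM products WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (product_id,))]


def parse_id(raw: str) -> int:
    """Defence in depth at the request boundary: accept only a plain integer,
    so a non-numeric id is rejected before it gets anywhere near the database."""
    if not raw.isdigit():
        raise ValueError(f"invalid product id: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    db = build_db()
    for raw in ("2", "2 OR 1=1"):
        print(raw, "->", find_product_unsafe(db, raw), find_product_safe(db, raw))
```

Run with a legitimate id, both functions return the same single row; run with a value that carries extra SQL, only the concatenated version returns every product, because the database executed the attacker's text as part of the query. Replacing every concatenation site with a bound parameter (ADO `Command` parameters on the original stack) is the fix the review should produce; `parse_id` is the additional check you apply where an id is known to be numeric.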

As I can easily tell by looking at flashgot.net and noscript.net Apache logs, every day the blogosphere gets flooded by copycat articles about “Top 5 Firefox Extensions” or “Best 10 Add-ons”.
Yesterday, though, I’ve been pleased by a slightly different variation: Keeping Safe on the Web: 8 Firefox Addons for Privacy and Security.

  • Once in a while, this is not just a rehash of an AMO category, like recommended or popular.
  • Its items count is a power of 2, rather than banally a divisor or a multiplier of 10 ;)
  • It features two often neglected extensions by Stanford University, Safe History and Safe Cache, which can effectively mitigate some interesting attacks on our privacy. Any web page can quite easily discover whether we’ve visited certain sites by exploiting the visual feedback of our navigation history or the performance differences caused by our cache. Most people don’t know or don’t care, but such a vulnerability may be critical if you’re under an oppressive regime or you’re an interesting blackmail target. Even if these two extensions impose some usability and performance burden (SafeHistory, for instance, scans all the links of a page to “artificially” color them as visited only if they’ve been previously followed from the same site, and this can cause noticeable unresponsiveness on pages with many links), they’re the best defense we’ve got — other than clearing both cache and history every time we navigate to a new site — until these bugs (affecting all the major browsers) are fixed.

Thanks to Dave Drager for the useful reminder.
