hackademix.net

On April the 1^st (!) 2009 I had a phone call with Mickey Kim of Google. The Chromium development team was starting to design a browser extension API, and they wanted to know what kind of hooks were needed for FlashGot and NoScript to be ported on Chrome. I gave them detailed answers with references to related Mozilla technologies, and they promised to keep me updated with progresses.

Eight months later, Chrome extensions are here but NoScript is not among them yet, and people are asking why. The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.

Maybe Google plans to implement the missing stuff later, maybe they’re still trying to figure out whether it can be done without enabling effective ad blocking, but in the meanwhile the pale AdBlock and FlashBlock imitations which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.

Just install the most popular FlashBlock clone for Chrome and visit this page I put together in 3 minutes to see what I mean…

Update

Sam Hasler came to the rescue:

The top rated FlashBlock clone for Chrome does block your example page.

Of course, it took another 3 minutes to fix “the top rated” as well ;-)

If you can see my Google Talk Badge on the right, either you’re browsing with anything else than IE8/Chrome/Safari/Firefox+NoScript, or the issue we’re talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I’ve removed my badge to prevent a spam flood.

Otherwise, you’re getting an error page (hard to read, since it’s embedded in a tiny frame) — or a blank one if you’re on Chrome — because Google is sending down a X-Frame-Options HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this badge.

Now, Google playing the early adopter of bleeding edge security technologies like X-Frame-Options or STS, both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you’re offering is based on cross-site frames, you’d better keep them enabled ;-)

On a side note, users can easily disable NoScript’s implementation of X-Frame-Options, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don’t worry, ClearClick will still be watching your back…

A rather funny (depending on your boss’ and wifey’s sense of humor) Clickjacking-based worm has been spreading on Facebook for the past few days.

Like mom said, you shouldn’t trust a nasty bikini miss and start clicking random buttons around… or just do what you want, who cares?
We’re all adult and NoScripters, aren’t we?

Internet Explorer 8’s famous XSS filter can be exploited to perform successful XSS attacks against web sites which would be otherwise safe. In other words, XSS “protection” is helping XSS attackers, oh the irony.

Well, this is not exactly news among security researchers, but those aware of the details (including Microsoft of course, Eduardo “Sirdarckcat” Vela and myself) have kept a low profile so far. Check, for instance, slide #17 in my OWASP presentation (alternate link), given two weeks ago.

However, after Microsoft left it unfixed for many months, someone apparently decided to whisper this dirty little secret in Dan Goodin (The Register)’s ear.

To Microsoft’s credit, this problem has no quick fix: in fact, it’s way worse than a simple implementation bug. Its root is a flawed design choice: when a potential XSS attack is detected, IE 8 modifies the response (the content of the target page) in order to neuter the malicious code. This is, incidentally, the only significant departure from NoScript’s approach, which modifies the request (the data sent by the client) instead, and is therefore immune.

Anyway, here’s the juice: IE 8’s response-changing mechanism can be easily exploited to turn a normally innocuous fragment of the victim page into a XSS injection. The attacker just needs a certain degree of control on the content of the web site to be injected: social networks, forums, wikis and even Google Apps are good prey. To be fair, Google Apps are not vulnerable anymore, since Google’s properties wisely choose to deploy the X-XSS-Protection: 0 header, which is the “safety switch” disabling IE 8’s XSS protection.

So, web site owners’ dilemma is, opt out or not opt out?
For browser users, there should be no dilemma at all ;-)

Strict Transport Security (STS) has gone live on PayPal yesterday.

STS is a simple yet effective system for web sites requiring high safety levels, e.g. payment gateways or financial institutions, to force HTTPS connections on every request originated by supporting browsers.

It is currently supported by NoScript, Chrome 4 beta and Sid Stamm’s Force TLS.

Together with NoScript’s anti-XSS protection, this feature makes PayPal a much safer service for NoScript users.