hackademix.net (http://hackademix.net)
Giorgio Maone's answers to the Web, the Universe, and Everything
Last updated Tue, 16 Mar 2010 14:02:32 +0000

Vote NoScript Best Security Add-On 2010
http://hackademix.net/2010/02/02/vote-noscript-best-security-add-on-2010/
Tue, 02 Feb 2010 14:07:42 +0000, by Giorgio

About.com Reader's Choice Award
You already nominated it, now it’s time for the final push: vote here!

P.S.: ironically, looks like in order to cast your ballot you need to Temporarily allow about.com first.

iMussolini and Device Orientation
http://hackademix.net/2010/02/01/imussolini-and-device-orientation/
Mon, 01 Feb 2010 21:40:34 +0000, by Giorgio

Hurry up, vote today!
http://hackademix.net/2010/01/24/hurry-up-vote-today/
Sun, 24 Jan 2010 12:24:03 +0000, by Giorgio

Just read about it, and nominations close today, so hurry up and show your love:
2010 About.com Reader’s Choice Awards: Best Privacy/Security Add-On.
Who you gonna call?

P.S.: bring your nest :)

NAT Pinning and ABE
http://hackademix.net/2010/01/08/nat-pinning-and-abe/
Thu, 07 Jan 2010 23:41:19 +0000, by Giorgio

Interesting idea by Samy (yes, that Samy):

Here is a proof of concept in what I’m calling NAT Pinning (“hacking gibsons” was already taken). The idea is an attacker lures a victim to a web page. The web page forces the user’s router or firewall, unbeknownst to them, to port forward any port number back to the user’s machine. If the user had FTP/ssh/etc open but it was blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

In short, he exploits a smart mechanism in modern network equipment which graciously and “magically” NATs arbitrary ports on the fly when certain handshake patterns are detected in outbound traffic, so that (usually older) protocols requiring a “call back” connection (like FTP, IRC or SIP) can work properly.

The good news is that ABE can prevent exploitation without hampering the useful functionality. If you’re concerned about this issue, you just need to open NoScript Options|Advanced|ABE, edit the “USER” ruleset and add the following rule:

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site ^https?://[^/]+:[0-35-7]
Deny

The bad news is that Java, Flash, Silverlight and maybe other plugins can open raw sockets, bypassing any browser control, including ABE. Just another reason to keep them at bay.
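As an added illustration (not NoScript’s code, nor Samy’s), the following replays the ABE rule above against a few constructed request URLs to show exactly what it denies: the regex keys on the first digit of an explicit port, so FTP, IRC and SIP ports are caught while 443, 8080 and port-less URLs pass; host.example is a placeholder. It does not model plugin sockets, which bypass ABE as noted above.

```javascript
// Added illustration, not NoScript's own code: replays the ABE "USER" rule
// from the post against constructed request URLs so the reader can see
// exactly which destinations it denies.

// ABE treats a Site pattern beginning with "^" as a regular expression
// matched against the full request URL; this is the regex from the rule.
const NAT_PINNING_RULE = {
  site: /^https?:\/\/[^\/]+:[0-35-7]/,
  action: "Deny",
};

// Emulates the rule's effect on one request. ABE evaluates rules in order
// and falls through to an implicit allow; the USER ruleset here has only
// this one entry, so anything the regex does not match is allowed.
function abeDecision(url, rule = NAT_PINNING_RULE) {
  return rule.site.test(url) ? rule.action : "Allow";
}

// Constructed outbound requests a lure page could trigger from the browser
// (host.example is a placeholder, not a real host).
const SAMPLE_REQUESTS = [
  "http://host.example:21/",    // FTP control port, the classic ALG trigger
  "http://host.example:6667/",  // IRC
  "http://host.example:5060/",  // SIP
  "http://host.example/",       // no explicit port: the regex cannot match
  "https://host.example:443/",  // port starts with 4: not covered
  "http://host.example:8080/",  // port starts with 8: not covered
  "http://host.example:81/",    // also starts with 8: a gap in this rule
];

// Maps each URL to the rule's verdict.
function classify(urls = SAMPLE_REQUESTS) {
  const verdicts = {};
  for (const url of urls) verdicts[url] = abeDecision(url);
  return verdicts;
}

// Lists only the denied URLs, handy for checking a ruleset before deploying it.
function denied(urls = SAMPLE_REQUESTS) {
  return urls.filter((url) => abeDecision(url) === "Deny");
}
```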

Thanks to Thoughtcrime for bringing this to my attention, and to Samy for the chat we had this afternoon.

NoScript against Pop-unders
http://hackademix.net/2010/01/06/noscript-against-pop-unders/
Wed, 06 Jan 2010 21:34:21 +0000, by Giorgio

Pop-under windows are a popular alternative to their pop-up precursors in the advertising industry, officially because the former pretend to be less intrusive than the latter, but more likely because pop-up blockers (such as Firefox’s built-in one) are not exceedingly effective against them.

NoScript users should not be overwhelmed by these annoyances, especially when they’re delivered through external scripts provided by 3rd party advertising agencies, whose hosts are blocked by default.

However, an increasing number of web sites, especially adult-oriented ones, use JavaScript code embedded in the page itself to produce pop-unders: therefore, if the user is forced by other means to enable page JavaScript (e.g. because scripting is required to decode image URLs on the fly, as happens on imagefap.com), the pop-under will unavoidably succeed. Well, almost unavoidably.

For some time now NoScript has been providing a page-level script surrogate to kill imagefap.com’s pop-unders. Actually, since the most recent NoScript versions execute page-level script surrogates also on script-disabled pages, you could even use a surrogate to decode the images while keeping JavaScript disabled (such a feature will probably be included in the next NoScript release).

However, the just released NoScript 1.9.9.35 enhances and generalizes the previously imagefap-specific surrogate, making it effective against a much wider range of web sites: certainly all those hosting AWEmpire’s ads, but potentially many, many more.

The noscript.surrogate.popunder.sources about:config preference, listing the URL patterns where this surrogate applies, currently looks like this:

@*.imagefap.com *.moviefap.com imagefap.com moviefap.com *.grayvee.com grayvee.com *.empornium.us empornium.us

In theory, you should add to this list the sites that require JavaScript and spawn pop-unders (are you sure they’re worth your whitelist, though?).
However, since running this surrogate adds no more than one millisecond to your page loading and should have no notable side effects, if you feel adventurous you can change the preference above into

@^http:

meaning that all the HTTP unencrypted web sites will enjoy pop-under immunity. If you experience problems with this setting (especially links which don’t react to your clicks even if Javascript is enabled) and they’re fixed by restoring the default, or just find a web site where pop-unders survive, please let me know.

Update

After quite extensive testing, this Anti-Pop-under surrogate seems unlikely to break anything. Therefore, NoScript 1.9.9.36 turns it on by default for every HTTP unencrypted web site. If you want you can tweak it by editing either the noscript.popunder.source or the noscript.popunder.exceptions about:config preferences.

Why Chrome has No NoScript
http://hackademix.net/2009/12/10/why-chrome-has-no-noscript/
Thu, 10 Dec 2009 15:00:01 +0000, by Giorgio

On April the 1st (!) 2009 I had a phone call with Mickey Kim of Google. The Chromium development team was starting to design a browser extension API, and they wanted to know what kind of hooks were needed for FlashGot and NoScript to be ported to Chrome. I gave them detailed answers with references to related Mozilla technologies, and they promised to keep me updated on their progress.

Eight months later, Chrome extensions are here but NoScript is not among them yet, and people are asking why. The reason is very simple: Chrome is still lacking the required infrastructure for selective script disablement and object blocking.

Maybe Google plans to implement the missing stuff later, maybe they’re still trying to figure out whether it can be done without enabling effective ad blocking, but in the meantime the pale AdBlock and FlashBlock imitations, which have been hacked together by overwhelming popular demand, are forced to use a very fragile CSS-based hiding approach, ridiculously easy to circumvent.

Just install the most popular FlashBlock clone for Chrome and visit this page I put together in 3 minutes to see what I mean…

Update

Sam Hasler came to the rescue:

The top rated FlashBlock clone for Chrome does block your example page.

Of course, it took another 3 minutes to fix “the top rated” as well ;-)

Google Talk Badges vs X-Frame-Options
http://hackademix.net/2009/12/02/google-talk-badges-vs-x-frame-options/
Wed, 02 Dec 2009 20:12:28 +0000, by Giorgio

If you can see my Google Talk Badge on the right, either you’re browsing with something other than IE8/Chrome/Safari/Firefox+NoScript, or the issue we’re talking about has already been fixed by Google. Edit 7 Dec 2009: the issue has been fixed, so I’ve removed my badge to prevent a spam flood.

Otherwise, you’re getting an error page (hard to read, since it’s embedded in a tiny frame) — or a blank one if you’re on Chrome — because Google is sending down an X-Frame-Options HTTP header with value SAMEORIGIN, allowing only pages served from www.google.com to embed this badge.

Now, Google playing the early adopter of bleeding edge security technologies like X-Frame-Options or STS, both in its browser and in its web properties, is really great because it speeds up their acceptance hugely, making the whole web safer. But if the service you’re offering is based on cross-site frames, you’d better keep them enabled ;-)

On a side note, users can easily disable NoScript’s implementation of X-Frame-Options, if needed, via about:config preferences: either globally (noscript.frameOptions.enabled) or per-embedding-site (noscript.frameOptions.parentWhitelist). Don’t worry, ClearClick will still be watching your back…

ClearClick Da’ Button, Baby
http://hackademix.net/2009/11/24/clearclick-da-button-baby/
Tue, 24 Nov 2009 18:07:34 +0000, by Giorgio

Something Hot

A rather funny (depending on your boss’ and wifey’s sense of humor) Clickjacking-based worm has been spreading on Facebook for the past few days.

Like mom said, you shouldn’t trust a nasty bikini miss and start clicking random buttons around… or just do what you want, who cares?
We’re all adults and NoScripters, aren’t we?

IE’s XSS Filter Creates XSS Vulnerabilities
http://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities/
Fri, 20 Nov 2009 22:25:31 +0000, by Giorgio

Internet Explorer 8’s famous XSS filter can be exploited to perform successful XSS attacks against web sites which would otherwise be safe. In other words, XSS “protection” is helping XSS attackers, oh, the irony.

Well, this is not exactly news among security researchers, but those aware of the details (including Microsoft of course, Eduardo “Sirdarckcat” Vela and myself) have kept a low profile so far. Check, for instance, slide #17 in my OWASP presentation (alternate link), given two weeks ago.

However, after Microsoft left it unfixed for many months, someone apparently decided to whisper this dirty little secret in Dan Goodin (The Register)’s ear.

To Microsoft’s credit, this problem has no quick fix: in fact, it’s way worse than a simple implementation bug. Its root is a flawed design choice: when a potential XSS attack is detected, IE 8 modifies the response (the content of the target page) in order to neuter the malicious code. This is, incidentally, the only significant departure from NoScript’s approach, which modifies the request (the data sent by the client) instead, and is therefore immune.

Anyway, here’s the juice: IE 8’s response-changing mechanism can be easily exploited to turn a normally innocuous fragment of the victim page into an XSS injection. The attacker just needs a certain degree of control over the content of the web site to be injected: social networks, forums, wikis and even Google Apps are good prey. To be fair, Google Apps are not vulnerable anymore, since Google’s properties wisely chose to deploy the X-XSS-Protection: 0 header, which is the “safety switch” disabling IE 8’s XSS protection.

So, web site owners’ dilemma is, opt out or not opt out?
For browser users, there should be no dilemma at all ;-)

PayPal is Safer with NoScript
http://hackademix.net/2009/11/07/paypal-is-safer-with-noscript/
Sat, 07 Nov 2009 15:21:28 +0000, by Giorgio

Strict Transport Security (STS) went live on PayPal yesterday.

STS is a simple yet effective system for web sites requiring high safety levels, e.g. payment gateways or financial institutions, to force HTTPS connections on every request originated by supporting browsers.

It is currently supported by NoScript, Chrome 4 beta and Sid Stamm’s Force TLS.

Together with NoScript’s anti-XSS protection, this feature makes PayPal a much safer service for NoScript users.
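An added example, not code from Google, PayPal or NoScript, tying together the three headers discussed in the X-Frame-Options, IE 8 XSS filter and STS posts above: a per-request response-header policy that avoids the Google Talk badge mistake, plus an audit function that would have flagged it. The /badge path, the EMBEDDABLE_PATHS set and the one-year max-age are assumptions of this example.

```javascript
// Added example (not Google's, PayPal's or NoScript's code). Assumed layout:
// "/badge" is a resource meant to be framed by other sites, like the
// Google Talk badge; everything else should only be framed same-origin.
const EMBEDDABLE_PATHS = new Set(["/badge"]);
const HSTS_MAX_AGE = 31536000; // assumed policy: one year, in seconds

// Builds the security headers for one request ({ path, https }).
function securityHeaders({ path, https }) {
  const headers = {};
  // SAMEORIGIN stops clickjacking, but sending it on a cross-site badge
  // makes the badge fail to render everywhere (the bug in the post).
  if (!EMBEDDABLE_PATHS.has(path)) headers["X-Frame-Options"] = "SAMEORIGIN";
  // The "safety switch" from the IE 8 post: opt out of the response-rewriting
  // XSS filter so it cannot turn benign page content into an injection.
  headers["X-XSS-Protection"] = "0";
  // Browsers only honour STS received over HTTPS, so never send it on HTTP.
  if (https) headers["Strict-Transport-Security"] = `max-age=${HSTS_MAX_AGE}`;
  return headers;
}

// Audits a header set against the policy above and returns the findings,
// so a misconfiguration like the badge one is caught before deployment.
function auditHeaders(headers, { path, https }) {
  const findings = [];
  const embeddable = EMBEDDABLE_PATHS.has(path);
  const xfo = headers["X-Frame-Options"];
  if (embeddable && xfo) findings.push("embeddable resource sends X-Frame-Options: it will not render in cross-site frames");
  if (!embeddable && !xfo) findings.push("missing X-Frame-Options on a page not meant to be framed");
  if (headers["X-XSS-Protection"] !== "0") findings.push("IE 8 XSS filter not disabled");
  if (https && !headers["Strict-Transport-Security"]) findings.push("missing Strict-Transport-Security over HTTPS");
  if (!https && headers["Strict-Transport-Security"]) findings.push("Strict-Transport-Security over plain HTTP is ignored by browsers");
  return findings;
}

// Constructed reproduction of the badge response described in the post.
const BADGE_AS_SHIPPED = { "X-Frame-Options": "SAMEORIGIN", "X-XSS-Protection": "0" };
```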
