Archive for the CSRF Category

ABE Quantum is the combination of Contextual Policies, one of the most requested features in NoScript's history, and LAN protection, an important "Classic" defense lost in the 2017 Quantum migration.

After years of waiting and months of hard work, this good stuff (which I personally missed a lot, too) is finally in the hands of all NoScript 11.3 users*, thanks to the precious support by the NLNet Foundation and the Next Generation Internet programme (more specifically the NGI0 PET fund).

The "ABE Quantum" nickname comes, of course, from the Application Boundary Enforcer module of NoScript Classic, which both Contextual Policies and LAN protection are in a sense a "modernized" descendant of, sacrificing some of the extreme flexibility of the original's firewall-inspired policy definition language in order to provide a simpler, more accessible and more intuitive user experience directly integrated in NoScript's main CUSTOM UI.

ABE Quantum Screenshot

Contextual Policies

Contextual policies let you assign different permissions (or "enable different capabilities", in NoScript's parlance) to a certain site depending on its context, i.e. which is the top level site (the address currently shown in the navigation bar).

For instance, you might want to enable scripts from twitter.com only if you're visiting maone.net - intrigued by Maone's awesome embedded tweet feed ;) - but not elsewhere, because you don't like Twitter to track you everywhere you go:

  1. While on maone.net, open NoScript's popup and select CUSTOM as the policy for twitter.com. You'll see a new drop down box, initially set to ANY SITE.
  2. Remove all the capabilities (e.g. script) you don't want Twitter to use on ANY SITE (notice that when CUSTOM is selected first time, the capabilities from the previously selected preset get copied, so if it was DEFAULT you can probably leave them that way).
  3. Then select ...maone.net from the drop down, and switch script, fetch and frame (the capabilities outlined in red, meaning they're are needed by twitter.com) on.

You're done: scripts from twitter.com are allowed to run only when the main site displayed is maone.net.
You can repeat this on any website (including twitter.com itself) where you want Twitter scripts and subdocuments to work normally.
If you change your mind, you can reset some or all the contextual policies you previously set in the CUSTOM permissions deck, either on from the popup (only for the current context) or from the Options>Per-site permissions panel, where all the context sites you had configured plus the ANY SITE default are listed in the Enable these capabilities when top page matches... dropdown.

LAN Protection

Simply put, the LAN capability lets documents coming from the public Internet (AKA World Area Network / WAN) to link / send requests to hosts inside your Local Area Network (LAN), which is pretty what they can do now, allowing so called cross-zone CSRF/XSS attacks.
By keeping it disabled (the factory setting in the DEFAULT and UNTRUSTED presets), you're replicating this feature from "Classic" NoScript, without the hassle of going through ABE's firewall-like rules when you need to set an exception, which now is just a matter of checking the LAN capability box.

The Contextual Policies & LAN Protection (ABE Quantum) project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.

* already available in auto-update from AMO, still waiting for review at the Chrome Store while writing this post.

NSA++, NoScript on Android

NSA++ (NoScript Anywhere Plus Plus, or NoScript 3.5 alpha for Android Native) has been in the works for a while now, and it’s finally ready for prime time, thanks also to the continuous help of the NLNet Foundation.

Even if it’s not as complete as its legacy Electrolysis-orphaned obsolete predecessor (NSA, designed for the now discontinued XUL Fennec, AKA Firefox 4 Mobile) yet, NSA++ already provides the best security you can get in any mobile browser: beside its trademark flexible script blocking facility, it features the first ever and still strongest XSS filter available, plus partial but functional portings of the unique ClearClick anti-Clickjacking technology and ABE’s firewall/LAN CSRF protection.

You can read more or try it with a recent Firefox Nightly (mobile or desktop, too!) on the NSA project page.

NoScript 2.0.4 has been released yesterday, with some bug fixes and one main addition: strict X-Content-Type-Options: nosniff enforcement.

NoScript, for a long time, had already being enforcing content type checks on cross-site Javascript and CSS includes, and recent Firefox versions introduced similar built-in mitigations, albeit limited to stylesheets, in order to mitigate CSS-based data theft.

Nevertheless, X-Content-Type-Options offers a nice opportunity to further hardening, by allowing web sites to opt-in for the strictest checks, on more file types and also same-domain, in a theoretically compatible way.

A side effect of this addition is that Firefox 4 + NoScript now scores 14/16 on Browserscope's Security Test, in "Allow Scripts Globally" mode (i.e., without blocking any JavaScript or active content)!
Browserscope Security Test
For those who don't know it, Browserscope is a project which aims at profiling and comparing browser capabilities, with a special eye for security features.

By comparison, only Google Chrome boasts a higher score of 15/16, because it supports both the HTTP Origin Header and the HTML 5 Sandbox Attribute, which are not implemented yet by Firefox nor by NoScript. For the curious, "vanilla" Firefox 4 nightlies stop at 11/15 (even if you're going to read 12/15 because of a XSS test bug), Firefox 3.6.12 + NoScript is at 13/15, while disabling NoScript makes it fall down to 9/16 (reported as 10/16 because of the aforementioned bug).

However, a fair comparison would need to cover also Content Security Policies, a very powerful and flexible security technology developed by Mozilla (test should be added soon, it seems) and countermeasures for cross-zone CSRF attacks (e.g. against routers), which are currently provided by NoScript and, partially, by Opera (Mozilla is working on something, too)*. If and when these features get tested, Firefox 4 + NoScript will lead at 16/18, followed by Chrome at 15/18.

That said, I'd really love to see Origin and Sandbox implemented natively by Firefox, for a perfect 18/18. Which is, I guess, the real raison d'être of Browserscope: getting good stuff implemented everywhere by the power of childish envy ;)

* I won't advocate including tests for other non-blocking security features provided by NoScript, such as ClearClick anti-Clickjacking, because they're not suitable for web-based automation.

Update 2010-11-13

Firefox 4 + NoScript scores 15/17 now!

Senior NoScript community contributor Grumpy Old Lady finally sent me a link to these notes, taken live at BlackHat USA during Graig Heffner's "How to Hack Millions of Routers" talk, and to the tool he released, allowing to remotely control the many models of routers found vulnerable to a specific kind of DNS Rebinding attack.

Since I couldn't attend the L.A. conference, I've been anxiously in search of something like that to confirm al_9x's speculative forecast, i.e. that the exploited vulnerability was about routers exposing their administrative interface to the LAN on their WAN IP (even if remote administration is explicitly disabled), and now I'm delighted to find he was entirely correct!

Of course I must be happy, because I don't need to rush out another ABE feature like the WAN IP protection which I baked inside NoScript 2.0 last week, and because my own home router had been vulnerable as well :)

Some clarifications are still needed, though.

Among the mitigations reportedly enumerated by Heffner (even if he had previously claimed that NoScript couldn't help), there's

Use NoScript (disable javascript?) Maybe not practical to most users

Now, it is true that Heffner's attack fails if the attacker's domain, bound on the fly to user's WAN IP, is not allowed to run JavaScript (very likely, when you use NoScript). This means that most users of older NoScript versions (1.10 and below) were already protected against Heffner's tool and this kind of "XSS via DNS Rebinding".

However, like for many other "emerging threats", NoScript provides a specific protection against this class of vulnerabilities (in this case via its ABE module), completely independent from script blocking: in other words, it just works, no matter if you decide to keep JavaScript, plugins and frames enabled everywhere ("Allow Scripts Globally"). There'no reasonable excuse to renounce this protection, since it does not imply the alleged "non-practicality" of enabling JavaScript selectively.

So, since security experts themselves sometimes seem confused about NoScript's real "convenience vs security" tradeoffs, taking for granted that all the security it offers depends on and requires script blocking, recapping here a (non exhaustive) list of attacks blocked by NoScript even in "Allow Scripts Globally" mode may be useful:

  1. XSS, thanks to its "Injection Checker", the first anti-XSS filter ever released in a web browser.
  2. Clickjacking -- NoScript's ClearClick feature is still the only effective protection entirely implemented inside the browser and requiring no server-side cooperation.
  3. CSRF (and especially, by default, cross-zone attacks against intranet resources) via the ABE module.
  4. MITM, courtesy of HSTS and other HTTPS-enhancing features

These are just some of the many additional protections provided by NoScript which do not depend on scripting being disabled. So next time you hear people saying "yes, browsing with NoScript is safer but having to pick trusted sites to run JavaScript is a pain", point them to these good reasons for running NoScript, even if they give up the extra security provided by plain old script blocking.

Web-based router hacking is hardly a new topic, but new variants pop up from time to time.

The most obvious attacks against a router which malicious web sites can pull are CSRF, XSS and DNS Rebinding. Of course changing the default password of your router helps mitigating these threats a lot, but unfortunately it's not enough if you happen to be already logged in the administrative console, or if your device is affected by any of the commonplace holes which are left open by an unsafe development attitude, on the flawed assumption that just because a vulnerable service is not exposed on the internet side it can't be reached by an internet attacker (see this HNAP D-Link Hack for a glaring example).

NoScript's ABE module has been protecting routers and intranet web resources against this kind of attacks for a long time, thanks to the following built-in SYSTEM rule:

# Prevent Internet sites from requesting LAN resources.
Site LOCAL
Accept from LOCAL
Deny

However security researcher Craig Heffner, interviewed by Andy Greenberg on his "The Firewall" Forbes blog, recently announced a new DNS Rebinding variant which can be used to remotely control your router and (the scary part) allegedly bypasses the defenses provided by NoScript against this class of attacks.

Even though the details are still to be presented -- together with an automated attack tool! -- at the BlackHat USA 2010 conference (today or tomorrow), al_9x, one of the most active members of the NoScript community, provided a very convincing speculative assessment of the new threat, based on the sparse data found in this briefing summary, and also a simple and clever suggestion for a remedy:

Many routers will respond to requests to their public ip on the private interface. This allows an external site not merely to load the router config in an iframe by ip (without triggerring ABE LOCAL rule) but also by the site's name (by dynamically dns binding it to the router's public ip), thereby bypassing same origin check and gaining access to the router.

I suppose NoScript could (optionally) lookup the public ip and include it in the abe LOCAL pseudo-list.

And so it does now :)

Since version 2.0rc5, released past week, NoScript detects your public (WAN) IP by sending a completely anonymous query on a secure channel to https://secure.informaction.com/ipecho, then treats it as a local address when enforcing its policies against CSRF and DNS Rebinding.

There are a few optimizations, meant to reduce the traffic to less than two hundreds of bytes per user per day (and prevent my servers from melting down), but if you do notice this background request, now you know what it is about (it is also mentioned in the NoScript's Privacy Policy, BTW). This new feature, enabled by default, can be disabled at any time by clearing the NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL checkbox *.

Now, let's just hope al_9x's guess is correct.
I'm quite confident it is, but if it's not, expect a brand new ABE protection feature in a week or so, anyway :)

Update

Looks like al_9x was entirely correct, indeed :)

* Note for network administrators

This feature tries to be nice: device fingerprinting can be turned off by sending a "X-ABE-Fingerprint: Off" HTTP header, and fingerprinting requests are identified by a "Mozilla/5.0 (ABE, http://noscript.net/abe/wan)" User-Agent header. Furthermore, custom local subnets or IPs can be configured as a space-separated list in the noscript.abe.localExtras about:config preference.

Bad Behavior has blocked 969 access attempts in the last 7 days.