[ext] NoScript 1.9 - Your Friendly Web Cop

[Giorgio Maone]

@GµårÐïåñ:
I'm unable to reproduce that untrusted/trusted issue. I've tried going to msn.com, marking ads1.msn.com as untrusted and allowing msn.com and everything works as expected (ads1.msn.com is kept untrusted).
Can you come with a reproducible step-by-step test case?

Regarding your XSS tests, thanks for your feedback but as far as I can see there's nothing to worry about NoScript's effectiveness:

Code: Select all

data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=

This is irrelevant because

1. NoScript prevents data: URIs from being launched by untrusted sites
2. data: URIs inherit the same principal as the containing document, therefore there's no proper XSS here

Code: Select all

[color=red width=expression(alert(123))][color]

This is irrelevant because dynamic properties (AKA "CSS expressions") are a proprietary Microsoft extension to CSS and cannot work on Firefox.

Code: Select all

<br size=\"&{alert('XSS')}\">

This one beats me: how is it supposed to be executed, exactly?

Code: Select all

'">><marquee><h1>XSS</h1></marquee>

Marquee is not scripting, you can move text around but you can't execute anything...

In other words, not every "XSS" sample in the wild is caught by NoScript, by design: NoScript only filters out stuff which can actually harm a Firefox/NoScript user, it doesn't care about generic "exploits" which cannot work against Firefox and/or NoScript for different reasons (e.g. incompatibility or a different protection kind).

@dhouwn:
You're very likely getting that message because the page importing that "script" contained a typo, and the result was an HTML 404 error page (thus apparently XML) rather than a script source file.

[nagan]

Giorgio ,incase you missed this.....

@nagan:
have you got the RealPlayer plugin installed? That player seems to need it.

Thanks for the reply.But I am surprised at the behaviour.


I tried a Real Alternative installation.It is not working ,I will try Real next.

1.But why does not NS propose a placeholder ,before actually allowing a plugin?

2.Why does not FF give an indication (the green Plus sign) that the Real Plugin is required??

The answers would be useful...

[Giorgio Maone]

@nagan:
if there's no plugin, there's nothing for NoScript to block and therefore no placeholder.
Why does not FF give an indication? Either the web page is broken enough not to give room to the broken plugin content, or it's a Firefox bug.

[Alan Baxter]

@nagan:
Did you miss this?

I tried a Real Alternative installation.It is not working ,I will try Real next.

I managed to get the player to run the file using a Real Alternative plugin here.
It wasn't perfectly straightforward, but using the NS "Blocked Objects" menu list let me identify and allow the plugin, after which a manual reload of the page gave a functioning stream.

Like NanM, I clicked on the Blocked Object menu in the popup, temporarily allowed the content on the bottom line, closed the the popped up player, and double-clicked the selected item again. (It was Ringa, Ringa for me.) The player popped up again, but this time it played the content.

[GµårÐïåñ]

feature request:
Can you make NoScript either work wih Foxmarks to sync trusted sites or add the ability to sync trusted sites? I have multiple computers and i use noscript on all of them. And it's a pain to have to make sites trusted on all of them.

OK, it's time for me to try my hand as a coding geek. Until the sync feature that Nan M. mentioned is ready, this might speed it up: I like to make occasional backups of Fx profile folder to flash drive (f:\ for me), so if the system crashes, I don't have to re-configure everything

This batch file automates it for me:

@echo off
xcopy /y "%appdata%\mozilla\firefox\profiles\machine1.default" "f:\machine1.default" /e
pause
exit

Copy and paste to a text document (mine is named "profilecopy"), then change the extension to .bat (profilecopy.bat) > yes.

This one copies the backup from the flash drive to the computer:

@echo off
xcopy /y "f:\machine1.default" "%appdata%\mozilla\firefox\profiles\machine1.default" /e
pause
exit

I call it "flashcopy.bat".

So it seems you could make multiple copies of the latter. Just substitute "machine2.default", "machine3.default" (the xxxxxxxx.default Fx profile of each machine) in the second part of the "flashcopy.bat". Plug the flash drive in, 2-click the appropriate .bat file for machines 2, 3, ..., and *everything" is synched with machine1: bookmarks, extensions (Adblock list, etc. etc.), not just your NS whitelist.

I'm sure someone who's less of a dummy than I could improve on the automation of this, and if your machines are networked, could probably run the batch file across the network.

Tip: Before you try this, make a backup copy of your profile folder to your desktop or somewhere, in case it screws it up. As I said, I'm a coding dummy, and take no responsibility.

Hey buddy, why don't you use FEBE addon, it is truly wonderful and has so many features of what you can backup, where and how often. It will be far more stable and you will have much better control. Just a suggestion.

[GµårÐïåñ]

@GµårÐïåñ:
I'm unable to reproduce that untrusted/trusted issue. I've tried going to msn.com, marking ads1.msn.com as untrusted and allowing msn.com and everything works as expected (ads1.msn.com is kept untrusted).
Can you come with a reproducible step-by-step test case?

Here is the thing, it works as expected on my machine but this was a fresh install, fresh config on this machine and it behaved this way and it blew my mind. I checked my machine and my exact same configuration is valid, so I was just confused, that's why I thought it was possibly a new thing. I have no way to reproduce it as such other than what happened. I will keep you posted though if it comes up, in the meantime I just wanted to share it with you as more of a heads up, just in case, nothing to worry really.

Regarding your XSS tests, thanks for your feedback but as far as I can see there's nothing to worry about NoScript's effectiveness:

Code: Select all

data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=

well obviously in our test, we are not going to use something harmful, its intended to be a proof of concept and this would and could contain ANY data, if its allowed to execute then whatever it contains will execute, that's the idea. Personally I am not worried about NoScript's effectiveness, we were just working as part of a group of security consultants to see if there is a clever way a security can be defeated. This in turn provides more reliability and seal of effectiveness if repeated efforts to intentionally defeat something, fail. You know how that goes, its a hacker's stress test. We do it against encryption, security, and so on, I am sure you know what I mean. I was sharing simply because it didn't catch or call it and I was wondering why more than anything else, I know it was harmless in its current form. Anyway.

This is irrelevant because

1. NoScript prevents data: URIs from being launched by untrusted sites
2. data: URIs inherit the same principal as the containing document, therefore there's no proper XSS here

Ok, explains why it wasn't caught because of the other NoScript policy in effect, gotcha. Sort of shot ourselves in the foot with that one, I probably should have allowed to see if it catches it, regardless, gotcha and thanks.

Code: Select all

[color=red width=expression(alert(123))][color]

This is irrelevant because dynamic properties (AKA "CSS expressions") are a proprietary Microsoft extension to CSS and cannot work on Firefox.

I am aware of that but I was under the impression as part of the CSS standard, it would still be processed BEFORE it is ignored this means that the code can be still injected using this method, no? As long as you are sure it will never process on Firefox, then I guess that's a moot point then.

Code: Select all

<br size=\"&{alert('XSS')}\">

This one beats me: how is it supposed to be executed, exactly?

It using the improper character to force the browser to correct the coding in the process of which it interprets and executes what is contained inside it. It has worked successfully on IE and other Mozilla based browsers, I was just testing it on Firefox to mostly see if NoScript would catch it. As to how it is executed, sorry not at a liberty to divulge the secret sauce

Code: Select all

'">><marquee><h1>XSS</h1></marquee>

Marquee is not scripting, you can move text around but you can't execute anything...

Yes, as stated before the codes we execute are intended to be harmless, after all we can't afford to destroy ourselves running every test, but the principle is that once the marquee is executed, it will execute the code within it. So if you embed a malicious code in the place of XSS in the above example, when it renders it, it will execute it.

In other words, not every "XSS" sample in the wild is caught by NoScript, by design: NoScript only filters out stuff which can actually harm a Firefox/NoScript user, it doesn't care about generic "exploits" which cannot work against Firefox and/or NoScript for different reasons (e.g. incompatibility or a different protection kind).

So the assumption here is that it "EVALUATES" the threat before blocking it, even if it is an injection and XSS by design? If that's the case, then it would be valid that it didn't catch these, because they were not intended to be harmful, just a proof of concept. Would you have an objection to us going through NoScript to see the logic it uses to "evaluate" the threat and how it decides its a harmful exploit or a generic one?

[Giorgio Maone]

So the assumption here is that it "EVALUATES" the threat before blocking it, even if it is an injection and XSS by design? If that's the case, then it would be valid that it didn't catch these, because they were not intended to be harmful, just a proof of concept.

Yes, the InjectionChecker component, and specifically its checkJSBreak() checks for non trivial JavaScript code fragments and also checks if they're actually compilable.

Would you have an objection to us going through NoScript to see the logic it uses to "evaluate" the threat and how it decides its a harmful exploit or a generic one?

No objection at all. After all, it's the beauty of open source

[al_9x]

Giorgio,

When you force a site to https in ff2 using noscript and make http requests, firefox will issue both http and https requests for a given url

[GµårÐïåñ]

Yes, the InjectionChecker component, and specifically its checkJSBreak() checks for non trivial JavaScript code fragments and also checks if they're actually compilable.

Gotcha, thank you.

No objection at all. After all, it's the beauty of open source

I know but as a developer, it is also my professional duty to extend the courtesy of asking before digging through another's code. If I was just random stranger, I can see doing it without asking, but since we are not, it would only be right to ask. Thank you.

[Giorgio Maone]

@al_9x:
steps to reproduce?

[al_9x]

@al_9x:
steps to reproduce?

xp x86 sp3, ff2.0.0.20, noscript 1.9.1.2, new profile

1. add "sso.verizon.net" to the https list
2. navigate to http://sso.verizon.net/ssowebapp/VOLPortalLogin
3. the urlbar will show https://sso.verizon.net/ssowebapp/VOLPortalLogin
4. but a network sniffer shows a request to http://sso.verizon.net/ssowebapp/VOLPortalLogin in addition to the https connection

[NanM]

[*] add "sso.verizon.net" to the https list
[*] navigate to http://sso.verizon.net/ssowebapp/VOLPortalLogin
[*] the urlbar will show https://sso.verizon.net/ssowebapp/VOLPortalLogin
[*] but a network sniffer shows a request to http://sso.verizon.net/ssowebapp/VOLPortalLogin in addition to the https connection[/list]

Reproduced here. The port 80 traffic appears to cease once the connection has been established.
Screenshots of Ridge packet monitoring available if needed.

Edit after update to 1.9.1.2: port 80 stuff much reduced.

[859]

How is it that in about:config there is a parameter noscript.clearClick.exceptions set to three URL including ebay.com (!!!) and I do not see where ClearClick exceptions can be managed in the NoScript options? Where are users pointed to the fact that there *is* ClearClick exceptions?

[Giorgio Maone]

@859:
ClearClick exceptions are sites which are allowed to perform UI redressing (i.e. to embed frames to 3rd party sites with portions of them hidden).
This option has no UI because you generally should not add anything there, unless a surely non-hostile top-level sites is proven to have a valid reason to UI-redress.

1. noscript.net and flashgot.net do use UI-redressing as an user convenience for their "Add to Firefox" buttons, which comes actually from addons.mozilla.org.
2. ebay.com has been added because the one click bid feature apparently conflicted with ClearClick and there's been no way to reproduce this issue, even though a very kind NanM temporarily donated her account (with money) to investigate.

@NanM, al9_x:
Managed to reproduce with Wireshark. Oddly enough, when HttpFox was active as well no http traffic was actually sent, but when I disabled it I've seen one request passing. I'm currently investigating if the response gets actually parsed by Firefox 2.0 or not: in the latter case, the feature would serve its purpose anyway, notwithstanding the double request, otherwise I should patch in next dev build. Stay tuned.

BTW, SURPRISE

[NanM]

Hi 859 Welcome!

The other two exceptions are the author's domains and I'm guessing he trusts himself
It is great to see a user asking questions at the trust level, btw.