Blocking Cross-site scripting (XSS)

Ive heard that you can get dangerous scripts with your browser. Is there any other software that can filter out/block XSS Scripts other than the no script add on for fire fox??

I currently use Opera, would turning off Java Script be sufficient?

 

Most but not all XSS attacks are Javascript related, see this post. Another example is Flash-based XSS.

 

Ajax, Java Scripts and VBscripts... others... (basically any type of CGI )

Iframe's and XSS, BHO's, Active X and so on can go in the background on the Internet, and pull up just about anything scripts wise which in turn can call on executables, so if it can be ran within the browser's interpreter it then can pull executables to be processed and injected into something else...

The only real alternative to NoScript is to use sandboxie to do your browsing... (Although Why not use it w/Firefox?) in either case: Your browser will be injected, and modified, executable might be pulled in from the internet and might even run and install other executables and infect your system to the gills, but as you delete the sandbox it's all gone...

Personally I would use Firefox w/Noscript within sandboxie + a Good HIPS and a decent AV to boot... One cant be too careful online these days.

Doing so you will be giving the middle finger to a lot of hack's...

 

As to NoScript (NS)...

Q1- If a user adds a given website to NS's list of Trusted sites, isn't it a fact that NS somewhat relaxes the stringency of its monitorship over the activities of that particular website?

Q2- Isn't it a fact that just about ANY website can unknowingly become an *XSS carrier* -- especially if that website accepts user input (such as a forum)?

Q3- If the answers to Q1 & Q2 both are "Yes", then isn't it unwise for me to add ANY website to NS's permanent Trusted list?

 

In my list above I forgot to mention the use of Linkscanner Pro as well as Siteadvisor.... (I did in many other posts) to counter many of these hostiles, however yes there are multiple inherent weaknesses in sandboxes related to web browser exploits as in the interceptions of cookies that contain secure info and logon credentials...

 

Hello arran,

I have been a loyal and diehard user of Opera. The following are things that I have performed in and around Opera to "minimize" the risk/threat of XSS.

1.) Disable Java or uninstall Java.(Note: I chose the latter.)
2.) Disable Plug-Ins(flash, etc...)
3.) Disable inline frames
4.) Leave JavaScript(JS) enabled, but with all JS options unchecked/disabled.
5.) Install three specific Opera User JavaScript files which include:
http://userjs.org/help/installation
Prevent Malicious Redirects (http://userjs.org/scripts/general/fixes/redirect-opera-fixer)
Block Unwanted Scripts (http://userjs.org/scripts/general/enhancements/block-unwanted-scripts)
Transparent Flash Removal (http://userjs.org/scripts/general/enhancements/remove-transparent-flash)
6.) Disable GIF/SVG animation.

Other than what I have done to Opera above, I employ the use of DefenseWall(policy restriction sandbox) to restrict the potential damage of web browser targeted malicious scripts and related payload(drive-by-downloads, exploit targeted malware, etc...) within the confines of its sandbox. Other sandboxing alternatives include BufferZone, GeSwall, SafeSpace and SandBoxie. Browser specifc sandboxes include Internet Explorer 7's "protected mode"(Vista only), AMUST 1-Defender and ZoneAlarm ForceField. An alternative to browser-specific sandboxes would be to run one's browser with limited rights by way of DropMyRights or similar means.

Why iframes are a security risk:
http://www.thespanner.co.uk/2007/10/24/iframes-security-summary/

How can users protect themselves from XSS:
http://www.howtocreate.co.uk/crosssite.html#userprotect

Other than using NoScript with FireFox for protection against malicious scripts, iframes and XSS, other alternatives include Haute Secure(Internet Explorer/FireFox) and Linkscanner Pro and possibly Finjan's SecureBrowsing(Internet Explorer/FireFox).

Hope this helps.


Peace & Gratitude,

CogitoErgoSum

 

Very helpful comments for anyone using Opera (& me,too, if I should decide to switch to Opera).

Now will somebody please answer my Q3 from post #4 above?

 

bellgamin if no one here can answer your question (I certainly can't) maybe you could post here, NoScript Forum The developer monitors it and seems quick to reply.

 

4

Doing this will allow pages that require js to render properly, while restricting the actions of certain js based exploits?

 

From NoScript website:

NoScript features unique Anti-XSS counter-measures, even against XSS Type 1 attacks targeted to whitelisted sites. Whenever a non-trusted site tries to inject JavaScript code inside a trusted (whitelisted and JavaScript enabled) site, NoScript filters the malicious request neutralizing its dangerous load.



and:

By default, Anti-XSS protection filters all requests from untrusted origins to trusted destinations, considering trusted either "Allow"ed or "Temporary allow"ed sites. If you prefer "Temporarily allow"ed sites to be still considered as untrusted origins from the XSS point of view, you just need to set about:config noscript.xss.trustTemp preference to false.
Furthermore, since version 1.1.4.9 NoScript checks also requests started from whitelisted origins for specific suspicious URL patterns landing on other trusted sites: if a potential XSS attack is detected, even if coming from a trusted source, filters are promptly triggered.

 

Firebytes,

Does this mean that NoScript can identify, the way a blacklist scanner does, which scripts contain potential XSS attacks?

Thanks.

 

solcroft,

I am certainly not an expert on NoScript and was merely quoting from the NoScript site. It would seem to me that it can identify which scripts are XSS though; as that is the whole point of it's XSS protection. I don't know exactly the method it uses to determine what is an XSS attack, in the quote below it just mentions "filters" (again quoting from the NoScript website):

"NoScript's Anti-XSS filters have been deeply tested and proved their ability to defeat every known reflective XSS technique, but their power is a double-edged sword: sometime they may detect a weird looking but legitimate request as a "potential XSS attempt". This should almost never be a show stopper, since the filter most of the time doesn't prevent you from navigating the filtered page, but the aforementioned Unsafe reload command and the XSS Advanced Options have been made easily accessible so you can work-around if you hit a false positive with side effects. Just please notify me when it happens, possibly reporting the messages NoScript logged, so I can keep tweaking NoScript's "XSS sensibility" as needed."

Hope this helps. If not as I said you can post at the NoScript Forum, the developer seems quite fast at replying to questions and concerns.

Also, here is the page from where my quotes originated: Anti-XSS Protection

 

Hello benny bronx,

Yes, doing this will allow js to render properly, but will not allow it to perform the eight specified actions listed in "JavaScript options...". In my case, the only js option that will run is my user js files.


Peace & Gratitude,

CogitoErgoSum

 

Can you use noscript JUST for XSS protection, while still allowing all other scripting? I find noscript to be a pain to use but want the XSS protection. Thanks.

 

If the documentation is anything to go by, you can say that NoScript employs algorithms to detect XSS attempts while minimizing FPs.

I'd guess that whitelisting every site you visit would do the trick. I could be wrong, though.

 

I don't think it would allow this functionality as you would have to allow scripts globally thus disabling the filtering... I don't thinks this would be wise as it opens the door to everything from Iframes to XSS free access..

 

Hi,

XSS is a client/server side threat, so there's no absolute solution against it (you can only control what happens on your host, not the server side).
With a simple scripts it's possible to detect if tor is used or not, to change router settings (password), to get a shell on a machine etc...
It's a complex threat, and off course the answer is not a product in particular, but a methodology.

Noscript is interesting but rely to trusted sites.
Another interesting firefox add-ons is XSS Warning, but it's important to consider that any add-ons or plug-in can be defeated (case of NoScript and XSS Warning).

Surf comfort (scripts, flash etc) is not always the friend of Security.
A good solution to mitigate risk is to use a text browser like Lynx under a sandbox (Sanboxie) or virtual (DefenseWall, BufferZone free etc) condom.
But seriously, who use Lynx browser...

On the server side, it's up to webmaters to audit and protect their web applications.
The open source community has for instance released a web applications firewall designed to harden and secure servers (Appache) against such attacks: it is ModSecurity.


Regards

 

I used Noscript for a few days then uninstalled it. It was just too much of a hassle to get NS to allow certain types of sites to work properly. In some cases I had to trust 3 or 4 URLs in order for (e.g.) a news site to be able to display news stories & videos from sites that it linked to. Every new link had to be separately trusted -- huge PITA!

By the way -- with NS gone, FF zzzzips along once again.

Thanks for this link. I have installed it to replace bothersome Noscript.

Tu tu true. There never was a horse that couldn't be rode. There never was a rider that couldn't be throwed. Still... we do what we can, wot!

P.S. This thread makes me wonder what real value is there to be had from web scanners (aka http scanners) if they do not block XSS?

 

AFAIK, Both NoScript and XSS Warning come from the same author (Giorgio Maone)

 

I hope you're right. He is obviously good at this sort of protection. Even so, for me NoScript is excessively intrusive when I am surfing news sites and other sites with lots of links. It seems that others may feel the same way, inasmuch as Mr. Maone offers XXS Warning as a stand-alone whereas NoScript includes XSS protection.

People sometimes joke that the safest protection against malware is to chop off one's internet connection. For me, NoScript made me want to do exactly that.

On the other hand, XSS is much much less intrusive.

 

XSS+phishing in Italian bank hack

As usual, common sense (don't follow links in mails -even if they look legitimate- which are unsolicited and are financially related) defeats this serious attack.
Giorgio Maone's opinions

 

Common sense isn't so common nowadays.

I do wish Giorgio had given a plug for his apps -- such as: "Of course, if you were running Noscript or XXS Warning, then you would have been alerted to this exploit."

It's disturbing information, Lucas -- but thanks for posting it. I am increasingly convinced that password stealing is possibly THE most threatening threat there is nowadays. And yet, I do not know of ANY behavior blocker or web scanner that gives warnings when XSS is encountered. I do hope someone will show me to be wrong.

 

He did that

With XSS, nothings happens on your local filesystem:

With XSS, it's all about web-based crimeware. All the action happens inside your browser. Behav. blockers and web scanners (with the POSSIBLE exception of AVG's LinkScanner) are hopeless here.

 

Then "web scanners" should not be called "web scanners." Why? For the reason that, when it comes to deflowering "THE most serious web threats", web scanners are like stud horses afflicted by E.D.

 

They're called webscanners because they hook/intercept the network traffic directed to the browser (HTTP mainly) and scan it looking for malware or exploit attempts.
I'd say that the detection of XSS by a traditional scanner is next to impossible. Parsing JS on the fly without performance penalties and FPs is a tough work.