Blocking Cross-site scripting (XSS)

Discussion in 'other security issues & news' started by arran, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    Thanks for testing that bellgamin. I am glad to see it worked. I will keep an ear out to see if XSS Warning keeps working for you with no problems and if so then when it is no longer "experimental" I will give it a go.
     
  2. tlu

    tlu Guest

    Sorry, I'm not sure that I understand.:oops: What's the meaning of TOS?

    Not necessarily. Two examples: http://ha.ckers.org/blog/20070228/steal-browser-history-without-javascript/ and http://ha.ckers.org/blog/20070302/portscanning-without-javascript-part-2-2/ . But I agree that most XSS attacks are performed through scripts.
     
  3. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    I use NoScript. I clicked the link but no warning.

    Edit: I was surfing with Sandboxie. But I also tried surfing without Sandboxie, still no warning. Then I turned off the Online Armor Web Shield (surfing with Sandboxie) still no warning.

    I have Java and JavaScript enabled in Firefox. They should be enabled when using NoScript, right?
     
    Last edited: Apr 13, 2008
  4. tlu

    tlu Guest

    Did you read the real-world examples in the Wikipedia article? One example is cookie stealing - an attacker could steal your cookies and palm himself off as Dogbiscuit. ;) (An example for cookie stealing is also on http://www.cgisecurity.com/articles/xss-faq.shtml ). Other examples can be found on http://hackademix.net/category/security/xss/

    Yes, although there are also other approaches (like Flash XSS). Besides, NoScript also checks for XSS patterns on sites you have whitelisted (like Wilders Security).
     
    Last edited by a moderator: Apr 13, 2008
  5. tlu

    tlu Guest

    You have to (temporarily) whitelist the site in order to see the XSS warning.
     
  6. tepe2

    tepe2 Registered Member

    Joined:
    Jan 18, 2006
    Posts:
    558
    Thanks. That made a difference, but I only had a popup-line at the top of the site. This popup disappeared after one second. I also tried with different Notification settings. Maybe not a big deal. I guess my NoScript still works as it should.
     
  7. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Tlu: "border line with the TOS" just means that some sites provide scripts that can be used with bad intentions, but it is the job of moderators to consider what violates the policy of this forum or not (in this case I can also post the code of one or two worms; would it be considered a policy violation?).

    Regarding the XSS without JavaScript, it does not work for me: as it was said on my suggestion, protection vs XSS threats is a methodology, not a product; and in this methodology or process, browser settings hardening is an important step (see image).
    There are various ways to use scripts in a malicious way; a non-popular example is XSS image injection, for instance.

    But more seriously, anything in the client side (plugin, addon, component etc) can be used in a malicious way; so....

    regards
     

  8. tlu

    tlu Guest

    Now I understand. But please note that I included a link to a public forum run by RSnake who's definitely not a criminal but a highly respected guy in the IT security business. The examples there are first and foremost intended to call the attention of site administrators to a growing problem that is still neglected by most of them. As mentioned by you in another post, the XSS problem has to be solved on the server side after all.

    I don't think that pointing to these examples (about which the admins of the affected sites are informed) is comparable to publishing the code of a worm. :(
     
  9. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    The pop-up at the top of the site that briefly notified that NoScript had "filtered" the XSS attempt is all I got too. It might be nice if the maker of NoScript would provide a pop-up that either lasts longer or must be dismissed by the user to assure it had time to be read. In reality though as long as it blocks it I guess it doesn't matter much.
     
  10. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    In my opinion, it DOES matter. Not everyone wants to know what is going on "under the hood" -- but I do.

    XSS Warning gives a warning and waits for the user to respond to it.

    I eagerly await Avira Antivir Premium version 8, which will include Webguard. According to Avira, Webguard uses a proxy & will detect dangerous scripts and XSS. I hope it does a good job.
     
  11. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    I agree bellgamin that it would be very beneficial for the pop-up to remain until the user dismisses it. I hope that the developer of NS sees fit to follow XSS Warning in that area. I just meant that I was glad that it did at least block it whether the pop-up lasted as long as I would like or not.

    XSS Warning looks promising and as I said earlier I will keep listening for your further evaluations of it. I might want to run it on my "family" computer. My wife sees NS about like you do, as more of a "stumbling block" to her enjoyment of the web than anything else. I finally relented and set NS to "Allow Scripts Globally" on that computer so it is really only protecting against XSS anyway.

    Also, I have read that the next version of Firefox has some type of XSS protection built into it. I don't remember much more about it than that though...will have to look it back up.
     
  14. tlu

    tlu Guest

    Normally NoScript shows the same behaviour and you have the opportunity to press the Options ... button within the yellow notification bar. I don't know why it doesn't in this case. I asked Giorgio about it and will inform you about his answer.
     
  16. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I hope Giorgio answers!

    Based largely on tlu's supportive comments, I continue to try NS with FF. It's getting a tad easier to use (practice makes "better").

    I am also running K-meleon, & using Avira's Webguard as my protection against bad scripts/XSS for that browser (it is faster, by far, than FF).

    Does anyone know some sites where I can test the effectiveness of NS & Webguard?
     
  17. Thorsten Sick

    Thorsten Sick Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    2
    Hi

    I do not know how to test NS, but to test the webguard you can:

    • Test if the webguard is active by downloading an eicar.
    • Browser tests are different from drive-by-download sites, detection there is optional. But you can give it a try. Detection on real malware sites should be better.
    • In av-comparative tests "script-malware" seems to be the class of test samples for drive-by-download sites.

    Hope this helps
     
  18. tlu

    tlu Guest

    His answer can be found here!
     
  19. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    One other thing besides extra security that I like about NoScript is that pages load much faster without having to load unneeded scripts. Some of the pages I tried were loading in half the time when they themselves were whitelisted but couldn't load scripts from other sites versus loading all scripts "Allow scripts Globally".

    An example, when I whitelist http://fileforum.betanews.com/ and go there FileForum tries to load scripts from google-analytics.com, googleadservices.com, googlesyndication.com, and doubleclick.net. By having those scripts blocked the site loads much faster and the only functionality I lost was seeing ads.
     
  20. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    :oops: Ooops, I just realized that my last post is a little off the topic of blocking XSS. Sorry about that, back to XSS.
     
  21. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Good schtuff. Thanks.

    It sounds like XSS Warning is weak. Also, my computer does not like Avira Webguard. So I will use NS as my surfing-guard. As I use it more, it gets easier & less obtrusive.
     
  22. tlu

    tlu Guest

    Absolutely. BTW: Since you mentioned that CNN is one of your favourite sites I suggest that you read Giorgio's comment about that site. Quote: "So, to recap, CNN advertising system intentionally uses XSS to insert Web Bugs, and calls this clever solution Smart Count!"
     
  23. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Dem doity ratz!:mad:

    Since CNN uses XSS to perpetrate this infamy, will NS automatically block it?
     
  24. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, NS will block it.
     
  25. tlu

    tlu Guest

    New examples for XSS vulnerabilities on Verisign, Symantec and McAfee sites were found on http://www.xssed.com/ . Somehow disturbing ...

    And there is also news from the Phishmarket.

    XSS is spreading more and more.
     