Well I installed Sandboxie.

Discussion in 'other anti-malware software' started by cheater87, May 11, 2008.

Thread Status:
Not open for further replies.
  1. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    But this isn't the function of Sandboxie, and with NoScript you're good to go.

    BTW, XSS is very complex and hard to get by; this is food for security professionals, it's almost rocket science. But we still wait for real solutions for the non computer illiterates like me and a host of others, so for the moment NoScript and the likes are some kind of defense.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I also have No Script in Firefox, and I have it turned off. It was just too annoying, and with Sandboxie I feel well protected.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Subset. I run OA run safer, as well as Sandboxie, and like I said above, I've turned off no script. I just don't see the need.
     
  4. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    How do you know you don't get spoofed or redirected? Have you JavaScript allowed for any site? How do you make out which sites are compromised or not? Sandboxie does nothing against these attacks; it does so only for the client side of the web-based application if configured right. But that is not enough to protect you against cross-site scripting.
    IMO NoScript is useful against these attacks!
     
    Last edited: May 18, 2008
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I think only that you will still be vulnerable to cross-site scripting.
     
  6. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    I don't deny that; the people that create this stuff are much smarter than me.
    I said "useful", but not perfect.
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Okay, so what exactly happens if I am hit with cross-site scripting?
     
  8. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    You are, of course, amortizing any out-of-pocket losses suffered by those who modify their security set-up based upon your unsupported ASSUMPTION? :doubt:

    NoScript is a freebie. Its proponent has NO ulterior motive for FUD in order to promote his security app. If the mere use of DropMyRights/RunSafer+SBIE could simplistically *solve* the problem of XSS/bad scripts, how convenient it would be for the browser programmers & security programmers who have been wasting their time trying to defeat these exploits when, all the time, Pete's amazingly simple solution was right there before their very noses.:D

    I suggest that folks might want to do a bit of reading before passing out comments inferring that it is okay to shut down one's XSS/bad script protection.

    The absence of XSS affecting many folks here at Wilders is largely due to the same reason why the "running naked" & "PlaceboAV" threads are having so much fun here. Namely: (1) the law of averages protects us (900 jillion people on the internet, with just a teeny weeny fraction of them hanging out at Wilders), PLUS (2) many of the denizens of Wilders are "squeaky-clean-livers" who practice safe hex.

    There are lots of good reasons for using a sandbox such as SBIE. But SBIE is NOT a panacea whereby one should recklessly shut down his other security unless & until he actually knows what he is doing, based on study of facts & not mere anecdotal speculations.

    Do a Google. You will find tons of answers. Here is one. And here is one that is both shorter & simpler.
     
    Last edited: May 18, 2008
  9. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    I don't think Pete is telling anyone to ditch NoScript. He is simply stating his setup.
     
  10. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Whoa Bill. First, I never even implied the author of NoScript was spreading FUD. I just said using it is a pain, and it is.

    Second, I don't make an unsupported assumption, as I've thrown quite a bit of malware at Sandboxie and it's blocked it from harming the system. That's not assumption, that's fact.

    Third, what you wrote would imply that unless someone had Firefox with NoScript they weren't protected. Maybe so, but I don't buy it.

    Finally, I don't browse with 100 tabs, rarely more than 1, and I wisely exit the browser, and empty the sandbox prior to visiting any banking type sites.

    I read the links, and still ask how is cross scripting going to hurt me.

    Since you are jumping on me about this Bill don't point me to links, please explain it to me.

    Pete
     
  11. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I agree with Subset and Peter that NoScript is a pain in the ... TOS ;).
    Let me put it this way :
    1. Can you use NoScript without blocking scripts all the time and still have the XSS protection ?
    2. Is Sandboxie strong enough to protect you, when all scripts are allowed in NoScript ?
     
    Last edited: May 19, 2008
  12. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Supposedly if you tell NoScript to allow scripts globally it will still protect against XSS.
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    There is no way I could put it more clearly or succinctly than Giorgio Maone did in the first link I provided for all those who are sincerely interested in learning more about this fascinating threat category. Here is a partial extract (emphasis added by me) which is quite specific to the insufficiency of SBIE+LUA/DMR/RunSafer for this threat category...
    +Internet Explorer- The current beta of IE builds in capability patterned after NS.

    +K-meleon - Because of urging/begging by several concerned K-meleon users (myself included) in this forum thread there is now a modified version of a recent NS that runs quite nicely under K-meleon browser.

    +Opera- Beta testing of NS for Opera proceeds apace. See also NS-related discussions for Opera here & here. See also THIS interesting script to gain a stop-gap NS capability for Opera, pending completion of the beta. It works to a degree, I am told.

    So the happy answer is NO -- one does not need to run FF+NS in order to use this vital type of security. It is already available or in development for ALL mainline browsers.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    I have not had ANY malware bother me for quite a long time, nor even try to (AFAIK). Even so, I find it prudent to run an Antivirus, a HIPS, NS, practice safe HEX, etc. The fact that someone can remain untainted while riding bareback is a matter of the law of averages, luck, the computer usages by that specific individual, the sites visited by that specific individual, etc.

    Therefore, anecdotal comments about being untouched despite non-use of contemporary security apps is simply beside the point -- especially when discussing such matters in company with those who might not be as lucky or skillful or cautious.

    I have tried to point any interested readers to some facts on this matter, provided by persons much more technically savvy than myself. If I have annoyed anyone by doing so, I am truly sorry -- but also puzzled.o_O
    ~~~~~~~~~~~~~~~~~~~~~~~~~
    @Erik- YES, NS will handle XSS even if you globally allow scripts. As to Sandboxie protecting against bad scripts -- As I understand it, SBIE is purely & primarily a sandbox. Period. The main threat (as I see it) that SBIE won't protect you against is password stealing, key logging - that sort of thing. Defense Wall will protect against that sort of thing because it is a sandbox+HIPS, whereas SBIE (as said b4) is pure sandbox.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~
    Those interested in *the rest of the story* should enjoy reading NS FAQ & NS Basics. Also, the NS part of Mozilla's sloooow-loading forum is Yonder.

    Pete- I'm waaay OT, so please forgive. If you decide to send these ramblings to outer darkness or a more appropriate thread, N.P. Peace unto thee & thine.
     
    Last edited: May 19, 2008
  14. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    Long after we are all gone, there will be heated threads, discussions about the newest threats. I'm in awe of what the human mind can achieve technically, but mentally we are still living in the stone age! LOL

    Bellgamin, SBIE with some altering of the ini file can protect against host intrusion, code injection of your browser, no HIPS needed, and yes, SBIE is a pure sandbox. ;)

    Comes to mind that it then works like a whitelister such as the Anti-Executable proggie in a sandbox!
     
    Last edited: May 19, 2008
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not sure how scripts can hurt me badly.

    1. Sandboxie locks my data partition : no reading, no writing, no stealing.
    So scripts can't do anything in my data partition.

    2. So only my system partition is vulnerable to scripts during browsing.
    The only thing that scripts can do in my system partition is damage it, because there is nothing to steal.
    Two possibilities:
    a. The damage is done, but my reboot-to-restore UNDOES any change: no damage anymore.
    b. My reboot-to-restore doesn't work, in that case ShadowProtect will do the job: no damage anymore.

    So what is the problem ? Am I that stupid ?
     
    Last edited: May 19, 2008
  16. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    It's not really about what's going on at your system, but more what you put out to the web. Legitimate websites can be taken over by the bad guys and will try to lure you into entering credentials and all personal stuff like credit card numbers. Problem is, damage can already be done before they eventually are exposed and recognised.

    I'm not a security illiterate, but AFAIK some very smart programmers should be involved, very smart but bad!
     
    Last edited: May 19, 2008
  17. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    Regarding what Peter said, "...I wisely exit the browser, and empty the sandbox prior to visiting any banking type sites."

    Can these scripts steal any information if the sandbox is emptied before visiting a banking site?

    The articles mentioned sensitive information being exploited within the sandbox, but none (that I could tell) addressed whether information could be 'stolen' if the sandbox is continually emptied, and emptied before visiting a banking site.
     
  18. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. But that problem is also solved. I keep on using NoScript for XSS protection, just not the script protection.
    Besides lots of users will turn off NoScript, when they can't read a website very well or want to buy something online.
     
    Last edited: May 19, 2008
  19. Huupi

    Huupi Registered Member

    Joined:
    Sep 2, 2006
    Posts:
    2,024
    It's a gain/lose situation: if you make a website with just plain text, it's boring but compromise is reduced. A website with full JavaScript and HTML pages gives a richer experience, but the danger of exploits grows.

    These guys are smart, in some cases just mirroring the original site (needed for XSS), and before you are aware, your sensitive info is exposed to these guys.
     
    Last edited: May 19, 2008
  20. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I'm not sure. Usually I boot-to-restore before online-banking, which means that my sandbox is empty, while my system partition is malware-free and clean again.
    According to my readings, some keyloggers operate from the pagefile.sys, which isn't erased during boot-to-restore or cleaning the sandbox.
    In theory you have to clean pagefile.sys as well, which will slow down your shutdown or boot-to-restore.
     
    Last edited: May 19, 2008
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Couple of points and a question.

    1. Sandboxie blocks sandboxed programs' access to my D: drive and My Documents, so no theft.

    2. When I run my browser sandboxed it is the only thing that can either run or access the internet.

    3. Dealing with keyloggers. Let's assume a bad site downloads a keylogging program. I can't install it 'cause it probably needs to install either drivers or services, which it can't. Also can't install any auto run. Then with my settings it couldn't run in the sandbox anyway, and even if it could it couldn't access the browser. Finally, when I empty the sandbox it's gone.

    Final question. Am I reading correctly, that if I have No Script installed in Firefox, but have Scripts Globally allowed, then I am protected anyway?

    Pete
     
  22. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,156

    I see what you're saying: because you have NoScript disabled you're still protected because of Sandboxie, probably true. But I wouldn't say that Sandboxie is 100 percent bulletproof.

    I use both NoScript turned on and Sandboxie. I use both because it is 2 security layers instead of just 1. So if malware gets past 1 of the security layers the other will block it.

    Also I find that sites load a bit faster with no script on.
     
  23. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    ScriptDefender was IMO the best available software to block scripts. Very simple too.
    Unfortunately ScriptDefender is as good as dead and it had serious uninstalling problems that corrupted my system partition, that's why I stopped using it. Reporting the problem was impossible, the link was dead.
    I tried a few others after that, but they weren't good enough.
    Somehow I hope that next versions of AE will stop scripts, AEv3 in beta has at least different whitelists now instead of one, I wonder what you can do with them.
     
    Last edited: May 19, 2008
  24. Scoobs

    Scoobs Registered Member

    Joined:
    Sep 21, 2005
    Posts:
    115
    Is this right? Sounds like a good solution if so.
     
  25. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I believe it is correct, XSS protection in NoScript has to be activated on a totally different screen.
    Of course it would have been nicer to hear this from someone, who really tested this out.
    But that doesn't solve the script protection, unless Sandboxie can do this. Sometimes, I wished, I was a malware expert.
     
    Last edited: May 19, 2008