With LUA & SRP is Noscript necessary?

With LUA & SRP and or anti-executable is Noscript necessary to stay safe?

 

It is certainly useful. Another layer.

 

Noscript is Firefox's way of controlling scripting. Other browsers handle it within the browser preferences.

SRP and the like, will block the executable payload of an exploit that has been triggered.

In cases where javascript is used on a web site to trigger an exploit, controlling scripting prevents the exploit from starting, hence, no executable payload to block.

This is especially true where a user is redirected to a malicious site, for example, in a Google poisoned search. The malicious site usually has embedded obfuscated javascript code to trigger the exploits. With javascript white listed per site, the malicious site's code will not trigger.

----
rich

 

I agree with above two comments. Noscript is still very useful additional layer of protection again exploits/payloads.

 

It would depend on what you are trying to guard against. LUA and SRP should be sufficient to prevent anything installing new or rewriting already installed software. But they wouldn't (for example) stop some browser exploit that might allow a java script keylogger to be loaded when you visit one site and stay resident while you go do you banking a few minutes later. Or so I understand it. If I'm wrong, I'm sure someone will point it out.

What I'm not sure about is whether you can script something that your browser would then happily reload everytime you start a new session. LUA and SRP don't prevent this AFAIK.

 

So,while LUA and SRP may prevent the malware payload from executing, Noscript or browser configuration is important to prevent XSS or CSRF attacks, or information theft. Correct?

Also RMUS, you had a tutorial on how to harden Opera a while back. Do you still have reference to that thread?

 

I thought a keylogger would not be able to execute but wasn't sure about other types of vulnerabilities.

 

Can you point to a current exploit that does this? I would like to check it out.

Any javascript embedded in a web site won't work unless the user has javascript enabled for that site.

You must be thinking of someone else. The only "hardening" I do in Opera is

1) configure cookies and javascript per site, and

2) configure downloads to Prompt rather than Open.

I do recall, however, one of the members is quite the Opera expert and used to post all sorts of Tweaks in the other software & services forum -- I don't remember who it was...

----
rich

 

No, I can't. It is hypothetical.

The part of my post concerning this was assuming that noscript was NOT installed and javascript would be enabled.

 

Not really hypothetical. But I'm quite sure, script-based keyloggers are actively exploited in the wild. It's so trivial if you have the power of javascript and vbscript in your arsenal.

http://www.sandboxie.com/index.php?DetectingKeyLoggers#script

 

re: script-based keyloggers:

Agreed, in fact, several years ago a Wilders member posted PoCs by a fan of R. Hensing, whose 2007 article you cited.

I would like to see one if you come across an example in the wild.

EDIT: scott1256ca describes not just a keylogger, but also:

----
rich

 

I wasn't aware of script based loggers. I thought all keyloggers were an executable. Thanks to all.

 

i hope you can remember who that was. I use Opera now.

 

Well I would like to comfirm the request of Rich: "show me the money" by providing some reference to an in the wild sample


Two comments:
a) With Chrome's sandbox such a hypothetical scenario would only be possible when browsing in the same tab (otherwise impossible), which is a very unlickely scenario of a hypothetical threat (so chances are .... less than winning the lottery IMO)

b) Noscript is usefull, I have seen just to many people not using it in the way Rmus does: for full benefits of the Noscript magic you need to apply A DEFAULT DENY ON JAVASCRIPT and WHITE LIST ONLY TRUSTED SITES.

Regards Kees

 

Oops! Not from Hensing's or rather from Provos' but from Manuel Caballero's. http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

Sure, if ever 'll found one as my spare time will allow me. jk ...

...i'll give the floor to those who have the time and the energy. My day job is completely unrelated to IT or anything about computers or much more about security.

Maybe scott1256ca is talking about these or something similar...

http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

I don't know but might be of interest to you...
http://eaea.sirdarckcat.net/hades.html

 

Thanks, but to use your quote,

I'll wait for a real exploit and then do a risk assessment!

regards,

rich

 

ok, the original post asked "does noscript add any benefit if you already have SRP and LUA".

My reply seems to have caused some confusion.
All I was trying to answer was, "yes, I think it does". I then tried to give an example where noscript could block something that SRP and LUA would not. I pulled the example out of the air. If someone already did a PoC on it, that doesn't change the fact that I pulled the scripted keylogger example out of the air. I just don't want anyone to think that I was implying it was an imminent threat. So sorry, I will not be showing money to anyone

In any case, thanks for the related links.

 

This would make the most sense if ultimate security against scripting dangers is desired. In my case, however, I hate Noscript, and therefore have no use for it; it slows down my enjoyment of the internet and without it I've never once encountered a situation where I needed it with a subsequent feeling of regret not having it. I feel certain that simply running as standard user with some sort of default-deny policy is all that's needed to avoid these over-hyped (by a few) problems. There's one member in these forums, in particular, who loves to cheer lead the latest, greatest threats with overtones of "worry" and "concern" when there's really no need for the rubbish at all

 

You can also use NoScript and allow all scripts globally and then you still have other protection, quote from NoScript developer's blog:

Also if you allow all scripts globally, go to NS options, Embeddings tab, and check Apply these restrictions to whitelisted sites too, then you can use NS too block Java, flash, i-frames etc. or whatever you like from that list, without also blocking javascript

 

Same developer stated Firefox was the safest browser. Before 3.6 Firefox was lagging as see https://www.wilderssecurity.com/showthread.php?t=272374 for facts.

Chrome has less API's available than Firefox, which offered near total control. The complaints the Noscript developer has on Chrome is more or less the same critique the HIPS developers had on x64 kernel patch proctection ("they won't build the API's I need for Noscript" - no off course they won't, they do not want to lower security)

Talking about Noscript author about Chrome is like discussing with the Turkey on what to eat for dinner on Christmas/Thanksgiviing

Chrome sandboxes those issues, a far better approach, see for new chrome goodies https://www.wilderssecurity.com/showthread.php?t=284601

Also due to the way Chrome uses hidden classes in stead of (shared) libraries and compiles javascript itself is less of an issue, see http://blog.chromium.org/2008/09/google-chromes-need-for-speed_02.html

 

I have now actually Uninstalled No Script due to the fact that I was for ever configuring its white and black list per site.

I don't know how other people deal with the following issue. But lets say for example you go surfing thru a whole bunch of websites you have never visited before you find that some sites don't load properly and that not all content is displayed which is limiting your browsing experience due to No Script. You then
have to decide whether it is safe or not to allow scripts to run on a Particular site so you can view it properly, you end up spending more time configuring no script than actually browsing the net.

I just run my browser in an Sandbox Isolated environment with and anti executable app.

 

'Temporarily allow all this page'

If you find yourself visiting a site frequently, spend a few seconds and whitelist that and related sites.

Also you can 'allow scripts globally' and use it the way BoerenkoolMetWorst described.

 

It depends on the overall configuration you have, but probably not necessary.

 

Thanks for the interesting reads.

 

NoScript and HTTPS mixed content... http://forums.informaction.com/viewtopic.php?f=10&t=5269#p22938

As session hijacking was taken tangentially in this thread, a bit off topic(privacy-related) but worth mentioning as it could change the world as Steve puts it... http://ssj100.fullsubject.com/security-f7/firesheep-t289.htm