JavaScript Clipboard Access

http://www.jasons-toolbox.com/BrowserSecurity/table-of-contents.asp?

IE 8 on Win 7 stops it and gives prompt. I was curious if any HIPS will intercept. CFP and GW did not intercept it.

 

Hi aigle,

Is this test for IE/Netscape only? It did not work in Opera with javascript enabled.

----
rich

 

I get this.......

 

Not sure. In Opera, it seems OK even with JS enabled.

 

For a failed JavaScript Clipboard Test, Jason's Toolbox says...

"To prevent a web site from reading your clipboard, take the following steps:

Go to Tools->Internet Options.
Click on the Security Tab.
Click on "Custom Level."
Scroll down to the Scripting section under Settings.
Set "Allow paste operations via script" to Disable or Prompt.
Press the OK buttons to close the dialog boxes."

Trouble is, on IE7 there is no scripting setting that says, "Allow paste operations via script".

I do see a setting to, "Allow Programmatic clipboard access", and it is disabled.

 

Seamonkey passes regardless of its JavaScript settings. Using IE6, the results depend on the security setting "allow paste operations via script". Mine is set to prompt and it works as it's supposed to. I'm not positive but I think this is only possible with Internet Explorer. Alternate browsers are not part of the OS and don't have access to the clipboard. There is a FireFox extension, allow clipboard helper that adds this functionality and uses a user defined whitelist of allowed sites.

I don't see why HIPS should have this function. Internet Explorer will prompt when the security option is set. The other browsers don't appear to be vulnerable. Why duplicate the coverage?

 

Remember a while back there was a similar POC that worked with all browsers. It was like hijacking your clipboard.

 

This is what i get on Win 7 with IE 8, default settings.

 

I never got around to checking into that POC. I'd have to try it and see what it does and which browsers it affects. For the most part, code like that gets filtered out before it reaches my browsers. All of them are forced to connect thru Proxomitron. That's the only way I'll use Internet Explorer.

IMO, it would be better for this to be addressed by the browser itself or by a web filtering app or plug-in like Proxomitron or NoScript. I'd rather not see this included in HIPS. On my setup, HIPS defends the attack surface (web apps, firewall, Proxomitron) and limits what those apps can do if they are successfully compromised, but does not handle potentially malicious content itself. If HIPS is also given the task of filtering web content, that would make it part of the attack surface. It creates a potential attack vector that reaches to the system kernel.

 

I failed the JavaScript Clipboard Test using IE7. Anyone know which browser setting can be changed to fix this? The one suggested by Jason (Set "Allow paste operations via script" to Disable or Prompt) is not present in IE7. https://www.wilderssecurity.com/showpost.php?p=1395980&postcount=5 Thank you

Edit in: I question whether the failed notification from the test is accurate. It states, You're failed that JavaScript Clipboard Test. The JavaScript on the previous page was able to read the following data from your clipboard: "", showing the clipboard contents as blank (with no data between the quotations), yet I did have data on the clipboard. Does this seem right? It doesn't to me.