Blocking Cross-site scripting (XSS)

Discussion in 'other security issues & news' started by arran, Feb 24, 2008.

Thread Status:
Not open for further replies.
  1. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Okay, I will have another look at NS in the near future.

    However, the web guard with version 8 of Avira professes that it spots/blocks XSS. See Hither and Thither. I would appreciate your comments regarding Avira's claim.
     
  2. tlu

    tlu Guest

    I have no idea how good Webguard is in detecting XSS attack vectors. That guy from Avira (Radu Gheorghe) says in their forum that he's using Noscript himself so it seems that he's not too much convinced by the capabilities of Webguard.

    In general, I think it's a better approach to block scripts/plugins/XSS for all unknown sites by default so you are always on the safe side. Combining both approaches is even better, of course.
     
  3. Thorsten Sick

    Thorsten Sick Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    2
    Hi

    To gain protection against XSS/Drive-by-Downloads you need a proxy. A guard detects the file in the browser cache, but the browser will already be exploited.

    The AVIRA engine has a special module for malicious scripts/HTML.
    The detection is named HEUR/Exploit.HTML or HTML/*.Gen.
    It can detect:
    - Encrypted malware (HTML/Crypted.Gen)
    - Infected Web pages (HTML/Infected.WebPage.Gen)
    - Exploits (HTML/ADODB.Exploit.Gen, HTML/RCE.Gen, HTML/Shellcode.Gen)
    - Specific Malware (HTML/Feebs.Gen)
    - other stuff (HTML/Silly.Gen)

    Additionally, there are signatures.

    The HTML heuristics are configured together with Stefan's binary heuristics.

    Radu is right when he suggests additionally using NoScript. It is a very good tool if you want defence in depth. But you should be computer literate to use it and decide which pages should be allowed to execute scripts.
     
  4. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Thanks Thorsten -- it's an informative post.

    I re-tried NoScript, but still do not like it. Instead, I am using a Firefox plug-in called "XSS Warning" by the same person who created NoScript.

    If I use WebGuard plus XSS Warning, I am protected pretty good, right?
    Right?
    :doubt:
     
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    IMO, those are the key words :)
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,639
    Just a correction: they are not made by the same person.
     
  7. MikeNAS

    MikeNAS Registered Member

    Joined:
    Sep 28, 2006
    Posts:
    697
    Location:
    FiNLAND
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're right, it was my mistake. Gianni Amato is the developer of XSS Warning and Giorgio Maone is the developer of NoScript.
     
  9. tlu

    tlu Guest

    The XSS Cheat Sheet is available again on http://ha.ckers.org/xss.html .
    The author RSnake - aka Robert Hansen (or is it vice versa? :D) - is co-author of the book XSS Exploits and surely one of the most knowledgeable experts on XSS and other security issues. BTW: He's also a Noscript fan ...
     
  10. tlu

    tlu Guest

    Why not?

    It protects you against XSS attacks (although I don't know if it's as good as Noscript) but it provides no protection against other zero-day Javascript based attacks - and most Firefox security leaks have been somehow related to Javascript (see this article regarding the latest ones). Besides, it doesn't protect against security leaks in plugins like Java, Flash, Silverlight, etc. - and there have been lots of them in the past.
     
  11. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Two Irish lads, no doubt -- I wonder if they're related?:D

    Who can explain tastes? (as the lady said when she kissed the cow). :cool:

    But seriously --

    ***I found that 95% of sites were not adequately functional unless I trusted them on at least a temporary basis. Bloody inconvenient.

    +++I would not knowingly visit a site that I don't trust. No porn, no chat rooms, no PnP (whatever that is) etc. Such being the case, ALL my sites are "trusted." As I understand it -- at a "trusted" site, NS becomes little more than an XSS-warning for those sites, right?

    +++BOTTOM LINE -- for trusted sites, what more does NS do than is done by XSS-Warning?

    P.S. I am sincerely seeking counsel -- NOT arguing.
     
  12. tlu

    tlu Guest

    :D

    Strange - not in my experience ...

    So I guess that you're the only surfer in the world who doesn't use Google to search for new = unknown = untrusted by definition sites ... ;)

    If you mark all sites as trusted that's basically true. But again, I've been using Noscript for quite some time and I don't find that necessary.

    Nothing, indeed. But since XSS is becoming more and more popular and many trustworthy sites (like, e.g., banking sites) have been victims of XSS attacks, this alone makes Noscript important. And on all untrusted sites - and I stick to my opinion that most of them do not need to be whitelisted - you are protected against other attacks through security leaks in the browser and plugins.
     
  13. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I don't smoke and I don't chew & I don't go with girls that do (our class won a Bible!)

    Rest assured -- you have convinced me, and I am very grateful for your patient & helpful comments.

    But my use of XSS Warning will protect me against XSS, right? Also, the WebGuard of Avira's version 8 antivirus claims that it protects against bad scripts & XSS, so I shall be doubly protected (I think). Plus I browse with JS & Java & flash turned off, except at those sites where I know one or the other of them is actually needed. (E.g., Wilders won't do smilies unless JS is turned on.)

    By the way, the CNN news site is one of my favorites. When I was testing NoScript, CNN's videos would not work. So I whitelisted CNN's video page. Videos still wouldn't work. So I killed NS & refreshed -- THEN they worked.

    No doubt NS wasn't working because I was doing something wrong. If you have a moment, I would very much appreciate it if you would give CNN videos a try & teach me what I am doing wrong (or failing to do) in order to view CNN's videos with NS running.

    Aloha...bellgamin
     
  14. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    I believe that even on trusted sites NS only allows the scripts coming directly from that site. I tried the CNN website and even with it whitelisted I had to right click the NS icon and select "Allow turner.com" to view the videos. I also had the option to allow cnn.net but it was not needed to see the videos.

    To make things a little easier, on the general options for NS, I always set it to allow sites opened through bookmarks. That takes some work out of it but as you go to those sites the first time, or any others you whitelist, you may still have to allow content opening from other sites. If you usually just visit the same sites over and over this won't be a problem after allowing needed content on the first visit.
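As an added illustration of the behaviour Firebytes describes (example code written for this page, not NoScript's own logic), the following Python models per-site script permissions: whitelisting the page's own domain allows only scripts served from that domain, and a script host such as turner.com must be allowed separately. The sample HTML, the script URLs and the ads hostname are constructed for the example; the base-domain helper keeps only the last two labels, a simplification of what a real blocker does with the public-suffix list.

```python
"""Added example: NoScript-style per-site script permissions (simplified model,
not NoScript's own code). Shows why whitelisting cnn.com alone does not
allow a player script served from a turner.com host."""
import re
from urllib.parse import urlparse

# Constructed sample page; the script URLs are illustrative stand-ins for a
# news site whose video player is served from a separate content-delivery domain.
SAMPLE_HTML = """
<html><body>
<script src="/js/site.js"></script>
<script src="http://www.cnn.com/js/nav.js"></script>
<script src="http://i.cdn.turner.com/player/video.js"></script>
<script src="http://ads.example-ads.net/tracker.js"></script>
</body></html>
"""

SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)


def base_domain(host):
    """Collapse a host to its last two labels. Simplification: a real
    implementation would consult the public-suffix list (co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def script_hosts(page_url, html_text):
    """Hosts that the page's <script src> tags load from, in document order.
    Relative src values resolve to the page's own host."""
    page_host = urlparse(page_url).hostname
    return [urlparse(src).hostname or page_host
            for src in SCRIPT_SRC.findall(html_text)]


def decide(page_url, html_text, whitelist):
    """Split script hosts into (allowed, blocked) given a whitelist of base
    domains, the way a per-site script blocker would."""
    allowed_domains = {base_domain(d) for d in whitelist}
    allowed, blocked = [], []
    for host in script_hosts(page_url, html_text):
        target = allowed if base_domain(host) in allowed_domains else blocked
        target.append(host)
    return allowed, blocked


if __name__ == "__main__":
    page = "http://www.cnn.com/video/"
    for wl in (["cnn.com"], ["cnn.com", "turner.com"]):
        ok, no = decide(page, SAMPLE_HTML, wl)
        print(f"whitelist={wl}: allowed={ok} blocked={no}")
```

With only cnn.com whitelisted the player script from the turner.com host stays blocked, which is the "Allow turner.com" step in the post; adding turner.com leaves only the unrelated tracker host blocked.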
     
  15. Dogbiscuit

    Dogbiscuit Guest

    With all due respect, how does Noscript specifically protect a user here? If a website attempts something malicious using javascript, for example, wouldn't the site's author usually insist that you can't access the information unless you enable javascript?

    Noscript's value here seems to be in protecting you from drive-by malware that exploits zero-day vulnerabilities (which are rare), and, at the same time, must lure you to a website while the vulnerability is not yet patched. A very short window of time to crawl through, so to speak.

    And, like a HIPS, if you don't know how to use it, it probably won't provide all the security you seek. For example, how can someone tell if a website is benign or malicious, so that the choice about whether to allow javascript is correct? o_O

    You could also make a comparison to the http scanning feature of AV software. Like web scanning, Noscript is obviously useful for people who don't keep their software constantly updated, because it protects them from drive-by malware exploiting these open vulnerabilities. It seems more narrowly helpful during that period after the discovery of a vulnerability, but before AVs can be updated or OSs patched for those of us who keep updated.

    I haven't as much knowledge of XSS as I would like, and correct me if I'm wrong, but wouldn't not opening up multiple browser windows (i.e., being online to your bank and reading your email at the same time) prevent much of what the anti-XSS feature of Noscript protects against?

    Like bellgamin, I'm seriously interested in understanding where Noscript's real value lies (in which settings it's valuable), not trying to win an argument.
     
    Last edited by a moderator: Apr 12, 2008
  16. tlu

    tlu Guest

    Congratulations ;) But I wasn't speaking merely about sites with objectionable content.

    bellgamin - now I'm completely confused! First of all: How are you doing that? I think it can only be done in Opera by disabling JS etc. by default and enabling it for specific sites via the context menu, or in IE by disabling any scripting in the Internet Zone and adding the trusted sites to the Trusted Zone (which is rather circuitous, IMHO). Noscript does exactly this with just 2 mouse clicks, which is much more convenient! Secondly, in a previous post you wrote: "I would not knowingly visit a site that I don't trust. No porn, no chat rooms, no PnP (whatever that is) etc. Such being the case, ALL my sites are 'trusted.'" But now you're writing that you turn off JS and plugins by default - how does that fit together? What really confuses me is that you don't like NS although it does exactly what you're already doing anyhow, but only in a much more comfortable way. o_O I would like to understand what exactly you don't like in NS, especially in comparison to the other approaches above.

    Firebytes already answered that question.
     
  17. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,713
    Location:
    George, S.Africa
    Easiest for me in Opera is toggle js on/off.
    (In FF NoScript rules; in IE :gack: )
     

  18. tlu

    tlu Guest

    Dogbiscuit, as I wrote in a previous post, in my experience most sites can be at least viewed without enabling JS. If it's nevertheless necessary or even requested - well, you have at least the chance to decide. Other info from extensions like WOT or Finjan Secure Browsing might help.

    I agree that the risk of zero-day attacks under Firefox is rather limited as vulnerabilities are patched very fast. Besides, Javascript in Firefox is less dangerous than JScript in MSIE (This browser is tightly integrated in Windows. A couple of other system applications (like Help and Desktop) use IE. To make this possible Microsoft extended the abilities of Javascript by creating JScript. JScript is as powerful as VBS: via FileSystemObject it can open or delete files, start applications, communicate with other processes etc. Thus, it's obvious that a security flaw very often affects many other aspects of the OS. Javascript (as used in, e.g., Firefox) is much more limited as it doesn't have a FileSystemObject and therefore no direct access to your local files. And, of course, Firefox (or any other browser) is not used for other system applications - a security flaw consequently won't affect other functionalities of the OS.). On the other hand, Noscript also protects against vulnerabilities in plugins just in case you missed the newest updates for Java, Adobe Flash ... whatever. And last but not least, NS (particularly if used in combination with Adblock Plus) makes my surfing more comfortable (no more annoying popups etc.) and enhances privacy since it disables Javascript links and flash cookies to 3rd party sites (like doubleclick etc.) even if JS is allowed for the site you're currently watching.

    A nice overview with a couple of examples can be found on Wikipedia and many more examples of attacks on sla.ckers.org.
     
  19. Dogbiscuit

    Dogbiscuit Guest

    Yes, I see. When software is not current, Noscript can protect you from malware trying to exploit open vulnerabilities before you update. Once you are updated, however, NoScript would then seem to be much less valuable for security, since you are protected already by being updated. What's left would be those rare zero-day vulnerabilities, which again, would not only require the not-yet-patched flaw to be in the hands of the malware writer, but also a website you would need to go to during this time frame for the infection to take place.

    So if you regularly don't/can't keep Firefox and/or plugins updated for some reason, security could be enhanced with Noscript significantly. Otherwise, I can see some, but not a significant benefit to security.

    Understood. NoScript for comfort, fun, education, etc.

    The value from using NoScript for privacy seems clear to me, assuming someone wants/needs the extra privacy.

    XSS and Noscript: still trying to understand how serious XSS attacks are, and if disabling javascript is the most effective way for a user to protect themselves. Thanks for the links.
     
  20. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Perhaps we should contact Giorgio Maone to get his views on XSS and NS without too much technical info?
     
  21. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Antivirus products are totally ineffective against XSS threats (verified in practice).
    And their protection against drive-by downloads is poor: the blacklist concept applied to web filtering is also a "dead end" (see MPack, which infected a lot of computers before being detected).
    Symantec has released a special product (Norton Confidential), but it is also ineffective against XSS threats.

    I could not be more informative than this: the most interesting tools and sites are out of the TOS because they can be used to audit a web page for XSS vulnerabilities, but also to attack these pages (some links provided by tlu are quite borderline with the TOS too).

    XSS attacks need scripts to interact with the client side (browser, IM, etc.), and by using Lynx under a virtual/sandbox condom, the end user can highly mitigate the risk (cookie and stored password theft, for instance).
    But surfing should be a pleasure, especially with popular Web 2.0 sites (MySpace and co).

    I can suggest quickly:

    -choose an armored browser (paid ones exist too) like Firefox (can be used for defense and attack) and harden the settings: by TCP/IP permissions (more simply, only allow ports 80 and 443 as a Firefox firewall rule), limit the cache, do not store passwords, use NoScript, XSS Warning and other useful add-ons (Shazou, FlagFox, Stealther, YesScript, etc.),

    -As a real-time web filter, there is Foxy, WebScarab, or Paros, which can be used as a man-in-the-middle proxy.
    But here again, it would not be serious to check each page we wish to visit: the surf session would become a torture...

    -apply "dear prudence" as policy: enable scripts in browsers only and only if they're necessary, use "friendly" applications (GDrive, Picasa, etc.) with caution, etc...

    The protection against web application threats like XSS IS MOSTLY THE RULE OF SERVER SIDE.
    But as often, many sites invest much more in marketing than in security, and we can't imagine how their sites are vulnerable.

    And of course there's no real paranoia to have about those threats, even if they're more and more common (used by a very few worms, and be afraid of this one;) )

    And if I was like some people a resident of Steve McGarrett and Magnum "country", XSS would be the last thing to worry about;) ...

    Regards.
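kareldjag's two points above, that an XSS attack needs the browser to run script and that the real fix is server-side, as an added Python example (written for this page, not code from the post or from NoScript, XSS Warning or Avira): a search page handler that reflects its query parameter verbatim beside the same handler with output encoding, plus a simplified client-side reflection check in the spirit of the browser filters discussed in this thread. That check is an assumption about how such filters work, not NoScript's or XSS Warning's actual algorithm; the template, the URL and the host www.example.com are constructed.

```python
"""Added example: reflected XSS on the server side, and a simplified
client-side reflection check. Not code from the post or from NoScript,
XSS Warning or Avira; the template and URLs are constructed."""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template for a search-results page.
TEMPLATE = "<html><body><h1>Results for: {query}</h1></body></html>"


def render_vulnerable(query):
    """Reflects the parameter verbatim, so any markup in it is parsed as HTML
    and any script in it runs in the page's origin (the cookie-theft case)."""
    return TEMPLATE.format(query=query)


def render_hardened(query):
    """Same page with output encoding: html.escape turns < > & " ' into
    entities, so the browser shows the value as text and never runs it."""
    return TEMPLATE.format(query=html.escape(query, quote=True))


def query_values(url):
    """All query-string parameter values of a URL, percent-decoded."""
    return [v for vals in parse_qs(urlsplit(url).query).values() for v in vals]


def looks_like_reflected_injection(url, response_body):
    """Simplified heuristic in the spirit of a browser-side XSS filter
    (an assumption about how such filters work, not NoScript's algorithm):
    flag a response that echoes back, unchanged, a request parameter that
    carries a tag or a javascript: URL."""
    for value in query_values(url):
        suspicious = "<" in value or "javascript:" in value.lower()
        if suspicious and value in response_body:
            return True
    return False


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # classic harmless test string
    url = "http://www.example.com/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    for render in (render_vulnerable, render_hardened):
        body = render(payload)
        print(render.__name__, looks_like_reflected_injection(url, body))
```

The encoded page no longer contains the parameter as markup, so the client-side check has nothing to flag; that is the sense in which the server-side fix is the one that actually removes the bug, while a browser filter only catches the reflected case it happens to recognise.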
     
  22. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    I used to have the same problem until I stopped sniffing my MagicMarker pen. :)

    Firefox - click "Prefs" & use the check boxes.

    FF 2 clix. Besides, clicking links and pressing buttons on the TV remote are just about all the exercise I get. :cool:

    Why turn 'em on unless they are needed? PLUS -- even trusted sites can become infected, right? Right!

    Not at all comfortable. If trusting a site fails to make that site easily accessible (as in the case of CNN) then convoluted solutions, via NS, are just that -- convoluted. CNN is just 1 example. I have several other examples where Firebyte's solution DOESN'T work -- such as USAToday.

    For instance, Yahoo News & USAToday simply will not show news videos unless I first view commercial videos, which entail (at times) disabling HOSTS, killing popup blocker, & enabling flash/js/java & what have you. And those sites (like CNN) often grab feeds from SEVERAL different websites other than theirs. Using NS at those sites is a HUGE pain.

    In short, NS continues to impede access to certain sites even after they are "trusted".

    I am still seeking comments as to the proposition that using FF with XSS Warning PLUS Avira Webguard (uses a proxy) will provide *adequate* protection. Thanks for all the helpful advice.
     
  23. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    bellgamin,

    XSS Warning is still listed as "experimental" on the Mozilla add-ons site. I was wondering if you have had any issues with it? Also, if you don't mind, please test it by clicking on this link XSS Sample and see how it does. When I click the link with NoScript enabled it advises me that it has filtered a potential XSS attempt.

    Yes, the link is safe, it is actually from an earlier thread here at Wilders which you can view HERE if you want to read back on what it is all about.
     
  24. Firebytes

    Firebytes Registered Member

    Joined:
    May 29, 2007
    Posts:
    917
    FYI - I tried the XSS Sample link that's in my last post with NoScript set to "Allow Scripts Globally" (which means it doesn't block any scripts on any site you visit) and it still warned me and blocked the XSS attempt. So IF you wanted to you could use NoScript in the same manner you would use XSS Warning, as an XSS blocker only. :thumb:
     
  25. bellgamin

    bellgamin Registered Member

    Joined:
    Aug 1, 2002
    Posts:
    8,102
    Location:
    Hawaii
    Done. It popped up instantly. Screenie below.
     
