HTTP Switchboard for Chrome/Chromium:

Discussion in 'other software & services' started by apathy, Nov 25, 2013.

  1. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Hi Raymond,

    if you get a chance can you please check this website:

    -http://www.acunetix.com/websitesecurity/xss/

    Then please copy & paste the code part ways down the page:

    Code:
    http://testasp.vulnweb.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3C%20form+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+%20length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput%20+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%20%3DLOGIN%3E%3C%2Fform%3E
    into the browser's address field and enter. My httpsb setup is displayed in post #774. When I enter that code the username and password fields are displayed and when I enter any random text into them, that exact text is "reflected" back to me. Using NoScript in Firefox the same test won't even display the login fields and NS warns of a possible XSS attack. Thanks for any feedback you can provide!
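
Added example (not part of the original post, and not code from Acunetix or HTTPSB): decoding the tfSearch parameter shows that the test URL carries a login form as markup, and HTML-escaping the value before echoing it is the server-side fix. The URL is a shortened, constructed variant on a placeholder host, and all function names are hypothetical.

```javascript
// Constructed sample: shortened variant of the thread's URL on a placeholder host.
const SAMPLE_URL =
  "http://example.test/Search.asp?tfSearch=%3Cbr%3EPlease+login%3A" +
  "%3Cform+action%3D%22test.asp%22%3E%3Cinput+type%3Dtext+name%3Dlogin%3E" +
  "%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E";

// Decode one query parameter as a server would ('+' becomes a space, %XX is unescaped).
function decodeParam(url, name) {
  return new URL(url).searchParams.get(name);
}

// List the distinct HTML tag names present in a decoded value (simple heuristic).
function injectedTags(value) {
  const tags = new Set();
  const re = /<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(value)) !== null) tags.add(m[1].toLowerCase());
  return [...tags];
}

// Escape the five characters that let text break out into markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Echoing the search term unescaped: the injected form becomes part of the page.
function renderVulnerable(term) {
  return `<p>You searched for: ${term}</p>`;
}

// Echoing it escaped: the same input is displayed as inert text.
function renderEscaped(term) {
  return `<p>You searched for: ${escapeHtml(term)}</p>`;
}

const term = decodeParam(SAMPLE_URL, "tfSearch");
console.log("decoded:   ", term);
console.log("tags found:", injectedTags(term).join(", "));
console.log("vulnerable:", renderVulnerable(term));
console.log("escaped:   ", renderEscaped(term));
```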
     
  2. gorhill

    gorhill Guest

    I got this, as a URL in the address bar:

    data:,?login=toto&password=tata


    Did you get something like that? Not sure what was supposed to happen.

    Anyway, I looked at your config and you would be protected against that kind of attack where there would be an attempt at sending your credentials to a remote server under the control of an attacker, because you block-all by default -- unless you have auto-whitelist enabled. HTTPSB does not have explicit XSS protection, I leave this to the browser.
     
  3. wat0114

    wat0114 Registered Member

    Thank you Raymond!

    yes, I get what you see; whatever characters I type into the username & password fields I see reflected back to me.

    I use a combination of the Request Policy and NoScript approach; I block all except I Auto whitelist page domain, although as you can see "Script" and "Frame" are blocked exceptionally. I trust you implicitly that I'm protected against my creds being sent to remote server :thumb: Thanks again, you are the best :)
     
  4. gorhill

    gorhill Guest

    Actually, thinking more about it, that won't prevent the credentials from reaching an attacker's server (if that's what they tried to demonstrate), because to block a request for a whole page a site needs to be blacklisted, graylisted-blocked won't prevent the main page from downloading -- just the secondary resources. If I understand correctly the (broken) test case, they wanted to redirect the result to a data url-encoded page for demonstration (instead of using a URL to another server).

    So I have to correct myself: unless the attacker's web site is outright blacklisted (auto-whitelisting doesn't work on blacklisted hostnames), there would be a problem. I wonder how likely is the XSS vulnerability they present -- I wonder if they configured really sloppily the server for the test case.

    Edit: Ok, it seems Chromium is protecting us here. I thought the test case was broken, but I can get a "proper" result in Firefox (without NoScript). I can't get the same result in Chromium: it's supposed as per test case to try to reach "hxxp://testasp.vulnweb.com/destination.asp?login=toto&password=tata" (as seen in Firefox), but with Chromium I can only get "data:,?login=toto&password=tata". So it looks that for this particular case of horribly configured server (they are selling their services at the bottom of the page..), Chromium-based browsers would protect us.
     
    Last edited by a moderator: Aug 23, 2014
  5. wat0114

    wat0114 Registered Member

    Thanks Raymond, I was actually starting to doubt my response :oops: I auto whitelist page domain but I blacklist script and frame, so I figured this should prevent XSS exploits, but I might be wrong??
     
  6. gorhill

    gorhill Guest

    The exploit is a form submission, that's not blocked by HTTPSB. It's like clicking on a link. But it doesn't work on Chromium-based browsers. And to add to this, the proof of concept implies that whoever maintains the web site is completely incompetent.
     
  7. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    This is from four years ago but I think it's still interesting:

    http://blog.chromium.org/2010/01/security-in-depth-new-security-features.html

    "The XSS filter is similar to those found in Internet Explorer 8 and NoScript. Instead of being layered on top of the browser like those filters, our XSS filter is integrated into WebKit, which Google Chrome uses to render webpages. Integrating the XSS filter into the rendering engine has two benefits: (1) the filter can catch scripts right before they are executed, making it easier to detect some tricky attack variations, and (2) the filter can be used by every WebKit-based browser, including Safari and Epiphany."

    That's why there is no need for Chrome extensions to deal with XSS issues. Firefox announced its own XSS auditor a long time ago but it's not there yet.
     
  8. tlu

    tlu Guest

    What do you mean by "reflected" back? I tried that site with javascript disabled and enabled - but after entering some text and clicking the button nothing happens ... :confused: What's noteworthy, though: After I enabled the Netcraft extension, it reported a "Suspected XSS Attack".

    @gorhill: What's strange is that after copy and paste of that code, a global scope was applied by HTTPSB although I've chosen domain-specific scopes as default. How can that happen?
     
  9. tlu

    tlu Guest

    Yes, and it's actually based on Chrome's XSS Auditor. However, the related bug report suggests that there hasn't been any progress made since 2012.
     
  10. gorhill

    gorhill Guest

    I looked into this, and the web site returns an HTTP status 500 error. HTTPSB won't auto-whitelist a page which returns anything else than HTTP status 200.
     
  11. tlu

    tlu Guest

    Thanks! This confirms what you said about the competence of the website maintainer ;)
     
  12. wat0114

    wat0114 Registered Member

    That was just my lack of using a better term. If you check gorhill's post #777, what he typed in the credentials fields is displayed back to him, which is exactly what happened to me:

    It looks like this is nothing to worry about after all :) I thought there might be some sort of XSS bypass but it isn't.
     
  13. Malwar

    Malwar Registered Member

    Joined:
    May 5, 2013
    Posts:
    297
    Location:
    USA
    Gorhill can you answer my post #773?
    Thanks,
    Malwar
     
  14. gorhill

    gorhill Guest

    Best is to just ask the authors of the paper, they know their stuff better than I. In the closing section, the advice is to ensure the use of encrypted connections, there is no mention of firewall, or RequestPolicy and such.
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Does HTTPSB support rules to force HTTPS for specified hosts (convert all HTTP requests to HTTPS requests)?

    Does HTTPSB support rules to block HTTP for specified hosts (without also blocking HTTPS)?
     
  16. gorhill

    gorhill Guest

    No to both.
     
  17. Overdone

    Overdone Registered Member

    Joined:
    Sep 7, 2014
    Posts:
    89
    This seems to be the extension that's gonna make me switch from Firefox to Chromium..

    I haven't read the 32 pages (I apologize, but damn, that's way too much for me to read), but I have one question regarding HTTP SB:

    How does one "Save Changes" automatically, without having to click on the icon?
     
  18. tlu

    tlu Guest

    First of all: Welcome to this forum, Overdone! :)

    That's not possible. All your changes are temporary by default. In order to make them permanent you have to click the padlock.

    BTW, you don't have to read the 32 pages of this thread ;) But I strongly suggest that you read the HTTPSB wiki pages, particularly the "MUST READ" section. You'll see that HTTPSB is extremely flexible - you can configure it in various ways according to your needs. One caveat, though: Not all articles in the wiki are up-to-date. You should also read what gorhill wrote in the changelog for v. 1.0.0.3. Briefly speaking, disable adblocking in HTTPSB and install gorhill's µBlock as it is more advanced in this area.

    EDIT: In the wiki you should definitely read this page. HTTPSB can control what Chromium itself and other extensions are doing behind the scene if configured accordingly. This post might also be helpful.
     
    Last edited by a moderator: Sep 7, 2014
  19. Overdone

    Overdone Registered Member

    @tlu

    I've read some parts of the wiki.. The reason for not saving the changes automatically makes sense, though I would still like to be able to change that, in the settings or so.

    I've added several lists to HTTPSB and I've been using it as an adblocker.. I didn't quite understand the reason for using ublock instead of HTTPSB, but this is definitely not my area of expertise (if I've any), so I'll just take the suggestion and do it!

    About the "Behind the scenes requests":

    I'm quite interested in this.. The reason why I've not been using chromium is solely for privacy reasons, as it seems to be much faster than firefox. Sadly, whenever I search for "chromium privacy" I come across this thread. Blocking that kind of connection would surely improve my feelings of privacy while using chromium and may tip the balance to make it my default browser! As far as I understand, HTTPSB allows to block that kind of connection, am I right?

    I'm not sure how to block "Behind the scenes requests" though, even after reading what you linked me.. In the gif they've there, aren't they just blocking everything or allowing everything, by clicking on the upper/bottom part of "all"?


    PS: This seems to be quite a welcoming community. Hopefully I'll be able to give back to it someday, in a few years :p. Thank you for the warm welcome!
     
    Last edited: Sep 7, 2014
  20. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    5,703
    Location:
    North Carolina, USA
    Hello,

    I have just recently started using HTTPSB and have a quick question. I have figured out how to back-up my scope rules and restore them (and know what I am backing-up and restoring). This may be a dumb question but here goes... On the "About" tab there is the option to back-up and restore "Your data". I have done a lot of searching (and probably just overlooked the answer) and cannot find exactly what "Your data" means... What exactly am I backing-up and restoring pertaining to "Your data"? I am wondering if it is basically just statistics and/or logs (or such) that is not really that important to back-up or is it my overall settings. If it is my overall settings, does it also include the scope rules or are they only back-upped and restored separately? It appears that after looking at the text files created both ways, that the "Your data" includes your settings and all of your created rules (and the "Your data" back-up is a fair bit larger than the scope rules back-up). I am assuming that all I really need to do to back-up everything is the "Your data" and I do not really need to worry with the scope rules. Any help in me understanding this will be appreciated...
     
  21. harsha_mic

    harsha_mic Registered Member

    Joined:
    Mar 11, 2009
    Posts:
    815
    Location:
    India
    It is used to back up your settings data and restore it. I do not believe it backs up either statistics or log entries.
     
  22. tlu

    tlu Guest

    There are several reasons. The most important ones, IMHO:
    1. The adblocking filter engine in µBlock is more advanced than in HTTPSB.
    2. A more complete support of the Adblock Plus filter syntax.
    3. The Element Picker.

    Yes, there is also a reply by gorhill at the bottom of that thread which confirms this.

    By default, behind-the-scene requests are not blocked by HTTPSB because this can irritate new users if certain things do not work any more. Changing that default behavior is easy. Just open the statistics tab in HTTPSB and click the HTTPSB symbol (while still in that tab): You will see the chromium-behind-the-scene matrix. Blacklist the "all" cell and save it with the padlock. From now on all behind-the-scene requests are blocked. Please read again what I wrote in that linked post as you won't be able to install/update any extensions anymore, you won't be able to update the filter lists in HTTPSB and µBlock anymore, and you will break most probably a couple of other extensions. In order to unbreak them, you will normally have to whitelist the corresponding requests in the XHR column of the behind-the-scene matrix (and in the "other" column for googleusercontent.com) and save those rules with the padlock. Just look for numbers (usually 1) in those cells.


    Okay, I will come back to you then :D
     
  23. Overdone

    Overdone Registered Member

    Something weird is happening.

    I've decided to block all cookies in HTTPSB by clicking on the lower end of the "Cookie" tab. Whenever I think a site should be able to set cookies, I'll allow it. By doing that, sites should not be able to set cookies, unless I green them, right? Well, that is not happening. There're sites/forums (not this one though) that still set cookies, even though they're not green in the "cookie" tab.
     
  24. harsha_mic

    harsha_mic Registered Member

    The way cookie blocking works in HTTPSB is a little different.
    When you block cookies through HTTPSB, it will still allow the site to set the cookies in your browser, but will stop sending the cookie info back to the server.

    You can test cookie blocking at the link below: http://raymondhill.net/httpsb/httpsb-test-cookie-1.php
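
Added example (not part of the original post and not HTTPSB's own code): a small simulation of the behaviour described above, where Set-Cookie responses are still stored by the browser but the Cookie request header is dropped for hosts that are not whitelisted. Host names, the whitelist and all function names are constructed for illustration; header objects use the {name, value} shape of Chrome's webRequest API.

```javascript
// True when hostname is a whitelisted domain or one of its subdomains.
function cookiesAllowed(hostname, whitelist) {
  return whitelist.some((d) => hostname === d || hostname.endsWith("." + d));
}

// Browser side: Set-Cookie response headers are stored regardless of the blocker.
function storeCookies(jar, hostname, responseHeaders) {
  for (const h of responseHeaders) {
    if (h.name.toLowerCase() !== "set-cookie") continue;
    const pair = h.value.split(";")[0].trim(); // keep "name=value", drop attributes
    (jar[hostname] = jar[hostname] || []).push(pair);
  }
  return jar;
}

// Blocker side: remove the Cookie request header unless the host is whitelisted.
function filterRequestHeaders(hostname, requestHeaders, whitelist) {
  if (cookiesAllowed(hostname, whitelist)) return requestHeaders;
  return requestHeaders.filter((h) => h.name.toLowerCase() !== "cookie");
}

// Build the headers the server would actually receive on the next request.
function nextRequest(jar, hostname, whitelist) {
  const headers = [{ name: "Accept", value: "text/html" }];
  if (jar[hostname]) {
    headers.push({ name: "Cookie", value: jar[hostname].join("; ") });
  }
  return filterRequestHeaders(hostname, headers, whitelist);
}

// Constructed round trip: the cookie is visible in the jar, yet never sent back.
const jar = storeCookies({}, "forum.example", [
  { name: "Set-Cookie", value: "sid=abc123; Path=/; HttpOnly" },
]);
console.log("stored in browser:", jar["forum.example"]);
console.log("sent (blocked):   ", nextRequest(jar, "forum.example", []));
console.log("sent (whitelisted):", nextRequest(jar, "forum.example", ["forum.example"]));
```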
     
  25. Overdone

    Overdone Registered Member

    Another "noob" question by me, I apologize:

    Was it discussed on this thread or is there any link that explains what each column of HTTPSB does (css, plugin, script, XHR, frame, other)? Which one of those should we block by default? (I've cookies blocked by default so automatically blocking everything would be too much trouble, as I'd need to go from column to column to allow them..)
     