Is there any malware that bypasses noscript?

Just curious how effective NS really is. I have it enabled for all websites with exception of those that I know are malware free (gmail, hotmail, google news, etc...).
So what do you guys think? Is it possible for any website to bypass NS?

 

Circumvent: surely possible. Trojans, phishing, engineering, vulns.

Bypass. Things like the xss filter or click-jack gear should be able to be bypassed and have been in the past. Too many odd ways to execute JScripts.

At the core prevention--blocking JS and plugins--you have deep coverage as it would require the malware using those tools to exploit your machine. Would it be possible to bypass this? If you mistrusted a plugin, that would be most obvious problem and where NS lacks most; you must run scripts to make pages functional again, otherwise, it would likely be from vulns in the browser itself. So attacking the browser, extension store, or other extensions via an overflow using acceptable parameters for example could bypass it, but I've never seen this in the wild or PoC and doubtful such holes would remain unpatched for too long or be created in the first place.

Noscript works well because it kills the tools malware designers use and use most often. Its weakness is in that you must turn it off in order to gain content but can't ensure that content is safe. However, that shouldn't be considered a "bypass" IMO although the end is the same: an exploited computer.

 

Look, this is from a Malwarebytes representative:

https://www.wilderssecurity.com/showpost.php?p=2164172&postcount=27987

 

NoScript is very powerful. I've seen researchers who try to bypass XSS filters in browsers have a lot of trouble trying to bypass the NoScript one.

Unlike browser filters, NoScript cares far more about security and far less about compatibility. So the filter is very strong.

 

interesting. good to know because i can really trim down on some security. most of my browsing is just to maybe a dozen of known safe websites, everything else is just Google searches during which I never disable NS.

 

NoScript is as powerful as the one who's in control of it. If you don't allow malicious content, it won't allow malware. Allow only the content you need to view. It's that simple.

In this case, NoScript is all you need.

 

It can be bypassed but as others have said it's very hard.

Why haven't they ported No-script to Chrome btw?

 

Well, im keeping NS and MBAM Pro just in case.

 

It has to do with some of the bad stuff that gets blocked by NoScript that don't make Google happy.

Bo

 

You're absolutely right Bo.

 

I agree.

 

it's the only pro-active security i have been using for the last year.

not only does it help a lot with security but it cuts down on the bandwidth sucking adware/trackware sludge.

i read not too long ago that 40% of a user bandwidth is devoted to running that crap.
tnx, but not with my computer. lol

 

Thats the reason ive switched to cyberfox amongst others just to use noscript and it blocks a ton of crap from webpages.

 

That's why I run the trinity: NoScript + Request Policy + Ad-block Plus. Throw in a good sandbox to catch anything should it get through and you should be pretty darn solid. I'd imagine that drops the risk of infection down considerably even without real-time protection av/am/as. I employed this setup on my parents computer for a year without problems.

My father complained about NoScript enough that he decided to disable it. Just disabling that one add-on, even with sandboxie lead to massive infection. Not because sandboxie didn't trap, but because he knows how to recover content from within the sandbox. People are resourceful, so I wouldn't say the above setup is advised unless you practically kiosk or admin restrict the entire setup.

 

@Techwiz
I've tried trinity many times. But RP is just too much hassle.