With LUA & SRP is Noscript necessary?

Discussion in 'other anti-malware software' started by jdd58, Oct 16, 2010.

Thread Status:
Not open for further replies.
  1. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    With LUA & SRP and or anti-executable is Noscript necessary to stay safe?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    It is certainly useful. Another layer.
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Noscript is Firefox's way of controlling scripting. Other browsers handle it within the browser preferences.

    SRP and the like, will block the executable payload of an exploit that has been triggered.

    In cases where javascript is used on a web site to trigger an exploit, controlling scripting prevents the exploit from starting, hence, no executable payload to block.

    This is especially true where a user is redirected to a malicious site, for example, in a Google poisoned search. The malicious site usually has embedded obfuscated javascript code to trigger the exploits. With javascript white listed per site, the malicious site's code will not trigger.

    ----
    rich
     
  4. Boyfriend

    Boyfriend Registered Member

    Joined:
    Jun 7, 2010
    Posts:
    1,070
    Location:
    Pakistan
    I agree with above two comments. Noscript is still very useful additional layer of protection again exploits/payloads.
     
  5. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    It would depend on what you are trying to guard against. LUA and SRP should be sufficient to prevent anything installing new or rewriting already installed software. But they wouldn't (for example) stop some browser exploit that might allow a java script keylogger to be loaded when you visit one site and stay resident while you go do you banking a few minutes later. Or so I understand it. If I'm wrong, I'm sure someone will point it out.

    What I'm not sure about is whether you can script something that your browser would then happily reload everytime you start a new session. LUA and SRP don't prevent this AFAIK.
     
  6. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    So,while LUA and SRP may prevent the malware payload from executing, Noscript or browser configuration is important to prevent XSS or CSRF attacks, or information theft. Correct?

    Also RMUS, you had a tutorial on how to harden Opera a while back. Do you still have reference to that thread?
     
  7. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    I thought a keylogger would not be able to execute but wasn't sure about other types of vulnerabilities.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you point to a current exploit that does this? I would like to check it out.

    Any javascript embedded in a web site won't work unless the user has javascript enabled for that site.

    You must be thinking of someone else. The only "hardening" I do in Opera is

    1) configure cookies and javascript per site, and

    2) configure downloads to Prompt rather than Open.

    I do recall, however, one of the members is quite the Opera expert and used to post all sorts of Tweaks in the other software & services forum -- I don't remember who it was...

    ----
    rich
     
  9. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    No, I can't. It is hypothetical.

    The part of my post concerning this was assuming that noscript was NOT installed and javascript would be enabled.
     
  10. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Not really hypothetical. But I'm quite sure, script-based keyloggers are actively exploited in the wild. It's so trivial if you have the power of javascript and vbscript in your arsenal.

    http://www.sandboxie.com/index.php?DetectingKeyLoggers#script
     
    Last edited: Oct 16, 2010
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    re: script-based keyloggers:
    Agreed, in fact, several years ago a Wilders member posted PoCs by a fan of R. Hensing, whose 2007 article you cited.

    I would like to see one if you come across an example in the wild.

    EDIT: scott1256ca describes not just a keylogger, but also:

    ----
    rich
     
    Last edited: Oct 16, 2010
  12. jdd58

    jdd58 Registered Member

    Joined:
    Jan 30, 2008
    Posts:
    526
    Location:
    USA
    I wasn't aware of script based loggers. I thought all keyloggers were an executable. Thanks to all.
     
  13. Konata Izumi

    Konata Izumi Registered Member

    Joined:
    Nov 23, 2008
    Posts:
    1,544
    i hope you can remember who that was. I use Opera now. :)
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well I would like to comfirm the request of Rich: "show me the money" by providing some reference to an in the wild sample


    Two comments:
    a) With Chrome's sandbox such a hypothetical scenario would only be possible when browsing in the same tab (otherwise impossible), which is a very unlickely scenario of a hypothetical threat (so chances are .... less than winning the lottery IMO)

    b) Noscript is usefull, I have seen just to many people not using it in the way Rmus does: for full benefits of the Noscript magic you need to apply A DEFAULT DENY ON JAVASCRIPT and WHITE LIST ONLY TRUSTED SITES.

    Regards Kees
     
    Last edited: Oct 17, 2010
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    Oops! Not from Hensing's or rather from Provos' but from Manuel Caballero's. http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

    Sure, if ever 'll found one as my spare time will allow me. jk :D ...

    ...i'll give the floor to those who have the time and the energy. My day job is completely unrelated to IT or anything about computers or much more about security.

    Maybe scott1256ca is talking about these or something similar...

    http://sirdarckcat.blogspot.com/2008/05/ghosts-for-ie8-and-ie75730.html
    http://sirdarckcat.blogspot.com/2008/05/browsers-ghost-busters.html

    I don't know but might be of interest to you...
    http://eaea.sirdarckcat.net/hades.html
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, but to use your quote,

    I'll wait for a real exploit and then do a risk assessment!

    regards,

    rich
     
  17. scott1256ca

    scott1256ca Registered Member

    Joined:
    Aug 18, 2009
    Posts:
    144
    ok, the original post asked "does noscript add any benefit if you already have SRP and LUA".

    My reply seems to have caused some confusion.
    All I was trying to answer was, "yes, I think it does". I then tried to give an example where noscript could block something that SRP and LUA would not. I pulled the example out of the air. If someone already did a PoC on it, that doesn't change the fact that I pulled the scripted keylogger example out of the air. I just don't want anyone to think that I was implying it was an imminent threat. So sorry, I will not be showing money to anyone :)

    In any case, thanks for the related links.
     
  18. wat0114

    wat0114 Guest

    This would make the most sense if ultimate security against scripting dangers is desired. In my case, however, I hate Noscript, and therefore have no use for it; it slows down my enjoyment of the internet and without it I've never once encountered a situation where I needed it with a subsequent feeling of regret not having it. I feel certain that simply running as standard user with some sort of default-deny policy is all that's needed to avoid these over-hyped (by a few) problems. There's one member in these forums, in particular, who loves to cheer lead the latest, greatest threats with overtones of "worry" and "concern" when there's really no need for the rubbish at all :rolleyes:
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    You can also use NoScript and allow all scripts globally and then you still have other protection, quote from NoScript developer's blog:
    Also if you allow all scripts globally, go to NS options, Embeddings tab, and check Apply these restrictions to whitelisted sites too, then you can use NS too block Java, flash, i-frames etc. or whatever you like from that list, without also blocking javascript ;)
     
  20. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Same developer stated Firefox was the safest browser. Before 3.6 Firefox was lagging as see https://www.wilderssecurity.com/showthread.php?t=272374 for facts.

    Chrome has less API's available than Firefox, which offered near total control. The complaints the Noscript developer has on Chrome is more or less the same critique the HIPS developers had on x64 kernel patch proctection ("they won't build the API's I need for Noscript" - no off course they won't, they do not want to lower security)

    Talking about Noscript author about Chrome is like discussing with the Turkey on what to eat for dinner on Christmas/Thanksgiviing

    Chrome sandboxes those issues, a far better approach, see for new chrome goodies https://www.wilderssecurity.com/showthread.php?t=284601

    Also due to the way Chrome uses hidden classes in stead of (shared) libraries and compiles javascript itself is less of an issue, see http://blog.chromium.org/2008/09/google-chromes-need-for-speed_02.html
     
  21. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    I have now actually Uninstalled No Script due to the fact that I was for ever configuring its white and black list per site.

    I don't know how other people deal with the following issue. But lets say for example you go surfing thru a whole bunch of websites you have never visited before you find that some sites don't load properly and that not all content is displayed which is limiting your browsing experience due to No Script. You then
    have to decide whether it is safe or not to allow scripts to run on a Particular site so you can view it properly, you end up spending more time configuring no script than actually browsing the net.

    I just run my browser in an Sandbox Isolated environment with and anti executable app.
     
  22. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    'Temporarily allow all this page'

    If you find yourself visiting a site frequently, spend a few seconds and whitelist that and related sites.

    Also you can 'allow scripts globally' and use it the way BoerenkoolMetWorst described.
     
  23. ParadigmShift

    ParadigmShift Registered Member

    Joined:
    Aug 7, 2008
    Posts:
    203
    It depends on the overall configuration you have, but probably not necessary.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    Thanks for the interesting reads.
     
  25. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
Loading...
Similar Threads
  1. waters
    Replies:
    3
    Views:
    385
Thread Status:
Not open for further replies.