Sunday, January 18, 2009

noscript feature

ok, so peeps around me might've heard me blabbing on and on about my exciting noscript 'discovery'... i stumbled upon functionality i thought was weird while searching for sharpening stones for my katana (ironic but true).

anyway, i procrastinated research for a month or so, and when i realized i wasn't going to fuzz each html tag for js execution i emailed giorgio... that deflating sound is my ego:

many thanks for the PoC.

Is it just about links going back and forth in history working?
If so, fortunately that's a feature, not a bug: NoScript Options|Advanced|Untrusted|Attempt to fix JavaScript links.
In order to make the user's life easier, NoScript tries to detect JavaScript links used for navigation purposes (e.g. containing a URL or resembling a back/forth history navigation) and "emulate" them on the fly *by design*.
If you want, you can disable this feature from the aforementioned configuration option.

Please let me know if I'm missing something more malicious.

Thank you again

i respond:

oh wow! rtfm & bad on me! ;) ok, well the things that seem malicious are all subtle imo.

the fact that .go() can be used for arbitrary navigation kinda seems dangerous. even though you'll be running noscript wherever you end up, it could be used to exploit a vuln that noscript doesn't protect against (possibly flash, pdf, etc).

and giorgio disagrees:

no "automatic navigation" can be triggered, because of the way this feature works: it reacts on *user click*, checks if the clicked item is a link (either an anchor or a map or a button) and tries to "guess" the destination by simple string parsing, then emulates the navigation.
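the heuristic giorgio describes, as an added model that is not NoScript's own code (function names, the nav object and the exact parsing rules are assumptions made here): on a click, the href is only string-parsed, never evaluated, and a target is emulated only when it is a history step or an http(s)/relative URL.

```javascript
// Added model of the "fix JavaScript links" heuristic, not NoScript's code.
// The clicked href is string-parsed only; the script body is never evaluated.

// Returns {kind:"history", steps:n}, {kind:"url", url:"..."} or null when no
// safe guess can be made (the click then does nothing, since scripts are off).
function guessJsLinkTarget(href) {
  const m = /^\s*javascript:\s*([\s\S]*)$/i.exec(String(href));
  if (!m) return null;                       // not a javascript: link at all
  const body = m[1].trim();

  // Back/forward style navigation: history.back(), history.forward(), history.go(n)
  let h = /^(?:window\.)?history\.(back|forward)\s*\(\s*\)\s*;?$/.exec(body);
  if (h) return { kind: "history", steps: h[1] === "back" ? -1 : 1 };
  h = /^(?:window\.)?history\.go\s*\(\s*(-?\d+)\s*\)\s*;?$/.exec(body);
  if (h) return { kind: "history", steps: Number(h[1]) };

  // URL style navigation: location='...', location.href='...', window.open('...').
  // Take the first quoted string and accept it only if it looks like a plain
  // http(s) or relative URL; any other scheme (javascript:, data:, ...) is refused.
  const q = /['"]([^'"]+)['"]/.exec(body);
  if (!q) return null;
  const url = q[1].trim();
  if (/^[a-z][a-z0-9+.-]*:/i.test(url) && !/^https?:\/\//i.test(url)) return null;
  const looksLikeUrl = /^(?:https?:\/\/\S+|[./]\S*|[\w-]+(?:\.\w+)+\S*)$/.test(url);
  return looksLikeUrl ? { kind: "url", url } : null;
}

// Emulate the guessed navigation on a *user click*, given a nav object exposing
// go(steps) and assign(url) (the page's own history/location in a real browser).
// Returns true when a navigation was emulated, false when the click is left alone.
function emulateJsLinkClick(href, nav) {
  const target = guessJsLinkTarget(href);
  if (!target) return false;
  if (target.kind === "history") nav.go(target.steps);
  else nav.assign(target.url);
  return true;
}
```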


well, i'm not going to get into an infosec pissing match w/ a guy who's contributed more to protect end-users than i prolly ever will... sigh...

i was really surprised to find script execution when i had ns set to not allow scripts globally.

for the navigation feature, i've got no click generating foo atm. iirc there are things that can be done to overlay pages and catch clicks.

for the sandbox fun, nursing my bruised ego kept me away from coming up w/ a way to smuggle the information back to the attacker. but my understanding of infosec suggests that giving someone a way to discover information about a system (file exists, exists but you don't have perms, exists and is executable, and doesn't exist) is not optimal. also, prompting a user w/ a download dialogue seems dangerous, even for local files.

anyway, i've put up a quick PoC for the stuff i was playing with...

Friday, January 2, 2009

winter cleaning time

was out in cali visiting my folks, and got into an infosec discussion w/ dad (who sat patiently while i ranted for a *while*).

on the topic of best practices i was talking about password rotation and pushed an idea i've been kickin around (but which has roots w/ @shawnmoyer)... i've been thinking of doing a livecd experiment (really, someday soon), and for a less extreme suggestion i brought up treating your OS install as a replaceable session. do quarterly rotations, or whatever.

doing this limits the lifetime of a lot of compromises, ensures that recent (restorable) backups exist, and pushes you towards a core set of applications which are being kept up to date.

he asked if i was doing this myself, and i owned up and said no. so now i am. bleh, me and my big mouth... ;)

anywho, i'll be linking up interesting docs and stuff here when i find em...