Sunday, January 18, 2009

noscript feature

ok, so peeps around me might've heard me blabbing on and on about my exciting noscript 'discovery'... i stumbled upon functionality i thought was weird while searching for sharpening stones for my katana (ironic but true).

anyway, i procrastinated on the research for a month or so, and when i realized i wasn't going to fuzz each html tag for js execution i emailed giorgio... that deflating sound is my ego:

many thanks for the PoC.

Is it just about links going back and forth in history working?
If so, fortunately that's a feature, not a bug: NoScript Options|Advanced|Untrusted|Attempt to fix JavaScript links.
In order to make the user's life easier, NoScript tries to detect JavaScript links used for navigation purposes (e.g. containing a URL or resembling a back/forth history navigation) and "emulate" them on the fly *by design*.
If you want, you can disable this feature from the aforementioned configuration option.

Please let me know if I'm missing something more malicious.

Thank you again
--
Giorgio


i respond:

oh wow! rtfm & bad on me! ;) ok, well the things that seem malicious are all subtle imo.

the fact that .go() can be used for arbitrary navigation kinda seems dangerous. even though you'll be running noscript wherever you end up, it could be used to exploit a vuln that noscript doesn't protect against (possibly flash, pdf, etc).
...


and giorgio disagrees:

no "automatic navigation" can be triggered, because of the way this feature works: it reacts to a *user click*, checks whether the clicked item is a link (either an anchor or a map or a button) and tries to "guess" the destination by simple string parsing, then emulates the navigation.

Cheers
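
giorgio's two messages above describe the mechanics of the feature: react only to a user click on a real link element, guess the destination from the javascript: href by plain string parsing, and emulate the navigation without ever evaluating the script. what follows is an added toy reconstruction of that flow, written for this page; it is not NoScript's source, and the regexes, the element shapes, the fake session history and the sample hrefs are all my own assumptions.

```javascript
// Added example, not NoScript's code: a toy version of the "JavaScript link"
// heuristic described in the e-mails above. On a user click it looks at a
// javascript: href, guesses the destination by simple string parsing, and
// emulates the navigation against a session history, without ever evaluating
// the script. Regexes, element shapes and sample hrefs are my own assumptions.

// Anything that looks like an absolute http(s)/ftp URL inside the href body.
const URL_RE = /\b(?:https?|ftp):\/\/[^\s'"()<>]+/i;
// history.back(), history.forward(), history.go(), history.go(-2) ...
const HISTORY_RE = /\bhistory\.(back|forward|go)\s*\(\s*(-?\d+)?\s*\)/i;

// Returns {kind:'history', delta} or {kind:'url', url}, or null when the
// link is not a javascript: link or its destination cannot be guessed.
function guessNavigation(href) {
  if (typeof href !== 'string') return null;
  const m = /^\s*javascript:\s*([\s\S]*)$/i.exec(href);
  if (!m) return null;                 // ordinary link: the browser handles it
  const body = m[1];
  const h = HISTORY_RE.exec(body);
  if (h) {
    const fn = h[1].toLowerCase();
    if (fn === 'back') return { kind: 'history', delta: -1 };
    if (fn === 'forward') return { kind: 'history', delta: 1 };
    // history.go(n); a bare history.go() reloads the current entry
    return { kind: 'history', delta: h[2] === undefined ? 0 : parseInt(h[2], 10) };
  }
  const u = URL_RE.exec(body);
  if (u) return { kind: 'url', url: u[0] };
  return null;                         // no guess: script stays blocked, click is a no-op
}

// Apply a guessed action to a fake session history {entries, index}.
// Returns the new state; the input object is left untouched.
function emulate(action, history) {
  if (!action) return history;
  if (action.kind === 'url') {
    // Like a real navigation: drop forward entries, append the new URL.
    const entries = history.entries.slice(0, history.index + 1).concat(action.url);
    return { entries, index: entries.length - 1 };
  }
  const target = history.index + action.delta;
  if (target < 0 || target >= history.entries.length) return history; // out of range: no-op
  return { entries: history.entries, index: target };
}

// The click check from the e-mail: only anchors, image-map areas and buttons
// are considered, and only when a real user click reaches them.
const LINK_TAGS = new Set(['A', 'AREA', 'BUTTON']);

function handleClick(el, history, isTrusted = true) {
  if (!isTrusted || !el || !LINK_TAGS.has(String(el.tagName).toUpperCase())) return history;
  return emulate(guessNavigation(el.href), history);
}

// Constructed sample page: three history entries, the user is on the last one.
function demo() {
  let hist = { entries: ['http://a.example/', 'http://b.example/', 'http://c.example/'], index: 2 };
  const clicks = [
    { tagName: 'a', href: 'javascript:history.back()' },                      // -> b.example
    { tagName: 'a', href: "javascript:location.href='http://d.example/x'" }, // -> d.example/x
    { tagName: 'a', href: 'javascript:doEvil()' },                            // unguessable: no-op
    { tagName: 'div', href: 'javascript:history.back()' },                    // not a link: ignored
  ];
  for (const el of clicks) hist = handleClick(el, hist);
  return hist; // ends on http://d.example/x with c.example dropped from the forward list
}
```

note what the emulation does and does not decide: no script is ever run, and nothing happens without a click on a link element, but the destination is taken verbatim from whatever URL the string parse finds in the href. that is the only "input" the page author controls, and it is exactly the point raised in the reply above.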


well, i'm not going to get into an infosec pissing match w/ a guy who's contributed more to protect end-users than i prolly ever will... sigh...

i was really surprised to find script execution when i had ns set to not allow scripts globally.

for the navigation feature, i've got no click generating foo atm. iirc there are things that can be done to overlay pages and catch clicks.

for the sandbox fun, nursing my bruised ego kept me away from coming up w/ a way to smuggle the information back to the attacker. but my understanding of infosec suggests that giving someone a way to discover information about a system (file exists, exists but you don't have perms, exists and is executable, and doesn't exist) is not optimal. also, prompting a user w/ a download dialogue seems dangerous, even for local files.

anyway, i've put up a quick PoC for the stuff i was playing with...

1 comment:

rwnin said...

lol, looks like borderline s[c|p]am w/ all the blogs you're following and stuff, but i have an 04 600rr in my garage and you posted some good pics, so you've won me over :)

i prolly won't click your google ads tho... empty economics doesn't work, trust me i live in the US and we just tried it ;)))