Monday, 23 August 2010

Would you run something blindly from the internet? Then why aren't you using NoScript?

I would hope that, these days, people are generally cautious about the applications they run on their computers... but web browsers are becoming more complex, and some consideration needs to be given to in-browser execution, regardless of the claims of secure sandboxing made by the browser vendors.

Recently I read a post over at The Register talking about the dangers of XSS and the use of the Firefox add-on NoScript, originally suggested to me by my friend Paul D., along with the Adblock Plus add-on, which I'll discuss in a later post.

What is XSS (for those too lazy to click the link above)? When you visit a web site and remain logged into it whilst you visit others, or when other websites are embedded into the website you're logged into (through iframes and various other tricks), those websites can sometimes trigger your web browser into performing actions on the site you're logged into as if it were you.

This might include stealing information or, ultimately, money.

There are ways websites can prevent XSS from succeeding, but often they can't be bothered, don't have the time, or new browser vulnerabilities open new attack vectors.

In a normal web browser configuration, when you visit a new website for the first time, all the plugins load and all the scripting runs. Whilst you have a single webpage open, it could be pulling in content from multiple sites: advertising networks, news aggregation sites, promotion sites, traffic monitoring and statistics packages... But what if you don't trust the website? What if this website is being embedded in the pages of a site you do trust, but you don't know it's being done? What if an ad network has accidentally allowed the upload of a nefarious banner ad that's then syndicated to sites you trust?

Enter NoScript.

In its default configuration, NoScript blocks all plugins, all Java and all scripting on every website you visit (except for a pre-configured, minimal whitelist). Yes, it gives a very pre-2.0 experience, and a lot of websites do just break outright. HOWEVER, at the bottom of the screen it displays a bar telling you exactly what it stopped from running and allowing you, one by one, to permanently or temporarily whitelist sites.
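As an added illustration (not the post's or NoScript's own code), the Python below does in miniature what that bar summarises: it inventories the active content a page pulls in, attributes each item to its origin host, and splits it against a per-site whitelist. The sample page, the host names and the "an entry also covers its subdomains" matching rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute pulls active content (script, plugin, framed page) into a page.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ActiveContentFinder(HTMLParser):
    # Collects every piece of active content a page would load, tagged with its origin host.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.found = []  # list of (kind, host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Inline event handlers (onmouseover=...) are script too, whatever the tag.
        if any(name.startswith("on") for name in attrs):
            self.found.append(("inline-handler", self.page_host))
        if tag not in ACTIVE_TAGS:
            return
        src = attrs.get(ACTIVE_TAGS[tag])
        if src is None:  # <script> without src: inline script on the page's own host
            self.found.append((tag, self.page_host))
        else:            # external: resolve relative URLs, then take the host
            self.found.append((tag, urlsplit(urljoin(self.page_url, src)).hostname))

def is_whitelisted(host, whitelist):
    # Assumed matching rule: a whitelist entry also covers its subdomains.
    return any(host == w or host.endswith("." + w) for w in whitelist)

def classify(page_url, html, whitelist):
    # Split the page's active content into what the whitelist allows and what it blocks.
    finder = ActiveContentFinder(page_url)
    finder.feed(html)
    allowed = [(k, h) for k, h in finder.found if is_whitelisted(h, whitelist)]
    blocked = [(k, h) for k, h in finder.found if not is_whitelisted(h, whitelist)]
    return {"allowed": allowed, "blocked": blocked}

# Constructed sample page: the site's own scripts plus an ad network and a tracker it embeds.
SAMPLE_HTML = """<html><body>
<script>trackPageView();</script>
<script src="//cdn.news.example/site.js"></script>
<script src="https://ads.adnetwork.example/banner.js"></script>
<iframe src="https://tracker.example/pixel.html"></iframe>
<object data="/media/clip.swf"></object>
<div onmouseover="alert(1)">hover</div></body></html>"""

def demo():
    return classify("https://news.example/story", SAMPLE_HTML, ["news.example"])
```

Note that the inline handler is attributed to the page's own host, so once the site is whitelisted it runs: a per-site whitelist cannot tell the site's own script from script injected into it.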

It also protects against several other forms of attack, such as "clickjacking" and "clear clicking" attacks, where you're led to believe you're clicking on one thing, but really your mouse clicks are being captured to send you elsewhere.

It's a pain in the butt to use when visiting a new site for the first time, but in my mind it's a necessary evil in today's increasingly complex and nefarious online realm, especially when using one's computer to perform financial transactions.

Stay safe people!

UPDATE: The Register reports on Twitter's post-mortem of the "onMouseOver" XSS exploit. Another example of why you should run NoScript.

1 comment:

  1. NoScript is a handy add-on, however I think it could be improved by helping users understand what they are missing. Where page functionality (as just one example, the ability to leave comments on a site running a CAPTCHA) is silently broken by NoScript, it would be helpful to have that content clickable, like blocked Flash objects are hidden but clickable.