NoScript vs. Internet Explorer 8 Filters

Summary: NoScript plugin writer Giorgio Maone posted a commentary on IE 8's new filters, drawing comparisons to his own widely popular NoScript Firefox plugin.  Maone writes:I’m happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now.

NoScript plugin writer Giorgio Maone posted a commentary on IE 8's new XSS filter, drawing comparisons to his own widely popular NoScript Firefox plugin.  Maone writes:

I’m happy to learn that IE8 is going to implement a less ambitious version of a feature which NoScript users have enjoyed for more than one year now. The announcement posts seem not to notice the resemblances of “XSS Filter” with NoScript’s Anti-XSS Protection, the most striking being their non-blocking approach: loading the target page in a “neutralized” form and emitting a warning as an info-bar, which doesn’t require interaction and therefore doesn’t necessarily interrupt the user’s workflow. But that’s fine: in fact, under the hood, their filter looks quite less sophisticated than NoScript’s InjectionChecker engine, as it is based on a limited blacklist, apparently targeted to the most common reflective XSS attack patterns as seen in proofs of concept:

The XSS Filter defends against the most common XSS attacks but it is not, and will never be, an XSS panacea. […]

The fact that our filter effectively blocks the common “><script>”… pattern we see most frequently in Type-1 XSS attacks is inherently a step forward. Pushing that further and blocking other common cases of reflected XSS where possible, as the XSS Filter does, is extra goodness.

Caveats aside, it will be great to see the tens of thousands of publicly disclosed Type-1 XSS vulnerabilities indexed on sites like XSSed.com simply stop working in IE8.

And there I started smiling: you realize, guys, that those listed “on sites like XSSed.com” are not “XSS vulnerabilities” which will “stop working in IE8”, but just minimal exploit test cases — <script>alert("XSS")</script> — which can be refactored and obfuscated in endless ways to obtain the “IE8 compatible” certification. Yeah, it will be great to see.

Ouch.  Read on.

If Giorgio is correct (and I have no reason to doubt his knowledge on the subject), IE 8's anti-XSS filter lags seriously behind the widely popular NoScript plugin that protects the Firefox browser.  I agree with Giorgio: there are so many variations of XSS attacks that stopping them becomes extremely difficult without a great deal of effort going into the blacklist.  Here are a few examples of outlier cases where XSS is still possible because the attack string never matches a blacklist entry:

  • Use of alternate character encodings, similar to the UTF-7 attacks that have been seen in the wild
  • Use of plain URL (percent) encoding, i.e. %3c for < (OK, this is an easy one; they should have this, but a filter that inspects the raw query string without decoding it first misses it)
  • HTML attribute injection

    • If the dynamic code looks like this: <input type="text" value="USERVALUE">

      • Where "USERVALUE" is controlled by the user

    • Then attackers can supply an attack string like " onfocus=alert(document.cookie)
    • This results in <input ... value="" onfocus=alert(document.cookie)"> and an XSS attack, with no <, > or <script> anywhere in the payload

  • Injection straight into JavaScript code

    • User-supplied input goes directly into JavaScript code (for example, inside a string literal in an inline script).  The attacker must keep the preceding JavaScript syntactically valid, but typically needs no <, >, or " to make the exploit work.

All this is not to mention the numerous HTML tags that can be used, including things you'd never expect, like <bgsound>.  It will be interesting to see how the IE 8 anti-XSS filter stands up to scrutiny by the community, but I do applaud them for the effort.  At a minimum something is being done and progress is being made; if things turn out well, then IE users may get some of the NoScript features that protect Firefox.
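The cases listed above, as an added example that is not code from the post, from IE8 or from NoScript: a toy pattern blacklist of the kind the post describes (aimed at the "><script> pattern), run against constructed payloads for each reflection context, next to the context-aware output encoding a server should apply instead of relying on a browser-side blacklist. The blacklist patterns, page templates, encoders and payloads are all constructed for illustration; the attribute and script payloads follow the post's bullets.

```javascript
// Added example, not code from the post, from IE8 or from NoScript.
// Everything below (blacklist, templates, encoders, payloads) is constructed
// to illustrate why a pattern blacklist misses attribute and script-context XSS.

// A toy blacklist of "most common reflected XSS patterns", modelled on the
// "><script> pattern the post quotes.
const BLACKLIST = [/<\s*script/i, /"\s*>\s*</, /javascript:/i];

// A filter that inspects the raw query string without URL-decoding it first.
function naiveFilterBlocks(rawQueryValue) {
  return BLACKLIST.some((re) => re.test(rawQueryValue));
}

// The same blacklist applied after decoding, the minimum a real filter must do.
function decodingFilterBlocks(rawQueryValue) {
  return BLACKLIST.some((re) => re.test(decodeURIComponent(rawQueryValue)));
}

// The three reflection points the post lists: HTML text, a quoted attribute
// value, and a string literal inside an inline script.
const TEMPLATES = {
  text:      (v) => `<p>Results for ${v}</p>`,
  attribute: (v) => `<input type="text" value="${v}">`,
  script:    (v) => `<script>var q = '${v}';</script>`,
};

// Context-aware output encoding: the server-side fix that needs no blacklist.
const ENCODERS = {
  text: (v) => v.replace(/[&<>]/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c])),
  attribute: (v) => v.replace(/[&<>"']/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c])),
  // Inside a JS string literal: \uXXXX-escape everything outside [A-Za-z0-9], so no
  // quote, backslash, newline or "</script>" can terminate the literal or the element.
  script: (v) => v.replace(/[^A-Za-z0-9]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')),
};

// Render the reflected value into the given context; `encode` selects the fix.
function reflect(context, rawQueryValue, encode = false) {
  const value = decodeURIComponent(rawQueryValue);
  const safe = encode ? ENCODERS[context](value) : value;
  return TEMPLATES[context](safe);
}

// Constructed payloads, one per case in the post (URL-encoded as they would
// appear in a query string).
const PAYLOADS = {
  // The textbook "><script> pattern the post says IE8's filter does catch.
  textbook:  { context: 'text',      raw: '%22%3E%3Cscript%3Ealert(1)%3C/script%3E' },
  // Attribute injection: closes the value and adds an event handler; no < or >.
  attribute: { context: 'attribute', raw: '%22%20onfocus%3Dalert(document.cookie)' },
  // Injection straight into a JS string literal: no <, > or " at all.
  script:    { context: 'script',    raw: "'%3Balert(document.cookie)%3B//" },
};

// Run every payload through both filters and both renderings.
function evaluate() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = {
      naiveBlocks:    naiveFilterBlocks(p.raw),
      decodingBlocks: decodingFilterBlocks(p.raw),
      unencoded:      reflect(p.context, p.raw, false),
      encoded:        reflect(p.context, p.raw, true),
    };
  }
  return out;
}

console.log(JSON.stringify(evaluate(), null, 2));
```

Running it shows the three failure modes side by side: the textbook payload slips past the non-decoding filter and is caught only once the query string is decoded; the attribute and script payloads pass even the decoding filter, and the unencoded renderings are exactly the `value="" onfocus=alert(document.cookie)"` and `var q = '';alert(document.cookie);//'` strings the post describes; with the context-specific encoder applied the same inputs stay inert data in every context.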

This brings up an interesting question... why is NoScript not just a part of the Firefox browser, rather than simply a plugin?

Finally, is there any protection like this for Safari?  I'll answer that for you.  There's not.

-Nate

Topics: Security, Browser, Microsoft

Talkback

11 comments
  • Think About End Users

    I've tried, a couple of times, to use NoScript in my normal surfing, and it became unbearable quickly. Too many sites were dysfunctional. MLB.com is a good example.

    It's one thing to make an add-in for technical users that they can tweak on a per-site basis, but IE8 has to be designed so as not to add new technical questions for end users to ask, nor to disable major standard web features. Comparing IE8's XSS filters to NoScript is therefore inappropriate.
    larry@...
    • Wow, you had to work hard to justify Microsoft's ineptness on this.

      Some of those really bad websites like MLB.com, which do really bad things for no good reason, are a problem and make it harder to detect rogue sites. And that has been the problem with MS all along: they focus on just making it work rather than worrying about security. Then the bad boys like MLB.com don't have to clean up their act.
      DonnieBoy
    • End Users

      OK, I'm a Firefox user (with NoScript). I'm a computer geek, but my wife is a lawyer and just wants to surf the web, and I prefer the calls like "How do I do this??" to spending my little free time fixing the OS.
      After a short period of time my wife learned how to make things work without calling me, and this means that she never allows any script from a suspicious domain to be executed; she LEARNED how to protect herself.
      This IE8 new feature demands no learning and no annoyance from the end user, but keeps him in the dark about his security.
      maalmike@...
      • Ah beautiful!

        A great story. The problem with making things hard is that people will take the easy way out, rather than learn. If we continue to have options that make it easier to use, easier to get pwnd, then we'll continue to have inept users.

        -Nate
        nmcfeters
        • Old times

          Aaahh! This brings me memories of those days when you needed lessons just to turn on the computer.

          Nowadays anyone can turn on a computer, but as with cars it doesn't mean you know how to use it, with all the good and bad things this brings.

          At least those users provide the failures that keep my work going on (I'm the tech support guy).

          Final words of the teacher who taught me DB design:
          Ignorance costs...... just make sure you're the one who collects the money.
          maalmike@...
  • Sounds like a lot of great innovation with NoScript, and of course also

    creating a paper trail of prior art so people like MS can not patent it.
    DonnieBoy
  • IE8 is still in beta

    I only use Firefox. I always use NoScript. But, even I have to accept that a beta is not a finished product. Let's wait to criticise the finished product.
    jorjitop
    • I thought "beta" is precisely that stage

      in the process towards general (Gold) release of a product in which criticism should be welcome - if not, what is it for? To my mind, the best thing MS and the IE developers could do would be to get in touch with Signor Maone and discuss collaboration on a non-proprietary, FOSS version of NoScript for IE8. Given IE's inherent security vulnerabilities, a NoScript for IE would probably not make the browser as secure as, say, Firefox, but it should go a long way towards solving ActiveX-related problems....

      Henri
      mhenriday
      • Nobody will read this but

        NoScript, IMO, is both an essential tool and one that many (most?) non technical users could find frustrating.

        I whitelist sites as I go, and that works for me, but for many people, they'd just think that a page doesn't work. Or if they did use NoScript, they'd get frustrated if things didn't work when they okayed the site they're on (as many sites require scripts from other domains to enable all content).

        With that said, there may be more user friendly, though likely less secure, ways to operate NoScript that still make FF more secure.

        The bottom line is for it to go to IE, it has to be completely transparent. I've got my mom trained to use FF, but my Dad would be hopelessly frustrated if he had to do any sort of interaction.

        I think that NoScript (or someone else) will get us there, but we're not there yet. I think that it's the make it easy to use factor that causes so many problems with MS software.

        It's a balancing act and I don't think there's an easy solution, but things are moving in the right direction.

        Nevertheless, I prefer FF and it just so happens to have NoScript :D
        notsofast
  • Been using NoScript since FIREFOX 1.4

    Been using NoScript for 4 going on 5 years now? No Internet Explorer will replace my Firefox.
    rebelxhardcore
  • I smell sour grapes ...

    Aren't you just upset that Microsoft didn't ask you for help? Every clever web developer in the world has faced issues similar to this. I was arguably the first developer to implement the "wish lists" concept, but that didn't stop others from making big bucks from the technique. Makes you wish patenting was cheaper and easier...
    tgilbert@...