Paid Advertising
web application security lab

NoScript Plugin Beta Attempts To Stop XSS

Giorgio Maone, the author of the NoScript Firefox plugin has recently been posting to the boards about a new experimental version of the plugin that intends to protect against XSS. The concept of the tool change is to detect when one site is attempting to send you to another site with XSS within the query string. Obviously there are more ways to XSS sites than the query string, so this mostly relates to certain forms of reflected XSS.

Giorgio is open to comments, so I would recommend that anyone interested in testing out the tool download it and give their feedback. Thus far there are a number of bugs, since it is very restrictive in what it attempts to stop, but being experimental there is lots of room for comments and improvements where they make sense. A big thanks to Giorgio for taking the time to let us all test his code. I, for one, have got a lot more testing to do!

4 Responses to “NoScript Plugin Beta Attempts To Stop XSS”

  1. Giorgio Maone Says:

    Many thanks to rsnake for blogging about it and recruiting more testers :)

    Just one clarification: currently available test build (070318), the one rsnake is blogging about, sanitizes query strings *and* strips off any upload data (e.g. from POST or PUT requests) when they come from an untrusted origin (JavaScript disabled) and are targeted to a whitelisted site (JavaScript enabled).
    Next build, which should be available in hours, sanitizes the whole URI (included username and password) plus the referrer (thanks to trev for pointing the latter).

    So we are catching: request URL, POST data and referrer URL.

    Considering that these NoScript changes are meant to prevent XSS from being used for “NoScript evasion”, i.e. they focus on *scriptless* attacks launched from non-whitelisted sites, can you name other XSS attack vectors which can be exploited without JavaScript?

    Thank you!

  2. Wladimir Palant Says:

    RSnake, I meant to tell you long ago - you really shouldn’t call them “plugins”, things like Adblock Plus and NoScript are extensions. Plugins are Java, Flash & Co - they are entirely different things.

  3. RSnake Says:

    Thanks for the head’s up. I pretty much call everything a plugin (even greasemonkey scripts). I wasn’t implying anything about the functionality, the term in my mind applies only to it being an extension of the original functionality of the underlying rendering engine.

  4. CenQ Says:

    I’m tested this plugin yesterday and test result is a wonderfull but don’t know plugin block are another illegal web script… Do you know?