Hi malware fighters,
Fx and Flock have the possibility to install an extension like NoScript. The IE8 browser by default has an xssfilter aboard, re: http://ha.ckers.org/blog/20080702/xssfilter-released/
(Also read how the two big browser-security giants Wladimir Palant and Giorgio Maone are constantly in each other’s hair about what protection may actually work or what level of it will break the Internet, and to what extent it is adoptable and/or workable by the general user).
The whole idea of the NoScript plugin or any other plugin like the aforementioned xssfilter is to provide the user with a default/easy way to control scripting (instead of going to Tools -> Options -> Security etc., ticking a bunch of boxes). When such a filter exists on the firewall, antivirus, browser etc., in general on the client side, it should be sufficient to eliminate XSS attacks.
polonus
Hi malware fighters,
While pondering on the above posting, I realized a particular truth.
JavaScript security today is just binary: allow or deny. Period. There’s no real in between. There is no JavaScript proxy that parses and rejects malicious script, no solution that proactively scans JavaScript for code-based exploits, no external answer to the problem. That means we have to rely on the browser developers to not only write a good browser with all the bells and whistles we like, but for security, as well. That’s why browser add-ons like NoScript are so popular.
We have to admit that scripting languages are such a mess to secure at the semantic level («Hi Giorgio Maone, why doesn’t NoScript just strip out malicious scripts and leave the rest of my page alone?»), especially from an external node (like a firewall) which does not actually parse the code:
We are not aware of any security solution that currently parses out JavaScript before it’s delivered to the client. If there are any out there, love to hear about them.
Well, WebCleaner comes to mind.
Also NoScript’s Anti-XSS filters actually parse cross-site request fragments through SpiderMonkey, mainly to reduce false positives by acting on syntactically valid JS only.
But it obviously means something different: a device placed outside the browser, parsing JavaScript and performing sandboxed behavioral analysis. This is the rara avis we are waiting for here, and the latter is the true challenge in this case, but building such a tool might not be impossible, especially since the best JavaScript implementations out there, Mozilla’s SpiderMonkey/TraceMonkey and Google’s V8, are open-source and embeddable. However, performance penalties aside (most of the scripts should be parsed and possibly compiled and executed at least twice, you know this script performing is making everything hang), you would lose a very important decision factor: browser context, i.e. DOM, cookies, authenticated sessions, navigation history and so on.
Unless they imagine to stuff a “twin” of your browser inside your firewall, sort of a proxy based on Gecko+SpiderMonkey or WebKit+V8 and acting as a guinea pig just before the “real” navigation happens…can it be built into a virtual machine?
But for the time being, we have the shields, haven’t we?
polonus
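The post above mentions filtering cross-site request fragments by acting only on syntactically valid JS. The sketch below is an added example, not part of the thread and not NoScript's code: the function names, the pre-filter regex and the sample URLs are assumptions, and the JavaScript engine's own parser (via `new Function`, which compiles without running) stands in for an embedded SpiderMonkey.

```javascript
// Added example: syntax-gated check of cross-site request parameters.
// Heuristics and names are assumptions, not NoScript's implementation.

// Cheap pre-filter: only fragments that look like a call, an assignment
// or a template literal are worth handing to the parser.
const LOOKS_ACTIVE = /[\w$\])]\s*\(|[^=!<>]=(?!=)|`/;

// True when the engine accepts the text as a script body.
// new Function() compiles its argument but never invokes it here.
function parsesAsJS(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false; // SyntaxError: not valid JS, so not treated as script
  }
}

// Pieces of a parameter value that a page could end up executing:
// the raw value, <script> bodies, and the tail of a javascript: URL.
function candidates(value) {
  const out = [value];
  const scriptBody = /<script[^>]*>([\s\S]*?)(?:<\/script|$)/gi;
  for (const m of value.matchAll(scriptBody)) out.push(m[1]);
  const js = value.match(/javascript:([\s\S]*)/i);
  if (js) out.push(js[1]);
  return out;
}

// Names of query parameters that carry syntactically valid JS on a
// cross-origin request; same-origin requests are left alone.
function suspiciousParams(requestUrl, sourceOrigin) {
  const url = new URL(requestUrl);
  if (url.origin === sourceOrigin) return [];
  const hits = [];
  for (const [name, value] of url.searchParams) {
    const hit = candidates(value).some(
      (c) => LOOKS_ACTIVE.test(c) && parsesAsJS(c)
    );
    if (hit) hits.push(name);
  }
  return hits;
}
```

A value such as `printer (laser) price` passes the regex pre-filter but fails the parse, which is the false-positive reduction the post describes; the check still has no view of DOM, cookies or session state.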
And what would we do without the shields?!!!