.

Noscript

<<

linuxstarved

EH-Net Columnist
EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Tue Jun 05, 2007 7:19 pm

Noscript

I understand that I am potentially starting a browser war, but so be it.  Firefox, is a better (safer?) browser, and one of the main reasons that I say that is noscript http://noscript.net .  Noscript is a Firefox extension, that allows the  user to decide which sites can and cannot run javascript and java.  It is amazing how many websites want to load code on a page you are looking at, without you even realizing it. 

I personally feel that the threat of cross-site scripting is a major issue and we need to do our due diligence as infosec representatives and take the extra steps to thwart malware.  I empathize that it can be annoying to have to temporarily allow a site to run javascript, but if you blindly trust a site and they become compromised you may or may not now be infected.  I'll put up with the hassle, noscript is enabled and shields are up!

P.S.

Make certain you enable javascript temporarily when posting on eh.net or you will have to may have to re-type your post :)
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Tue Jun 05, 2007 8:37 pm

Re: Noscript

I agree RickM! I love firefox and has lots of useful extensions I use everyday.

Brian
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

jimbob

Post Wed Jun 06, 2007 5:48 am

Re: Noscript

I used to use NoScript on a regular basis but I have to say that since almost every site I visit requires JavaScript in order for simple things like links to work I've given up with it. A lot of work for perhaps little benefit.

Be careful though, blocking JavaScript does not block XSS vulnerabilities. You can inject plain HTML or any other code into an XSS-vulnerable page. For example you could inject a HTML form to steal login credentials and not use JavaScript at all.

Jim
<<

linuxstarved

EH-Net Columnist
EH-Net Columnist

Posts: 49

Joined: Sat Sep 23, 2006 9:55 am

Post Wed Jun 06, 2007 9:23 pm

Re: Noscript

Thanks slimjim 100,

I have used FF since it first came out, and don't know where I would be without it.  As an aside I have been reading a little about 3.0 and there is some grumbling from hardcore beta testers saying that the mozilla folks have bloated the browser with .ext's rather than allowing each user to pick and choose which addons fits his/her individual needs.  Hopefully (if that is the case) they will run a leaner light version, that is just FF *fingers crossed*

jimbob,

Thank you for pointing out that noscript does not defend against xss, I re-read my post and it seemed a little confusing.  I was trying to say that xss is so dangerous that we should do whatever (even if inconvenient) it takes to keep things at bay, when we can (like java and javascript). 
<<

oleDB

User avatar

Recruiters
Recruiters

Posts: 236

Joined: Thu Jul 20, 2006 8:58 am

Location: HOA

Post Thu Jun 07, 2007 9:50 am

Re: Noscript

Anyone else notice how many updates there have been to NoScript in the last 3-4 weeks? It used to be a few times a year, but the last month has been bi-weekly it seems.
<<

jimbob

Post Fri Jun 08, 2007 4:48 am

Re: Noscript

[quote author=RichM link=topic=1390.msg5046#msg5046
Thank you for pointing out that noscript does not defend against xss, I re-read my post and it seemed a little confusing.  I was trying to say that xss is so dangerous that we should do whatever (even if inconvenient) it takes to keep things at bay, when we can (like java and javascript). 
[/quote]

Ah, gotcha. JavaScript is used to deliver all manner of browser nasties so blocking it block malicious injected code. Like I said before, NoScript is a great plugin that I've got too lazy to use. Bad me.
<<

Kev

Post Wed Jun 13, 2007 8:21 pm

Re: Noscript

There is no question at this time that firefox is the one.  And I dont mean that from an anti windows view. With its plugins and speed, etc..

Return to RichM

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software