Client side hacking with noscript (FF-addon) enabled
While NoScript is a great plugin to make your browser secure, I tried finding ways to break it and succeeded.
This means that it is possible to break the browser client side while NoScript is enabled (and the site(s) are disallowed).
I did not fully debug the bugs because I am not in the mood to find browser exploits, but I was trying to find ways to disable/crash the browser client side with NoScript enabled; crashes were enough for me.
My first idea to break it was making a very, very long URL. This is the code I used:
<?php
// Emit a single script tag whose src host is one very long run of digits
echo "<script src=\"http://";
for ($a = 95000; $a >= 0; $a--) {
    echo $a;
}
echo "\">";
?>
First it loads normally and gives a message that 1 script is blocked; no crash was found here yet.
Then, when I told it to temporarily allow the site, Firefox kept running. There was no sandbox which stopped me and it kept eating my CPU. I waited some minutes before I killed Firefox.

Alright, time for the second attempt: let's make tons of scripts to different locations to make it crash.
<?php
// Emit 95001 script tags, each pointing at a different numeric host
for ($a = 95000; $a >= 0; $a--) {
    echo "<script src=\"http://" . $a . "\"></script>";
}
?>
When you click the NoScript button now, it will attempt to make a drop-down list of all sites. Sometimes you will get a screen like this:



And sometimes it will just crash the browser. When you get the pop-up and you make it stop, it will show an empty drop-down menu.
Another idea was to make a script to a very long port number. This did not crash the browser but gave unexpected behavior, because it would not ask to allow the script from that page but told me the script was hosted on the localhost. Pretty weird; unfortunately I cannot host something on a port number with 1000 digits to fully test this vulnerability.
I think NoScript also understands that high port numbers do not exist, or something.
After a lot of trying I noticed I had entirely disabled the protection suite somehow; I was able to do XSS and such. I don't know why and how, and I investigated where it came from, but somehow I made NoScript allow XSS and other attack vectors after allowing a website. There are also a lot of different errors you will get when playing with this, so I must have triggered something accidentally. After the reboot everything was fine.
There is a funny thing with the script which generates a lot of links: try this out and it will generate an empty warning box which you can repeatedly close, but it will come back every time again. First you will get a problem in the policy.js script, but it doesn't matter what you click there, your browser will be doomed anyway. Here is a screenshot of it:

Anyhow, if you manage to narrow it down then let me know. It's pretty severe if you can just strip the protection. If I find the specific way then I will also tell you, of course.
I also tested it on different operating systems and the results and errors were different.
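
For anyone building this kind of per-site blocking menu, the sketch below (an added example, not code from this post or from NoScript) bounds untrusted script URLs before they reach the UI, using constructed inputs that mirror the three tests above. The limits MAX_URL_LENGTH and MAX_SITES, the function names and the host example.test are assumptions, and nothing here claims to be the cause of the crashes.

```javascript
// Added example: bound untrusted script URLs before listing their sites in a UI.
// Both limits are assumptions chosen for illustration.
const MAX_URL_LENGTH = 2048; // assumed cap on a single src value
const MAX_SITES = 50;        // assumed cap on menu entries

// Returns { sites, rejected, truncated } for a list of script src strings.
function collectScriptSites(srcList) {
  const sites = new Set();
  let rejected = 0;
  let truncated = false;
  for (const src of srcList) {
    if (typeof src !== "string" || src.length > MAX_URL_LENGTH) {
      rejected++;            // over-long value: never handed to the parser
      continue;
    }
    let url;
    try {
      url = new URL(src);    // WHATWG parser: throws on ports above 65535 and
    } catch (e) {            // on all-numeric hosts that overflow an IPv4 address
      rejected++;
      continue;
    }
    if (url.protocol !== "http:" && url.protocol !== "https:") {
      rejected++;
      continue;
    }
    if (sites.has(url.origin)) continue; // same site already listed
    if (sites.size >= MAX_SITES) {
      truncated = true;      // menu stays bounded however many hosts the page names
      continue;
    }
    sites.add(url.origin);
  }
  return { sites: [...sites], rejected, truncated };
}

// Constructed inputs mirroring the three tests in the post.
function sampleInputs() {
  let digits = "";
  const many = [];
  for (let a = 95000; a >= 0; a--) {
    digits += a;                 // one huge numeric host
    many.push("http://" + a);    // 95001 different numeric hosts
  }
  const bigPort = "http://example.test:" + "9".repeat(1000);
  return { longHost: "http://" + digits, many, bigPort };
}
```

Note that the URL parser treats an all-numeric host such as http://95000 as an IPv4 address, so the site shown to the user is http://0.1.115.24 rather than the string in the page source.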

Hello, I am Jelmer, born in 1991. I have been playing in IT security for over half my age. I am not sure when, how and why it started, but I like it. I met Fredrik and Mathias through the internet. This is my Twitter account, feel free to follow me. You can contact me via email at jelmerdehen [ at ] hotmail [d0t] com, or you can chat with me in the IRC.