Author Topic: Firekeeper in Firefox saved me from this one...  (Read 5650 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Firekeeper in Firefox saved me from this one...
« on: March 22, 2009, 11:03:31 PM »
Hi malware fighters,

Micro-blogging site Twitter suffers from a potentially devastating vulnerability that forces logged-in users to post messages of an attacker's choice simply by clicking on a link. It could be used to spawn a self-replicating worm.

The XSS, or cross-site scripting, error was discovered by Secure Sciences Corp researchers Lance James and Eric Wastl.
Here is the POC: hxxp://www.securescience.net/twoubledtwitter.html
Visit with Fx or Flock with Firekeeper with these rules installed: http://firekeeper.mozdev.org/rules/xss.fk
it alerts you and makes it possible to block this cross-site-scripting attack for good,
Re: http://www.theregister.co.uk/2009/03/20/twitter_viral_xss_flaw/

Get Firekeeper here: http://firekeeper.mozdev.org/installation.html
Malware block list: http://www.malware.com.br/

Firekeeper is an Intrusion Detection and Prevention System for Firefox. It is able to detect, block and warn the user about malicious sites. Firekeeper uses flexible rules similar to Snort ones to describe browser based attack attempts. Rules can also be used to effectively filter different kinds of unwanted content. Other features include:
Ability to scan incoming Firefox traffic - HTTP(S) response headers, body and URL and to cancel processing of suspicious responses.
HTTPS and compressed responses are scanned after decryption/decompression.
Very fast pattern matching algorithm (taken directly from Snort).
Interactive alerts that give an ability to choose a response to detected attack attempt.
Ability to use any number of files with rules and to automatically load files from remote locations

pol
« Last Edit: March 23, 2009, 12:11:37 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

normishmael

  • Guest
Re: Firekeeper in Firefox saved me from this one...
« Reply #1 on: March 23, 2009, 12:40:50 AM »
This is very nice!
I have never heard of it before.
I am running it now.
Is protection good enough if I just use the default settings?

(love the u-boot prints)

drhayden1

  • Guest
Re: Firekeeper in Firefox saved me from this one...
« Reply #2 on: March 23, 2009, 04:48:27 AM »
Quote
Firekeeper 0.3.1 (alpha release) for Windows
Thanks Damian ;)
Sounds like a good program but will wait till a final version is released

Alan Baxter

  • Guest
Re: Firekeeper in Firefox saved me from this one...
« Reply #3 on: March 23, 2009, 07:25:15 AM »
Quote
Firekeeper 0.3.1 (alpha release) for Windows
Thanks Damian ;)
Sounds like a good program but will wait till a final version is released

Might be a while.  This version is almost a year old.  Judging by the project weblog and its bug database, there doesn't seem to have been any development activity on it since then.

Don't rely on it to protect against 0-day exploits.  Firekeeper is designed to warn about attempts to exploit known vulnerabilities.  Those are usually patched in the browser and OS before they're published.  FAQ  It sounds like it doesn't add much more than avast! Web Shield provides.  I don't know.  Would its rules at that time have protected against the Twitter exploit when the exploit first came out?

Edit: Web Shield, not Web Search.  Must have been late.
« Last Edit: March 23, 2009, 04:24:59 PM by Alan Baxter »

Offline polonus

Re: Firekeeper in Firefox saved me from this one...
« Reply #4 on: March 23, 2009, 04:09:04 PM »
Hi Alan Baxter,

I would have thrown it out long ago, but I tested all the new XSS Cross Site Scripting exploits, three pages of them and all were flagged by Firekeeper immediately, which asked me to block them once, block them, run them once, etc. I have the following lists inside them that are loaded every time the browser starts and renewed:
I have the firekeeper experimental.fk, malware.hyperlinks.com - aggressive? action, www.malware.com.br,
mozdev.new_threats.fk - it comes with a whitelist, a blacklist and default settings,
I think Jan Wrobel made a nice IDS add-on for inside Firefox or Flock.
Remember the lists are general detection rules, as it works for me, why not keep it there.
Just like to have this extension next to NoScript, Perspectives and the red flag of RequestPolicy,

polonus

P.S. @normishmael  just another U-boat for ye here (click to enlarge)
       and use the rules inside "add remote file" and put the URL there this:
       http://www.malwarepatrol.net/cgi/submit?action=list_fkeeper
       http://firekeeper.mozdev.org/rules/xss.fk (This was made by Thomas Kilgore)
« Last Edit: March 23, 2009, 04:15:27 PM by polonus »

Alan Baxter

  • Guest
Re: Firekeeper in Firefox saved me from this one...
« Reply #5 on: March 23, 2009, 04:35:19 PM »
Thanks for the reply, polonus.  Interesting.  Did Firekeeper identify any dangerous XSS exploits that NoScript missed?  Giorgio should be told about any, right?  Could you them in NoScript General?

Cool U-boat!

Offline polonus

Re: Firekeeper in Firefox saved me from this one...
« Reply #6 on: March 23, 2009, 06:21:50 PM »
Hi Alan Baxter,

Go to the NoScript forums, just posted one: hxxp://bypass.xssing.com/testing.php?vector=data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
You can try that one out on Fx and it is not alerted by NoScript and not by Netcraft,

polonus
« Last Edit: March 23, 2009, 06:24:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
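
The test URL in the post above hides its markup inside a base64 `data:` URI passed in the `vector` parameter. The following added example (not part of the original post, and not Firekeeper's or NoScript's code) decodes such parameters so a filter or analyst can inspect what they carry; the function name, the pattern list and the finding fields are assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Sample input: the defanged test URL quoted in the post above.
SAMPLE_URL = (
    "hxxp://bypass.xssing.com/testing.php?vector=data:text/html;charset=utf-7;"
    "base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4="
)

# Illustrative (not exhaustive) signs of active content in a decoded value.
ACTIVE_MARKUP = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
DATA_URI = re.compile(r"^data:(?P<meta>[^,]*),(?P<body>.*)$", re.IGNORECASE | re.DOTALL)


def inspect_url(url):
    """Return one finding per query parameter whose value is a data: URI."""
    findings = []
    query = urlsplit(url.replace("hxxp", "http", 1)).query
    # Split by hand: parse_qs would turn '+' into a space and corrupt base64.
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        match = DATA_URI.match(unquote(raw))
        if not match:
            continue
        meta = match.group("meta").lower().split(";")
        body = match.group("body")
        if "base64" in meta:
            try:
                # Bytes are mapped 1:1 to text for inspection; the declared
                # charset is reported, not applied.
                body = base64.b64decode(body, validate=True).decode("latin-1")
            except (binascii.Error, ValueError):
                body = ""  # undecodable payload is still reported below
        findings.append({
            "param": name,
            "media_type": meta[0] or "text/plain",
            "charset": next((p[8:] for p in meta if p.startswith("charset=")), None),
            "decoded": body,
            "active_markup": bool(ACTIVE_MARKUP.search(body)),
        })
    return findings


if __name__ == "__main__":
    for finding in inspect_url(SAMPLE_URL):
        print(finding)
```

A pattern match on the raw URL sees only base64 text here, which is why the decode step comes before the markup check.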

Offline polonus

Re: Firekeeper in Firefox saved me from this one...
« Reply #7 on: March 24, 2009, 10:53:09 PM »
Hi malware fighters,

As we learned from the discussion at the NoScript forums, as the particular domain is not whitelisted normally these are blocked by NoScript, so in this case Firekeeper is just alerting to inform the user, and this can be handy for educational reasons. So I have three layers of protection there, actually five:
First firekeeper alerts to something that was blocked by NoScript anyhow, but could not be redirected anyway because RequestPolicy does not allow, then if I allow it there, the Netcraft toolbar would disconnect, but first of all the avast shield had alarmed, so without user interaction there are certainly some locks on this door,

polonus