Adblock Plus and (a little) more
Analyzing huge piles of code · 2009-02-10 23:37 by Wladimir Palant
Back in August, at the Firefox Summit, I promised Giorgio Maone to properly analyze NoScript. Trust me, better that than the alternative. And it is not that I forgot. I tried, really. Problem is, Giorgio isn’t a big friend of modularization. Most of NoScript code is contained in two files, one being 2000 and the other a whopping 8000 lines long, all of its 500 features nicely intertwined. He isn’t a big fan of documentation either, keeping code comments to a minimum so as to prevent code bloat. Finally, he isn’t a big fan of consistency and made sure that each feature is triggered only under its very unique conditions. In short, the code is a mess.

Five wrong reasons to use eval() in an extension · 2009-02-06 13:35 by Wladimir Palant
One of the most overused JavaScript features is the eval() function. I have seen it used in very many extensions but only a few actually had a good reason to use it. So I want to go through all the wrong reasons one would use eval().

Vulnerable extensions survey · 2009-02-05 16:49 by Wladimir Palant
I spent in total something like 10 hours searching 78 of the top 100 extensions for signs of unsafe interactions with the web (yes, I failed downloading the extensions that are hidden behind a EULA, will do better next time). The result: 14 extensions with severe vulnerabilities (typically the kind of vulnerability that lets a web page take over your browser and even the computer if your browser runs with administrator privileges) and several proof of concept exploits. The good news: I don’t think that I missed too many vulnerable extensions, when I searched for more patterns I just kept finding new issues in the extensions that were already known to be vulnerable. More good news: none of the top 10 most popular extensions made the list. The bad news: many of the remaining extensions didn’t make this list simply because they don’t interact with the web or only interact with the web in ways that are relatively unproblematic. Some others were just too messy to get an overview in reasonable time, so it was impossible to understand whether questionable coding practices actually caused security issues.

Displaying web content in an extension - without security issues · 2009-01-28 12:02 by Wladimir Palant
Over the last few years I reported a bunch of security vulnerabilities in various extensions and by far the most common issue was: “Extension Foo allows execution of remote code in privileged context”. Typically, an RSS reader extension would take the content of the RSS feed (HTML code), format it nicely and insert it into the extension window. The issue that is overlooked here is that the RSS feed could contain some JavaScript code and it would then execute with the privileges of the extension, meaning for example that it would get full access to the browser (cookies, history etc) and to the user’s files. pdp discovered a similar issue in the Firebug extension that uses an HTML-based templating system and forgot to sanitize some input received from the webpage.

Now it got me as well · 2009-01-15 23:24 by Wladimir Palant
Giorgio knew very well of course that I was only waiting for a chance to tag him, so he tagged me first. Argh… Whatever, here are the rules:

Deobfuscating JavaScript · 2009-01-12 17:28 by Wladimir Palant
A few months ago I read a post in the WebSense Security Labs blog: The Ultimate Deobfuscator. Wow, pretty impressive hacking effort and nice tricks to hook JavaScript eval() function and document.write() in Internet Explorer. But couldn’t you use JS Debugger hooks in Firefox to do the same thing with only a few lines of code? And then maybe even more generic because eval() and document.write() are certainly not the only ways to generate JavaScript code on the fly (off the top of my head: changing window.location to a JavaScript URL, event handler attributes or setTimeout() with a string parameter).

Adblock Plus 1.0.1 released · 2009-01-10 18:30 by Wladimir Palant
Major changes
- New translations: Icelandic, Kazakh
- Disabled filters are now displayed in list of blockable items and can be reenabled with one click
- Filters can be restricted to a domain with $domain=foo.com option (documentation)
- Improved start-up performance
Known issues
- Some translations contain untranslated English strings

On the new Ctrl+Tab behavior · 2009-01-09 12:23 by Wladimir Palant
While I usually spend most of my time with stable browser versions, I still use Minefield frequently. And Minefield builds now have the new Ctrl+Tab behavior again. While this feature will certainly help most users navigate around their tabs, I cannot help myself disliking it. And now I finally understand my problem: usually I don’t even look at the screen when switching tabs.

EasyList and EasyElement got merged · 2009-01-06 11:51 by Wladimir Palant
After some discussion Rick decided that keeping EasyList and EasyElement separate is no longer necessary. Today they were combined into one subscription and I created redirects to make sure everybody using EasyElement or one of the combined subscriptions containing EasyElement gets updated automatically. Just to let everybody know that there is only EasyList and EasyPrivacy now. Adblock Plus will also recommend “plain” EasyList again starting with version 1.0.1.

Fixing issues in the release candidate · 2009-01-05 14:59 by Wladimir Palant
This is a release candidate for Adblock Plus 1.0.1.
Known issues
- “Slow filter” exclamation mark shows up for disabled filters
- “Filter source” shows disabled filter subscriptions as source
- Blocking rules are sometimes misinterpreted as exception rules
