Adblock Plus and (a little) more
Displaying web content in an extension - without security issues · 2009-01-28 12:02 by Wladimir Palant
Over the last few years I reported a bunch of security vulnerabilities in various extensions and by far the most common issue was: “Extension Foo allows execution of remote code in privileged context”. Typically, an RSS reader extension would take the content of the RSS feed (HTML code), format it nicely and insert it into the extension window. The issue that is overlooked here is that the RSS feed could contain some JavaScript code and it would then execute with the privileges of the extension — meaning for example that it would get full access to the browser (cookies, history etc.) and to the user’s files. pdp discovered a similar issue in the Firebug extension, which uses an HTML-based templating system and forgot to sanitize some input received from the webpage.
Now it got me as well · 2009-01-15 23:24 by Wladimir Palant
Giorgio knew very well of course that I was only waiting for a chance to tag him, so he tagged me first. Argh… Whatever, here are the rules:
Deobfuscating JavaScript · 2009-01-12 17:28 by Wladimir Palant
A few months ago I read a post in the WebSense Security Labs blog: The Ultimate Deobfuscator. Wow, pretty impressive hacking effort and nice tricks to hook the JavaScript eval() function and document.write() in Internet Explorer. But couldn’t you use JS Debugger hooks in Firefox to do the same thing with only a few lines of code? And then maybe even more generic because eval() and document.write() are certainly not the only ways to generate JavaScript code on the fly (off the top of my head: changing window.location to a JavaScript URL, event handler attributes or setTimeout() with a string parameter).
On the new Ctrl+Tab behavior · 2009-01-09 12:23 by Wladimir Palant
While I usually spend most of my time with stable browser versions, I still use Minefield frequently. And Minefield builds now have the new Ctrl+Tab behavior again. While this feature will certainly help most users navigate around their tabs, I cannot help disliking it. And now I finally understand my problem: usually I don’t even look at the screen when switching tabs.
EasyList and EasyElement got merged · 2009-01-06 11:51 by Wladimir Palant
After some discussion Rick decided that keeping EasyList and EasyElement separate is no longer necessary. Today they were combined into one subscription and I created redirects to make sure everybody using EasyElement or one of the combined subscriptions containing EasyElement gets updated automatically. Just to let everybody know that there is only EasyList and EasyPrivacy now. Adblock Plus will also recommend “plain” EasyList again starting with version 1.0.1.
Microsoft joining the ranks of referrer spammers? · 2008-12-19 08:52 by Wladimir Palant
I just noticed an unusually high number of requests in my logs with the referrer being Live Search, all with the same search request. Now that doesn’t make sense because I usually get very few people from there, about 0.5% of the requests referred by Google. And I just don’t believe that everybody suddenly decided to search for “adblockplus”. Finally, all requests came in for http://adblockplus.org/ and were redirected to http://adblockplus.org/en/ — but Live Search doesn’t even list the main page, it links directly to the English one (or German, or French, depending on your location).
Filterset.G webpage hacked · 2008-12-15 10:02 by Wladimir Palant
Did I already mention that running a web server is dangerous? Well, it was only one part of the picture. Each server gets lots of automated requests trying to find vulnerabilities in the scripts that are installed (SQL injection vulnerabilities got particularly popular lately). But servers also get lots of requests on SSH and FTP ports trying to guess user names and passwords. So you had better not use passwords that can be easily guessed using a dictionary attack. Even better, don’t use any passwords at all.
Third-party JavaScript - yes, it is a security risk · 2008-12-02 15:23 by Wladimir Palant
Third-party JavaScript includes are as popular as ever. Almost every web page includes third-party scripts, be it for advertising, for visitor statistics or just for the fun widgets. The awareness of security risks connected to it — it is just not there. All the better to see The Register bring up this issue again, this time because of Google Analytics being used on Barack Obama’s website (and particularly in the admin interface).
New "Getting Started" page · 2008-11-25 09:41 by Wladimir Palant
I created a new documentation page called Getting Started with Adblock Plus. The idea is to provide an overview for new users with links to all the relevant information. It should replace the Tip Of The Day which never really took off. Of course, some more illustrations (or, more likely, animations) need to be added to the “Solving problems” section. I also want to add “Using Adblock Plus in Thunderbird” to “First steps” because people usually don’t understand what Adblock Plus will do in a mail client. Question is, what else should go onto that page? Suggestions?
Different ways to force garbage collection · 2008-11-20 12:49 by Wladimir Palant
Yesterday I reported a Gecko bug where reproducing required the garbage collector to run. In the following discussion this useful snippet of code appeared:
window.QueryInterface(Components.interfaces.nsIInterfaceRequestor)
      .getInterface(Components.interfaces.nsIDOMWindowUtils)
      .garbageCollect();