Friday, October 12, 2007

Detecting Firefox Extensions Without Javascript

ascii recently posted a piece on telling apart JavaScript being disabled through Firefox's own settings and JavaScript being blocked by NoScript, by abusing NoScript's redirection code: http://www.ush.it/2007/10/11/detect-noscript-poc/

That got me thinking about other ways to tell the two cases apart. I haven't found one yet, but along the way I came up with a method for detecting Firefox extensions without JavaScript. It may not work on every extension, but it works with NoScript, and it should work with any extension that ships a CSS file in chrome containing at least one rule whose selector and property we can collide with from our own page.

If we look at how Firefox resolves two declarations of the same property for the same class selector (and the same should hold for an id selector), we find that it simply uses whichever declaration comes later in stylesheet order, which is exactly what the CSS cascade specifies for rules of equal specificity.

Knowing this we can construct a page which looks like this:

<html>
<head>
<!-- Our own rule: if it is the one that applies, Firefox fetches no.php -->
<style>
  .noscript-error {
    background-image: url(no.php)
  }
</style>
<!-- NoScript's own stylesheet, imported after ours. If the chrome URL loads,
     its .noscript-error rule comes later in the cascade and overrides the
     background-image above; if the extension is absent the import fails
     and our rule stays in effect. -->
<style>
  @import url(chrome://noscript/skin/browser.css);
</style>
</head>
<body>
  <div class="noscript-error">If NoScript is NOT installed (and enabled as an extension) then Firefox will make a request for no.php, otherwise it won't.</div>
</body>
</html>


All no.php then has to do is record in the visitor's session that NoScript is not installed.

Note: thanks to thornmaker for pointing out that other browsers will also request no.php, since they cannot load the chrome:// URL either, so you should only run this check once you have determined that the visitor is using Firefox.
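The post only shows the probe page and says that no.php should mark the session. The following is an added example, not kuza55's code, that fills in the server side: it builds the page for any extension whose chrome stylesheet sets the same property on the same selector (NoScript's being the one from the post), serves a beacon in place of no.php, applies thornmaker's note by counting beacon hits from Firefox only, and turns the recorded state into a verdict. The function names, the /probe, /no.php and /result paths, the "probe" cookie and the User-Agent test are all this example's own assumptions.

```python
"""Server side of the CSS probe from the post (added example, not kuza55's
code).  Supplies the beacon endpoint, counts beacon hits from Firefox only,
and generalises the page builder to any extension whose chrome:// stylesheet
overrides the same property.  Function names, the /probe, /no.php and
/result paths, the "probe" cookie and the User-Agent test are assumptions."""
import re
from http import cookies
from http.server import BaseHTTPRequestHandler, HTTPServer
from uuid import uuid4

# Constructed table: chrome stylesheet and class selector per extension.
# The NoScript entry is the one from the post; any other extension needs a
# stylesheet that sets background-image on the listed selector.
PROBES = {
    "noscript": ("chrome://noscript/skin/browser.css", "noscript-error"),
}

# Session id -> "probed" (page served to Firefox) or "beacon" (no.php hit).
SESSIONS = {}

FIREFOX_UA = re.compile(r"\bFirefox/\d")


def is_firefox(user_agent):
    """Every other browser fails the chrome:// import as well and would fetch
    the beacon whether or not NoScript exists, so only Firefox hits count."""
    return bool(FIREFOX_UA.search(user_agent or ""))


def probe_page(chrome_css, css_class, beacon_url):
    """Build the probe page.  Our rule comes first and the @import of the
    extension stylesheet second: at equal specificity the later declaration
    wins, so when the import loads the extension's background-image replaces
    ours and the beacon is never requested.  Arguments are server constants,
    not visitor input, so they are written into the stylesheet unescaped."""
    return (
        "<html><head>\n"
        f"<style>.{css_class} {{ background-image: url({beacon_url}) }}</style>\n"
        f"<style>@import url({chrome_css});</style>\n"
        "</head><body>\n"
        f'<div class="{css_class}">probe</div>\n'
        "</body></html>\n"
    )


def serve_probe(store, session_id, user_agent, extension="noscript",
                beacon_url="/no.php"):
    """Return the page and, for a Firefox session, record that it was probed.
    Other browsers still get the page but are never recorded."""
    chrome_css, css_class = PROBES[extension]
    if is_firefox(user_agent):
        store[session_id] = "probed"
    return probe_page(chrome_css, css_class, beacon_url)


def record_beacon(store, session_id, user_agent):
    """Handle a hit on the beacon URL; True if it was counted."""
    if is_firefox(user_agent) and store.get(session_id) == "probed":
        store[session_id] = "beacon"
        return True
    return False


def verdict(store, session_id):
    """Negative detection: a beacon means the extension is absent, and a probed
    session that never sent one means the chrome stylesheet loaded and won the
    cascade.  Only read "installed" after the browser has had time to render
    the probe (e.g. on the visitor's next request): a visitor who left before
    the CSS applied also sends no beacon."""
    state = store.get(session_id)
    if state == "beacon":
        return "not installed"
    if state == "probed":
        return "installed"
    return "unknown"


class ProbeHandler(BaseHTTPRequestHandler):
    """Minimal demo server: /probe serves the page, /no.php is the beacon,
    anything else reports the verdict for the caller's session cookie."""

    def do_GET(self):
        jar = cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["probe"].value if "probe" in jar else uuid4().hex
        ua = self.headers.get("User-Agent", "")
        if self.path == "/probe":
            self._reply(200, "text/html", serve_probe(SESSIONS, sid, ua).encode(), sid)
        elif self.path == "/no.php":
            record_beacon(SESSIONS, sid, ua)
            self._reply(204, None, b"", sid)  # empty image: nothing to render
        else:
            self._reply(200, "text/plain", verdict(SESSIONS, sid).encode(), sid)

    def _reply(self, status, content_type, body, sid):
        self.send_response(status)
        self.send_header("Set-Cookie", f"probe={sid}; Path=/")
        if status != 204:
            self.send_header("Content-Type", content_type)
            self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), ProbeHandler).serve_forever()
```

Run it, load http://127.0.0.1:8080/probe in Firefox, then http://127.0.0.1:8080/result in the same browser. Because the detection is negative, the verdict endpoint is only meaningful once the probe page has actually rendered, which is why the demo reads it on a later request rather than at the moment the page is served. One caveat not in the post: from Firefox 3 onwards web content can only load chrome:// packages whose manifest marks them contentaccessible, so the probe only works against extensions that still expose their skin files to content.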

Also, ascii and sirdarckcat came up with another method for detecting NoScript, which does positive detection (i.e. you get a response when it is installed, rather than the negative detection above), but I'll let them write about that.

8 comments:

Gareth said...

Nice!

About time you posted something :P

Seriously though I like the technique.

kuza55 said...

Yeah some posts are long over due on this blog, but I'm busy atm with exams, and most of my ideas are in a stage of half-completeness, so I'm not posting about them yet.

Personally, I'm just glad that so far no-one has told me something like "Oh, yeah, someone wrote about that years ago, here's a link to the paper". >_<

Travis said...

Nice article, I'll have to give it a shot. I assume this could be used on other extensions, not just the NoScript extension?

http://travisaltman.com

kuza55 said...

@Travis:
I haven't tested it against other extensions, but since the method used doesn't really rely on anything which is unique to NoScript it should work on other extensions as well.

Marco Ramilli said...

Yep, it's true.
It's working correctly. Very smart technique kuza55.

sirdarckcat said...

Hi

reCaptcha is using something like this to detect if you have javascript really disabled, or you are using noscript, the technique is the same as:

http://www.sirdarckcat.net/youhavenoscript.html

It can detect if you have NoScript, or JavaScript disabled, or if you have it enabled.

It uses a similar approach to the one of ascii (http://www.ush.it/2007/10/11/detect-noscript-poc/) but with some <noscript> conditionals.

The other way we were talking about for detecting NoScript was doing some cool CSS stuff :P hehe, which ascii may show you in the near future.

Greetz!!

Anonymous said...

You are a clown, scriptkitty!

Ted

whitetoque.ca/macrocosm/

Ted said...

Just for the record, the anonymous comment dated 9 November 2007 04:18 did not originate from me.

The military assclowns I used to work with in DND CIRT have too much free time on their hands and do this sort of thing to get their jollies.

The early morning timing of this surprises me, as they usually pursue such activity during work hours rather than actually doing their jobs.

This, combined with the fact that talent in the shop is rather lacking right now, goes a long way to explaining why their networks are compromised on a fairly routine basis and why they are so vulnerable in the first place.

Besides, if I had something to say to anyone, I wouldn't hide behind an anonymous comment, nor would I act like an ass and berate anyone (especially fellow security enthusiasts) just for the sake of doing so.

Cheers,

Ted