New Update Netcraft Anti-Phishing Extension for Firefox Updated - Adds protection against malicious JavaScript

Windows_Security

I have tested Netcraft XSS a few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with. The XSS protection of Netcraft did quite well.

I guess it is based on text patterns and command sequences which indicate client-side injected scripts (making them first party, so you would need to block all scripts to be protected, not just third-party).
 

Windows_Security

Also on (old) Edge it has updated
 

HarborFront

I have tested Netcraft XSS a few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with. The XSS protection of Netcraft did quite well.

I guess it is based on text patterns and command sequences which indicate client-side injected scripts (making them first party, so you would need to block all scripts to be protected, not just third-party).
Do you know what type(s) of XSS is Netcraft protecting against?

1) Stored XSS
2) Reflected XSS
3) DOM based XSS

NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS
 

shmu26

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.
 

Windows_Security

Do you know what type(s) of XSS is Netcraft protecting against?

1) Stored XSS
2) Reflected XSS
3) DOM based XSS

NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS

Don't know. Do I recall correctly that no client-based protection is possible against 1) (because stored XSS is injected on the server of the website or web application itself)?
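
Added example (not part of the thread, and not Netcraft's, NoScript's or any browser's actual code): a minimal request/response-matching check, the general idea behind reflected-XSS filters. It shows why the stored case raised in this exchange is invisible to that heuristic: the script in the response never appeared in the request. All function names, URLs and sample pages are constructed.

```javascript
// Added illustration; every name and sample value here is constructed.

// Collect inline <script> bodies and on* handler values from a response.
function executableFragments(html) {
  const found = [];
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  const handlerRe = /\son\w+\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) found.push(m[1]);
  while ((m = handlerRe.exec(html)) !== null) found.push(m[1] ?? m[2]);
  // Ignore very short fragments: they match request data by coincidence.
  return found.map((s) => s.trim()).filter((s) => s.length >= 8);
}

// Decoded query-string values of the request that produced the response.
function requestValues(url) {
  return [...new URL(url).searchParams.values()];
}

// True when some executable fragment of the response was sent in the request.
function looksReflected(requestUrl, responseHtml) {
  const values = requestValues(requestUrl);
  return executableFragments(responseHtml).some((frag) =>
    values.some((v) => v.includes(frag))
  );
}

const MARKER = '<script>document.title="injected"</script>'; // harmless marker

const CASES = {
  // Marker travels in the query string and is echoed back: detectable.
  reflected: { url: 'https://shop.example/search?q=' + encodeURIComponent(MARKER),
               html: '<p>Results for ' + MARKER + '</p>' },
  // Marker was saved earlier; this request carries only an id: not detectable.
  stored: { url: 'https://shop.example/item?id=42',
            html: '<div class="review">' + MARKER + '</div>' },
  // The site's own script that merely uses a request value: not flagged.
  benign: { url: 'https://shop.example/search?q=shoes',
            html: '<script>initSearch("shoes")</script>' },
};

function verdicts() {
  const out = {};
  for (const [name, c] of Object.entries(CASES)) out[name] = looksReflected(c.url, c.html);
  return out;
}

console.log(verdicts());
```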
 

Windows_Security

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.
Or Netcraft tries to read out what content management, SQL, PHP software version the website is using, and when one of the software versions has a critical vulnerability listed, it simply blocks it?
 

Burrito

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

Yeah, this happened to me as well.

Not with a travel site, but another site that required keyboard input.

It was frustrating as I played with all sorts of security applications that could have caused it... I didn't suspect Netcraft as it never interfered with anything.

Finally, I figured it out..

this extension is really very good. (y)


Good to know that Netcraft is doing something. I've used it for a long time... it's never actually blocked anything. But I have a lot of 'stuff' on my computer -- it maybe was always beat to the punch by something else.
 

ebocious

It may seem contradictory that a default-deny proponent such as myself would be disinterested in a default-deny script blocker for the browser, but there it is. While I only install new apps and updates once or twice a week, I probably surf a couple hundred websites in a day. NoScript is a no-no for me.

Malwarebytes Browser Guard may be a bit heavy on resources and prone to false positives, but it doesn't grind my surfing to a halt. I think I have decent coverage between MBBG, TrafficLight, and Windows Defender Browser Protection for dealing with zero-day threats. Anything that gets through them and the sandbox then has to deal with AppGuard or Cruel Comodo (except on the Macs, which are hardened and protected with a few apps from Objective-See).
 