New Update Netcraft Anti-Phishing Extension for Firefox Updated - Adds protection against malicious JavaScript

[Windows_Security]

I have tested Netcraft XSS few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with. The XSS protection of Netcraft did quite well.

I guess it is based on text patterns and command sequences which indicate client side injected scripts (making makes them first party so you would need to block all scripts to be protected not just third-party).

 

[Windows_Security]

Also on (old) Edge it has updated

 

[HarborFront]

I have tested Netcraft XSS few years ago. Chrome was testing its new (at that time) same origin policy and offered some tests to go with. The XSS protection of Netcraft did quite well.

I guess it is based on text patterns and command sequences which indicate client side injected scripts (making makes them first party so you would need to block all scripts to be protected not just third-party).

Do you know what type(s) of XSS is Netcraft protecting against?

1) Stored XSS
2) Reflected XSS
3) DOM based XSS

NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS

 

[shmu26]

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

 

[Windows_Security]

Do you know what type(s) of XSS is Netcraft protecting against?

1) Stored XSS
2) Reflected XSS
3) DOM based XSS

NoScript for FF protects against 2) and 3) only. FF protects against 2) only. Chrome no longer protects against XSS

Don't know, do I recall correctly that no client based protection is possible against 1 (because Stored XSS are injected on the server of website or webapplication itself)?

 

[Windows_Security]

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

Or Netcraft tries to read out what content management, SQL, PHP software version the website is using and when one of the software versions have a critical vulnerability listed it simply blocks it?

 

[Stas]

What's new in v1.15.0

- Added more protections against malicious JavaScript
- Added protections against malware
- Minor bugfixes

 

[eonline]

this extension is really very good.

 

[Evjl's Rain]

did a quick test against malicious links from vxvault
netcraft was meh. It missed 18 links while bitdefender trafficlight only missed 2 links

it needs more time

 

[Stas]

did a quick test against malicious links from vxvault
netcraft was meh. It missed 18 links while bitdefender trafficlight only missed 2 links

it needs more time

Netcraft is anti-phishing extension, it's not supposed to be good against malicious links from vxvault.

 

[Burrito]

Yesterday I was trying to order a flight online and I was signing into various booking sites and airline sites. I got stopped in my tracks by the new Netcraft. I couldn't enter my login credentials into one of the sites. So yes, it works. But maybe it works too well. Either that, or it was an infected site.

Yeah, this happened to me as well.

Not with a travel site, but another site that required keyboard input.

It was frustrating as I played with all sorts of security applications that could have caused it... I didn't suspect Netcraft as it never interfered with anything.

Finally, I figured it out..

this extension is really very good.

View attachment 224597

Good to know that Netcraft is doing something. I've used it for a long time... it's never actually blocked anything. But I have a lot of 'stuff' on my computer -- it maybe was always beat to the punch by something else.

 

[ebocious]

It may seem contradictory that a default-deny proponent such as myself would be disinterested in a default-deny script blocker for the browser, but there it is. While I only install new apps and updates once or twice a week, I probably surf a couple hundred websites in a day. NoScript is a no-no for me.

Malwarebytes Browser Guard may be a bit heavy on resources and prone to false positives, but it doesn't grind my surfing to a halt. I think I have decent coverage between MBBG, TrafficLight, and Windows Defender Browser Protection for dealing with zero-day threats. Anything that gets through them and the sandbox then has to deal with AppGuard or Cruel Comodo (except on the Macs, which are hardened and protected with a few apps from Objective-See).