
360 Extreme Explorer ArcticFoxie Versions




The "logging" CAN be prevented!

BUT it is BEYOND the scope of this website.

You will need to use a local proxy "filter" called Proxomitron.

From the best I can get without spending an enormous amount of time on it, you would need to "edit" MSFN's ckeditor.js file "on-the-fly".

What Proxomitron can do is intercept the ckeditor.js file and EDIT it BEFORE the web browser ever sees it.

But there is a very steep learning curve behind doing this type of "filtering" and is way waayyy beyond the scope of this website.


Link to comment

v13.5 r 5: "Your browser is not vulnerable!" natively.. most of the time, click Ctrl and F5, hmm why this is better than reload the page with browser button?..

Here: CSS Exfil Vulnerability Tester:  https://www.mike-gualtieri.com/css-exfil-vulnerability-tester - 

This page tests to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage. If you are vulnerable, one way to protect yourself is to install the CSS Exfil Protection plugin for your browser.

 

EDIT:

Yes NOT vulnerable here, because it's "Dark Background and Light Text" extension, which defend me, if it's enabled on "Default" position (why this extension acts in this manner?..)

Edited by msfntor
Link to comment

I'm grateful for the time that 360EE has made web browsing on XP possible, and it's not even over yet. Because 7 is inferior and it's all downhill from there. 

No, soon it will not be a computer, but a "Windows appliance" to access the web. I don't understand why...why did the web have to turn into a bloated turd? I mean sure some hipster websites, but pretty much most places you need to go, the whole industry, locks you out if you don't have the latest technology running, and unfortunately that has been s*** for the past decade at least.

Link to comment

On 12/2/2021 at 1:36 PM, msfntor said:

And so do I (with 13.5 and 3 G of RAM).

And I use WiseDiskCleaner v7 too.

A few things in the registry I've found to be helpful (for me) with only 3 GB of RAM.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"DisablePagingExecutive"=dword:00000000
"LargeSystemCache"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters]
"EnableSuperfetch"=dword:00000000
"EnablePrefetcher"=dword:00000000
"EnableBootTrace"=dword:00000000

Please make sure you back up your registry before making any changes, and please don't blame me if it's worse for you.

Hope it helps some and 13.5 and 3 G of RAM is quite enjoyable now :)

EDIT:

And..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisable8dot3NameCreation"=dword:00000001
"NtfsDisableLastAccessUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem Management]
"NtfsDisable8dot3NameCreation"=dword:00000001
"NtfsDisableLastAccessUpdate"=dword:00000001

 

Edited by XPerceniol
Link to comment

On 12/7/2021 at 5:49 PM, msfntor said:

v13.5 r 5: "Your browser is not vulnerable!" natively.. most of the time, click Ctrl and F5, hmm why this is better than reload the page with browser button?..

Here: CSS Exfil Vulnerability Tester:  https://www.mike-gualtieri.com/css-exfil-vulnerability-tester - 

This page tests to see if your browser is vulnerable to Cascading Style Sheets (CSS) data leakage. If you are vulnerable, one way to protect yourself is to install the CSS Exfil Protection plugin for your browser.

 

EDIT:

Yes NOT vulnerable here, because it's "Dark Background and Light Text" extension, which defend me, if it's enabled on "Default" position (why this extension acts in this manner?..)

Here's the reaction to my post, surely: https://github.com/mlgualtieri/CSS-Exfil-Protection/issues/36

Link to comment

1 hour ago, NotHereToPlayGames said:

All that tells me is that the test is FLAWED and not to be relied on!  Do you have MULTIPLE css data leakage test sites?  As a general rule of thumb, NEVER rely on ONE test case.

"How can you prevent attackers from exploiting a CSS injection vulnerability?

There are a few simple steps you can take to ensure your application is free from bugs that could allow attackers to include arbitrary CSS content:

Apply context-dependent sanitization. This means that you have to use different forms of encoding in different situations: for example, hex encoding within script blocks or HTML entities within other HTML tags. There might be situations where you need to use other forms of sanitization as well, like HTML encoding, or with the help of a white list.

Scan your application with a vulnerability scanner, since the vulnerability is essentially an injection of HTML code that can be detected by most web application security scanners. Just like XSS, this attack requires an injection of code. Netsparker can easily detect the underlying injection vulnerability, which is similar to Cross-Site Scripting.

Implement a proper Content Security Policy (CSP) if you want to be absolutely sure that an attacker can't abuse this vulnerability, even if you forgot sanitization once. We recommend that you also implement a proper CSP that restricts from where images and stylesheets are allowed to be loaded. This enables you to instruct the user's browser to only load CSS files from your own domain (not cross-domain) or trusted third parties, which would ensure such an attack would fail.

Each of these recommendations is essential to prevent the vulnerability across your entire code base."  (highlighting is by me.)

- here: https://www.netsparker.com/blog/web-security/private-data-stolen-exploiting-css-injection/

 

 

Some links I've found about CSP:

Content Security Policy - An Introduction (by Scott Helme): https://scotthelme.co.uk/content-security-policy-an-introduction/

CSP Cheat Sheet: https://scotthelme.co.uk/csp-cheat-sheet/

Analyse your HTTP response headers: https://securityheaders.com/

Content Security Policy Browser Test: https://content-security-policy.com/browser-test/

CSP (Content-Security-Policy) Header Test: https://gf.dev/csp-test

CSP Evaluator (with google): https://csp-evaluator.withgoogle.com/

Content Security Policy (CSP) Validator: https://cspvalidator.org/#url=https://cspvalidator.org/

Report URI: Analyse your CSP: https://report-uri.com/home/analyse

 

EDIT:

By Gleb Bahmutov:

Inline javascript is a security risk: https://glebbahmutov.com/disable-inline-javascript-tutorial/index.html - and click the links..

This page does NOT allow inline JavaScript using CSP: https://glebbahmutov.com/disable-inline-javascript-tutorial/index-secure.html - and click the links...

Edited by msfntor
Link to comment
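
A minimal check of the CSP advice quoted in the post above, as an added example that is not part of the original thread or of the Netsparker article: it parses a policy and reports where stylesheets, images and fonts are still unrestricted. The function names and the two sample policies are constructed for illustration.

```javascript
// Added example: audit a Content-Security-Policy value for the two gaps that
// matter for CSS injection: where styles may come from, and where images/fonts
// (the requests that injected CSS triggers) may be fetched from.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec, a repeated directive is ignored; the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return policy;
}

// True when the source list lets a resource load from any host.
const isOpen = (sources) =>
  sources.some((s) => s === '*' || s === 'https:' || s === 'http:');

function auditCspForCssInjection(header) {
  const policy = parseCsp(header);
  const effective = (d) => policy.get(d) ?? policy.get('default-src');
  const findings = [];

  const style = effective('style-src');
  if (!style) {
    findings.push('style-src: not restricted (no style-src or default-src)');
  } else {
    // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is listed.
    const pinned = style.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (style.includes("'unsafe-inline'") && !pinned) {
      findings.push("style-src: 'unsafe-inline' lets injected <style> blocks apply");
    }
    if (isOpen(style)) findings.push('style-src: stylesheets load from any host');
  }

  for (const d of ['img-src', 'font-src']) {
    const sources = effective(d);
    if (!sources) findings.push(`${d}: not restricted (no ${d} or default-src)`);
    else if (isOpen(sources)) findings.push(`${d}: requests may go to any host`);
  }
  return findings;
}

// Constructed sample policies (not taken from any real site).
const WEAK = "default-src *; style-src 'self' 'unsafe-inline'";
const STRICT = "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'";
console.log(auditCspForCssInjection(WEAK));
console.log(auditCspForCssInjection(STRICT));
```
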

A group of German researchers from the Ruhr University (Bochum) and the Hochschule Niederrhein have discovered 14 types of XS-Leaks attacks that affect all major browsers.
Cross-site attacks are not new, but the academic researchers showed how many types of XS-Leaks are still unclassified and unresolved.

https://xsinator.com/

Link to comment

1 hour ago, Sampei.Nihira said:

A group of German researchers from the Ruhr University (Bochum) and the Hochschule Niederrhein have discovered 14 types of XS-Leaks attacks that affect all major browsers.
Cross-site attacks are not new, but the academic researchers showed how many types of XS-Leaks are still unclassified and unresolved.

https://xsinator.com/

XSinator results (Exploitable, in red):

 

DcBrowser M: 12 positions!

360Chrome 13.5 r 5: 12 positions!

Uh oh!

Edited by msfntor
Link to comment

No offense, do what you want.  But you will NEVER rid yourself of every "exploit".  At least not on XP!  Do exploits exist?  H#ll Yeah!  Do they exist on banking, billpay, online shopping, online news, and "forum" web sites?  No clue, but you either "support" those sites or you don't.  If you don't "support" them, then who the H#ll cares if an "exploit" exists on their web site.  Reminds me of how I used to always assist church-going folks on how to restore their computers from viruses that made it past their useless antivirus software.  After four or five times of having to help them clear their computer of malware, trojans, and viruses, you finally have to turn to the church-goer and blatantly call it like it is, "You wouldn't get these viruses if you stopped visiting p0rn sites!"  Deer in the headlights look and they deny.  So you show them the cookies and malware flags, all originating from p0rn sites!

It's a dog chasing its tail, in my view.  I really do not waste my time finding these "exploits".

If I were that concerned, do you really think I'd be using XP and a browser based on Chromium code from 2018?

Waste your time on hunting these down all you want.  But don't expect me to "care" about them.

I cannot backport last week's Chromium v96 to XP.  And it doesn't bother me that I cannot.

The reality is that if you are that concerned with the thousands upon thousands of exploits that you keep hunting down, then you really shouldn't be running XP, yeah, it's that simple.

 

"Uh oh!"

Link to comment

On 12/9/2021 at 3:43 PM, NotHereToPlayGames said:

The reality is that if you are that concerned with the thousands upon thousands of exploits that you keep hunting down, then you really shouldn't be running XP, yeah, it's that simple.

Yes, sure.. "Cross-site attacks are not new, but the academic researchers showed how many types of XS-Leaks are still unclassified and unresolved."

 

I've found an interesting extension, play with "countless" possibilities: WebAPI Blocker: https://chrome.google.com/webstore/detail/webapi-blocker/pnkcgdkeogljjhpgfbnlnpnenhebeiaf/related?hl=en-US

Unnotched already WebGLBuffer to see the pictures and Youtube videos...

To be able to quote in the reply window of our website, I've unnotched HTMLCanvasElement...

- so that Speedtest by Ookla can choose the server...: unnotch WebSocket

...

Edited by msfntor
Link to comment

About XSinator results:

"You can also compare your result to other internet browsers: Click on Compare your results. Your browser is in the first column "Your Browser". On the right, you will find all the other browsers by version. Finally you find the same color code green, red or yellow. If needed, you can filter the comparison to a specific browser and even by version and platform (Windows, Linux, MacOSX) ".

- translated from French article here: XSINATOR : FAIRE UN TEST XS-LEAKS BROWSER DE SON NAVIGATEUR WEB: https://www.malekal.com/xsinator-faire-un-test-xs-leaks-browser-de-son-navigateur-web/

So I see from this Compare your results page, that the problems are identical for all new versions of Chrome (up to version 80 - the older versions are not there...) - but 360Chrome (and DcBrowser) behave better than the newest Chrome versions, in many parameters!

Edited by msfntor
Link to comment

16 hours ago, msfntor said:

About XSinator results:

"You can also compare your result to other internet browsers: Click on Compare your results. Your browser is in the first column "Your Browser". On the right, you will find all the other browsers by version. Finally you find the same color code green, red or yellow. If needed, you can filter the comparison to a specific browser and even by version and platform (Windows, Linux, MacOSX) ".

- translated from French article here: XSINATOR : FAIRE UN TEST XS-LEAKS BROWSER DE SON NAVIGATEUR WEB: https://www.malekal.com/xsinator-faire-un-test-xs-leaks-browser-de-son-navigateur-web/

So I see from this Compare your results page, that the problems are identical for all new versions of Chrome (up to version 80 - the older versions are not there...) - but 360Chrome (and DcBrowser) behave better than the newest Chrome versions, in many parameters!

This may be the exception that proves the rule.
My result with Edge:

 

Immagine.jpg

with Firefox I have only 2.

Link to comment

1 hour ago, Sampei.Nihira said:

with Firefox I have only 2.

That may be.  BUT you are also on Win10 and posting in an "Older NT-Family OSes" thread.  So MOST of us in this thread won't really care IF you are posting results from a Firefox that only works in Win10, which I suspect is a very safe assumption.

Link to comment

This topic is now closed to further replies.