Opera Arioso Update.
I've made some updates on my Opera plugin to block and protect more attacks against Opera. Luckily there aren't that many attacks in comparison to other browsers, nonetheless I like to notice what happens on webpages I visit. The minor updates are based upon Gareth Heyes Unicode loop circumvention for Arioso's active heapspraying and buffer overflow detection, setPreference and more strict opera: scheme blocking based upon Aviv Raff and Stefano Di Paola, Roberto Suggi Liverani's new proof of concepts. Arioso already did protect against the proof of concepts on hyperlinks, but lacked additional heuristics on sources. Please notice that Arioso does not block Javascript, instead it analyzes a document, it's Javascript and based on attack heuristics determines whether to block the scripts from executing before the page has a chance to load the scripts. Arioso also detects attacks against Internet Explorer and Firefox, while this does not affect Opera, it's always nice to know that the page in question tries to execute an attack against you. One key feature in Arioso is the possibility in using Opera with a very strict same origin policy, this is and was enabled by default, and denies any cross context sourcing from Javascript files. This means that any script content that is loaded from another context than you are in, will be blocked by default.
You can download the new version of Arioso here: http://www.0x000000.com/arioso.js
The Arioso source can be loaded into Opera. To enable user JavaScript, use Tools > Preferences > Advanced > Content > JavaScript options, and select the directory where you will put your User JavaScript files. Opera will load all files in the specified directory whose names end with .js and will use them as User JavaScript files. Use Opera with Arioso, and you'll be more secure than any other browser available right now.
(function(opera){
/*
~~~ Opera Arioso! ~~~
Active browser vulnerability detection & protection
by rvdh, 0x000000.com
$revisions$
update: 20/7/2008: 7:15 PM, keylog pattern adjusted.
update: 22/10/2008: 23:00 PM, unicode loop detection.
update: 23/10/2008: 4:19 PM, blocks opera:* on sources, blocks intranet access.
credits: Rvdh, Gareth Heyes, Roberto Suggi Liverani, Aviv Raff, Stefano Di Paola
*/
// Arioso magic variables
window.opera.defineMagicVariable('arioso_links', function() {}, null);
window.opera.defineMagicVariable('arioso_alert', function() {}, null);
// Set strict same origin policy:
var arioso_strict_sop = true;
// Arioso variables
var arioso_links = document.links;
var arioso_alert = "";
var crlf = ". \r\n";
// Arioso messages
var m1 = 'Unsafe URI hyperlink schemes';
var m2 = 'Denial of service vector';
var m3 = 'Heapspraying or denial of service vector';
var m4 = 'VBInjection';
var m5 = 'Cookie stealing';
var m6 = 'Same origin policy violation';
var m7 = 'Keylogging';
var m8 = 'Script access';
var m9 = 'ActiveX access';
var m10 = 'Java access';
var m11 = 'Http response splitting';
var m12 = 'Preference hijacking';
// Arioso patterns
var p1 = /^(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p2 = /for\s*\(\s*.*([a-z]|[0-9])\s*\=\s*.*([a-z]|[0-9])\s*;\s*.*([a-z]|[0-9])\s*(<|>|<=|>=|<==|>==)\s*[0-9]{3,}\s*;\s*/gim;
var p3 = /(while|for|space|block|memory).*unescape\(("|')(%[0-9]|\\x|\\u)([a-z]|[0-9])("|')\)/gim;
var p4 = /String\(\s*.*([a-z]|[0-9]){6,},\s*"[a-z]"\)/gim;
var p5 = /(http|https):\/\/.*\?.*=.*(\+|concat|join).*document\.(cookie|domain)/gim;
var p6 = /(src|href|location|data|classid|codebase|open)\s*(=|\().*(chrome|file|opera|res|data|telnet|about|resource|view-source|acrobat|localhost|loopback|127\.|192\.)\s*(:|\.)/gim;
var p7 = /(\.keyCode|\.keypress|(e|event)\.charCode)/gim;
var p8 = /(bad_arioso_schemes|arioso_links|arioso_schemes|arioso_sanitize_xss)/gim;
var p9 = /(ActiveXObject\(("|').*Shell("|')\)|HKEY\_)/gim;
var p10 = /(java\.(sun|awt)|packages\.(.*)(plugin|javascript))/gim;
var p11 = /open\(("|')\s*(GET|TRACE|POST)\s*("|').*(\\r|\\r\\n|\\n|(%[0-9]|\\x|\\u)([a-z]|[0-9])).*\)/gim;
var p12 = /.*opera\.setPreference.*/gim;
// strict same origin policy detection
if(arioso_strict_sop == true) {
window.opera.addEventListener('BeforeExternalScript', function(e) {
if (!e.element.getAttribute('src').match(document.location)) {
e.preventDefault();
}
}, false);
}
// Arioso link enumerator detecting bad uri schemes
window.addEventListener('DOMContentLoaded', function(e) {
for (i = 0; i < arioso_links.length; i++) {
entity = arioso_links[i].toString();
if (entity.match(p1)) {
arioso_alert += m1;
}
}
}, false);
window.opera.addEventListener('BeforeScript', function(e) {
if (e.element.text.match(p2)) {
arioso_alert += m2 + crlf; e.preventDefault();
}
if (e.element.text.match(p3)) {
arioso_alert += m3 + crlf; e.preventDefault();
}
if (e.element.text.match(p4)) {
arioso_alert += m4 + crlf; e.preventDefault();
}
if (e.element.text.match(p5)) {
arioso_alert += m5 + crlf; e.preventDefault();
}
if (e.element.text.match(p6)) {
arioso_alert += m6 + crlf; e.preventDefault();
}
if (e.element.text.match(p7)) {
arioso_alert += m7 + crlf; e.preventDefault();
}
if (e.element.text.match(p8)) {
arioso_alert += m8 + crlf; e.preventDefault();
}
if (e.element.text.match(p9)) {
arioso_alert += m9 + crlf; e.preventDefault();
}
if (e.element.text.match(p10)) {
arioso_alert += m10 + crlf; e.preventDefault();
}
if (e.element.text.match(p11)) {
arioso_alert += m11 + crlf; e.preventDefault();
}
if (e.element.text.match(p12)) {
arioso_alert += m12 + crlf; e.preventDefault();
}
}, false);
document.addEventListener('load', function(e) {
if (arioso_alert != '' ) {
var ary = document.createElement('div');
ary.style.position = 'fixed';
ary.style.top = '0px';
ary.style.left = '0px';
ary.style.width = '100%';
ary.style.opacity = '.90';
ary.style.filter = 'alpha(opacity=90)';
ary.style.border = '1px dotted #f30';
ary.style.padding = '3px';
ary.style.font = '8pt sans-serif';
ary.style.backgroundColor = '#f00';
ary.style.color = '#fff';
ary.appendChild(document.createTextNode('ARIOSO BLOCKED: ' + arioso_alert))
document.body.appendChild(ary);
}
}, false);
})(window.opera);
source: OWASP News
