LocalRodeo - Client-side protection against JavaScript Malware

Users of Firefox 3.5 and above: NoScript now provides LocalRodeo-like protection. For this reason, we won't update LocalRodeo in the foreseeable future

A version for Firefox 3 is available here.

Software:

• localrodeo.xpi (beta) - The Firefox Extension (does not function with Firefox 3)
• See this blog-entry for a description.

Testcases:

• Testcase 1: JavaScript Portscanner from SPI Dynamics (offline right now).
• Testcase 2: Anti-DNS-Pinning Demo from Kanatoko (jumperz.net).
• Testcase 3: Various testcases we used during the implementation.

Open Issues:

• Right now only private IPs (127.0.0.1, 10.0.0.0/8. 192.168.0.0/16 and 172.16.0.0/12) are considered to be local. Adding further IP-ranges to the local-class still requires editing the extension's source code. Adding a GUI for this purpose will be addressed.
• In some cases major slow-downs caused by the extension have been reported. Until now we were unable to reproduce the described behavior but we are still trying. We suspect an odd incompatibility between extensions to be the root of the problem.
• Robert Hansen has shown how to detect LocalRodeo.

Limitations:

• LocalRodeo only protects against malicious JavaScript. Attacks that solely rely on Java or Flash are out of the scope of this extension. Especially Flash should always be disabled (!).

News and Trivia:

• We will give a talk on JavaScript malware in general and LocalRodeo in particular at this year's Hack in the Box conference.
• An academic paper on LocalRodeo has been accepted for publication at the DIMVA 2007 conference.
• LocalRodeo is mentioned in the upcoming XSS book. Click here for a sample chapter (which coincidentally is the one referring to LocalRodeo).
• In fact LocalRodeo is just a specialized version of the still unfinished RequestRodeo-Extension that we have been working on for some time now (a more general anti-CSRF solution based on the concepts we described in our OWASP paper).

Version History:

• 0.8.5.2 (12.08.2008)
  • First FF3 compatible version: https://databasement.net/localrodeo/
• 0.8.5 (18.04.2007)
  • Fixes for some issues found by Stefan Esser and Robert Hansen (thank you).
  • Better UI to (de)activate the extension.
  • Notifications through the JavaScript console.
  • Debug-mode. If the debug checkbox is activated, Firefox will print verbose debug messages to the commandline-console that was used to start the browser.
• 0.8 (19.02.2007)
  • Initial public release.

Credits:

• LocalRodeo was written by Justus Winter and Martin Johns
• Thanks to Bjoern Engelmann for his valuable help and to Kanatoko for his excellent anti-DNS-pinning testcase.
• Martin Johns' work on LocalRodeo was sponsored by the secologic-project.

Please send feedback to localrodeo AT databasement DOT net