ScriptLock
 
 

ScriptLock XSS


The code execution prevention system for JavaScript

Demonstration

The best way to prove the effectiveness of ScriptLock is to demonstrate it, and that is really quite easy to do.
ScriptLock provides fully deadlocked protection in Internet Explorer 9, Safari 5.1+, Chrome 18.0+, and Firefox 6.0 and above. Limited protection is also given in Internet Explorer 8. So if you are using any of these browsers, the demonstration should work.

Persistent-XSS protection

The following demonstrates ScriptLock's ability to protect against Persistent XSS and Reflected XSS.
Click the button below:
 
This button will try to run the following code:

    document.images[0].setAttribute('src','http://www.cliquecloud.com/js/scriptlock_64.png')
If the protection is enabled, then you will now see the safety alert.
If the protection is not enabled then the CliqueCloud logo on the bottom left of the screen will now show the ScriptLock logo.
Note, if the ScriptLock alert prompt has already appeared it will not appear a second time for the same page refresh, so if you repeatedly click the button above, you will not see the alert again.

Self-XSS

The characteristic that sets ScriptLock apart from other XSS protection mechanisms is its ability to protect against Self-XSS, that is, a user entering JavaScript client-side. Fortunately, the latest incarnations of most browsers have locked down entering JavaScript in the address bar; however, we can still do it easily with the debugger tools.
In both of these browsers you can do the following:
  1. Press F5 to refresh this page. We are doing this because if the ScriptLock alert prompt has already appeared it will not appear a second time for the same page refresh. If you have already clicked the button above, you will need to refresh this page.
  2. Press F12 to invoke the debugger.
  3. Click the "Console" tab
  4. Paste the following in the console prompt:

    document.images[0].setAttribute('src','http://www.cliquecloud.com/js/scriptlock_64.png')
  5. If ScriptLock protection is in place then the alert prompt should appear.
  6. In the console you should see:

    permission denied
  7. If the protection has not worked, then the CliqueCloud logo on the bottom left of the screen will now show the ScriptLock logo.

Conclusion

What these examples demonstrate is how ScriptLock has rewritten basic JavaScript functionality to require a password in order to operate. For the instruction to work, it needs to be made with a password, as follows:

    document.images[0].setAttribute('src','http://www.cliquecloud.com/js/scriptlock_64.png',null,'password')
ScriptLock locks down enough of the native JavaScript functionality that the only way other JavaScript code can find out the password is by being served from the ScriptLock server.
While you are in the debugger tool you will be able to see the password if you view the scriptlock.js file. Try copying and pasting the password into the above code to see the instruction carried out.
Please note that even though you can see the password in the debugger, JavaScript running within the context of the webpage or the console cannot.
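
The idea described above, a native method rewritten so that it only runs when the caller supplies a password as an extra argument, can be sketched as follows. This is an added example, not ScriptLock's own code: lockMethod, FakeElement and the secret value are assumptions made for illustration, and a stand-in element class replaces the DOM so the sketch runs under Node.

```javascript
// Added sketch, not ScriptLock's code: gate a method behind a secret 4th argument.
// lockMethod is a hypothetical helper name.
function lockMethod(proto, method, secret, onBlocked) {
  const native = proto[method];   // original stays reachable only via this closure
  let alerted = false;            // alert once per page load, as the page describes
  function guarded(name, value, _unused, password) {
    if (password !== secret) {
      if (!alerted) { alerted = true; onBlocked(method, name); }
      throw new Error('permission denied');
    }
    return native.call(this, name, value);
  }
  // Non-writable and non-configurable, so later page script cannot assign over it.
  Object.defineProperty(proto, method, {
    value: guarded, writable: false, configurable: false, enumerable: false,
  });
  return guarded;
}

function demo() {
  // FakeElement stands in for a DOM element so this runs under Node.
  class FakeElement {
    constructor() { this.attrs = {}; }
    setAttribute(name, value) { this.attrs[name] = String(value); }
  }
  const alerts = [];
  const secret = 'constructed-secret';   // constructed placeholder value
  const wrapper = lockMethod(FakeElement.prototype, 'setAttribute', secret,
    (m, n) => alerts.push(`blocked ${m}(${n})`));

  const img = new FakeElement();
  const results = [];
  for (const pw of [undefined, 'wrong', secret]) {
    try {
      img.setAttribute('src', 'scriptlock_64.png', null, pw);
      results.push('ok');
    } catch (e) {
      results.push(e.message);
    }
  }
  // Assigning over the locked method is ignored (or throws in strict mode).
  try { FakeElement.prototype.setAttribute = function () {}; } catch (e) { /* strict */ }
  const stillLocked = FakeElement.prototype.setAttribute === wrapper;
  return { results, alerts, src: img.attrs.src, stillLocked };
}

console.log(demo());
```

The two calls without the correct password fail with "permission denied" and raise a single alert; the third call, made with the secret, sets the attribute.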