Outbound Rules

Outbound Rules 0.1 alpha 3 CRX for Chrome

A Free Productivity Extension

Published By Hraban Luyat

Outbound Rules (jpkboijeielcdcjhjfokoielfjchipeo): Protect against XSS by restricting access to outbound resources if a page defines a rule list...

Outbound Rules for Chrome

12.8 KB

Tech Specs

  • Type: Browser Extension
  • Latest Version: 0.1 alpha 3
  • Price: Freeware
  • Offline: No
  • Developer: Hraban Luyat

User Reviews

  • Rating Average: 4 out of 5
  • Rating Users: 1

Download Count

  • Total Downloads: 7
  • Current Version Downloads: 7
  • Updated: December 17, 2016

Outbound Rules is a free Productivity extension for Chrome. You can download the latest CRX file or older CRX versions and install them.

More About Outbound Rules

The Outbound-Rules protocol turns XSS protection on its head. Instead of trying to prevent it, as other systems do, Outbound-Rules limits the possible damage of a successful XSS attack.

It requires two parts to work:

* A browser with the Outbound-Rules plugin (this plugin)

* A webserver that supports the Outbound-Rules protocol (VERY simple to implement)

DETAILS
======

A common type of XSS attack works in two phases:

Step 1: load malicious JavaScript or HTML in the browser as if it came from a trusted site.

Step 2: use that malicious code to send private data from that trusted site (e.g. login details, cookies, ...) to an untrusted server.

Current XSS mitigation techniques focus purely on Step 1: they try to prevent XSS from happening. This is noble, but very hard to get right. It's an uphill battle and attackers keep finding loopholes.

The Outbound-Rules plugin, instead, focuses on Step 2: in the unfortunate event that an XSS attack was successful, quarantine it. The injected code will still be inside the Outbound-Rules cage, which only allows communication with an explicit list of trusted hosts. The attacker won't be able to send the sensitive data from the browser to himself.
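The "explicit list of trusted hosts" decision can be sketched as follows. This is an added example, not code from the extension or its repository: the rule list is assumed to be a plain array of host names (the protocol's actual header syntax is not shown on this page), and all hosts and the `isOutboundAllowed` / `blockedRequests` names are hypothetical.

```javascript
// Added illustration, not the extension's code. Assumption: the rule list is a
// plain array of host names; the real header syntax is not shown on this page.
const NETWORK_SCHEMES = new Set(["http:", "https:", "ws:", "wss:"]);

function normalizeHost(host) {
  // Lower-case and drop a trailing root dot so "CDN.corp.example." matches "cdn.corp.example".
  return host.toLowerCase().replace(/\.$/, "");
}

function isOutboundAllowed(requestUrl, pageUrl, trustedHosts) {
  let target;
  try {
    target = new URL(requestUrl, pageUrl); // resolves relative and //host URLs
  } catch (e) {
    return false; // unparseable URL: fail closed
  }
  // This sketch only judges network schemes; anything else is denied.
  if (!NETWORK_SCHEMES.has(target.protocol)) return false;
  const allowed = new Set(trustedHosts.map(normalizeHost));
  // Compare the parsed hostname exactly; never substring-match the raw URL.
  return allowed.has(normalizeHost(target.hostname));
}

function blockedRequests(requests, pageUrl, trustedHosts) {
  return requests.filter((u) => !isOutboundAllowed(u, pageUrl, trustedHosts));
}

// Constructed sample data (hypothetical hosts under .example).
const PAGE = "https://dashboard.corp.example/admin";
const TRUSTED = ["dashboard.corp.example", "cdn.corp.example"];
const SAMPLE_REQUESTS = [
  "/api/users",                                        // same host as the page
  "https://CDN.corp.example./app.js",                  // case and trailing dot
  "https://collector.untrusted.example/log",           // unlisted host
  "//collector.untrusted.example/log",                 // scheme-relative URL
  "https://cdn.corp.example.untrusted.example/app.js", // trusted name as a prefix label
  "https://cdn.corp.example@untrusted.example/app.js", // trusted name in userinfo
  "https://untrusted.example/cdn.corp.example",        // trusted name in the path
];

console.log(blockedRequests(SAMPLE_REQUESTS, PAGE, TRUSTED));
```

Only the first two sample requests pass; the rest fail because the comparison uses the parsed hostname, not the raw URL string.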

Since you need both the server and the browser to support the protocol, this plugin is currently useful for environments where someone controls both the browsers and the servers. For example, a company with an admin dashboard that is only accessible by employees: all employees can be asked to install the plugin, and the page can be configured to send the appropriate header.

On any site that does not support the Outbound-Rules protocol, this plugin should have no effect at all. It is therefore safe to install regardless of which sites you visit.

Full source code, license and further details are available at https://github.com/hraban/outbound-rules
