Security Researcher Claims NoScript Isn’t as Secure as Advertised

NoScript, a frequently endorsed browser add-on that is popular with the privacy community and millions of Firefox users around the world, was put to the test by Matthew Bryant, a white-hat hacker and security researcher.

The results are likely to surprise many.

NoScript and how it works

NoScript is an immensely popular and well-known privacy add-on for Mozilla’s Firefox browser. Its core function is to block active content, including Flash, Java and JavaScript, on all websites by default.

By their own account, NoScript helps provide the “most powerful anti-XSS and anti-Clickjacking protection ever available in a browser.” Even Edward Snowden has endorsed NoScript as an effective counter-measure against surveillance.

Giorgio Maone, the main developer behind NoScript, notes that:

  • NoScript has been downloaded over 50 million times since it became available in 2005.
  • NoScript is currently downloaded over 20,000 times a day.

In an interview with VentureBeat, Maone said: “I started developing NoScript mainly for my personal needs of security, since I perceived that web browsers were becoming the most vulnerable spot of our digital life, and our digital life was becoming more and more our “real” life — relationships, finance and all.”

Essentially, NoScript prevents JavaScript-based attacks by blocking JavaScript entirely unless the user manually allows it on a given website. In 2007, NoScript added a cross-site scripting (XSS) filter to prevent attackers from injecting malicious scripts into websites, further helping to keep login credentials safe.

Putting NoScript to the test

Bryant, a penetration tester, decided to try to bypass the add-on partly because of the fanfare around it and the trust that millions of users have invested in NoScript.

“My goal was simply to bypass the add-on when it’s been installed with the default configuration,” he said, adding that he had heard a lot of people dismiss exploits with the attitude “I use NoScript when I browse the internet and am therefore safe from all web exploits!”

As it happens, NoScript ships with a built-in white-list. The entries in this white-list mean that NoScript grants full access to the websites and CDNs (content delivery networks) included in it, as though the user had trusted them.

Significantly, NoScript trusted not just these domains but also every subdomain of them.

Basically:

  • Adding test.com to the whitelist means that every subdomain of that domain is trusted too.
  • In other words, malware.test.com is trusted as well.
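To make that matching rule concrete, here is an added example (not NoScript’s own code) that contrasts an allowlist policy trusting a base domain together with all of its subdomains against one trusting only the exact host, and adds a small audit helper that lists the entries whose trust extends beyond the host they name. The `includeSubdomains` flag, the `cdn.example.net` entry and the function names are assumptions made for illustration; `test.com` and `malware.test.com` are the article’s own illustrative names.

```javascript
// Added example, not NoScript's code: two allowlist matching policies
// and an audit that flags entries which trust every subdomain.
// The entry shape ({ host, includeSubdomains }) is an assumption.

const ALLOWLIST = [
  // Constructed entry: base domain with subdomain trust (the broad policy)
  { host: 'test.com', includeSubdomains: true },
  // Constructed entry: exact host only (the narrow policy)
  { host: 'cdn.example.net', includeSubdomains: false },
];

// Lower-case the host and drop a trailing dot so "Test.COM." matches "test.com".
function normalizeHost(host) {
  return host.trim().toLowerCase().replace(/\.$/, '');
}

// True if `hostname` is the entry's host itself, or, when the entry
// includes subdomains, a label-boundary subdomain of it. The leading
// '.' in the suffix check stops "nottest.com" from matching "test.com".
function matchesEntry(hostname, entry) {
  const h = normalizeHost(hostname);
  const base = normalizeHost(entry.host);
  if (h === base) return true;
  return entry.includeSubdomains === true && h.endsWith('.' + base);
}

// Would this hostname be allowed to run active content under the allowlist?
function isTrusted(hostname, allowlist = ALLOWLIST) {
  return allowlist.some((entry) => matchesEntry(hostname, entry));
}

// Audit helper: hosts whose entry extends trust to every subdomain.
function broadEntries(allowlist = ALLOWLIST) {
  return allowlist
    .filter((entry) => entry.includeSubdomains === true)
    .map((entry) => entry.host);
}

// Stand-alone demonstration of the two policies.
for (const h of ['test.com', 'malware.test.com', 'nottest.com',
                 'cdn.example.net', 'static.cdn.example.net']) {
  console.log(h, '->', isTrusted(h) ? 'trusted' : 'blocked');
}
console.log('entries trusting all subdomains:', broadEntries());
```

Running the block shows `malware.test.com` trusted purely because `test.com` is a broad entry, while `static.cdn.example.net` stays blocked because its entry is exact-host only; the audit line is the list a user would review when purging an allowlist.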

Bryant proceeded to enumerate the subdomains of each whitelisted domain in search of a stored XSS flaw on any one of them. Sure enough, NoScript was bypassed by visiting such a subdomain carrying a small JavaScript payload.

Bryant sums up the experiment, saying: “I encourage everyone reading this to please purge your whitelist. Remove everything you don’t trust! It’s fine to trust a site but make sure you understand what you’re doing.”

He also contacted Giorgio Maone, who put a patch out on the NoScript website within hours. The same patch was pushed as an update to all NoScript users within days.