NS showing wrong URLs + false +ve injection detection

Bug reports and enhancement requests
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

NS showing wrong URLs + false +ve injection detection

Post by access2godzilla »

NS shows URLs for redirects etc. on untrusted sites; however, on exploit kit landing pages NS is unable to show proper URLs. Examples:

URLs posted below are malicious, or may contain links to malicious sites. Click at your own risk!

Cool EK:

private.hotelcesenaticobooking.info/r/l/updating-bugs_keeping.php
Screenshot: i.imgur.com/lDcGy.png

Blackhole EK:

anifkailood.ru:8080/forum/links/column.php
Screenshot: i.imgur.com/vjdvq.jpg

Propack EK:

pinsmasks.info/build/agrde/hozgl9.php
(Couldn't take a screenshot, however, since the page only contained URLs and no placeholders, the URLs are available at pastebin.com/9xh0hyFX )

(If these links are down, please use Malware domain list (www.malwaredomainlist.com/mdl.php) or Dynamoo's blog (blog.dynamoo.com) to find other such links. Generally, links with /[a-z]/l/.*[-_].*\.php belong to Cool EK, those following (\:8080/forum/links/.*\.php|/(links|less|detects)/.*([-_]+).*\.php) belong to Blackhole EK, those with Propack EK follow /build[0-9]?/.*/.*\.php)

In both cases, notice that there are links displayed, however, all of them are invalid. Clicking on them will usually redirect to a non-malicious site configured by the attacker, such as Google, or will yield a 404 error.

While submitting the report, the antispam filter was triggered, and when I tried to press the back button NS incorrectly identified it as an XSS attack, probably due to the regex in the post. I can't post it here because the braindead spam filter will see everything as spam, so here is the pastebin:

pastebin.com/5bagfYwF
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NS showing wrong URLs + false +ve injection detection

Post by Giorgio Maone »

Those links are extrapolated from the script sources found in the page by quite naive string manipulation, and they're meant to provide an easy way to skip idiotic JavaScript-dependent cover pages on non-malicious web sites.

They're by no means meant to be accurate or to tell you all the destinations a web page will send you, especially if the scripts are heavily obfuscated as you can expect on a malicious web page.

Regarding the XSS filter being triggered, if it was a cross-site request it would have been by design (there's a lot of JavaScript in your post).
The strange thing there is that the filter was unable to tell that you were posting from the same site (origin appears to be null).
Are you using a Nightly build (and if so, the most recent?) or any special extension beside NoScript?
Does trying to post with all your extensions disabled except NoScript still trigger the filter?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
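As an added illustration of the string-level extraction Giorgio describes (this is example code written for this page, not NoScript's implementation), a naive regex extractor run over two constructed script samples: a plain JavaScript-dependent cover page that redirects, and a stand-in for an exploit-kit landing page whose only URL literal is a decoy while the real destination is assembled at run time. The host example.test is a reserved placeholder; nothing in either sample is executed.

```javascript
// Added example, not NoScript's code: a naive, string-level URL extractor of the
// kind that works on plain JavaScript cover pages but not on obfuscated landing pages.

// Absolute URLs (with or without scheme) and quoted site-relative paths.
const ABSOLUTE_URL = /(?:https?:)?\/\/[a-z0-9.-]+(?::\d+)?(?:\/[^\s"'<>()]*)?/gi;
const QUOTED_PATH = /["'](\/[^"'\s]+)["']/g;

function extractUrlsNaive(scriptSource) {
  const found = new Set();
  for (const m of scriptSource.matchAll(ABSOLUTE_URL)) found.add(m[0]);
  for (const m of scriptSource.matchAll(QUOTED_PATH)) found.add(m[1]);
  return [...found];
}

// Constructed sample 1: a JavaScript-dependent cover page that just redirects.
// The extractor recovers the real target from the string literal.
const PLAIN_SAMPLE = `
  if (!document.cookie) {
    window.location = "http://example.test/forum/links/column.php";
  }
`;

// Constructed sample 2: stand-in for an exploit-kit landing page. The only URL
// literal is a decoy; the real path is built from fragments and escapes at run time,
// so a string-level extractor reports only the decoy.
const OBFUSCATED_SAMPLE = `
  var decoy = "http://www.google.com/";
  var parts = ["fo" + "rum", "li" + "nks", String.fromCharCode(99, 111, 108) + "umn.php"];
  var target = "\\x2f" + parts.join("\\x2f");
  setTimeout(function () {
    location.replace(document.referrer ? target : decoy);
  }, 100);
`;

// Nothing from either sample is executed; the extractor only reads the text.
function demo() {
  return {
    plain: extractUrlsNaive(PLAIN_SAMPLE),           // the real redirect target
    obfuscated: extractUrlsNaive(OBFUSCATED_SAMPLE), // only the decoy
  };
}

console.log(JSON.stringify(demo()));
```

The point is not that the regexes are badly written: any extractor that reads source text without executing it will see exactly the strings the attacker chose to leave in plain sight, which is why the links NS shows on such pages lead to Google or a 404. Requires Node 12+ for `String.prototype.matchAll`.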
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: NS showing wrong URLs + false +ve injection detection

Post by access2godzilla »

Giorgio Maone wrote: Regarding the XSS filter being triggered, if it was a cross-site request it would have been by design (there's lot of JavaScript in your post).
Those are regexes, but should posting them cause an XSS error?
Giorgio Maone wrote: The strange thing there is that the filter was unable to tell you were posting from the same site (origin appears to be null).
I was posting from forums.informaction.com
Giorgio Maone wrote: Are you using a Nightly build (and if so, the most recent?) or any special extension beside NoScript?
Firefox 16.0.2 on WinXP, extension list on http://pastebin.com/7A1JJQ7w

@Giorgio, please correct your antispam filter, please! I couldn't post the list of extensions due to your antispam filter!
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.6 (KHTML, like Gecko) Chrome/20.0.1092.0 Safari/536.6
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NS showing wrong URLs + false +ve injection detection

Post by Thrawn »

access2godzilla wrote: @Giorgio, please correct your antispam filter, please! I couldn't post the list of extensions due to your antispam filter!
You can send a private message to one of the moderators, so that we can post it for you. Private messages aren't filtered.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:17.0) Gecko/20100101 Firefox/17.0
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NS showing wrong URLs + false +ve injection detection

Post by Giorgio Maone »

access2godzilla wrote:
Giorgio Maone wrote: Regarding the XSS filter being triggered, if it was a cross-site request it would have been by design (there's lot of JavaScript in your post).
Those are regexes, but should posting them cause an XSS error?
Believe it or not,

8080 / forum / links / column.php | /(links|less|detects)/.*([- _]);
amounts to a syntactically valid JavaScript fragment :)
access2godzilla wrote:
Giorgio Maone wrote: The strange thing there is that the filter was unable to tell you were posting from the same site (origin appears to be null).
I was posting from forums.informaction.com
In fact, since it's same-domain it shouldn't trigger (it does not for me, for instance).
Something is preventing Firefox from giving NoScript the correct origin information.
access2godzilla wrote:
Giorgio Maone wrote: Are you using a Nightly build (and if so, the most recent?) or any special extension beside NoScript?
Firefox 16.0.2 on WinXP, extension list on http://pastebin.com/7A1JJQ7w
Could you please upgrade to 17.0.1 and disable all your extensions except NoScript, then retry posting something like

<script>doSomething()</script>
and see whether it triggers?
If it doesn't, please use Standard Diagnostic to find the culprit (my bets are on HTTPS Everywhere or RefControl, even though I've got the latter).
access2godzilla wrote: @Giorgio, please correct your antispam filter, please! I couldn't post the list of extensions due to your antispam filter!
The spam filter would be much more forgiving if you posted with your true user agent string, rather than a fake UA which doesn't identify it as a proper Gecko browser (yes, it's a good spam indicator on this forum).
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20100101 Firefox/17.0
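To show what "amounts to a syntactically valid JavaScript fragment" means in practice, here is an added example (written for this page; it is not NoScript's InjectionChecker and does not reproduce its normalisation steps) that uses the Function constructor as a compile-only parser and searches a string for the longest substring that parses as JavaScript. The sample input is the fragment quoted in the post above; the minimum length and the set of "operator-ish" characters are assumptions chosen for the example.

```javascript
// Added example, not NoScript's code: URL-like and regex-like text can contain
// substrings that are syntactically valid JavaScript, which is the kind of evidence
// a parse-based injection heuristic reacts to.

// Compile-only check: the Function constructor parses the body but never runs it.
function isJsSyntax(fragment) {
  try {
    new Function(fragment);
    return true;
  } catch (e) {
    return false; // SyntaxError (or any other compile failure)
  }
}

// Assumption for this example: only fragments containing at least one of these
// characters are worth reporting; a bare identifier or number parses too but
// proves nothing.
const OPERATOR_CHARS = /[\/|().=]/;

// Longest trimmed substring of text that parses as a JavaScript program.
// O(n^2) compiles, fine for the short strings a form field carries.
function longestJsFragment(text, minLen = 8) {
  let best = "";
  for (let start = 0; start < text.length; start++) {
    // Try the longest end first, so the first hit for this start is its longest.
    for (let end = text.length; end - start >= minLen; end--) {
      const candidate = text.slice(start, end).trim();
      if (candidate.length <= best.length) break; // shorter ends cannot beat best
      if (!OPERATOR_CHARS.test(candidate)) continue;
      if (isJsSyntax(candidate)) {
        best = candidate;
        break;
      }
    }
  }
  return best;
}

// The fragment quoted in the post above, used as sample input.
const POSTED_FRAGMENT =
  "8080 / forum / links / column.php | /(links|less|detects)/.*([- _]);";

// A division chain of identifiers, a member access and a bitwise OR of a regex
// literal: all legal JavaScript, even though the author meant a URL pattern.
console.log(longestJsFragment(POSTED_FRAGMENT));
```

Run under Node, the example finds `8080 / forum / links / column.php | /(links|less|detects)/`: `8080` divided by `forum`, `links` and `column.php` (a property access), then OR-ed with a regular-expression literal. That is why a benign post full of URL patterns can look like script injection to a filter that works by parsing, and why a same-origin check is what normally keeps such a post from being flagged.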
access2godzilla
Senior Member
Posts: 109
Joined: Sun May 20, 2012 5:09 pm

Re: NS showing wrong URLs + false +ve injection detection

Post by access2godzilla »

Firefox safe-mode + extension reinstall seems to fix the issue, since I can't find the culprit.

I apologise for wasting everybody's time here.
Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0