Need help with XSS resp it's RegEx

Ask for help about NoScript, no registration needed to post
Alpengreis
Posts: 15
Joined: Sun Sep 29, 2013 9:13 pm

Need help with XSS resp it's RegEx

Post by Alpengreis »

Hi all,

I should have the following XSS exception as RegEx:

POST = [https://app.swisspost.ch/VPSPayment/PaymentGateway]
FROM = [https://sso.post.ch/upm/pages/EWalletLoading.aspx?language=DE&targetURL=https%3a%2f%2fws.sso.post.ch%2fmembers%2f%3f_step%3d7&fallBackURL=https%3a%2f%2fws.sso.post.ch%2fmembers%2f%3f_step%3d7&service=webstamp&loginpost=]

The URLs should be first level domains with or without 2nd level (or higher) domains.

which means:

https://swisspost.ch/* or https://*.swisspost.ch/*

should allow XSS from

https://post.ch/* or https://*.post.ch/*

What is the correct regex entry for this?

MANY thanks in advance for your help!

Greetings from Switzerland and a nice week ...
Alpengreis
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Need help with XSS resp it's RegEx

Post by Giorgio Maone »

Exceptions entered in the XSS options panel can match either the origin (if prefixed with "@") or the destination, not both (unfortunately).
Therefore, if you trust post.ch not to originate malicious requests, you can use

Code: Select all

^@https?://([^/]+\.)?post\.ch/
Otherwise, if you prefer to trust swisspost.ch not to be XSSable, you can use

Code: Select all

^https://([^/]+\.)?swisspost\.ch/
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Alpengreis
Posts: 15
Joined: Sun Sep 29, 2013 9:13 pm

Re: Need help with XSS resp it's RegEx

Post by Alpengreis »

Ah, okay - checked and done!

Thank you VERY much, Giorgio!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
darnit!

Re: Need help with XSS resp it's RegEx

Post by darnit! »

Hi there,
Maybe I have the same problem...
When I try to log a comment in this page. Link :
http://www.qanon302.net/news/2014/03/19/14704

...I get an XSS message from No Script !! It says that it comes from http://jetpack.wordpress.com ! (what is this?). But here is the funny part. Message appears sometimes when my commentary is long like seven lines in the frame. When I put a much shorter one on other pages of the same site... like one or two lines, the xss message doesn't appear at all. I even made a test on the above mentioned page. I put a couple of dots in the frame instead of sentences. And it appeared smoothly in the page (& is still there) without the darn xss message appearing & cancelling everything !

Any help here pls ?
Thanks
Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Need help with XSS resp it's RegEx

Post by Giorgio Maone »

darnit! wrote:Hi there,
Maybe I have the same problem...
When I try to log a comment in this page. Link :
http://www.qanon302.net/news/2014/03/19/14704

...I get an XSS message from No Script !! It says that it comes from http://jetpack.wordpress.com ! (what is this?).
Next time it happens, please open the Browser Console (ctrl+shift+J) and look for any [NoScript XSS] or [InjectionChecker] line, then send me a PM with it for examination.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
User avatar
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: Need help with XSS resp it's RegEx

Post by Giorgio Maone »

This is the line you want to add in your NoScript Options|Advanced|XSS|Exceptions box:

Code: Select all

^http:\/\/www\.qanon302\.net/wp-comments-post\.php
[Edit]
Per barbaz's request, here's the line sent in PM, with "uninteresting" data removed:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [http://www.qanon302.net/wp-comments-post.php?for=jetpack###DATA###{uninteresting long chunk of encoded data}] from [http://jetpack.wordpress.com/jetpack-comment/]: transformed into a download-only GET request.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Darnit !

Re: Need help with XSS resp it's RegEx

Post by Darnit ! »

Gosh... It worked. Thanx Giorgio. I will keep working with this solution. And if anything new arises, I will let you know.
Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Need help with XSS resp it's RegEx

Post by barbaz »

If the messages don't contain any sensitive information, since this is a sticky topic maybe they should be posted here, wrapped in code tags, for others to reference when trying to figure out how to write XSS exceptions?
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

Re: Need help with XSS resp it's RegEx

Post by blublevita »

I have a similar issue that was not as easily resolved. The cross-scripting comes when registering a credit card with my phone provider from my account control panel. The domain is salt.ch and the provider URL when I am logged in begins with

https://myaccount.salt.ch/

After entering the card info, NoScript filters the XSS attempt from [https://secure5.arcot.com/]. I have sent the Console entry to Giorgio by PM. Here is background info on arcot.com, which although actually trustworthy has an apparently poorly designed service that can appear as a man-in-the-middle attack:
https://www.jasonpearce.com/2013/05/14/ ... le-attack/

In any case, I trust the phone provider and so decided to trust the entire salt.ch domain to not be XSSable by entering the following regular expression in the list of XSS protection exceptions, per the second post in this thread:

Code: Select all

^https://([^/]+\.)?salt\.ch/
This did not, however, modify the behavior; the XSS attempt is still blocked.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
blublevita
Posts: 9
Joined: Mon Sep 26, 2016 9:03 am

Re: Need help with XSS resp it's RegEx

Post by blublevita »

Apparently, I found the cause of my issue. In the protections list, I had not entered a carriage return at the end of the new entry. After entering one, creating a new empty line, and restarting the browser (just to be on the safe side), the XSS works.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
barbaz
Senior Member
Posts: 10834
Joined: Sat Aug 03, 2013 5:45 pm

Re: Need help with XSS resp it's RegEx

Post by barbaz »

blublevita wrote:In the protections list, I had not entered a carriage return at the end of the new entry. After entering one, creating a new empty line, and restarting the browser (just to be on the safe side), the XSS works.
You sure you're not disabling the XSS filter entirely? Does this generate a XSS warning?
*Always* check the changelogs BEFORE updating that important software!
-
Guest

Re: Need help with XSS resp it's RegEx

Post by Guest »

Hello,
I use Firefox as my browser and Startpage.com as my search engine (not Google, for more or less the same reasons I use NoScript). Normally I type search terms directly into the address bar of the browser and it opens Startpage with the results page. Since the NoScript Update of about 3 weeks ago, I get an the start page of Startpage with an information about XSS attempt. I have tried to add an exemption based on the google example as follows:
^https?://([a-z]+)\.startpage\.(?:[a-z]{1,3}\.)?[a-z]+/(?:metasearch|custom|\1)\?

But unfortunately it does not work ... :(
Searching normally on Startpage works without any issue.
Any help would be appreciated!

BTW, why does CAPTCHA require google.com to run?

Thanks
Lutz
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Guest

Re: Need help with XSS resp it's RegEx

Post by Guest »

sorry, too quick - NoScript just updated again and now it seems to work.
Thanks!
Lutz
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Locked