[Possible False Positives] XSS

Postby Joe Pistachio » Fri Jun 29, 2012 2:51 am

Happens with the latest 2 (or 3) stable versions of NoScript, while there was no alert, previously:

This one happens on BayFiles, on pages such as http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#8452899603946881688

Log from the error console:

Code:
[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})


The page has to be reloaded unsecured, otherwise you get an "Invalid security token. Please check your link." from BayFiles and therefore can't download.




This one happens on pages such as http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ#5623052254508109869

Log from the error console:
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ#6640088919449771167].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})





This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].
Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Joe Pistachio
 

Re: [Possible False Positives] XSS

Postby Thrawn » Fri Jun 29, 2012 10:36 am

Joe Pistachio wrote:
Code:
[NoScript XSS] Sanitized suspicious request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized URL: [http://bayfiles.com/file/dUNf/sk6Epj/Bachman,Richard%20King,Stephen%20-Running_man.%20The_Running_man%20.%201982%20.French.ebook.AlexandriZ.rar#24127809571007952758].

[NoScript XSS] Sanitized suspicious referrer request. Original URL [http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar (REF: http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ)] requested from [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ]. Sanitized  referrer: [http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ].

[NoScript InjectionChecker] JavaScript Injection in ///dw.php?f=Bachman,Richard(King,Stephen)-Running+man(The+Running+man)(1982).French.ebook.AlexandriZ
(function anonymous() {f = Bachman, Richard(King, Stephen) - Running + man(The + Running + man)(1982).French.ebook.AlexandriZ;DUMMY_EXPR;})

[NoScript InjectionChecker] JavaScript Injection in ///file/dUNf/sk6Epj/Bachman,Richard(King,Stephen)-Running_man.(The_Running_man).(1982).French.ebook.AlexandriZ.rar
(function anonymous() {file / dUNf / sk6Epj / Bachman, Richard(King, Stephen) - Running_man.(The_Running_man).((1982)).French.ebook.AlexandriZ.rar;DUMMY_EXPR;})


The URL in question does indeed look very much like JavaScript, especially when you look at the [NoScript InjectionChecker] entries. Not the best page design, but I doubt they're going to change it. I'd suggest writing an XSS filter exception (Options-Advanced-XSS), and protecting the site with an ABE rule similar to:
Code:
Site .bayfiles.com
Accept from SELF++
Deny

You'll need to know regular expression syntax to write the XSS filter exception; if that's beyond you, then you can ask for help here (or ask a search engine).


As above.

Joe Pistachio wrote:This one is trivial, since you have to use the Update Scanner add-on.
It then depends on the pages you add to Update Scanner, but it particularly shows on pages from Userscripts, such as http://userscripts.org/scripts/review/69797.
Upon opening said pages from Update Scanner (the address being of the form chrome://updatescan/content/diffPage.xul?id=11467&title=Source%20for%20%22RedirectionHelper%22%20-%20Userscripts.org&url=http%3A//userscripts.org/scripts/review/69797&oldDate=yesterday%20%E0%2015%3A15&newDate=today%27hui%20%E0%203%3A37&delay=0 ), you'll get an XSS alert from [about:blank].

I presume that XSS filter exceptions work for chrome URLs? Can anyone confirm this?
======
Thrawn
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GCM/CS/IT/M/S d++(-) s+: C++$ ULS$>++++ P(+) L++ W++
K- w V? PS-(---) PE Y+ PGP->++ t@ X R tv b++>+++ DI+@
!D G>+++ e++>+++ h--- r+++ m?
-----END GEEK CODE BLOCK-----
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1
Thrawn
Senior Member
 
Posts: 959
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
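
Added example, not part of either post and not NoScript's own code: it shows why the decoded dw.php query string from the log parses as JavaScript while the sanitized form does not, and checks a tightly anchored exception pattern against look-alike URLs. The helpers `compilesAsJs` and `decodeQuery`, the `EXCEPTION` pattern and the look-alike URLs are hypothetical; it assumes an XSS filter exception is a regular expression matched against the whole destination URL.

```javascript
// Added example (not NoScript code). compilesAsJs is a hypothetical helper
// that approximates a syntax probe: new Function() only parses its argument
// here, because the returned function is never called.
function compilesAsJs(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Percent-decode the query string; "+" is kept as-is, as in the console log.
function decodeQuery(url) {
  const q = url.indexOf("?");
  return q < 0 ? "" : decodeURIComponent(url.slice(q + 1).split("#")[0]);
}

// URLs copied from the console log in the first post.
const ORIGINAL = "http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%28King%2CStephen%29-Running+man%28The+Running+man%29%281982%29.French.ebook.AlexandriZ";
const SANITIZED = "http://www.teamalexandriz.org/dw.php?f=Bachman%2CRichard%20King%2CStephen%20-Running+man%20The+Running+man%20%201982%20.French.ebook.AlexandriZ";
const BAYFILES = "http://bayfiles.com/file/dUNf/sk6Epj/Bachman%2CRichard%28King%2CStephen%29-Running_man.%28The_Running_man%29.%281982%29.French.ebook.AlexandriZ.rar";

// Hypothetical exception pattern: scheme, exact host and /file/ path anchored,
// no query string or fragment allowed.
const EXCEPTION = /^https?:\/\/bayfiles\.com\/file\/[A-Za-z0-9]+\/[A-Za-z0-9]+\/[^?#]*$/;

// Constructed look-alikes that a loose pattern such as /bayfiles\.com/ would
// also exempt from filtering.
const LOOKALIKES = [
  "http://bayfiles.com.lookalike.example/file/a/b/c.rar",
  "http://other.example/r?u=http://bayfiles.com/file/a/b/c.rar",
];

function report() {
  return {
    originalParses: compilesAsJs(decodeQuery(ORIGINAL)),   // commas and (...) read as calls
    sanitizedParses: compilesAsJs(decodeQuery(SANITIZED)), // "Richard King" is a syntax error
    exceptionMatchesSite: EXCEPTION.test(BAYFILES),
    exceptionMatchesLookalike: LOOKALIKES.some((u) => EXCEPTION.test(u)),
  };
}

console.log(report());
```

Replacing the parentheses with spaces is what stops the string from parsing, which is also why the rewritten BayFiles link no longer carries the token the site expects.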
