Possible XSS attack on NoScript.net

Topic review

Re: Possible XSS attack on NoScript.net

by Giorgio Maone » Mon Mar 09, 2015 9:45 pm

Nothing to be worried about, it's just part of a ten-year-old "battle" to circumvent ABP which, by their own "acceptable ads policy", should never have blocked those 1st party ads anyway. Problem is, I've never paid their racket ;)

[Edit]
Removed the hurried up "historical" reference to Easylist, which as barbaz kindly pointed out to me has nothing to do with Eyeo GmbH, the commercial owners of ABP who designed and implemented the "Acceptable ads" business.

Possible XSS attack on NoScript.net

by EdmoOnSecurity » Mon Mar 09, 2015 9:20 pm

Good day,

I use ESET security software and every once in a while, a warning message pops up indicating that an SSL connection has been blocked:

Code:

ssl://store.uniblue.com

Pic related;

Image

I have now figured out that this occurs whenever NoScript updates itself to the latest version and takes me to the corresponding webpage on noscript.net, e.g. https://noscript.net/?ver=2.6.9.17&prev=2.6.9.16

Within the source code, on that page, is the following:

Image

Obviously, it seems a little unusual that a legitimate web developer would place this line of code 500+ spaces away from the rest of the main body. Looking over to the main body, it is noticeable that this is part of a seemingly redundant...

Code:

<style type="text/css ... />

...element which refers to itself as "goog1e", spelt with the number one instead of a lower case "L" (line 288);

Image

If you look towards the bottom of the page, there is another "text/css" style type element which appears to have obfuscated code within (lines 309-325). At this time, I don't know what this does or where it points.

It's getting late where I am and I still have the new Top Gear from yesterday to watch, I'll try and do a little more analysis tomorrow. In the meantime, I look forward to hearing your thoughts on the above.

Regards,
@EdmoOnSecurity
