XSS false +ve - special chars

access2godzilla · Post by **access2godzilla** » Fri Apr 25, 2014 1:21 pm

NS's XSS filters is incorrectly triggerred when data with special characters is transmitted and the document initiating the POST request contains a query.

http://example.com/login.php -> username: admin, password: t[0.5]=log(e,R[0]/R)/k -> successful
http://example.com/login.php?id=(long_hex_string) -> username: admin, password: t[0.5]=log(e,R[0]/R)/k -> blocked

error console:

Code: Select all

[NoScript InjectionChecker] JavaScript Injection in ##t[0.5]=log(e,R[0]/R)/k
(function anonymous() {
t[0.5]=log(e,R[0]/R)/k /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Post by **Thrawn** » Mon Apr 28, 2014 2:00 am

Why do you consider this to be incorrect? It looks to me like a potential attack vector, if the landing page displays what you send.

Post by **Giorgio Maone** » Mon Apr 28, 2014 10:11 am

@Thrawn:
I suppose the bug is about the filter being triggered only if there's a querystring.
Is this a cross-site request or not?
May I see the other [NoScript XSS] messages in the console?

access2godzilla · Post by **access2godzilla** » Mon Apr 28, 2014 2:09 pm

Giorgio Maone wrote:Is this a cross-site request or not?

This isn't a cross site request.

May I see the other [NoScript XSS] messages in the console?

Yes, I have this in my console:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://example.com/login.php?mode=login###DATA###(urlencoded_password)] from [http://example.com/]: transformed into a download-only GET request.

Seems unrelated to the query strings, though.

Source of relevant part of the page (the page is served through HTTP):

Code: Select all

<form method="post" action="https://example.com/login.php?mode=login" class="headerspace">

<fieldset class="login-form">
	<label for="username">Username:</label> <input type="text" name="username" id="username" size="10" class="inputbox" title="Username" />
	<label for="password">Password:</label> <input type="password" name="password" id="password" size="10" class="inputbox" title="Password" />
		
	| <label for="autologin">Log me on automatically each visit <input type="checkbox" name="autologin" id="autologin" /></label>
			
	<input type="submit" name="login" value="Login" class="button2" />
	<input type="hidden" name="redirect" value="./index.php?" />

</fieldset>
</form>

If I use a HTTPS form for the login this does not occur.

Maybe it's related to the recent change to the XSS filter in 2.6.8.20rc1?

Post by **Giorgio Maone** » Mon Apr 28, 2014 8:21 pm

access2godzilla wrote: If I use a HTTPS form for the login this does not occur.

Maybe it's related to the recent change to the XSS filter in 2.6.8.20rc1?

Yes it is,

NoScript 2.6.8.20rc1 changelog wrote: x [XSS] Stricter checks for HTTPS requests from a same domain origin with
different scheme (thanks LouiseRBaldwin for reporting)

InformAction Forums

XSS false +ve - special chars

XSS false +ve - special chars

Re: XSS false +ve - special chars

Re: XSS false +ve - special chars

Re: XSS false +ve - special chars

Re: XSS false +ve - special chars