Form of cross site scripting....or normal code?

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm


Post by luntrus » Tue Aug 10, 2010 8:02 pm

Hi forum friends,

Consider this piece of code:

Code:

<a href="http://www.google.com" onclick="_gaq.push(['_trackPageview', '/outbound/google']);window.open(this.href,'_self');return false;">google</a>

If I give that in as a search query, it gets flagged as a cross site scripting attempt by firekeeper and Netcraft toolbar:
=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://api.search.yahoo.com/WebSearchSe ... fr&fr=flo2

The page you are trying to visit is suspected to be using Cross-Site Scripting (XSS).
This is a technique commonly used in phishing attacks.

URL: http://www.google.nl/search%3fq=%253Ca% ... f-8%26aq=t

Do you still want to go there?


Why is it flagged, as it is normal external link code to count clicks on an external link? Asynchronous _gaq.push( cross domain tracking!
Look here: http://www.google.nl/search?q=%3Ca+href ... _gaq.push([%27_trackPageview%27%2C+%27%2Foutbound%2Fgoogle%27])%3Bwindow.open(this.href%2C%27_self%27)%3Breturn+false%3B%22%3Egoogle%3C%2Fa%3E&ie=utf-8&oe=utf-8&aq=t
and the direct link there: http://www.mojoportal.com/tracking-outb ... licks.aspx

luntrus
Mozilla/5.0 (Windows; U; Windows NT 6.0; nl; rv:1.9.0.16) Gecko/2010021011 Firefox/3.0.16 Flock/2.5.6
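As an added illustration, not part of the original post and not firekeeper's own code: the quoted rule reimplemented in Python and run over the same query. It shows that the alert is purely lexical on the percent-encoded request URL and fires for any search query containing `<`, `"` and `>`, tracking snippet or not, which is why this benign Analytics link trips it.

```python
from urllib.parse import quote_plus, urlsplit, parse_qs

# Constructed to match the post: the Analytics outbound-link snippet, typed as a search query.
SNIPPET = ('<a href="http://www.google.com" onclick="_gaq.push([\'_trackPageview\', '
           "'/outbound/google']);window.open(this.href,'_self');return false;\">google</a>")

# The three url_content tokens of the quoted firekeeper rule; all must be present for it to fire.
RULE_TOKENS = ("%3C", "%22", "%3E")


def build_search_url(query: str) -> str:
    """Encode a query the way a browser submits a GET search form (same shape as the post's URL)."""
    return "http://www.google.nl/search?q=" + quote_plus(query) + "&ie=utf-8&oe=utf-8&aq=t"


def matched_tokens(url: str, tokens=RULE_TOKENS) -> list:
    """Return the rule tokens found in the raw, still percent-encoded, request URL."""
    upper = url.upper()  # hex digits in percent-escapes may be either case
    return [t for t in tokens if t in upper]


def rule_fires(url: str) -> bool:
    """True when every token is present, i.e. the 'Suspiciously HTML-like' alert triggers."""
    return len(matched_tokens(url)) == len(RULE_TOKENS)


def decoded_query(url: str) -> str:
    """What the rule never inspects: the decoded q parameter, shown for comparison."""
    return parse_qs(urlsplit(url).query)["q"][0]


if __name__ == "__main__":
    # The snippet and a harmless <b>"bold"</b> both fire; a plain-text query does not.
    for q in (SNIPPET, "google analytics outbound tracking", '<b>"bold"</b>'):
        url = build_search_url(q)
        print(rule_fires(url), matched_tokens(url), decoded_query(url)[:40])
```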
