Form of cross site scripting....or normal code?

luntrus · Post by **luntrus** » Tue Aug 10, 2010 8:02 pm

Hi forum friends,

Consider this piece of code:

<a href="http://www.google.com" onclick="_gaq.push(['_trackPageview', '/outbound/google']);window.open(this.href,'_self');return false;">google</a>

If I give that in as a search query, it gets flagged as a cross site scripting attempt by firekeeper and Netcraft toolbar:

=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://api.search.yahoo.com/WebSearchSe ... fr&fr=flo2

The page you are trying to visit is suspected to be using Cross-Site Scripting (XSS).
This is a technique commonly used in phishing attacks.

URL: http://www.google.nl/search%3fq=%253Ca% ... f-8%26aq=t

Do you still want to go there?

Why it is flagged as it is normal link external code to count clicks to an external link? Asynchronous gaq.push( cross domain tracking!
Look here: http://www.google.nl/search?q=%3Ca+href ... utf-8&aq=t
and the direct link there: http://www.mojoportal.com/tracking-outb ... licks.aspx

luntrus