
XSS on YouTube

Posted: Wed Sep 18, 2013 1:53 am
by DH
Starting today whenever I try to watch a video on YouTube I get a warning about a potential XSS from http://youtube.com. When I go into the console to view the details there is nothing there.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 1:57 am
by DH
Minor update: blocking scripts from plus.googleapis.com stops the XSS warning from appearing.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 2:13 am
by joe786
I'm getting the exact same thing. Started today. The warning appears when I begin to scroll down.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 2:18 am
by John Doe
Ya, noscript is FREAKING out with XSS warnings on YouTube. I highly suggest the developer check into this ASAP

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 7:11 am
by Skai
I just registered to confirm this. I cannot find anything questionable in sources or any information in console. Doesn't matter if I am logged in or running in private browsing mode either, any video triggers this as far as I know.

Edit: It doesn't trigger straight away if you open YouTube in a small window, only when you scroll down. How far down exactly stays unknown, but on the network panel I see lots of requests for images on ytimg.com or googleusercontent.com at the same time the XSS filtered notification comes. I hope some of this is useful.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 8:16 am
by boviscopophobic
If I have the console open when I get the XSS notification in YouTube, a warning briefly shows up in the console and then disappears. I grabbed the following screenshot. Sorry about the width, but the lines got cut off otherwise. (Right-click and "View Image" to see the whole thing.)

[Screenshot of the console warning (hosted on ImageShack); image not preserved.]

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 8:51 am
by Skai
Nice catch, there are three (well, four, but two are duplicates about a deprecated method) notifications when filtering with NoScript and all of them disappear almost instantly, leaving less than a second to copy them.

Timestamp: 18.9.2013 11:43:37
Warning: nsIJSON.decode is deprecated. Please use JSON.parse instead.
Source File: jar:file:///C:/Users/<snip>/AppData/Roaming/Mozilla/Firefox/Profiles/<snip>.default/extensions/<snip noscript addon id?>.xpi!/components/noscriptService.js
Line: 2999


[NoScript InjectionChecker] JavaScript Injection in ///u/0/_/widget/render/comments?<snip>hidefirsttimecommenterpromo=function (){var a=(0,m.L)("dftcp");a&&m.S.hide(a)}<snip>
(function anonymous() {
var a=(0,m.L)("dftcp");a&&m.S.hide(a) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})


[NoScript XSS] Sanitized suspicious request. Original URL [https://apis.google.com/u/0/_/widget/render/comments?<snip>] requested from [https://www.youtube.com/watch?v=<snip>]. Sanitized URL: [https://apis.google.com/u/0/_/widget/render/comments?<snip>].


I hope I didn't snip anything useful away while trying to remove personal data. Hopefully it's helpful.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 10:41 am
by Giorgio Maone
The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 10:51 am
by Giorgio Maone
And by the way, I couldn't reproduce it yet. Is there a specific URL I can test against?

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 11:05 am
by Skai
https://www.youtube.com/watch?feature=player_embedded&v=Gzn6E2m3otg triggers it. So does every other video as far as I know. It triggers instantly when Firefox is in fullscreen, otherwise only when you scroll down far enough to see the comments, I believe. I do not see any lost functionality with fast check.

In addition, anything shown on console related to NoScript gets deleted almost instantly as the page loads, showing only for like a second.

Edit: I do not have RequestPolicy addon. See below post.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 12:28 pm
by Thrawn
I can reproduce this on the link provided, if I first allow some sites in RequestPolicy.

  • (Temporarily) Allow requests from youtube.com to https://apis.google.com. Reload page.
  • (Temporarily) Allow requests from youtube.com to https://plus.googleapis.com. Reload page.
  • NoScript will now show a blocked object. Temporarily allowing it triggers the XSS warning.

The confirmation dialog for allowing the blocked object included the following:


Temporarily allow https://plus.googleapis.com/_/im/_/widget/render/comments?first_party_property=YOUTUBE&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Ffeature%3Dplayer_embedded%26v%3DGzn6E2m3otg&owner_id=ahtHbhYZsa2zKY2Mlmr9bA&query=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DGzn6E2m3otg&stream_id=UCahtHbhYZsa2zKY2Mlmr9bA&substream_id=Gzn6E2m3otg&view_type=FILTERED&width=590&dl=true&youtube_video_acl=PUBLIC&hidefirsttimecommenterpromo=function%20()%7Bvar%20a%3D(0%2Cm.L)(%22dftcp%22)%3Ba%26%26m.S.hide(a)%7D&hl=en_US&origin=https%3A%2F%2Fwww.youtube.com&gsrc=1p&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.bI438WBuHt0.O%2Fm%3D__features__%2Fam%3DIA%2Frt%3Dj%2Fd%3D1%2Frs%3DAItRSTNuPHIoFBjGmVBeSqIsgUIKEsrbzA#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Conthumbsup%2Contimestampclicked%2Conupgradeaccount%2Confirsttimecommenter&id=I0_1379507102134&parent=https%3A%2F%2Fwww.youtube.com&pfname=&rpctoken=24347693
(application/x-unknown <IFRAME> / https://www.youtube.com)

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 1:55 pm
by crunchysuperman
I also registered to post here. Same thing, but it hosed YT functionality for me.

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 3:54 pm
by Giorgio Maone
crunchysuperman wrote: I also registered to post here. Same thing, but it hosed YT functionality for me.

What's broken for you?
What have you got allowed and what not?

Anyway, you can disable the XSS filter for this call by adding the following line to your NoScript Options|Advanced|XSS exceptions box:


^https://(?:plus\.googleapis|apis\.google)\.com/[\w/]+/widget/render/comments\?


[EDIT]
updated the regular expression to include the apis.google.com variant, thanks Mastacheata for reporting it.
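The two decisions discussed in this thread, whether a query value carries an entire JavaScript function (the InjectionChecker message in Skai's post) and whether the exception regex above covers the request, can be reproduced against the widget URL Thrawn quoted. The following is an added example written for this thread, not NoScript's own code: it compiles each decoded parameter with the Function constructor (parse only, never executed) and skips that heuristic when the posted exception regex matches, which is the effect the exceptions box entry has. The widget URL is the one from the thread with the forum line wrapping removed; the example.com URL and the function names are constructed for illustration.

```javascript
// Added example (not NoScript's code): reproduce, for the comments-widget URL quoted in
// this thread, the two decisions discussed here. (1) Does a query value parse as JavaScript,
// which is what NoScript's InjectionChecker reported for hidefirsttimecommenterpromo?
// (2) Does the exception regex from the post match, so the filter is skipped?
// Runs under Node.js; it only compiles the parameter text and never executes it.

// The exception regex exactly as posted (NoScript Options|Advanced|XSS exceptions).
const XSS_EXCEPTION = new RegExp(
  String.raw`^https://(?:plus\.googleapis|apis\.google)\.com/[\w/]+/widget/render/comments\?`
);

// The URL from Thrawn's confirmation dialog, with the forum line wrapping removed.
const WIDGET_URL =
  "https://plus.googleapis.com/_/im/_/widget/render/comments?first_party_property=YOUTUBE" +
  "&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Ffeature%3Dplayer_embedded%26v%3DGzn6E2m3otg" +
  "&owner_id=ahtHbhYZsa2zKY2Mlmr9bA&query=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DGzn6E2m3otg" +
  "&stream_id=UCahtHbhYZsa2zKY2Mlmr9bA&substream_id=Gzn6E2m3otg&view_type=FILTERED&width=590" +
  "&dl=true&youtube_video_acl=PUBLIC" +
  "&hidefirsttimecommenterpromo=function%20()%7Bvar%20a%3D(0%2Cm.L)(%22dftcp%22)%3Ba%26%26m.S.hide(a)%7D" +
  "&hl=en_US&origin=https%3A%2F%2Fwww.youtube.com&gsrc=1p" +
  "&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.bI438WBuHt0.O%2Fm%3D__features__" +
  "%2Fam%3DIA%2Frt%3Dj%2Fd%3D1%2Frs%3DAItRSTNuPHIoFBjGmVBeSqIsgUIKEsrbzA" +
  "#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled" +
  "%2Cdrefresh%2Cerefresh%2Conthumbsup%2Contimestampclicked%2Conupgradeaccount%2Confirsttimecommenter" +
  "&id=I0_1379507102134&parent=https%3A%2F%2Fwww.youtube.com&pfname=&rpctoken=24347693";

// True when `value` compiles as a JavaScript statement list or as a parenthesised
// expression. Values with no parentheses or braces (plain ids, numbers, URLs) are skipped:
// they cannot carry a function definition or call, and many of them would "parse" as a
// harmless identifier or label. new Function() parses the text but never runs it.
function looksLikeJavaScript(value) {
  if (!/[(){}]/.test(value)) return false;
  for (const candidate of [value, "(" + value + ")"]) {
    try {
      new Function(candidate);
      return true;
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
    }
  }
  return false;
}

// Decode every name=value pair in the query and in the fragment (the widget puts its RPC
// method list after '#') and return the names whose values look like JavaScript.
function findScriptLikeParams(urlString) {
  const url = new URL(urlString);
  const pairs = [
    ...url.searchParams.entries(),
    ...new URLSearchParams(url.hash.replace(/^#/, "")).entries(),
  ];
  return pairs.filter(([, value]) => looksLikeJavaScript(value)).map(([name]) => name);
}

// Exception first, heuristic second: that is the effect an exceptions box entry has.
function classifyRequest(urlString) {
  if (XSS_EXCEPTION.test(urlString)) return { excepted: true, flagged: [] };
  return { excepted: false, flagged: findScriptLikeParams(urlString) };
}

// Constructed sample (hypothetical host and parameter): the same function text on a
// host/path the exception does not cover, so the heuristic still reports it.
const UNRELATED_URL =
  "https://example.com/page?cb=function%20()%7Bvar%20a%3D(0%2Cm.L)(%22dftcp%22)%3Ba%26%26m.S.hide(a)%7D";

for (const u of [WIDGET_URL, UNRELATED_URL]) {
  console.log(new URL(u).host, JSON.stringify(classifyRequest(u)));
}
```

Run it with `node` and the widget URL comes back as excepted while the example.com URL is flagged on `cb`. Without the exception, `findScriptLikeParams(WIDGET_URL)` returns only `hidefirsttimecommenterpromo`, the same parameter the InjectionChecker log names. The heuristic is deliberately simpler than the real InjectionChecker, which tries many substrings and decodings; the parentheses/braces pre-check is what keeps values such as `YOUTUBE`, `590` or the `href` URL from counting as script.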

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 4:36 pm
by DH
Giorgio Maone wrote: The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?

I have personally not noticed any loss of functionality with the XSS filter. Nor have I noticed any when blocking scripts from plus.googleapis.com

Re: XSS on YouTube

Posted: Wed Sep 18, 2013 4:44 pm
by crunchysuperman
DH wrote:
Giorgio Maone wrote: The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?

I have personally not noticed any loss of functionality with the XSS filter. Nor have I noticed any when blocking scripts from plus.googleapis.com


There's something else going on here. I disabled everything and went into safe mode and still couldn't play YT videos. Upon restoring everything, the first video I tried played, but from then on they wouldn't. Clearly the XSS issue was a coincidence and there's something else other than NS to blame.