Page 1 of 1

Need help with XSS resp it's RegEx

Posted: Sun Nov 03, 2013 7:46 pm
by Alpengreis
Hi all,

I should have the following XSS exception as RegEx:

POST = [https://app.swisspost.ch/VPSPayment/PaymentGateway]
FROM = [https://sso.post.ch/upm/pages/EWalletLoading.aspx?language=DE&targetURL=https%3a%2f%2fws.sso.post.ch%2fmembers%2f%3f_step%3d7&fallBackURL=https%3a%2f%2fws.sso.post.ch%2fmembers%2f%3f_step%3d7&service=webstamp&loginpost=]

The URLs should be first level domains with or without 2nd level (or higher) domains.

which means:

https://swisspost.ch/* or https://*.swisspost.ch/*

should allow XSS from

https://post.ch/* or https://*.post.ch/*

What is the correct regex entry for this?

MANY thanks in advance for your help!

Greetings from Switzerland and a nice week ...
Alpengreis

Re: Need help with XSS resp it's RegEx

Posted: Sun Nov 03, 2013 9:45 pm
by Giorgio Maone
Exceptions entered in the XSS options panel can match either the origin (if prefixed with "@") or the destination, not both (unfortunately).
Therefore, if you trust post.ch not to originate malicious requests, you can use

Code: Select all

^@https?://([^/]+\.)?post\.ch/

Otherwise, if you prefer to trust swisspost.ch not to be XSSable, you can use

Code: Select all

^https://([^/]+\.)?swisspost\.ch/

Re: Need help with XSS resp it's RegEx

Posted: Sun Nov 03, 2013 10:10 pm
by Alpengreis
Ah, okay - checked and done!

Thank you VERY much, Giorgio!

Re: Need help with XSS resp it's RegEx

Posted: Wed Mar 19, 2014 6:49 pm
by darnit!
Hi there,
Maybe I have the same problem...
When I try to log a comment in this page. Link :
http://www.qanon302.net/news/2014/03/19/14704

...I get an XSS message from No Script !! It says that it comes from http://jetpack.wordpress.com ! (what is this?). But here is the funny part. Message appears sometimes when my commentary is long like seven lines in the frame. When I put a much shorter one on other pages of the same site... like one or two lines, the xss message doesn't appear at all. I even made a test on the above mentioned page. I put a couple of dots in the frame instead of sentences. And it appeared smoothly in the page (& is still there) without the darn xss message appearing & cancelling everything !

Any help here pls ?
Thanks

Re: Need help with XSS resp it's RegEx

Posted: Wed Mar 19, 2014 7:32 pm
by Giorgio Maone
darnit! wrote:Hi there,
Maybe I have the same problem...
When I try to log a comment in this page. Link :
http://www.qanon302.net/news/2014/03/19/14704

...I get an XSS message from No Script !! It says that it comes from http://jetpack.wordpress.com ! (what is this?).

Next time it happens, please open the Browser Console (ctrl+shift+J) and look for any [NoScript XSS] or [InjectionChecker] line, then send me a PM with it for examination.

Re: Need help with XSS resp it's RegEx

Posted: Wed Mar 19, 2014 11:57 pm
by Giorgio Maone
This is the line you want to add in your NoScript Options|Advanced|XSS|Exceptions box:

Code: Select all

^http:\/\/www\.qanon302\.net/wp-comments-post\.php


[Edit]
Per barbaz's request, here's the line sent in PM, with "uninteresting" data removed:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [http://www.qanon302.net/wp-comments-post.php?for=jetpack###DATA###{uninteresting long chunk of encoded data}] from [http://jetpack.wordpress.com/jetpack-comment/]: transformed into a download-only GET request.

Re: Need help with XSS resp it's RegEx

Posted: Thu Mar 20, 2014 2:27 am
by Darnit !
Gosh... It worked. Thanx Giorgio. I will keep working with this solution. And if anything new arises, I will let you know.

Re: Need help with XSS resp it's RegEx

Posted: Thu Mar 20, 2014 4:29 pm
by barbaz
If the messages don't contain any sensitive information, since this is a sticky topic maybe they should be posted here, wrapped in code tags, for others to reference when trying to figure out how to write XSS exceptions?

Re: Need help with XSS resp it's RegEx

Posted: Mon Sep 26, 2016 9:25 am
by blublevita
I have a similar issue that was not as easily resolved. The cross-scripting comes when registering a credit card with my phone provider from my account control panel. The domain is salt.ch and the provider URL when I am logged in begins with

https://myaccount.salt.ch/

After entering the card info, NoScript filters the XSS attempt from [https://secure5.arcot.com/]. I have sent the Console entry to Giorgio by PM. Here is background info on arcot.com, which although actually trustworthy has an apparently poorly designed service that can appear as a man-in-the-middle attack:
https://www.jasonpearce.com/2013/05/14/verified-by-visa-and-arcot-com-function-like-a-man-in-the-middle-attack/

In any case, I trust the phone provider and so decided to trust the entire salt.ch domain to not be XSSable by entering the following regular expression in the list of XSS protection exceptions, per the second post in this thread:

Code: Select all

^https://([^/]+\.)?salt\.ch/

This did not, however, modify the behavior; the XSS attempt is still blocked.

Re: Need help with XSS resp it's RegEx

Posted: Mon Sep 26, 2016 9:33 am
by blublevita
Apparently, I found the cause of my issue. In the protections list, I had not entered a carriage return at the end of the new entry. After entering one, creating a new empty line, and restarting the browser (just to be on the safe side), the XSS works.

Re: Need help with XSS resp it's RegEx

Posted: Mon Sep 26, 2016 4:31 pm
by barbaz
blublevita wrote:In the protections list, I had not entered a carriage return at the end of the new entry. After entering one, creating a new empty line, and restarting the browser (just to be on the safe side), the XSS works.

You sure you're not disabling the XSS filter entirely? Does this generate a XSS warning?

Re: Need help with XSS resp it's RegEx

Posted: Sun Dec 18, 2016 7:09 pm
by Guest
Hello,
I use Firefox as my browser and Startpage.com as my search engine (not Google, for more or less the same reasons I use NoScript). Normally I type search terms directly into the address bar of the browser and it opens Startpage with the results page. Since the NoScript Update of about 3 weeks ago, I get an the start page of Startpage with an information about XSS attempt. I have tried to add an exemption based on the google example as follows:
^https?://([a-z]+)\.startpage\.(?:[a-z]{1,3}\.)?[a-z]+/(?:metasearch|custom|\1)\?

But unfortunately it does not work ... :(
Searching normally on Startpage works without any issue.
Any help would be appreciated!

BTW, why does CAPTCHA require google.com to run?

Thanks
Lutz

Re: Need help with XSS resp it's RegEx

Posted: Sun Dec 18, 2016 7:21 pm
by Guest
sorry, too quick - NoScript just updated again and now it seems to work.
Thanks!
Lutz