Possible XSS attack on NoScript.net



Post by EdmoOnSecurity » Mon Mar 09, 2015 9:20 pm

Good day,

I use ESET security software and every once in a while, a warning message pops up indicating that an SSL connection has been blocked:


ssl://store.uniblue.com


Pic related;

Image

I have now figured out that this occurs whenever NoScript updates itself to the latest version and takes me to the corresponding webpage on noscript.net, e.g. https://noscript.net/?ver=2.6.9.17&prev=2.6.9.16

Within the source code, on that page, is the following:

Image

Obviously, it seems a little unusual that a legitimate web developer would place this line of code 500+ spaces away from the rest of the main body. Looking over to the main body, it is noticeable that this is part of a seemingly redundant...


<style type="text/css ... />


...element which refers to itself as "goog1e", spelt with the number one instead of a lower case "L" (line 288);

Image

If you look towards the bottom of the page, there is another "text/css" style type element which appears to have obfuscated code within (lines 309-325). At this time, I don't know what this does or where it points.

It's getting late where I am and I still have the new Top Gear from yesterday to watch, I'll try and do a little more analysis tomorrow. In the meantime, I look forward to hearing your thoughts on the above.

Regards,
@EdmoOnSecurity
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0

Giorgio Maone
Site Admin
Posts: 8957
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Possible XSS attack on NoScript.net

Post by Giorgio Maone » Mon Mar 09, 2015 9:45 pm

Nothing to be worried about, it's just part of a ten-year-old "battle" to circumvent ABP which, by their own "acceptable ads policy", should never have blocked those 1st party ads anyway. Problem is, I've never paid their racket ;)

[Edit]
Removed the hurried up "historical" reference to Easylist, which as barbaz kindly pointed out to me has nothing to do with Eyeo GmbH, the commercial owners of ABP who designed and implemented the "Acceptable ads" business.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
