Several HP.COM web pages trigger XSS warning

Post by Security Dude »

Hi,

Several HP.COM web pages trigger the XSS warning. For instance, <http://www8.hp.com/us/en/software-solut ... r-catalog/>. I do not understand XSS well enough to know if HP needs to fix its pages, or if NoScript is flagging them inaccurately. Can someone help me understand if this is a false positive or a real issue? I'll be happy to take the results to HP to get them to fix the page once I know if it's their pages or NoScript.

Browser is Firefox 36.0.1 (and many earlier versions), and the latest version of NoScript 2.6.9.17 (and many earlier versions). The error in the console log is:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4234ret=html&phint=v31=Service Broker, Service Catalog, Propel | HP® Official Site, __bk_l=http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/, __bk_pr=, bkrid=v1|2A7CD44285010DE7-4000011240000EB9, v30=cs:software:us:en-us:3.0:propel, v24=Commercial.Large, v01=TSG, v08=Discover HP Propel, a complete cloud service broker solution for IT that provides a single user experience and unified hub for multi-supplier integrations., v11=presales.awareness, v28=Commercial.Business Manager,Commercial.IT Professional, v29=any, v56=R11374, v26=us, v16=Products&limit=15&r=84837134
(function anonymous() {
presales.awareness, v28=Commercial.Business /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4234?ret=html&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F&phint=__bk_pr%3D&phint=bkrid%3Dv1%7C2A7CD44285010DE7-4000011240000EB9&phint=v30%3Dcs%3Asoftware%3Aus%3Aen-us%3A3.0%3Apropel&phint=v24%3DCommercial.Large&phint=v01%3DTSG&phint=v08%3DDiscover%20HP%20Propel%2C%20a%20complete%20cloud%20service%20broker%20solution%20for%20IT%20that%20provides%20a%20single%20user%20experience%20and%20unified%20hub%20for%20multi-supplier%20integrations.&phint=v11%3Dpresales.awareness&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional&phint=v29%3Dany&phint=v56%3DR11374&phint=v26%3Dus&phint=v16%3DProducts&limit=15&r=84837134] requested from [http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/]. Sanitized URL: [http://tags.bluekai.com/#1733805685822937833].

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://stg.www8.hp.com/ww/en/system/inc ... 6510361184. This can be fixed by moving the resource to the same domain or enabling CORS.
Thank you for the help.
Last edited by barbaz on Mon Mar 16, 2015 3:17 pm, edited 1 time in total.
Reason: wrap console messages in code tags
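The InjectionChecker line in the log above shows what NoScript actually did: it took a slice of the decoded request, wrapped it in `(function anonymous() { ... /* COMMENT_TERMINATOR */ DUMMY_EXPR })`, and asked the JavaScript parser whether the result compiles. The script below is an added example, not NoScript's code and not something posted in this thread; it re-creates that check in simplified form on the exact URL from the log. The candidate-selection heuristic (which runs of text get handed to the parser) is my own assumption and is cruder than NoScript's; the URL, the wrapper text and the flagged fragment are taken from the log. It assumes Node.js (WHATWG `URL` global, `String.prototype.matchAll`).

```javascript
// Added example (not NoScript's code, not posted in the thread): a simplified
// re-creation of the syntax check shown by the "[NoScript InjectionChecker]"
// log line. Assumes Node.js (WHATWG URL global, String.prototype.matchAll).

// The original request URL from the "[NoScript XSS] Sanitized suspicious
// request" log line, copied from the first post.
const ORIGINAL_URL =
  "http://tags.bluekai.com/site/4234?ret=html" +
  "&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site" +
  "&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F" +
  "&phint=__bk_pr%3D&phint=bkrid%3Dv1%7C2A7CD44285010DE7-4000011240000EB9" +
  "&phint=v30%3Dcs%3Asoftware%3Aus%3Aen-us%3A3.0%3Apropel&phint=v24%3DCommercial.Large&phint=v01%3DTSG" +
  "&phint=v08%3DDiscover%20HP%20Propel%2C%20a%20complete%20cloud%20service%20broker%20solution%20for%20IT" +
  "%20that%20provides%20a%20single%20user%20experience%20and%20unified%20hub%20for%20multi-supplier%20integrations." +
  "&phint=v11%3Dpresales.awareness&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional" +
  "&phint=v29%3Dany&phint=v56%3DR11374&phint=v26%3Dus&phint=v16%3DProducts&limit=15&r=84837134";

// Percent-decode the query and join repeated parameters with ", ". This
// reproduces the "coalesced:///..." view in the log, where the many phint=
// values appear as one comma-separated list.
function coalesceQuery(url) {
  const groups = new Map();
  for (const [key, value] of new URL(url).searchParams) {
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(value);
  }
  return [...groups].map(([key, values]) => `${key}=${values.join(", ")}`).join("&");
}

// Wrap a fragment the way the log shows it and ask the JavaScript parser
// whether it is valid. new Function() only parses here; the body is never
// called, so this is safe on untrusted text. My reading of the two markers
// from the log: the block comment closes a "/*" the fragment may have opened,
// and the newline plus DUMMY_EXPR lets a fragment that ends in "//" or in a
// dangling operator still parse.
function compilesAsJS(fragment) {
  try {
    new Function(fragment + " /* COMMENT_TERMINATOR */\nDUMMY_EXPR");
    return true;
  } catch (err) {
    return false; // SyntaxError: this text cannot be executed as script
  }
}

// Candidate selection is my own assumption, not NoScript's algorithm: take
// runs of identifier-like tokens joined by "=", "," or "(", and only hand the
// parser runs that contain a property access (something.something), so a
// plain key=value pair is never reported on its own.
const RUN_RE = /[\w$.]+(?:\s*[=,(]\s*[\w$.]+)+/g;
const HAS_PROPERTY_ACCESS = /[\w$]+\.[\w$]+/;

function findInjectionCandidates(decodedQuery) {
  const hits = [];
  for (const match of decodedQuery.matchAll(RUN_RE)) {
    const run = match[0];
    // A run may begin with text that is not JavaScript ("integrations., v11=..."),
    // so try the whole run first, then each suffix that starts after an operator.
    const starts = [0];
    for (const op of run.matchAll(/\s*[=,(]\s*/g)) starts.push(op.index + op[0].length);
    for (const start of starts) {
      const fragment = run.slice(start).trim();
      if (HAS_PROPERTY_ACCESS.test(fragment) && /[=,(]/.test(fragment) && compilesAsJS(fragment)) {
        hits.push(fragment);
        break; // starts are ascending, so this is the longest compiling suffix
      }
    }
  }
  return hits;
}

const coalesced = coalesceQuery(ORIGINAL_URL);
for (const fragment of findInjectionCandidates(coalesced)) {
  console.log("compiles as JavaScript:", JSON.stringify(fragment));
}
```

Run with `node` it reports several fragments, among them `v11=presales.awareness, v28=Commercial.Business`, which is the slice NoScript flagged plus the key in front of it. Two things are worth noticing. First, the comma that turns `presales.awareness` and `v28=Commercial.Business` into one valid comma expression is the separator between two distinct `phint=` parameters in the coalesced view; nothing in either value alone is script-like, the dotted analytics taxonomy names simply happen to parse as property accesses. Second, a fragment compiling as JavaScript says nothing about whether tags.bluekai.com would ever reflect it into a script context unescaped; the client cannot tell, which is why NoScript sanitizes rather than decides, and why the question "HP's bug or NoScript's false positive?" cannot be settled from the browser side alone. Blocking the tracker outright, as the next reply suggests, makes the question moot.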
Post by barbaz »

It's a tracker, you can either ignore it or outright block it with ABE:

Site .bluekai.com
Deny
*Always* check the changelogs BEFORE updating that important software!
-
Post by Guest »

I added those two lines to the NoScript Options Advanced ABE tab "USER" rules. But I still get the XSS warning when I browse to that HP.COM page.

Should I have put them someplace else, or am I missing something? By the way, if I disable ABE completely by unchecking the Enable box on the ABE tab, I still get the XSS warning.
Post by barbaz »

Sounds like you're doing it right... check the Browser Console (Ctrl-Shift-J) for ABE related messages?
(Maybe in your case the XSS filter acts before ABE)
Post by Guest »

It appears that XSS is triggering before ABE. Here is the console log now:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4234ret=html&phint=v31=Service Broker, Service Catalog, Propel | HP® Official Site, __bk_l=http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/, __bk_pr=, bkrid=v1|2A7CD44285010DE7-4000011240000EB9, v30=cs:software:us:en-us:3.0:propel, v24=Commercial.Large, v01=TSG, v08=Discover HP Propel, a complete cloud service broker solution for IT that provides a single user experience and unified hub for multi-supplier integrations., v11=presales.awareness, v28=Commercial.Business Manager,Commercial.IT Professional, v29=any, v56=R11374, v26=us, v16=Products&limit=15&r=960414
(function anonymous() {
presales.awareness, v28=Commercial.Business /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4234?ret=html&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F&phint=__bk_pr%3D&phint=bkrid%3Dv1%7C2A7CD44285010DE7-4000011240000EB9&phint=v30%3Dcs%3Asoftware%3Aus%3Aen-us%3A3.0%3Apropel&phint=v24%3DCommercial.Large&phint=v01%3DTSG&phint=v08%3DDiscover%20HP%20Propel%2C%20a%20complete%20cloud%20service%20broker%20solution%20for%20IT%20that%20provides%20a%20single%20user%20experience%20and%20unified%20hub%20for%20multi-supplier%20integrations.&phint=v11%3Dpresales.awareness&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional&phint=v29%3Dany&phint=v56%3DR11374&phint=v26%3Dus&phint=v16%3DProducts&limit=15&r=960414] requested from [http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/]. Sanitized URL: [http://tags.bluekai.com/#11177404790095902500].
[ABE] <tags.bluekai.com> Deny on {GET http://tags.bluekai.com/site/4234?ret=j ... 5&r=960414 <<< http://www8.hp.com/us/en/software-solut ... r-catalog/ - 2}
USER rule:
Site tags.bluekai.com
Deny
Using //@ to indicate sourceURL pragmas is deprecated. Use //# instead can.jquery-1.1.6.js:2:0
[ABE] <tags.bluekai.com> Deny on {GET http://tags.bluekai.com/#11177404790095902500 <<< http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/ - 7}
USER rule:
Site tags.bluekai.com
Deny
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://stg.www8.hp.com/ww/en/system/include/intranetCheck.jsp?_=1426523669807. This can be fixed by moving the resource to the same domain or enabling CORS.
So now what should I try?
Post by barbaz »

You've definitely stopped any risk at all there because you are outright blocking that item. I'm not sure what you would like to have done at this point :?:
Post by Guest »

I'm trying to get the XSS warning message to stop appearing. Until it does, I'm not sure if I have successfully blocked the risk or have a typo some place and the risk is still present.
Post by barbaz »

The fact you get a console message from ABE blocking the request indicates that you have definitely blocked the risk (if there is any after the XSS filter).

If that isn't enough, you're probably looking at asking HP to use a different tracker on their site...
Post by Thrawn »

You might be able to kill off the XSS warning with a surrogate script.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Post by gvp »

I had the same problem at ebay.co.uk .... so I added

^http?://tags\.bluekai\.com/

to XSS exceptions and problem solved ...
I'm not familiar with regex so if I'm wrong please anyone feel free to correct the regex I used ...

ps
If you use it you must trust bluekai ..
Last edited by gvp on Mon Mar 23, 2015 4:28 pm, edited 1 time in total.
Post by barbaz »

An XSS exception is definitely not the best choice here.
gvp wrote:I'm not familiar with regex so if i'm wrong please anyone feel free to correct the regex i used ...
You have a typo, you mean

^https?://tags\.bluekai\.com/
gvp wrote:ps
If you use it you must trust bluekai ..
Why would anyone trust a tracking company not on their own website? :?:
Post by gvp »

barbaz wrote:An XSS exception is definitely not the best choice here.
why ??
Last edited by gvp on Mon Mar 23, 2015 4:34 pm, edited 2 times in total.
Post by barbaz »

gvp wrote:
barbaz wrote:An XSS exception is definitely not the best choice here.
why ??
Because why the heck would you want to allow a potentially dangerous request that's just for data mining? Who actually wants to be tracked? :shock:
Post by gvp »

maybe this
[XSS exception for origin of request deleted by moderator]
Last edited by barbaz on Mon Mar 23, 2015 4:39 pm, edited 1 time in total.
Reason: remove dangerous suggestion
Post by barbaz »

That's even worse because you're allowing ebay to XSS anything, just for a tracker. If ebay gets compromised or itself XSS'ed then an attacker could then use ebay as a middleman to exploit you in all kinds of ways...