NoScript and XSS attempt from [chrome]

Ask for help about NoScript, no registration needed to post
antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

NoScript and XSS attempt from [chrome]

Post by antipop » Sat Nov 28, 2015 1:12 am

I have the latest versions of NoScript in Firefox on Windows 10 Pro. I use Startpage as my default search engine. Just about every time I enter any text in the small search box at the top right of Firefox, while the Startpage is loaded as my homepage, and press Enter, I get a NoScript message appearing across the top to this effect:

"NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome]. Technical details have been logged to the Console. "

So, is there anything I can do to prevent this from happening without altogether disabling the important messages such as this? Thanks.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Nov 28, 2015 1:14 am

WFM... can you please post the contents of your Startpage searchplugin's xml file as well as a sample query that triggers the XSS filter?
*Always* check the changelogs BEFORE updating that important software!
-

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Sat Nov 28, 2015 2:19 am

Hello, barbaz

> "...Startpage searchplugin's xml file "

Where would I find this file? Thanks.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Nov 28, 2015 3:10 am

Is it in a "searchplugins" subdirectory of your profile folder?

Also I've fixed the above post for you.
*Always* check the changelogs BEFORE updating that important software!
-

antipop2

Re: NoScript and XSS attempt from [chrome]

Post by antipop2 » Sat Nov 28, 2015 2:15 pm

I think this is what you asked to see, from here C:\Users\me\AppData\Roaming\Mozilla\Firefox\Profiles\ujf4f8wo.default\searchplugins\startpage-ssl.xml:

Code: Select all

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/" xmlns:os="http://a9.com/-/spec/opensearch/1.1/">
<os:ShortName>Startpage (SSL)</os:ShortName>
<os:Description>Startpage is a search engine that does not collect or share personally identifiable information. This search bar extension utilizes SSL to protect transmissions between You and Startpage.</os:Description>
<os:InputEncoding>UTF-8</os:InputEncoding>
<os:Image width="16" height="16">data:image/x-icon;base64,AAABAAEAEBAAAAEAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2jkj+9YtD/vWLQ/71i0P+9otD/vaLRP72i0T+9YtE/vWLRP72i0T+9otD/vaNRP72jUT+9otF/vaLRf73kkv+9Yc///WJP//1iT//9Yk///rAmf/94Mz/+sCa//aRTv/1iUH/9ok///aJP//2i0H/9otB//aJQv/2iUL/9otC//aNRP/2jUT/9o1E//aNRP/6wpv////////////96dr/95dQ//aNRP/2kET/9pBG//aQRv/2kEb/9pBG//aRR//3lEz/95BH//mueP/7xJ3/959g//efYf/4p23//vDm//3p2//3kEr/95FJ//aRSf/niFH/95FK//aRSv/2mE//95hS/vq4iP/////////////////81bj/95xZ//q4iP//////+bF+//eZT//njFT/PSqi/2xGjv/2mVD/951V/vedVv783cX///////vQrf/++PP///////748//+8uj///////m3gf/olFr/PSuj/w8Pt/9sSJD/951V//eeWf73oVv++8ul///////5sXf/+KRi//vRsf////////////3r3v/olF//Piyk/w8Pt/9sSJH/+J5Z//ieWv/3oV/++KZf/vihXP/97N7//vn0//zTs//6wJP/+bBy//q6iP/onW//Piyl/w8Pt/8fGbH/m2iB/+icY//4pGD/96hl/viqZf74pmD/+Kxr//3iy/////////n1//ivbP/onGj/Pi2m/w8Pt/8uJKz/fFeQ/x8Zsf8+Lqb/6J9r//ivbP74rm3++Klm//mpZv/5q2f/+bR9//m0e//poW7/Pi6n/w8Pt/9sTZj/+Ktp//ira/+rd4P/Dw+3/4xijv/5snH++LN1/vmvbf/5r23/+a5t//mvb//4r2//TTuk/w8Pt/8fGrL/6ah1//ivcP/4r3P/q3yI/w8Pt/+MZpP/+bN5/vm4ev75t3X/+bV1//m1df/5t3X/+Ld3/8qUhP98XZn/Hxqz/+mse//5t3f/2p+B/x8as/8PD7f/u4qK//m7fv76u4D++bl7//m3fP/5uXz/+bl8//m5fP/5t3z/+bl//x8as/9NPKf/fWCb/x8as/8PD7f/bVOh//q5f//6v4X++sGI/vm9g//5voX/+b6F//m9hf/6vYX/+r6F//nCh/+bepr/Hxu0/w8Pt/8PD7f/fWOh//q+hf/6wof/+saN/vrGjf75xIv/+ceL//nEi//5xIv/+sSL//rHi//6x43/+ceN/+m7kP+7lpj/6ruQ//rHkP/6x43/+seQ//rLlf76ypT++seR//rJkf/6yZH/+seR//rJkf/6yZH/+8mR//vJlP/7yZT/+smU//rJlP/6yZT/+8yV//rJlf/6zpn+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==</os:Image>
<SearchForm>https://startpage.com/</SearchForm>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">
  <os:Param name="query" value="searchTerms"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="language" value="english"/>
</os:Url>
</SearchPlugin>

Do let me know if you want to see something else or if you see any problems in the above file. Thank you.
Last edited by barbaz on Sat Nov 28, 2015 2:28 pm, edited 1 time in total.
Reason: wrap searchplugin in code tags
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Nov 28, 2015 2:30 pm

That is indeed the searchplugin I asked to see. The last part of your searchplugin looks quite different from mine, you have this

Code: Select all

<SearchForm>https://startpage.com/</SearchForm>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/metasearch.pl">
  <os:Param name="query" value="searchTerms"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="language" value="english"/>
</os:Url>

where I have this

Code: Select all

<UpdateInterval>3</UpdateInterval>
<UpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage_ff_secure_en.src</UpdateUrl>
<IconUpdateUrl>https://startpage.com/toolbar/searchbar/en/startpage.png</IconUpdateUrl>
<os:Url type="text/html" method="POST" template="https://startpage.com/do/search">
  <os:Param name="query" value="{searchTerms}"/>
  <os:Param name="cat" value="web"/>
  <os:Param name="pl" value="ff"/>
  <os:Param name="language" value="english"/>
</os:Url>


Did the board strip the curly brackets off of your "searchTerms"? If so, for future reference you can work around it by typing double curly brackets before preview and submit.
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Nov 28, 2015 2:33 pm

Even so, I'm not seeing what would trigger the XSS filter. Can you please post a sample query per above?

BTW how come you can't log in?
*Always* check the changelogs BEFORE updating that important software!
-

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Sat Nov 28, 2015 4:35 pm

barbaz,

I can log in just fine. However, it is not necessary to log in to post, but I cannot post with my registered user ID while doing so. I simply post without logging in while using "antipop2" as the ID. Does my doing it like this cause a problem in the information for some reason?

Anyway, I just now saw this same problem occur while making a search. I entered for instance this expression exactly in this manner: microsoft certification

The Startpage was opened when I entered these words, but I put them in the little search box on upper right, not in the Startpage search box at the center of its page.When I entered it in the search box and pressed Enter, it popped up the message. It only shows the error message the first time I press Enter; when I then click the arrow "-->" at the end of the box or press Enter again, it does the search normally.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Sat Nov 28, 2015 5:16 pm

antipop wrote:I can log in just fine. However, it is not necessary to log in to post, but I cannot post with my registered user ID while doing so. I simply post without logging in while using "antipop2" as the ID. Does my doing it like this cause a problem in the information for some reason?

We prefer you log in to post if you're registered because posting as guest makes it easier for people to impersonate you and harder for people to follow who's who, plus you have to solve the CAPTCHA every time you need to post and you can't edit posts, plus the spam filter might treat you differently.
Good that you don't have some problem with your account anyway.

antipop wrote:Anyway, I just now saw this same problem occur while making a search. I entered for instance this expression exactly in this manner: microsoft certification

The Startpage was opened when I entered these words, but I put them in the little search box on upper right, not in the Startpage search box at the center of its page.When I entered it in the search box and pressed Enter, it popped up the message. It only shows the error message the first time I press Enter; when I then click the arrow "-->" at the end of the box or press Enter again, it does the search normally.

It shouldn't matter what page you have opened...

In any case I can't reproduce this, regardless of script permissions of Startpage or having Startpage opened or using your searchplugin.
Please create a clean profile from scratch. Add your searchplugin from your existing profile (create a "searchplugins" folder in your new profile folder, then copy in the xml file). Install only NoScript latest development build, leaving all the defaults. Does the problem still exist?
If not, what if you then import your NS settings into the clean profile using the Import and Export buttons *on the very bottom* of NS Options?

Let us know, thanks.
*Always* check the changelogs BEFORE updating that important software!
-

antipop
Junior Member
Posts: 43
Joined: Mon Nov 26, 2012 12:47 am

Re: NoScript and XSS attempt from [chrome]

Post by antipop » Tue Dec 01, 2015 2:26 pm

I want to add another point about this before deciding my next step in troubleshooting. On far end of the notification bar with aforementioned error message, there is an options button that appears, giving me choices such as Load console, Unsafe Reload, Notifications, Options, and XSS FAQ. So, I was wondering whether one of these choices would either lead to a straightforward solution or help to pinpoint the cause, say, possibly from information in the Console. Thanks.
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Tue Dec 01, 2015 2:54 pm

bye
Last edited by barbaz on Tue Dec 01, 2015 3:35 pm, edited 1 time in total.
*Always* check the changelogs BEFORE updating that important software!
-

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Tue Dec 01, 2015 3:34 pm

Oops, I realize I forgot to ask, when this issue occurs do you see anything related in the Browser Console? (Ctrl-Shift-J)
(if you don't know what's related, turn off CSS warnings and post everything else you see)

So yes, the "Load console" option would help, but the others probably won't.
*Always* check the changelogs BEFORE updating that important software!
-

antipop2

Re: NoScript and XSS attempt from [chrome]

Post by antipop2 » Wed Dec 02, 2015 2:12 pm

Is this what you asked to see:

Code: Select all

"[TunnelToLms] get ajax response from https://api-mva.microsoft.com ==> {"messageWay":"response","messageType":"AJAX_SUCCESS","messageId":"TunnelToMvaApi44","statusText":"success","statusCode":200,"statusMessage":"OK","result":"User activity saved successfully"}" scowrapper:14:107185
"[TunnelToMvaApi] get ajax response from https://api-mva.microsoft.com ==> {"messageWay":"response","messageType":"AJAX_SUCCESS","messageId":"TunnelToMvaApi44","statusText":"success","statusCode":200,"statusMessage":"OK","result":"User activity saved successfully"}" scowrapper:14:107185
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 2, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_util.js:2:417
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 2, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" } extra_util.js:2:417
[CustomizableUI] Custom widget with id loop-button does not return a valid node
Last edited by barbaz on Thu Dec 03, 2015 11:34 pm, edited 1 time in total.
Reason: wrap console messages in code tags
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

antipop2

Re: NoScript and XSS attempt from [chrome]

Post by antipop2 » Wed Dec 02, 2015 2:20 pm

And here is another shortly thereafter:

Code: Select all

GET 
https://startpage.com/font/ProximaNova-Bold-webfont.woff2 [HTTP/1.1 200 OK 0ms]
GET
https://startpage.com/font/Arimo-Regular-webfont.woff2 [HTTP/1.1 200 OK 0ms]
POST
XHR
https://startpage.com/tbpu [HTTP/1.1 200 OK 66ms]
GET
https://startpage.com/font/OpenSans-Regular-webfont.woff [HTTP/1.1 200 OK 0ms]
Exception { message: "", result: 2153644038, name: "", filename: "https://startpage.com/js/extra_util…", lineNumber: 1, columnNumber: 0, inner: null, data: null, stack: "c@https://startpage.com/js/extra_ut…" }
Last edited by barbaz on Thu Dec 03, 2015 11:36 pm, edited 1 time in total.
Reason: wrap console messages in code tags
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0

barbaz
Senior Member
Posts: 9442
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript and XSS attempt from [chrome]

Post by barbaz » Wed Dec 02, 2015 9:59 pm

Unfortunately the NoScript XSS message is not there... Image
If what you posted is all you see, try increasing about:config > devtools.hud.loglimit.console to something bigger?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7

Post Reply