[RESOLVED] Potential Cross-site scripting notification

Lplate
Posts: 9
Joined: Thu Jul 14, 2016 2:22 pm

[RESOLVED] Potential Cross-site scripting notification

Post by Lplate »

Hi,

I keep getting a potential cross-site scripting (XSS) notification when I log into my live.com email. Unfortunately I do not have the technical know-how to work out what is causing this or to interpret the information provided by the console. At least NoScript is doing the business but I am not sure how concerned I need to be. I would appreciate any help in solving this problem. My PC skills are fairly basic.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-site scripting notification

Post by barbaz »

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
Lplate
Posts: 9
Joined: Thu Jul 14, 2016 2:22 pm

Re: Potential Cross-site scripting notification

Post by Lplate »

Hi, thanks for your response. I think I have located the relevant details in the console. The section starts '[NoScript XSS] Sanitised suspicious upload to.......'

As I do not understand their significance, before I post the section in full, are there any possible security concerns in posting them that I need to be aware of? I noticed a similar post raising this question.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-site scripting notification

Post by barbaz »

It just depends on how sensitive the site on which you get the XSS message is, whether posting it publicly is likely going to be a security problem for you or not. The reason being that the URLs and/or other data in the console messages might contain personal information (or, if you're logged in to the site, some token(s) relating to your logged-in session - but on a properly designed site those will be voided when you log out).

No one else can decide it for you.
*Always* check the changelogs BEFORE updating that important software!
-
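Added example, not part of any post in this thread and not NoScript's own code: one way to strip query values, fragments and e-mail addresses from console text before pasting it publicly, while keeping parameter names so a helper can still see the shape of the request. The sample line is constructed; only its "[NoScript XSS] Sanitised suspicious upload to" prefix is quoted in this thread, and the function names and `.test` hostnames are assumptions.

```javascript
// Redact console text before sharing it. Runs in Node.js or a browser console.
const URL_RE = /https?:\/\/[^\s"'<>\]]+/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Constructed sample line (not real NoScript output beyond the quoted prefix).
const SAMPLE =
  "[NoScript XSS] Sanitised suspicious upload to " +
  "https://mail.example.test/inbox?sid=4f9a1c&user=alice%40example.test#frag " +
  "from https://chat.example.test/frame?token=abc123";

function redactUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    // If it cannot be parsed, do not risk leaking any of it.
    return "[unparseable-url-removed]";
  }
  // Keep each parameter name once, drop every value (session ids, tokens, addresses).
  const names = [...new Set(u.searchParams.keys())];
  const query = names.length
    ? "?" + names.map((n) => `${encodeURIComponent(n)}=REDACTED`).join("&")
    : "";
  const fragment = u.hash ? "#REDACTED" : "";
  // u.host excludes any user:password@ part, so embedded credentials are dropped too.
  return `${u.protocol}//${u.host}${u.pathname}${query}${fragment}`;
}

function redactConsoleText(text) {
  // URLs first, then any e-mail address left in the surrounding message or a path.
  return text.replace(URL_RE, redactUrl).replace(EMAIL_RE, "[email-redacted]");
}

console.log(redactConsoleText(SAMPLE));
```

Path segments are left as they are, so read the result once more for account identifiers before posting it.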
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Potential Cross-site scripting notification

Post by Thrawn »

You can also send it to a moderator via private message. Which may be a good idea anyway, because XSS filter messages often contain a lot of special characters that the forum spam filter may not like.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Lplate
Posts: 9
Joined: Thu Jul 14, 2016 2:22 pm

Re: Potential Cross-site scripting notification

Post by Lplate »

Hi, thanks for the latest reply. Yes, private message is probably the best option. However I think a person needs to be registered to do so. My attempt to register, or rather sign in, hit a problem as my password, or what I thought was my password, was rejected. When I tried to reset my details, the user name and email address could not be found. This despite both being valid, as I had received the activation email. I posted about this using this temporary username (my 'official' one, Lplate, I already registered so I cannot use it!). I was advised to contact Giorgio Maone by email to sort this but have so far received no reply. So I seem to be stuck as far as private message is concerned. Bit of a nightmare really.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-site scripting notification

Post by barbaz »

This: viewtopic.php?f=7&t=22012

I'll try contacting Giorgio about the account.
*Always* check the changelogs BEFORE updating that important software!
-
Lplate
Posts: 9
Joined: Thu Jul 14, 2016 2:22 pm

Re: Potential Cross-site scripting notification

Post by Lplate »

Hi, thanks for the responses. I am now logged in OK with my registered username and will send the relevant script to a moderator via private message. UPDATE: The sanitised cross site entry that is notified when I log into my live.com email emanates from an interaction with Skype. I have belatedly worked out that if I block Skype the notification does not appear. I do not have any need to use Skype so I will just leave it blocked. The app came installed with Windows 10. The interaction may be harmless, and just part of the syncing Microsoft want to achieve with Windows 10 and the new outlook.com. So there may be no need to send the script to a moderator for analysis.
Last edited by Lplate on Wed Jul 20, 2016 6:22 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-site scripting notification

Post by barbaz »

(Since you can now access your account, I've fixed the Guest posts you made in this thread to be under your account as well.)
*Always* check the changelogs BEFORE updating that important software!
-
Lplate
Posts: 9
Joined: Thu Jul 14, 2016 2:22 pm

Re: Potential Cross-site scripting notification

Post by Lplate »

Ok. Thanks.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Potential Cross-site scripting notification

Post by barbaz »

Lplate wrote: UPDATE: The sanitised cross site entry that is notified when I log into my live.com email emanates from an interaction with Skype. I have belatedly worked out that if I block Skype the notification does not appear. I do not have any need to use Skype so I will just leave it blocked. The app came installed with Windows 10. The interaction may be harmless, and just part of the syncing Microsoft want to achieve with Windows 10 and the new outlook.com.
Just saw this. Thank you for posting your findings and glad you got it resolved.
Lplate wrote: So there may be no need to send the script to a moderator for analysis.
No need to send to us now that you know the cause and fixed it.
*Always* check the changelogs BEFORE updating that important software!
-