Help req'd with XSS configuration

dortmunder
Posts: 6
Joined: Tue Apr 18, 2017 7:43 pm

Help req'd with XSS configuration

Post by dortmunder »

Hi. Can anyone tell me how to configure NoScript so that I don't get popups on trusted sites? In the example attached, I'm still getting the popup despite having added to the exception list. Thank you!
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Help req'd with XSS configuration

Post by barbaz »

XSS exception might not be the right way to go. Without seeing the details of what was blocked, there's no telling whether it's safe to allow it.

Please remove the XSS exceptions you added, reproduce the warning again, then check the Browser Console (Ctrl-Shift-J) and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-

Re: Help req'd with XSS configuration

Post by dortmunder »

Hi barbaz. Wow, never seen that before. I think this is all the NoScript/ABE stuff, thanks for having a look:

Code:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/36828ret=html&phint=lbg.url=online.bankofscotland.co.uk/personal/logon/login.jsp, lbg.brand=BOS, lbg.division=Retail, lbg.journeyname=Log On, lbg.cookie=28147121db107629a701443668646375, lbg.amount=0, lbg.eventid=3CAFC3359FD5E55B82C1C0D5, lbg.productgroup=Authentication, lbg.productsubgroup=Password, __bk_t=Bank of Scotland - Welcome to internet banking, __bk_k=, __bk_pr=https://www.bankofscotland.co.uk/, __bk_l=https://online.bankofscotland.co.uk/personal/logon/login.jsp&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492547387649,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=66795979
(function anonymous() {
coalesced: lbg.brand=BOS, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://stags.bluekai.com/site/36828?ret=html&phint=lbg.url%3Donline.bankofscotland.co.uk%2Fpersonal%2Flogon%2Flogin.jsp&phint=lbg.brand%3DBOS&phint=lbg.division%3DRetail&phint=lbg.journeyname%3DLog%20On&phint=lbg.cookie%3D28147121db107629a701443668646375&phint=lbg.amount%3D0&phint=lbg.eventid%3D3CAFC3359FD5E55B82C1C0D5&phint=lbg.productgroup%3DAuthentication&phint=lbg.productsubgroup%3DPassword&phint=__bk_t%3DBank%20of%20Scotland%20-%20Welcome%20to%20internet%20banking&phint=__bk_k%3D&phint=__bk_pr%3Dhttps%3A%2F%2Fwww.bankofscotland.co.uk%2F&phint=__bk_l%3Dhttps%3A%2F%2Fonline.bankofscotland.co.uk%2Fpersonal%2Flogon%2Flogin.jsp&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492547387649,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=66795979] requested from [https://online.bankofscotland.co.uk/personal/logon/login.jsp]. Sanitized URL: [https://stags.bluekai.com/#8293643630628996434].

[ABE] < LOCAL> Deny on {GET https://127.0.0.1:63333/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:63333/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5900/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5900/.  check.js:26:156
XML Parsing Error: syntax error
Location: https://online.bankofscotland.co.uk/personal/marketing
Line Number 1, Column 1:  marketing:1:1
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5901/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5901/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5902/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5902/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5903/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5903/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:3389/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:3389/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5279/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5279/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5939/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5939/.
Last edited by barbaz on Tue Apr 18, 2017 8:42 pm, edited 1 time in total.
Reason: wrap console messages in code tags

Re: Help req'd with XSS configuration

Post by barbaz »

There are two NoScript-related things going on there. One is the XSS warning, which looks to me like a false positive, i.e. not actually dangerous. So this exception should do -

Code:

^https?://(?:[^/:]+\.)?bluekai\.com/

However, do note that bluekai is a tracker, nothing useful. So, to be safe, let's block those requests outright. Go to NoScript Options > Advanced > ABE > USER, and add this -

Code:

Site .bluekai.com
# Deny INC is to work around https://forums.informaction.com/viewtopic.php?f=23&t=18996
Deny INC
Deny

The second NoScript thing is that ABE is preventing the site from accessing 127.0.0.1, which is your own computer. Some bank sites require such connections, so I'm not sure whether you "should" be seeing that or not. Does your bank site work fine despite those warnings?
-
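Added example, not part of barbaz's post or of NoScript: a JavaScript check of which URLs the XSS exception pattern above exempts, compared against the parsed hostname. It assumes the pattern is tested against the full destination URL; the helper names and the sample URLs (other than the stags.bluekai.com one from the console output) are constructed for illustration.

```javascript
// Added example: which URLs does the XSS exception from this thread exempt?
// Sample URLs are constructed; *.example hosts are placeholders.
const EXCEPTION = /^https?:\/\/(?:[^\/:]+\.)?bluekai\.com\//;

// True when the parsed hostname is bluekai.com or one of its subdomains.
function isBluekaiHost(url) {
  const host = new URL(url).hostname.toLowerCase();
  return host === "bluekai.com" || host.endsWith(".bluekai.com");
}

// Compare the regex verdict with the real hostname for every URL.
// overbroad = the exception would exempt a host outside bluekai.com.
function auditException(pattern, urls) {
  return urls.map((url) => {
    const exempt = pattern.test(url);
    const onDomain = isBluekaiHost(url);
    return { url, exempt, onDomain, overbroad: exempt && !onDomain };
  });
}

const SAMPLE_URLS = [
  "https://stags.bluekai.com/site/36828?ret=html", // host seen in the thread
  "http://bluekai.com/",                           // bare domain, plain http
  "https://tags.bluekai.com:8443/site/1",          // explicit port: not covered
  "https://notbluekai.com/",                       // suffix lookalike
  "https://bluekai.com.tracker.example/",          // prefix lookalike
  "https://bluekai.com@tracker.example/",          // name in userinfo only
  "https://tracker.example/?u=https://stags.bluekai.com/", // name in query only
];

const report = auditException(EXCEPTION, SAMPLE_URLS);
for (const r of report) {
  console.log(`${r.exempt ? "EXEMPT  " : "filtered"} ${r.url}`);
}
console.log("over-broad matches:", report.filter((r) => r.overbroad).length);
```

The exception only covers bluekai.com and its subdomains on the default port; a URL with an explicit port still goes through the XSS filter.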

Re: Help req'd with XSS configuration

Post by dortmunder »

barbaz, thank you so much, you clearly know your stuff. Yes, the bank site works fine bar one thing - when I log off, I don't see the usual 'you have safely logged off' page. It's just a white screen but in the URL bar I can see the word logoff which I'm taking as a good sign. I haven't carried out your suggestions yet, I'll report back when I have. Thanks again.

Re: Help req'd with XSS configuration

Post by dortmunder »

Hi again. The warning popup has gone (nice!) and I still get the white screen on logoff along with this URL:
secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp?AWX [loads of letters and numbers...]

If we could fix the logoff issue you may have a virtual pint on me...

Re: Help req'd with XSS configuration

Post by barbaz »

Well, we can try an exception in ABE and see if anything different happens.

First log out of your bank.

Then, add the exception - NoScript Options > Advanced > ABE > SYSTEM, add *at the very top*

Code:

Site https://127.0.0.1:*
Accept from 127.0.0.1 https://online.bankofscotland.co.uk/*

If no joy, when the logout issue happens please post the messages from the Browser Console (Ctrl-Shift-J) as before.
-
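Added example, not part of the thread or of NoScript: a JavaScript parser for the [ABE] console messages posted earlier, listing for each requesting origin the 127.0.0.1 ports that ABE denied, which is the set of connections a SYSTEM exception like the one above would allow. The sample lines follow the thread's console output, with the bluekai query string shortened; the function names are hypothetical.

```javascript
// Added example: summarise NoScript ABE console messages by requesting origin.
// Line shape: [ABE] <SITE> ACTION [SCOPE] on {METHOD target <<< origin - N}
const ABE_LINE =
  /^\[ABE\]\s*<\s*([^>]+)>\s*(\w+)(?:\s+(\w+))?\s+on\s+\{(\w+)\s+(\S+)\s+<<<\s+(\S+)\s+-\s+\d+\}$/;

// Returns null for anything that is not an ABE decision line
// (rule text, "can't establish a connection" errors, and so on).
function parseAbeLine(line) {
  const m = ABE_LINE.exec(line.trim());
  if (!m) return null;
  const [, site, action, scope, method, target, origin] = m;
  return { site: site.trim(), action, scope: scope || null, method,
           target: new URL(target), origin: new URL(origin) };
}

// Map each requesting origin to the sorted loopback ports ABE denied for it.
function deniedLoopbackPorts(lines) {
  const byOrigin = {};
  for (const line of lines) {
    const e = parseAbeLine(line);
    if (!e || e.action !== "Deny" || e.target.hostname !== "127.0.0.1") continue;
    const port = Number(e.target.port || (e.target.protocol === "https:" ? 443 : 80));
    const key = e.origin.origin;
    if (!byOrigin[key]) byOrigin[key] = new Set();
    byOrigin[key].add(port); // Set drops repeated denials of the same port
  }
  const out = {};
  for (const [key, ports] of Object.entries(byOrigin)) {
    out[key] = [...ports].sort((a, b) => a - b);
  }
  return out;
}

const BANK = "https://online.bankofscotland.co.uk/modules/iframe_security.jspf";
const SAMPLE_LINES = [
  `[ABE] < LOCAL> Deny on {GET https://127.0.0.1:63333/ <<< ${BANK} - 1}`,
  "SYSTEM rule:",
  "Firefox can't establish a connection to the server at wss://127.0.0.1:63333/.",
  `[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5900/ <<< ${BANK} - 1}`,
  `[ABE] < LOCAL> Deny on {GET https://127.0.0.1:3389/ <<< ${BANK} - 1}`,
  `[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5939/ <<< ${BANK} - 1}`,
  `[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5900/ <<< ${BANK} - 1}`,
  // bluekai query string shortened for the example
  "[ABE] < .bluekai.com> Deny INCLUSION on {GET https://stags.bluekai.com/site/42842?ret=html <<< https://secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp - 7}",
];

console.log(deniedLoopbackPorts(SAMPLE_LINES));
```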

Re: Help req'd with XSS configuration

Post by dortmunder »

Good morning. The addition to NoScript Options > Advanced > ABE > SYSTEM, add *at the very top* had no effect on the logout situation.

The ABE/SYSTEM tab looks like this (not of my doing):
Site LOCAL
Accept from LOCAL
Deny

I'm no expert but the 'Deny' command seemed to be a contradiction to the previous commands so I deleted it – didn't have any effect though so I reinstated it. Here's the data you requested and thanks for your continued efforts:

Code:

[ABE] < .bluekai.com> Deny INCLUSION on {GET https://stags.bluekai.com/site/42842?ret=html&phint=lbg_url%3Dsecure.bankofscotland.co.uk%2Fpersonal%2Funauth%2Fpages%2Floggedoff.jsp&phint=lbg_brand%3DBOS&phint=lbg_division%3DRetail&phint=lbg_journeyaction%3DService%20Action%20Complete&phint=lbg_journeyname%3DLog%20Off&phint=lbg_cookie%3D28147121db107629a701443668646375&phint=lbg_eventid%3D3AAA70429A1E9D5B84887690&phint=lbg_platform%3Dauth&phint=lbg_environment%3Dsecure&phint=__bk_t%3DBank%20of%20Scotland%20-%20Logged%20Off&phint=__bk_k%3D&phint=__bk_pr%3Dhttps%3A%2F%2Fsecure.bankofscotland.co.uk%2Fpersonal%2Fa%2Faccount_details_ress%2FOWEGXWFPRK2YWZQLZMYOEV4742IGFNJR4B72U4RJ5A57PS25X3NA%2FWCCLTC6CDXY6UTQDQSBIAVWTD3VNBKWFCYB3YVA%2F62LCDBKEY6GJW%2F%2FHGNFXXQ4GBZOWSBZEAX3IVU4U3SPN4GAENHZNVTNV44MYLJLX75Q%2F&phint=__bk_l%3Dhttps%3A%2F%2Fsecure.bankofscotland.co.uk%2Fpersonal%2Funauth%2Fpages%2Floggedoff.jsp%3FAWXZA2H2XRJDHRVEMPXHEN75IF4DKVIUID3ZYXGOPTF4TNKIZ3CGORPDLCUX7JDPOBXPCIUTX7JTMRB4D7WG6GAAYKBLMNC4ND7ZSPVTODUVHIUPA2IQ&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492577187646,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=23537098 <<< https://secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp?AWXZA2H2XRJDHRVEMPXHEN75IF4DKVIUID3ZYXGOPTF4TNKIZ3CGORPDLCUX7JDPOBXPCIUTX7JTMRB4D7WG6GAAYKBLMNC4ND7ZSPVTODUVHIUPA2IQ - 7}
USER rule:
Site .bluekai.com
Deny INCLUSION
Deny
Last edited by barbaz on Wed Apr 19, 2017 6:34 am, edited 1 time in total.
Reason: wrap console messages in code tags

Re: Help req'd with XSS configuration

Post by barbaz »

Hmm. I think I would need to have that problem in front of me in order to help, and I don't even have an account there, sorry.

EDIT
I suppose you could test it in a new, clean profile with all defaults. If you don't see the problem there, install only NoScript latest development build, and import your NS settings into the clean profile (using the Import and Export buttons *on the very bottom* of NS Options). Do you see the problem now? If not, NoScript is not causing that issue; use Standard Diagnostic on your main profile to isolate the cause.

If you do try this, please let us know the results, thanks.
-

Re: Help req'd with XSS configuration

Post by dortmunder »

Hi barbaz. Ultimately, it's not that big an issue. I've just moved to Windows 10 and have been trying the Edge browser which has had a lot of good reviews. It's a fine browser but my main one will remain Firefox. However, I'm happy to use Edge for my banking.

Thanks very much for the time and trouble you've taken on my behalf, I really appreciate it.

Re: Help req'd with XSS configuration

Post by barbaz »

You're welcome.