XSS : really ?

Ask for help about NoScript, no registration needed to post
Gloops
Posts: 14
Joined: Wed Nov 25, 2015 5:39 pm

XSS : really ?

Post by Gloops »

Hello everybody,

NoScript showed me something very, very strange indeed, in Firefox 56 on Windows 10.
Allegedly, a script from tripadvisor.fr called by tripadvisor.fr is cross-site scripting, and is blocked as such.

http://www.cjoint.com/doc/17_11/GKswm4H20Wu_xss.jpg

Oh... really?

In fact, the console shows the address where the script is hosted:

https://p.smartertravel.com/ext/partner/tripadvisor/tripadvisor-hosted.min.js

And with that, knowing how that site works, aggregating information from very varied sources (hotels, accommodations...), you can decide that the cross-site scripting is legitimate.

Sorry about the picture: the right part of it is truncated in the forum, which is why I added the address where it is hosted.
Last edited by Gloops on Sat Nov 18, 2017 10:34 pm, edited 1 time in total.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS : really ?

Post by barbaz »

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
Gloops
Posts: 14
Joined: Wed Nov 25, 2015 5:39 pm

Re: XSS : really ?

Post by Gloops »

Oh, you are really reactive :)

I filtered the console on "trip" and found this:


[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/17576ret=html&phint=__bk_l=https://www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html, uuid=eUVdsGU58lCqAtet6JbEADxYmIQ/OBcJ5J5Wy5ZxpxDPA+1+0U9IsA==, ServletName=VacationRentalReview, Calendar_a=2, Calendar_c=0, POS=fr, p2p_geos_viewed=2, p2p_geos_countries_viewed=1, p2p_geos_us_states_viewed=0, seg=last_minute, semuv_fb=17, HotelPriceTier=upscale, HotelType=vr, HotelType=Rental Home, HotelID=d1870201, HotelRating=5.0, p2p_hotels_viewed=1, p2p_hotels_viewed_in_geo=1, Zone=eu.france.ile.de.france, GeoID=196586, Calendar=days_to_trip_11, Calendar=start_wed, Calendar=stay_duration_1, Calendar=end_thu, Calendar_Month=nov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726
(function anonymous(
) {
www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html, uuid=eUVdsGU58lCqAtet6JbEADxYmIQ /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Nettoyé requête suspicieuse. URL originale [https://tags.bluekai.com/site/17576?ret=html&phint=__bk_l%3Dhttps%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html&phint=uuid%3DeUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%3D%3D&phint=ServletName%3DVacationRentalReview&phint=Calendar_a%3D2&phint=Calendar_c%3D0&phint=POS%3Dfr&phint=p2p_geos_viewed%3D2&phint=p2p_geos_countries_viewed%3D1&phint=p2p_geos_us_states_viewed%3D0&phint=seg%3Dlast_minute&phint=semuv_fb%3D17&phint=HotelPriceTier%3Dupscale&phint=HotelType%3Dvr&phint=HotelType%3DRental%20Home&phint=HotelID%3Dd1870201&phint=HotelRating%3D5.0&phint=p2p_hotels_viewed%3D1&phint=p2p_hotels_viewed_in_geo%3D1&phint=Zone%3Deu.france.ile.de.france&phint=GeoID%3D196586&phint=Calendar%3Ddays_to_trip_11&phint=Calendar%3Dstart_wed&phint=Calendar%3Dstay_duration_1&phint=Calendar%3Dend_thu&phint=Calendar_Month%3Dnov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726] demandée depuis [https://www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html]. 
URL nettoyée : [https://tags.bluekai.com/site/17576?ret=html&phint=__bk_l%20https%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html&phint=uuid%20eUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%20%20&phint=ServletName%20VacationRentalReview&phint=Calendar_a%202&phint=Calendar_c%200&phint=POS%20fr&phint=p2p_geos_viewed%202&phint=p2p_geos_countries_viewed%201&phint=p2p_geos_us_states_viewed%200&phint=seg%20last_minute&phint=semuv_fb%2017&phint=HotelPriceTier%20upscale&phint=HotelType%20vr&phint=HotelType%20Rental%20Home&phint=HotelID%20d1870201&phint=HotelRating%205.0&phint=p2p_hotels_viewed%201&phint=p2p_hotels_viewed_in_geo%201&phint=Zone%20eu.france.ile.de.france&phint=GeoID%20196586&phint=Calendar%20days_to_trip_11&phint=Calendar%20start_wed&phint=Calendar%20stay_duration_1&phint=Calendar%20end_thu&phint=Calendar_Month%20nov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726#2770989401788916347].
Échec du chargement pour l’élément <script> dont la source est « https://p.smartertravel.com/ext/partner/tripadvisor/tripadvisor-hosted.min.js ».  smarter_trav
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS : really ?

Post by barbaz »

That XSS warning is actually related to bluekai, which is a tracking site. If the message bothers you, you can make an XSS exception for it and block it with ABE.

This has come up before, in the context of Tripadvisor freezing, and here's the workaround we came up with - https://forums.informaction.com/viewtop ... 449#p89449
*Always* check the changelogs BEFORE updating that important software!
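barbaz's point above (the warning concerns the bluekai request, not the smartertravel script) can be checked against the console message Gloops posted. The Python script below is an added example, not NoScript code or anything from the thread: it parses a `[NoScript XSS]` message, pairs the query parameters of the original and cleaned URLs, and reports what the filter actually rewrote. The log text is a constructed, shortened copy of the message in the thread, and the regex and function names are my own assumptions.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: shortened copy of the "[NoScript XSS]" message in the thread
# (two phint parameters kept, TripAdvisor path cut down); not a real NoScript run.
SAMPLE_LOG = (
    "[NoScript XSS] Nettoyé requête suspicieuse. URL originale "
    "[https://tags.bluekai.com/site/17576?ret=html"
    "&phint=__bk_l%3Dhttps%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586.html"
    "&phint=uuid%3DeUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%3D%3D"
    "&limit=4&bknms=ver=2.0,k=1&r=11825726] demandée depuis "
    "[https://www.tripadvisor.fr/VacationRentalReview-g196586.html]. \n"
    "URL nettoyée : [https://tags.bluekai.com/site/17576?ret=html"
    "&phint=__bk_l%20https%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586.html"
    "&phint=uuid%20eUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%20%20"
    "&limit=4&bknms=ver=2.0,k=1&r=11825726#2770989401788916347]."
)
# Hypothetical pattern for the French-localised message as shown in the thread.
LOG_RE = re.compile(r"URL originale \[(?P<orig>[^\]]+)\] demandée depuis \[(?P<page>[^\]]+)\]"
                    r".*?URL nettoyée : \[(?P<clean>[^\]]+)\]", re.DOTALL)

def parse_xss_log(text):
    """Return (original_url, requesting_page, cleaned_url) from the message."""
    m = LOG_RE.search(text)
    if not m:
        raise ValueError("not a NoScript XSS sanitisation message")
    return m.group("orig"), m.group("page"), m.group("clean")

def query_params(url):
    # keep_blank_values: a parameter the filter emptied entirely must still show up
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)

def sanitised_params(original, cleaned):
    """Pair parameters by position; list (name, before, after, swapped) for each one
    the filter rewrote. swapped = sorted (old, new) chars, or None if length changed."""
    changes = []
    for (name, before), (_, after) in zip(query_params(original), query_params(cleaned)):
        if before != after:
            swapped = None
            if len(before) == len(after):
                swapped = sorted({(b, a) for b, a in zip(before, after) if b != a})
            changes.append((name, before, after, swapped))
    return changes

def triage(text):
    original, page, cleaned = parse_xss_log(text)
    target, requester = urlsplit(original).hostname, urlsplit(page).hostname
    return {
        "target_host": target, "page_host": requester,
        "cross_site": target != requester,  # plain host compare, not eTLD+1
        "changed": sanitised_params(original, cleaned),
    }
```

On the sample it reports that only the two phint values had `=` replaced by a space, while bknms, whose value also contains `=` characters, was left untouched, which matches the full message in the thread.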
Gloops
Posts: 14
Joined: Wed Nov 25, 2015 5:39 pm

Re: XSS : really ?

Post by Gloops »

Oh, it was more serious than I thought?
Going to see that...
My point was about the content of the message. There is room on the screen to display where the script comes from. With some experience, it could help determine more quickly whether the XSS is OK.
Although I have to admit my reaction was not the right one.
In fact, as I just wanted some information, I did not remove the filter.