Hello everybody,
NoScript showed me something very, very strange indeed, in Firefox 56 on Windows 10.
Allegedly, a script from tripadvisor.fr, called by tripadvisor.fr, is cross-site scripting, and it was blocked as such.
http://www.cjoint.com/doc/17_11/GKswm4H20Wu_xss.jpg
Oh... really?
In fact, the console shows the address where the script is hosted:
https://p.smartertravel.com/ext/partner/tripadvisor/tripadvisor-hosted.min.js
And with that, knowing how that site works, aggregating information from many different sources (hotels, accommodations...), you can decide that the cross-site scripting is legitimate.
Sorry about the picture: the right part of it is truncated in the forum, which is why I added the address where it is hosted.
XSS: really?
Last edited by Gloops on Sat Nov 18, 2017 10:34 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Re: XSS: really?
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
-
Re: XSS: really?
Oh, you are really responsive.
I filtered the console on "trip" and found this:
[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/17576ret=html&phint=__bk_l=https://www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html, uuid=eUVdsGU58lCqAtet6JbEADxYmIQ/OBcJ5J5Wy5ZxpxDPA+1+0U9IsA==, ServletName=VacationRentalReview, Calendar_a=2, Calendar_c=0, POS=fr, p2p_geos_viewed=2, p2p_geos_countries_viewed=1, p2p_geos_us_states_viewed=0, seg=last_minute, semuv_fb=17, HotelPriceTier=upscale, HotelType=vr, HotelType=Rental Home, HotelID=d1870201, HotelRating=5.0, p2p_hotels_viewed=1, p2p_hotels_viewed_in_geo=1, Zone=eu.france.ile.de.france, GeoID=196586, Calendar=days_to_trip_11, Calendar=start_wed, Calendar=stay_duration_1, Calendar=end_thu, Calendar_Month=nov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726
(function anonymous(
) {
www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html, uuid=eUVdsGU58lCqAtet6JbEADxYmIQ /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://tags.bluekai.com/site/17576?ret=html&phint=__bk_l%3Dhttps%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html&phint=uuid%3DeUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%3D%3D&phint=ServletName%3DVacationRentalReview&phint=Calendar_a%3D2&phint=Calendar_c%3D0&phint=POS%3Dfr&phint=p2p_geos_viewed%3D2&phint=p2p_geos_countries_viewed%3D1&phint=p2p_geos_us_states_viewed%3D0&phint=seg%3Dlast_minute&phint=semuv_fb%3D17&phint=HotelPriceTier%3Dupscale&phint=HotelType%3Dvr&phint=HotelType%3DRental%20Home&phint=HotelID%3Dd1870201&phint=HotelRating%3D5.0&phint=p2p_hotels_viewed%3D1&phint=p2p_hotels_viewed_in_geo%3D1&phint=Zone%3Deu.france.ile.de.france&phint=GeoID%3D196586&phint=Calendar%3Ddays_to_trip_11&phint=Calendar%3Dstart_wed&phint=Calendar%3Dstay_duration_1&phint=Calendar%3Dend_thu&phint=Calendar_Month%3Dnov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726] requested from [https://www.tripadvisor.fr/VacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html].
Sanitized URL: [https://tags.bluekai.com/site/17576?ret=html&phint=__bk_l%20https%3A%2F%2Fwww.tripadvisor.fr%2FVacationRentalReview-g196586-d1870201-Stylish_Paris_Houseboat-Puteaux_La_Defense_Hauts_de_Seine_Ile_de_France.html&phint=uuid%20eUVdsGU58lCqAtet6JbEADxYmIQ%2FOBcJ5J5Wy5ZxpxDPA%2B1%2B0U9IsA%20%20&phint=ServletName%20VacationRentalReview&phint=Calendar_a%202&phint=Calendar_c%200&phint=POS%20fr&phint=p2p_geos_viewed%202&phint=p2p_geos_countries_viewed%201&phint=p2p_geos_us_states_viewed%200&phint=seg%20last_minute&phint=semuv_fb%2017&phint=HotelPriceTier%20upscale&phint=HotelType%20vr&phint=HotelType%20Rental%20Home&phint=HotelID%20d1870201&phint=HotelRating%205.0&phint=p2p_hotels_viewed%201&phint=p2p_hotels_viewed_in_geo%201&phint=Zone%20eu.france.ile.de.france&phint=GeoID%20196586&phint=Calendar%20days_to_trip_11&phint=Calendar%20start_wed&phint=Calendar%20stay_duration_1&phint=Calendar%20end_thu&phint=Calendar_Month%20nov&limit=4&bknms=ver=2.0,ua=f72a161c80e471c10c9c3c87702e5929,t=1511043025136,m=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,k=1,lang=a488ae48069711280697112806971128,sr=1252x704x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=3ef34a5b473b735a6bcc3d2a6bcc3d2a,notrack=,plugins=4b4e4ecaab1f1c93ab1f1c93ab1f1c93&r=11825726#2770989401788916347].
Loading failed for the <script> with source "https://p.smartertravel.com/ext/partner/tripadvisor/tripadvisor-hosted.min.js". smarter_trav
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Re: XSS: really?
That XSS warning is actually related to bluekai, which is a tracking site. If the message bothers you, you can make an XSS exception for it and block it with ABE.
This has come up before, in the context of Tripadvisor freezing, and here's the workaround we came up with - https://forums.informaction.com/viewtop ... 449#p89449
*Always* check the changelogs BEFORE updating that important software!
-
Re: XSS: really?
Oh, it was more serious than I thought?
Going to see that ...
My point was about the content of the message. There is room on the screen to display where the script comes from. With some experience, it could help to determine more quickly whether the XSS is OK.
Although I have to admit my reaction was not the right one.
In fact, as I just wanted some information, I did not remove the filter.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0