NoScript XSS warning
- Posts: 5
- Joined: Fri Jul 10, 2020 10:37 am
NoScript XSS warning
Hi all,
I came across a NoScript XSS warning this morning while trying to access my College's email account. I have read some background information on cross-site scripting attacks after seeing this warning. If I block this potential attack with NoScript, how will I be able to access the College's account?
Thank you for your suggestions.
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Re: NoScript XSS warning
I can't see the screenshot, your link says "image not found".
Could you please copy&paste the full XSS warning text here?
*Always* check the changelogs BEFORE updating that important software!
Re: NoScript XSS warning
Hi barbaz,
Thank you for your reply. The warning is:
Code:
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://login.microsoftonline.com.
Suspicious data:
(URL) https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office365.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=57288d7f-668c-41a8-a86e-fa2245b8142e&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&domain_hint=ic.ac.uk&nonce=637300239390009999.8bd5c4a8-c2c0-4910-af7c-cfcdde768ba9&state=DYtBDoAgDMBAzz5lMBkCe84YkhgPnozfd03aW71zbjUX06PF1UKVEBMxMSKyEVofh2ZpoEkRMu8IMquCTh3jrKV1YW_vFp9P4qVBNLz3Dw
Last edited by barbaz on Sat Jul 11, 2020 1:18 am, edited 1 time in total.
Reason: wrap XSS text in code tags
Re: NoScript XSS warning
I don't see anything that looks like XSS in there. False positive?
I notice this "XSS attempt" comes from "[...]". If you block it, does it actually break the site?
Re: NoScript XSS warning
Hi barbaz,
Thank you for your insight. I am not the admin of this site. Therefore, I will not be able to inspect what is [...] or the embedded code. Will I be able to block the [...] only without the admin access while being able to access my email account?
Thanks
Re: NoScript XSS warning
Hannah_Payne wrote: Sat Jul 11, 2020 1:57 pm
Will I be able to block the [...] only without the admin access while being able to access my email account?
That is the exact question I am asking. Can you select "Block this request" on the XSS dialog, to only block it the one time as a test, and let us know if it causes the site to not work?
Re: NoScript XSS warning
Thanks barbaz,
When I block this request using NoScript, I am not able to access the site at all. I haven't been able to check emails since getting this warning.
Re: NoScript XSS warning
Since it looks like a false positive, can you allow that request for now until Giorgio gets to this thread?
Re: NoScript XSS warning
Yes, will do, thank you for looking into this question!
Re: NoScript XSS warning
Are there any updates about this?
I'm getting a similar XSS pop-up when accessing Outlook on the web (or other Office365 services like Teams).
When I open https://outlook.office.com, it redirects (302) to https://outlook.office.com/owa. And https://outlook.office.com/owa redirects (302) to the https://login.microsoftonline.com page with the XSS warning.
When I enter https://outlook.office.com directly in the address bar, I get the warning with "from [...] to https://login.microsoftonline.com.".
If I click on a link to open https://outlook.office.com, I get the warning with "from <URL of the page containing the link> to https://login.microsoftonline.com.".
If I allow this page with the link to https://outlook.office.com in NoScript, I get the same XSS warning.
If I allow the request I get the expected login page. (But sometimes I have to allow the request multiple times.)
It looks like the XSS warning is triggered by the claims parameter in the URL. (If I remove the claims parameter, I don't get the XSS warning.)
Is this a false positive or should I add an Anti-XSS Protection Exception (noscript.net/faq#qa4_4) to remove the XSS warning?
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: NoScript XSS warning
Could you check whether this still happens in latest development build 11.2.12rc5, which fixes a bunch of XSS-related issues?
If it does, could you please share this claim parameter for me to check?
Either way, it does sound like a false positive that you can work around by using the permanent allow choice in the XSS warning dialog.
Re: NoScript XSS warning
Thank you for your reaction.
Unfortunately I still get the XSS warning with the development builds (I tried 11.2.12rc5 and 11.2.16rc2).
The claims parameter is "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d".
What happens is: I try to open https://outlook.office.com, it redirects to https://outlook.office.com/owa/. And https://outlook.office.com/owa/ redirects to https://login.microsoftonline.com/commo ... uiv1d6v55- . This triggers the XSS warning.
Also when I open this URL directly, I get the XSS warning. But when I open https://login.microsoftonline.com/commo ... uiv1d6v55- (same URL, but with the claims parameter removed) I get the expected login page. This is tested with NoScript version 11.2.15.
PS. I allow javascript from microsoftonline.com, msauth.net and msftauth.net.
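The claims parameter that triggers the warning is a URL-encoded JSON object, and the evidence in this thread (removing it makes the warning go away) points at the filter reacting to its quotes and braces rather than to anything that could run as script. The block below is an added example, not NoScript's own detector and not code from anyone in this thread. It decodes the query string of the authorize URL quoted above (only a subset of its parameters is reproduced, and the long state value is left out) and runs two toy heuristics over every parameter: a naive one that flags any quote, brace or angle bracket, and a markup-aware one that flags only tag starts, on*= event handlers and script-bearing URL schemes. The injection probe at the end is a constructed test input, not something observed on the site.

```javascript
"use strict";
// Added example, not NoScript's code: decode the query parameters of the
// login.microsoftonline.com authorize URL quoted in this thread and run two
// toy anti-XSS heuristics over them. The point is to show why a JSON-valued
// parameter such as `claims` trips a quote/brace heuristic while a
// markup-aware check lets it through and still catches a real injection probe.

// Subset of the URL posted in the thread (state, resource, msafed,
// client-request-id and protectedtoken omitted for brevity).
const AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/authorize" +
  "?client_id=00000002-0000-0ff1-ce00-000000000000" +
  "&redirect_uri=https://outlook.office365.com/owa/" +
  "&response_mode=form_post&response_type=code+id_token&scope=openid" +
  "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d" +
  "&domain_hint=ic.ac.uk" +
  "&nonce=637300239390009999.8bd5c4a8-c2c0-4910-af7c-cfcdde768ba9";

// Constructed probe (not observed on the site): the attribute-breakout shape a
// reflected-XSS filter must catch.
const PROBE = 'x"><img src=x onerror=alert(1)>';

// URLSearchParams undoes %xx escapes and turns '+' into a space, so each value
// is what the receiving page would actually see.
function decodeParams(url) {
  const out = {};
  for (const [name, value] of new URL(url).searchParams) out[name] = value;
  return out;
}

// Heuristic A (naive): any quote, bracket, brace or angle bracket is suspicious.
const NAIVE_META = /["'<>(){}]/;
function naiveFlag(value) {
  return NAIVE_META.test(value);
}

// Heuristic B (markup-aware): only things that can open a tag, attach an
// event handler, or smuggle a script-bearing scheme count.
const TAG_START = /<\s*\/?[a-z!?]/i;
const EVENT_HANDLER = /\bon[a-z]+\s*=/i;
const SCRIPT_SCHEME = /^\s*(javascript|data|vbscript)\s*:/i;
function markupFlag(value) {
  return TAG_START.test(value) || EVENT_HANDLER.test(value) || SCRIPT_SCHEME.test(value);
}

// True when the value is a JSON object or array: structured data that a
// filter should inspect leaf by leaf rather than reject for its punctuation.
function isJsonContainer(value) {
  try {
    const parsed = JSON.parse(value);
    return parsed !== null && typeof parsed === "object";
  } catch {
    return false;
  }
}

function classifyValue(value) {
  return { naive: naiveFlag(value), markupAware: markupFlag(value), json: isJsonContainer(value) };
}

// Per-parameter verdicts for a whole URL.
function classify(url) {
  const report = {};
  for (const [name, value] of Object.entries(decodeParams(url))) {
    report[name] = classifyValue(value);
  }
  return report;
}

console.log(JSON.stringify(classify(AUTHORIZE_URL), null, 2));
console.log("probe:", JSON.stringify(classifyValue(PROBE)));
```

Run with node: the claims entry comes out naive=true, markupAware=false, json=true; every other parameter of the thread's URL is clean under both checks; the probe is flagged by both. The markup-aware rule still fires when a tag is hidden inside a JSON string value, so the JSON shape alone is not what makes the claims value safe, the absence of markup in it is.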
Re: NoScript XSS warning
Thanks for your report.
It should be fixed in latest development build, please check:
v 11.2.16rc3
============================================================
x [XSS] Fix false positive on Microsoft authentication
(thanks GrK and Hanna_Payne for reporting)