NoScript XSS warning

Hannah_Payne
Posts: 5
Joined: Fri Jul 10, 2020 10:37 am

NoScript XSS warning

Post by Hannah_Payne »

Hi all,

I came across a NoScript XSS warning this morning while trying to access my college's email account. I have read some background information on cross-site scripting attacks after seeing this warning. If I block this potential attack with NoScript, how will I be able to access the college's account?

Thank you for your suggestions.

barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript XSS warning

Post by barbaz »

I can't see the screenshot, your link says "image not found".

Could you please copy and paste the full XSS warning text here?
*Always* check the changelogs BEFORE updating that important software!
-
Hannah_Payne
Posts: 5
Joined: Fri Jul 10, 2020 10:37 am

Re: NoScript XSS warning

Post by Hannah_Payne »

Hi barbaz,

Thank you for your reply. The warning is:


NoScript detected a potential Cross-Site Scripting attack

from [...] to https://login.microsoftonline.com.

Suspicious data:

(URL) https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office365.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=57288d7f-668c-41a8-a86e-fa2245b8142e&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&domain_hint=ic.ac.uk&nonce=637300239390009999.8bd5c4a8-c2c0-4910-af7c-cfcdde768ba9&state=DYtBDoAgDMBAzz5lMBkCe84YkhgPnozfd03aW71zbjUX06PF1UKVEBMxMSKyEVofh2ZpoEkRMu8IMquCTh3jrKV1YW_vFp9P4qVBNLz3Dw
Last edited by barbaz on Sat Jul 11, 2020 1:18 am, edited 1 time in total.
Reason: wrap XSS text in code tags
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript XSS warning

Post by barbaz »

I don't see anything that looks like XSS in there. False positive?

I notice this "XSS attempt" comes from "[...]". If you block it, does it actually break the site?
Hannah_Payne
Posts: 5
Joined: Fri Jul 10, 2020 10:37 am

Re: NoScript XSS warning

Post by Hannah_Payne »

Hi barbaz,

Thank you for your insight. I am not the admin of this site. Therefore, I will not be able to inspect what [...] is or the embedded code. Will I be able to block the [...] only, without admin access, while still being able to access my email account?

Thanks :)
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript XSS warning

Post by barbaz »

Hannah_Payne wrote: Sat Jul 11, 2020 1:57 pm Will I be able to block the [...] only without the admin access while being able to access my email account?
That is the exact question I am asking :) Can you select "Block this request" on the XSS dialog, to only block it the one time as a test, and let us know if it causes the site to not work?
Hannah_Payne
Posts: 5
Joined: Fri Jul 10, 2020 10:37 am

Re: NoScript XSS warning

Post by Hannah_Payne »

Thanks barbaz,

When I block this request using NoScript, I am not able to access the site at all. I haven't been able to check emails since getting this warning.
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: NoScript XSS warning

Post by barbaz »

Since it looks like a false positive, can you allow that request for now until Giorgio gets to this thread?
Hannah_Payne
Posts: 5
Joined: Fri Jul 10, 2020 10:37 am

Re: NoScript XSS warning

Post by Hannah_Payne »

Yes, will do, thank you for looking into this question!
GrK
Posts: 3
Joined: Sun Dec 26, 2021 9:01 am

Re: NoScript XSS warning

Post by GrK »

Are there any updates about this?

I'm getting a similar XSS pop-up when accessing Outlook on the web (or other Office365 services like Teams).

When I open https://outlook.office.com, it redirects (302) to https://outlook.office.com/owa. And https://outlook.office.com/owa redirects (302) to the https://login.microsoftonline.com page with the XSS warning.

When I enter https://outlook.office.com directly in the address bar, I get the warning with "from [...] to https://login.microsoftonline.com.".
If I click on a link to open https://outlook.office.com, I get the warning with "from <URL of the page containing the link> to https://login.microsoftonline.com.".
If I allow this page with the link to https://outlook.office.com in NoScript, I get the same XSS warning.

If I allow the request I get the expected login page. (But sometimes I have to allow the request multiple times.)

It looks like the XSS warning is triggered by the claims parameter in the URL. (If I remove the claims parameter, I don't get the XSS warning.)
Is this a false positive or should I add an Anti-XSS Protection Exception (noscript.net/faq#qa4_4) to remove the XSS warning?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript XSS warning

Post by Giorgio Maone »

GrK wrote: Sun Dec 26, 2021 9:39 am Are there any updates about this?
[....]
It looks like the XSS warning is triggered by the claims parameter in the URL.
Could you check whether this still happens in latest development build 11.2.12rc5, which fixes a bunch of XSS-related issues?

If it does, could you please share this claim parameter for me to check?

Either way, it does sound like a false positive that you can work around by using the permanent allow choice in the XSS warning dialog.
GrK
Posts: 3
Joined: Sun Dec 26, 2021 9:01 am

Re: NoScript XSS warning

Post by GrK »

Thank you for your reaction.

Unfortunately I still get the XSS warning with the development builds (I tried 11.2.12rc5 and 11.2.16rc2).

The claims parameter is "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d".

What happens is: I try to open https://outlook.office.com, it redirects to https://outlook.office.com/owa/. And https://outlook.office.com/owa/ redirects to https://login.microsoftonline.com/commo ... uiv1d6v55- . This triggers the XSS warning.

Also, when I open this URL directly, I get the XSS warning. But when I open https://login.microsoftonline.com/commo ... uiv1d6v55- (same URL, but with the claims parameter removed) I get the expected login page. This was tested with NoScript version 11.2.15.

PS. I allow javascript from microsoftonline.com, msauth.net and msftauth.net.
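To see why the claims parameter was a plausible false-positive trigger, the following added example (written for this edit; it is not NoScript's detector and not Microsoft's code) rebuilds the authorize URL from the values quoted in the thread, extracts and percent-decodes the claims parameter, and checks two things: that it parses as the Azure AD client-capabilities claims request ({"id_token":{"xms_cc":{"values":[...]}}}) and that it contains none of the markup or URL-scheme tokens a reflected-XSS filter normally reacts to. The URL is constructed from the quoted parameters (state and nonce omitted), and the SCRIPT_LIKE pattern is an assumed, simplified heuristic, not the rule NoScript uses.

```javascript
// Added example, not code from NoScript or Microsoft.
// Constructed from the parameters quoted in this thread; state/nonce omitted.

// Percent-encoded claims value exactly as reported by GrK.
const CLAIMS_ENCODED =
  "%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d";

const AUTHORIZE_URL =
  "https://login.microsoftonline.com/common/oauth2/authorize" +
  "?client_id=00000002-0000-0ff1-ce00-000000000000" +
  "&redirect_uri=https://outlook.office365.com/owa/" +
  "&response_mode=form_post&response_type=code+id_token&scope=openid" +
  "&claims=" + CLAIMS_ENCODED +
  "&domain_hint=ic.ac.uk";

// Extract the claims parameter; URL.searchParams percent-decodes it.
function getClaimsParam(url) {
  return new URL(url).searchParams.get("claims");
}

// Validate the decoded value against the claims-request shape Azure AD
// uses for client capabilities. Returns the capability list, or null if
// the value is missing, not JSON, or not of that shape.
function parseClaims(raw) {
  if (raw === null) return null;
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  const values = obj?.id_token?.xms_cc?.values;
  if (!Array.isArray(values) || !values.every((v) => typeof v === "string")) {
    return null;
  }
  return values;
}

// Assumed, simplified heuristic (NOT NoScript's actual XSS filter):
// tags, script/data URL schemes, and inline event-handler attributes.
const SCRIPT_LIKE = /<\s*\/?\s*[a-z]|javascript:|data:|\bon[a-z]+\s*=/i;

function looksScriptLike(text) {
  return SCRIPT_LIKE.test(text);
}

// Summarise what a filter sees in the claims parameter of a given URL.
function inspect(url) {
  const raw = getClaimsParam(url);
  return {
    raw,                                   // decoded JSON text
    capabilities: parseClaims(raw),        // ["CP1"] for the reported URL
    scriptLike: raw !== null && looksScriptLike(raw),
  };
}

console.log(inspect(AUTHORIZE_URL));
```

The decoded value is well-formed JSON with brackets, quotes and colons but no tags, schemes or handler attributes; the only thing "suspicious" about it is that structured data is being carried unencoded in a query string, which is what a heuristic keyed on brace and quote density would trip on.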
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript XSS warning

Post by Giorgio Maone »

Thanks for your report.
It should be fixed in latest development build, please check:
v 11.2.16rc3
============================================================
x [XSS] Fix false positive on Microsoft authentication
(thanks GrK and Hanna_Payne for reporting)
GrK
Posts: 3
Joined: Sun Dec 26, 2021 9:01 am

Re: NoScript XSS warning

Post by GrK »

Thank you!

The XSS warning on https://outlook.office.com is gone when I use the development build.