Does NoScript protect us here?

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Does NoScript protect us here?

Post by luntrus » Sun May 31, 2009 10:45 pm

Hi users of NoScript,

Re: http://forum.avast.com/index.php?topic= ... #msg383401

This vulnerability was found:

 http://www.avast.nl/web/index.php?pageId=33&mode="><script>alert(String.fromCharCode(88,83,83))</script>

by MethodMan

Firekeeper alerts like mad when I try to enter this request in Google:

<script>alert(String.fromCharCode(88,83,83))</script>

XSS & iframe injection flaw.
This should be covered by NoScript, is that so?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 Shiretoko/3.5pre

Giorgio Maone
Site Admin
Posts: 8934
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Does NoScript protect us here?

Post by Giorgio Maone » Sun May 31, 2009 11:16 pm

Yes, that's a basic XSS PoC.
It's innocuous if you've got JavaScript disabled on that page, but if you've got it enabled it's immediately detected and neutralized by NoScript's XSS protection.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
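An added example, not part of the original posts and not the affected site's code: the `mode` value from the PoC URL quoted in this thread, rendered through an assumed vulnerable template and through a version that HTML-encodes it. The host `site.example`, the `<input>` template and all function names are constructed for illustration.

```javascript
// Constructed sample: the thread's PoC query string on a placeholder host.
const POC_URL = 'http://site.example/web/index.php?pageId=33&mode=' +
  '"><script>alert(String.fromCharCode(88,83,83))</script>';

// What a server-side handler would read from the query string.
function modeFromUrl(url) {
  return new URL(url).searchParams.get('mode') || '';
}

// Assumed vulnerable template: raw value inside a double-quoted attribute.
function renderUnsafe(mode) {
  return '<input type="hidden" name="mode" value="' + mode + '">';
}

// Hardened template: HTML-encode the value before it reaches the attribute.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}
function renderSafe(mode) {
  return '<input type="hidden" name="mode" value="' + escapeHtml(mode) + '">';
}

// Tiny tag scanner (not a full HTML parser): lists the tags that would be
// opened or closed, skipping anything inside quoted attribute values.
function tagNames(html) {
  const names = [];
  let i = 0;
  while ((i = html.indexOf('<', i)) !== -1) {
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)/.exec(html.slice(i));
    if (!m) { i += 1; continue; }
    names.push(m[1] + m[2].toLowerCase());
    i += m[0].length;
    let quote = null;
    for (; i < html.length; i += 1) {
      const c = html[i];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
  }
  return names;
}

const mode = modeFromUrl(POC_URL);
console.log('unsafe:', tagNames(renderUnsafe(mode)));
console.log('safe:  ', tagNames(renderSafe(mode)));
```

In the unsafe rendering the leading `">` closes the attribute and the tag, so a `script` element appears in the markup; in the encoded rendering the whole value stays inside the attribute.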

GµårÐïåñ
Lieutenant Colonel
Posts: 3347
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Does NoScript protect us here?

Post by GµårÐïåñ » Mon Jun 01, 2009 10:00 pm

Confirmed, it gets caught just fine should scripting be allowed. Also keep in mind, as Giorgio has said in the past (and forgive me if I am misquoting, I can't find the exact post or PM), that NoScript also evaluates the threat of an XSS and intercepts it when malicious. I had sent some test cases that were not malicious and was wondering why they weren't caught, and Giorgio was kind enough to enlighten me that NS only gets involved when it's malicious, otherwise there's no point since it's doing no harm.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.11) Gecko/2009051909 Firefox/3.0.11
