Does NoScript protect us here?

General discussion about the NoScript extension for Firefox
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Does NoScript protect us here?

Post by luntrus » Sun May 31, 2009 10:45 pm

Hi users of NoScript,

Re: ... #msg383401

This vulnerability was found up:

Code:
"><script>alert(String.fromCharCode(88,83,83))</script>
by MethodMan
Firekeeper alerts like mad when I try to give in this request in google:

XSS & Iframe injection flaw.
This should be covered by NoScript, is that so?

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 Shiretoko/3.5pre

Giorgio Maone
Site Admin
Posts: 8955
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Does NoScript protect us here?

Post by Giorgio Maone » Sun May 31, 2009 11:16 pm

Yes, that's a basic XSS PoC.
It's innocuous if you've got JavaScript disabled on that page, but if you've got it enabled it's immediately detected and neutralized by NoScript's XSS protection.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)

Lieutenant Colonel
Posts: 3352
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Does NoScript protect us here?

Post by GµårÐïåñ » Mon Jun 01, 2009 10:00 pm

Confirmed, it gets caught just fine should scripting be allowed. Also keep in mind as Giorgio has said in the past, and forgive me if I am misquoting, can't find the exact post or PM, but NoScript also evaluates the threat of an XSS and intercepts it when malicious. I had sent some test cases that were not malicious and was wondering why they weren't caught and Giorgio was kind enough to enlighten me that NS only gets involved when it's malicious, otherwise no point since it's doing no harm.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/2009051909 Firefox/3.0.11
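An added example, not NoScript's code and not posted by anyone in this thread, illustrating the two points made above: a tag-breakout payload like the PoC can be recognised from the request's query parameters alone and rendered harmless by escaping, while an innocent parameter value is left untouched. The detection patterns, the `example.test` URLs and the parameter name `q` are all constructed for the example; NoScript's real injection checker is considerably more thorough than this.

```javascript
// Added example, not NoScript's code: a minimal reflected-XSS request filter.
// It flags query parameters whose decoded value would break out into markup
// and returns an escaped form of them; benign parameters pass untouched.
// Patterns and sample URLs are our own constructions.

// Patterns that indicate an attempt to turn a parameter value into markup.
const SUSPICIOUS = [
  /<\s*\/?\s*(script|iframe|img|svg|object|embed)\b/i, // tag injection
  /["']\s*>/,                                          // attribute/tag breakout
  /\bon[a-z]+\s*=/i,                                   // inline event handler
  /javascript\s*:/i,                                   // script-scheme URL
];

// Peel off repeated URL encoding (e.g. %253C -> %3C -> <) so a payload hidden
// behind double encoding is compared in its final form. Stops when the value
// no longer changes or is not valid percent-encoding.
function fullyDecode(value) {
  let prev = null;
  let cur = value;
  for (let i = 0; i < 5 && cur !== prev; i++) {
    prev = cur;
    try {
      cur = decodeURIComponent(cur);
    } catch (e) {
      break;
    }
  }
  return cur;
}

// Return the query parameters of `url` whose decoded value matches a pattern.
function findSuspiciousParams(url) {
  const hits = [];
  for (const [name, raw] of new URL(url).searchParams) {
    const value = fullyDecode(raw);
    if (SUSPICIOUS.some((re) => re.test(value))) {
      hits.push({ name, value });
    }
  }
  return hits;
}

// HTML-escape so that reflecting the value into a page cannot create markup.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Filter decision for one request: benign parameters are left alone, flagged
// ones are returned in escaped form, ready for safe reflection.
function filterRequest(url) {
  const hits = findSuspiciousParams(url);
  const sanitized = {};
  for (const { name, value } of hits) {
    sanitized[name] = htmlEscape(value);
  }
  return { flagged: hits.map((h) => h.name), sanitized };
}

// Constructed sample requests: the PoC from the thread, and an innocent search.
const POC_URL =
  'https://example.test/search?q=%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E';
const BENIGN_URL = 'https://example.test/search?q=Tom+%26+Jerry+%3C3';

console.log(JSON.stringify(filterRequest(POC_URL)));
console.log(JSON.stringify(filterRequest(BENIGN_URL)));
```

Note that the benign value `Tom & Jerry <3` contains both `&` and `<` yet is not flagged, which is the "only gets involved when it's malicious" behaviour described above; only values that actually close an attribute or open a tag are escaped.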
