XSS that goes past NoScript

General discussion about the NoScript extension for Firefox
Posts: 1
Joined: Sat Apr 18, 2009 2:57 pm

Post by sbowne@ccsf.edu » Sat Apr 18, 2009 3:02 pm

There's an XSS vuln on the California Democratic Party website that works even with NoScript installed. I posted details here:


Sam Bowne
City College San Francisco
Computer Networking and Information Technology
Box EVE-004, 50 Phelan Avenue, San Francisco, CA 94112
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv: Gecko/2009021910 Firefox/3.0.7

Giorgio Maone
Site Admin
Posts: 8790
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS that goes past NoScript

Post by Giorgio Maone » Sat Apr 18, 2009 3:27 pm

Not quite.
Your "PoC" involves sending the POST from the site itself, therefore there's no cross-site scripting at all. It's "same site" scripting, not exploitable at all.
Anyway, the hole is there, so please come back with a PoC sending the POST from a different site, with the target site allowed to run script, and then you can call it an XSS passing through NoScript (very unlikely ;) )
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
