XSS that goes past NoScript

General discussion about the NoScript extension for Firefox
sbowne@ccsf.edu
Posts: 1
Joined: Sat Apr 18, 2009 2:57 pm

XSS that goes past NoScript

Post by sbowne@ccsf.edu » Sat Apr 18, 2009 3:02 pm

There's an XSS vuln on the California Democratic Party website that works even with NoScript installed. I posted details here:

http://samsclass.info/123/ppt/XSS-DNC.html

Sam Bowne
City College San Francisco
Computer Networking and Information Technology
Box EVE-004, 50 Phelan Avenue, San Francisco, CA 94112
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Giorgio Maone
Site Admin
Posts: 8742
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS that goes past NoScript

Post by Giorgio Maone » Sat Apr 18, 2009 3:27 pm

Not quite.
Your "PoC" involves sending the POST from the site itself, therefore there's no cross-site scripting at all. It's "same site" scripting, not exploitable at all.
Anyway, the hole is there, so please come back with a PoC sending the POST from a different site, with the target site allowed to run script, and then you can call it an XSS passing through NoScript (very unlikely ;) )
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8 (.NET CLR 3.5.30729)
