Cross Scripting Problem

Ask for help about NoScript, no registration needed to post
Gene45
Posts: 2
Joined: Fri Nov 06, 2009 4:58 pm

Cross Scripting Problem

Post by Gene45 »

I have been trying to get into Bell's website (Bell.ca). I can get in and log in to the point where it knows me and my details, but when I try to order anything I get a message at the top of the screen that:

"NoScript filtered a potential cross scripting site (XSS) attempt from [http\Bell.ca]. Technical details have been logged to the console."

I have looked at the "Options" box but don't understand what it is telling me. Likewise for the console.

When this happens I am stuck and can't get any response from the site and have no idea what to do about it.

Help?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091016 Firefox/3.5.4
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: Cross Scripting Problem

Post by Alan Baxter »

From http://noscript.net/features#xss:
Then a yellow notification bar displays a message like
"NoScript filtered a potential cross-site scripting (XSS) attempt from [some-evil-url.com]. Technical details have been logged to the Console."
On the left side of this bar there's also an "Options..." button: if you click it, you can choose among the following actions:
* Show Console, displaying the Error Console where further technical details about the actions taken by NoScript are logged.
Please notice that the Error Console is a standard Firefox component reporting every JavaScript-related message from any source: the explanatory messages specifically coming from NoScript and related to XSS are only the ones marked with a [NoScript XSS] label.
Please post the console message starting with [NoScript XSS].
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Gene45
Posts: 2
Joined: Fri Nov 06, 2009 4:58 pm

Re: Cross Scripting Problem

Post by Gene45 »

So I tried to go back to the Bell site as before. I did not get the cross scripting message, but it gets stuck just the same. Perhaps it is Bell's problem. Since I did not get the error warning, I did not get into the console as suggested. Going to Tools > Error console lets me look at a list like this:

Warning: Expected ':' but found '='. Declaration dropped.
Source File: https://www.bell.ca/mybell/framework/sk ... ontent.css
Line: 107

Warning: Error in parsing value for 'vertical-align'. Declaration dropped.
Source File: https://www.bell.ca/web/css/content.css
Line: 1637

Warning: Unrecognized at-rule or error parsing at-rule '@import'.
Source File: https://www.bell.ca/web/css/print.css
Line: 29

Warning: Error in parsing value for 'width'. Declaration dropped.
Source File: https://www.bell.ca/web/css/print.css
Line: 40

Warning: Expected ':' but found '='. Declaration dropped.
Source File: https://www.bell.ca/mybell/framework/sk ... ontent.css
Line: 107

Warning: Error in parsing value for 'vertical-align'. Declaration dropped.
Source File: https://www.bell.ca/web/css/content.css
Line: 1637

Warning: Unrecognized at-rule or error parsing at-rule '@import'.
Source File: https://www.bell.ca/web/css/print.css
Line: 29

Warning: Error in parsing value for 'width'. Declaration dropped.
Source File: https://www.bell.ca/web/css/print.css
Line: 40

Warning: Error in parsing value for 'clear'. Declaration dropped.
Source File: viewtopic.php?f=7&t=1570215&p=7894235#p7894235
Line: 0
but with no XSS warning.

I must have done something to shut down the system, but I don't know what.

I guess I won't be able to shop at Bell..... :D

If it happens again, I know who to call......
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Guest

Re: Cross Scripting Problem

Post by Guest »

Hopefully you solve this because I can't do most things on Bell's website because of this. I tried disabling the XSS, and it still doesn't work properly. I can only get about one link deeper than I was with it enabled.
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Cross Scripting Problem

Post by GµårÐïåñ »

None of the things you have listed are NoScript or XSS errors; they are all website related errors. If you were getting an XSS message, then there would be a record of it in the console, so it's looking pretty likely that your problem is not XSS.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Re: Cross Scripting Problem

Post by SeanM »

An XSS problem with a different site from bell.ca. This displayed at the Amtrak web site (apparently recently enhanced). At the point this message was displayed, all I had done was enter the departure station, destination and travel dates.

[NoScript XSS] Sanitized suspicious upload to [http://tickets.amtrak.com/itd/amtrak§D ... 2FtripType] from [http://www.amtrak.com/servlet/ContentSe ... k/HomePage]: transformed into a download-only GET request.

(I went ahead on my test PC to the train reservations.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross Scripting Problem

Post by Giorgio Maone »

XSS exception:

^http://tickets\.amtrak\.com/itd/amtrak$
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
SeanM
Junior Member
Posts: 44
Joined: Fri Jul 24, 2009 1:42 pm
Location: Upstate, New York USA

Re: Cross Scripting Problem

Post by SeanM »

Giorgio Maone wrote: XSS exception:

^http://tickets\.amtrak\.com/itd/amtrak$
Thanks! Worked like a charm.

I had been reading through the XSS docs, perplexed as to why this exception was presented. I had "amtrak.com" in the whitelist, and assumed (I know, the mother of all foul-ups :oops: ) that "http://ticket.amtrak.com" would be trusted. I thought (for but a moment) to add "http://ticket.amtrak.com" to the whitelist, and decided to hold the thought.

Were my assumptions incorrect, was the problem caused by the special characters, or does the recently "new, improved" Amtrak web site have a few risks built into it?

I tried the same procedure (on a test PC) with IE7, Opera 9.64 and Safari 3.22. IE7 processed the request, then crashed a few minutes later. Safari acted odd, then hung only the tab. Opera seemed to handle the request, with no apparent problems until I tried to close Opera. (crashed).
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
GµårÐïåñ
Lieutenant Colonel
Posts: 3369
Joined: Fri Mar 20, 2009 5:19 am
Location: PST - USA

Re: Cross Scripting Problem

Post by GµårÐïåñ »

Yes, many of them can be coded into the same CSS for various compatibilities, you might need to reference a few outside things but generally in one place.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Oliver L.
Junior Member
Posts: 27
Joined: Sun Oct 11, 2009 6:09 pm

Re: Cross Scripting Problem

Post by Oliver L. »

Giorgio Maone wrote: XSS exception:

^http://tickets\.amtrak\.com/itd/amtrak$
Thanks this worked for me too.
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
roger
Posts: 2
Joined: Wed Apr 07, 2010 1:47 am

Re: Cross Scripting Problem

Post by roger »

Thanks for this lead on cross scripting. New stuff for me.

As for bell.ca and its pretty bad issue with NoScript, I finally got their https site to work by adding these lines under the Advanced / XSS tab in the Anti-XSS Protection Exceptions list.

^http://bell-ca\.baynote\.net/
^https://bell-ca\.baynote\.net/
^http://[a-z]*\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https://[a-z]*\.bell\.ca/
^http://www\.ges\.bell\.ca/

Not sure which are required or how they could be simplified. Bell.ca being such a black box, that would call for a lot more testing. To me it looks like their css programmers really went to town on this one.

Roger
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Cross Scripting Problem

Post by Giorgio Maone »

roger wrote:

^http://bell-ca\.baynote\.net/
^https://bell-ca\.baynote\.net/
^http://[a-z]*\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https://[a-z]*\.bell\.ca/
^http://www\.ges\.bell\.ca/

Not sure which are required or how they could be simplified.

Simplification:

^https?://[a-z\-]+\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https?://(?:[^/]+\.)?bell\.ca/
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
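To see what each exception set actually exempts, here is an added Python check (not NoScript code and not posted in the thread) that runs roger's six patterns and Giorgio's three simplified ones against constructed sample URLs. It assumes, as the thread does, that NoScript matches these regular expressions against the destination URL of the filtered request; it also shows that the trailing slash keeps a lookalike host such as bell.ca.evil.example from being exempted.

```python
import re

# The six exceptions roger posted and the three Giorgio suggested.
# NoScript is assumed to match them against the destination URL.
ORIGINAL = [
    r"^http://bell-ca\.baynote\.net/",
    r"^https://bell-ca\.baynote\.net/",
    r"^http://[a-z]*\.baynote\.net/",
    r"^http://[a-z]*\.liveperson\.net/",
    r"^https://[a-z]*\.bell\.ca/",
    r"^http://www\.ges\.bell\.ca/",
]
SIMPLIFIED = [
    r"^https?://[a-z\-]+\.baynote\.net/",
    r"^http://[a-z]*\.liveperson\.net/",
    r"^https?://(?:[^/]+\.)?bell\.ca/",
]


def is_exempt(url, patterns):
    """True if any exception pattern matches the destination URL."""
    return any(re.search(p, url) for p in patterns)


# Constructed sample destinations, not taken from the thread.
SAMPLES = [
    "https://www.bell.ca/mybell/",
    "http://www.ges.bell.ca/",
    "https://bell-ca.baynote.net/",
    "https://my-account.bell.ca/order",    # hyphenated host: only simplified
    "http://bell.ca/",                     # bare host: only simplified
    "https://bell.ca.evil.example/",       # lookalike: exempt under neither
    "https://www.bell.ca.evil.example/x",  # lookalike: exempt under neither
]


def compare(urls=SAMPLES):
    """Map each URL to (exempt under ORIGINAL, exempt under SIMPLIFIED)."""
    return {u: (is_exempt(u, ORIGINAL), is_exempt(u, SIMPLIFIED)) for u in urls}


def widened_by_simplification(urls=SAMPLES):
    """URLs the simplified set exempts that the original set did not."""
    return [u for u, (orig, simp) in compare(urls).items() if simp and not orig]


if __name__ == "__main__":
    for url, (orig, simp) in compare().items():
        print(f"{url:40} original={orig!s:5} simplified={simp!s:5}")
    print("widened:", widened_by_simplification())
```

The simplified set is a superset of the original on these inputs: it additionally covers hyphenated and bare bell.ca hosts, while the `bell\.ca/` anchor still rejects hosts that merely start with bell.ca.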
roger
Posts: 2
Joined: Wed Apr 07, 2010 1:47 am

Re: Cross Scripting Problem

Post by roger »

Thank you sir.

Those three lines in the Advanced / XSS / Anti-XSS Protection Exceptions

^https?://[a-z\-]+\.baynote\.net/
^http://[a-z]*\.liveperson\.net/
^https?://(?:[^/]+\.)?bell\.ca/

plus I forgot to mention that I had three more lines in the HTTPS / Cookies / Ignore unsafe cookies section.

bell.ca
liveperson.net
baynote.net

It all works well now.

Roger
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20