Hi!
The Anti-XSS filter in NoScript 1.9.9.47 is causing me major headaches with paying my internet connection bill online!
I'm connected via cable from Cox Communications, and login to their site is via their secure login server at https://idm.east.cox.net. Once logged in, this redirects to https://service.cox.com or https://ww2.cox.com or any number of other combinations depending on the service selected from the menu; the only common factor between these addresses is "cox" somewhere after the "https://".
While I can put in an exception filter for this, it is wide open to abuse, and I'm not familiar enough with regex to tighten it down further. The problem is further compounded by the fact that the yellow line at the top reporting the error disappears a split second after it appears, so that the Options button is unavailable (the target webpage detects the block and redirects back to the source webpage as a login error).
The regex string I'm using doesn't seem to work as intended. I didn't want to use "https://*.cox.*" since that would also match https://fubar.cox.hacker.org!! The current string is ^https://*\.cox\.(net|com)/, the intention being to ensure that the responding site can only be cox.net/ or cox.com/; however it is still open to hacker.org/a.cox.net/. I end up having to disable Anti-XSS entirely once each month to pay my bill, and then have to remember to re-enable it afterward.
Is there an easier way of doing this? Regex is a great idea for those familiar with it, but "^http://[a-z]+\.wikipedia\.org/wiki/[^"<>\?%]+$" is a little on the cryptic side for the average end-user. As the FAQ says: If you're a bit of the "geek" type, you know regular expressions and you're very confident the target web page is immune to XSS vulnerabilities ... what if you're not a bit of the "geek" type, but still need to access sites of the type described above?
Anti-XSS filter causing problems on valid site
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Re: Anti-XSS filter causing problems on valid site
When this happens, (revisit the site so it does happen, then) post the message that shows up in the Error Console.
Re: Anti-XSS filter causing problems on valid site
This is the message (in the message tab in the error console):
This is accompanied by 3 separate identical warnings (in the warnings tab of the error console):
The warnings are followed by "Line: 26", 28 and 30.
[NoScript XSS] Sanitized suspicious request. Original URL [https://idm.cox.com/SmMakeCookie.ccc?SMSESSION=-SM-L%2fzkRLv1Ffg7XvYa9z26xM1RwwZxr%2fhQMC8xVVZf4gAxyPWi9nfoo1A%2fs05BIa%2flTovfMKZbswMCpW6adwQIh3uMKLnGtfArirkR6%2bUH%2fLkF3NZIZNwFLEbYvf1iSu8BGxKuC6OCtStoEDbHQXB1LhqhMQoJJz9FLTzB1IbhI7rz5FLll6bA1hAoHYKKGuFZIFHuL6Tn8SrqyqG5ssSCjn8NsRN2OIRtcEnD7QTw373RibY%2bEpAK76fHeBvBG6uQ5JDSHTIQecQ8Rh8mvzpm7HS3oN9BYV8cw5yHruox3V3JQOuglkrAkxHG6jWM%2fwKE8g9NWZYeg7fF2vmkIXKROhYTrpjghxdzwbN4sbIU9oPTd4vLE83Mnu1CDxNCqkHsnYV89%2fiHPpzicJiDeU4X54Gyxg7W7nhx5oyezUGelI8FGr9XtDbVSeEEMca7NEGR4PGrt6bFy0y960uNfVi8mQhuOATbkqiwgO9Ny9xtCsOXRAS0UEeKNqib4wU%2bipvF3yYlISofy7fMRs1PTO3nBZooWKVpiv1JhBB5MC2jy62SFHQdeBPHT4MCDQo1yLJIrwOZ3%2bSr6pGpyJQh41x5aUrDiN3W9Gv6%2bNty0OBARIzMI2ORBeCsaRljlTnH%2bxTspQFn9OrZ%2bz9%2bc69a3toflBOrDoHY7X2Ez7cY2%2bgPYq4p98QUlAK%2bB7jE6iQalcUb72jJKPpNvqw%2fEiuemKNCS1kE1rCS6p1%2fmMrMFOFEby8dc%2fe9sLy6uuY%2biLX8rygWHrKrywY7sX08ujA2bc%2bp2bWqyKnqwq5XVFkOF7az4kkAnxQbovVzGducqP8zHu%2bG2Xx9AnpRl7TRNqXktP4w2Hh7ZJJatghn4emxO2eqwYul%2b%2bYrV4hAqEG%2frP1QmNSLtVnBTvtcpX10uzqKgCHb0bDoAUu4txye23seZZCrVJ8lOLWgrQm%2fi2o%2f%2b%2bmPwIoRDJPW9PdWcdtrNfHVmC05%2bBASnHJ4oARdQsoR6yYh1zHiXAgzqPW2uuC3XFbrGnr7wNC8%2f7CvVYudcYnVUrfbmQjIXa7lOK3OijqW%2bQSPc6vV1giymY28%2fCehk%2bAeEw1BdCBhqtKGdEblmwQ9hyPEykUDkWBcDbINVZdsilYPbdEiAYvBqN1oFRl6WST6yLBegCNGB72ZtR2xP7dFzZy84yqUjNLJLgmIJKwSntODHA4E584plEuH6hSss3n3drrt8RfICppIgJJLDctWWQ%2f8uLiMnmWExP63sidIuIqrxhkGtNwIwVI%2fJF6gT4hUFqeiaf%2bo2V7UqiEd6bBd7jwRhTGy7IDtnmR3&PERSIST=0&TARGET=-SM-https%3a%2f%2fidm%2eeast%2ecox%2enet%2floginvpb%2fget%3freturnURL%3d%2fcoxlogin%2fredirect%2ejsp%3ftargeturl%3dhttps-%3A-%2F-%2Fservice%2ecox%2ecom-%2Fbillpay-%2FAccountSummary%2edo%26coxretry] requested from 
[https://idm.east.cox.net/coxlogin/ui/viewpaybill?TYPE=33554432&REALMOID=06-b1ee1e14-29ab-100f-8507-83a094a10cb3&GUID=1&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=sWREW1N6NVlYtFDyUQmF0wY9st5UWDMowbirAzGlqvn9JCDyhskbEzirvrVAT6qN&TARGET=-SM-https%3a%2f%2fservice.cox.com%2fbillpay%2fAccountSummary.do]. Sanitized URL: [https://idm.cox.com/SmMakeCookie.ccc?SMSESSION=-SM-L%2FzkRLv1Ffg7XvYa9z26xM1RwwZxr%2FhQMC8xVVZf4gAxyPWi9nfoo1A%2Fs05BIa%2FlTovfMKZbswMCpW6adwQIh3uMKLnGtfArirkR6%2BUH%2FLkF3NZIZNwFLEbYvf1iSu8BGxKuC6OCtStoEDbHQXB1LhqhMQoJJz9FLTzB1IbhI7rz5FLll6bA1hAoHYKKGuFZIFHuL6Tn8SrqyqG5ssSCjn8NsRN2OIRtcEnD7QTw373RibY%2BEpAK76fHeBvBG6uQ5JDSHTIQ20Q8Rh8mvzpm7HS3oN9BYV8cw5yHruox3V3JQOuglkrAkxHG6jWM%2FwKE8g9NWZYeg7fF2vmkIXKROhYTrpjghxdzwbN4sbIU9oPTd4vLE83Mnu1CDxNCqkHsnYV89%2FiHPpzicJiDeU4X54Gyxg7W7nhx5oyezUGelI8FGr9XtDbVSeEEMca7NEGR4PGrt6bFy0y960uNfVi8mQhuOATbkqiwgO9Ny9xtCsOXRAS0UEeKNqib4wU%2BipvF3yYlISofy7fMRs1PTO3nBZooWKVpiv1JhBB5MC2jy62SFHQ20BPHT4MCDQo1yLJIrwOZ3%2BSr6pGpyJQh41x5aUrDiN3W9Gv6%2BNty0OBARIzMI2ORBeCsaRljlTnH%2BxTspQFn9OrZ%2Bz9%2Bc69a3toflBOrDoHY7X2Ez7cY2%2BgPYq4p98QUlAK%2BB7jE6iQalcUb72jJKPpNvqw%2FEiuemKNCS1kE1rCS6p1%2FmMrMFOFEby8dc%2Fe9sLy6uuY%2BiLX8rygWHrKrywY7sX08ujA2bc%2Bp2bWqyKnqwq5XVFkOF7az4kkAnxQbovVzGducqP8zHu%2BG2Xx9AnpRl7TRNqXktP4w2Hh7ZJJatghn4emxO2eqwYul%2BYrV4hAqEG%2FrP1QmNSLtVnBTvtcpX10uzqKgCHb0bDoAUu4txye23seZZCrVJ8lOLWgrQm%2Fi2o%2F%2BmPwIoRDJPW9PdWcdtrNfHVmC05%2BBASnHJ4oARdQsoR6yYh1zHiXAgzqPW2uuC3XFbrGnr7wNC8%2F7CvVYudcYnVUrfbmQjIXa7lOK3OijqW%2BQSPc6vV1giymY28%2FCehk%2BAeEw1BdCBhqtKGdEblmwQ9hyPEykUDkWBcDbINVZdsilYPbdEiAYvBqN1oFRl6WST6yLBegCNGB72ZtR2xP7dFzZy84yqUjNLJLgmIJKwSntODHA4E584plEuH6hSss3n3drrt8RfICppIgJJLDctWWQ%2F8uLiMnmWExP63sidIuIqrxhkGtNwIwVI%2FJF6gT4hUFqeiaf%2Bo2V7UqiEd6bBd7jwRhTGy7IDtnmR3&PERSIST=0&TARGET=-SM-https%3a%2f%2fidm%2eeast%2ecox%2enet%2floginvpb%2fget%3freturnURL%3d%2fcoxlogin%2fredirect%2ejsp%3ftargeturl%3dhttps-%3A-%2F-%2Fservice%2ecox%2ecom-%2Fbillpay-%2FAccountSummary%2edo%26coxretry#2361611422040936849].
Warning: Error in parsing value for 'filter'. Declaration dropped.
Source File: https://idm.east.cox.net/coxlogin/ui/viewpaybill?TYPE=33554432&REALMOID=06-b1ee1e14-29ab-100f-8507-83a094a10cb3&GUID=1&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=sWREW1N6NVlYtFDyUQmF0wY9st5UWDMowbirAzGlqvn9JCDyhskbEzirvrVAT6qN&TARGET=-SM-https%3a%2f%2fservice%2ecox%2ecom%2fbillpay%2fAccountSummary%2edo
Hope that helps!
- Giorgio Maone
- Site Admin
Re: Anti-XSS filter causing problems on valid site
Use this:
^@https://[^/]*\.cox\.(?:net|com)/
The "@" means that the expression refers to the origin, rather than to the target of the request. The rest means "any URL starting with https:// and whose domain ends either with .cox.net or .cox.com".
Re: Anti-XSS filter causing problems on valid site
That works great, thanks!
I'm sure I won't be the only one having problems with it, so I'll pass it along to cox tech support too.
Could someone maybe come up with a web page or some sort of script that can generate this type of regex? I know there will be other users that are equally as stumped.
Thanks again!
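An added example (not NoScript's or the forum's own code) that compiles the exception given in the admin's reply, checks it against the origins named in this thread, and generates the same kind of pattern from a list of domains, as the last post asks for. It assumes the leading "@" is NoScript's "match the origin" marker rather than regex syntax, so it is stripped before the pattern is compiled; the sample origins are constructed from the hosts mentioned above.

```javascript
// Escape a literal domain so it can be embedded in a regex.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Generate an origin exception for a list of registrable domains,
// e.g. ["cox.net", "cox.com"]: https://, a host ending in .<domain>,
// then the slash that starts the path. Equivalent to the admin's pattern.
function buildOriginException(domains) {
  const alts = domains.map(escapeRegex).join("|");
  return `^@https://[^/]*\\.(?:${alts})/`;
}

// True if the NoScript exception pattern matches the origin URL.
// Assumption: "@" after the anchor is NoScript's origin marker, dropped here.
function originMatches(pattern, originUrl) {
  const source = pattern.replace(/^(\^?)@/, "$1");
  return new RegExp(source).test(originUrl);
}

// The pattern from the reply and the poster's first attempt, verbatim.
const ADMIN_PATTERN = "^@https://[^/]*\\.cox\\.(?:net|com)/";
const FIRST_ATTEMPT = "^https://*\\.cox\\.(net|com)/";

// Origins constructed for this example from the hosts named in the thread.
const LOGIN_ORIGIN = "https://idm.east.cox.net/coxlogin/ui/viewpaybill?TYPE=33554432";
const BILLPAY_ORIGIN = "https://service.cox.com/billpay/AccountSummary.do";
const LOOKALIKES = ["https://fubar.cox.hacker.org/", "https://hacker.org/a.cox.net/"];

function checkAll() {
  const generated = buildOriginException(["cox.net", "cox.com"]);
  return {
    adminAllowsLogin: originMatches(ADMIN_PATTERN, LOGIN_ORIGIN),
    adminAllowsBillpay: originMatches(ADMIN_PATTERN, BILLPAY_ORIGIN),
    adminRejectsLookalikes: LOOKALIKES.every((u) => !originMatches(ADMIN_PATTERN, u)),
    // The pattern needs a dot before "cox", so the bare apex host is not covered.
    adminCoversApex: originMatches(ADMIN_PATTERN, "https://cox.net/"),
    // "/*" means "zero or more slashes", so "https:" can never be followed by
    // a host name and even the legitimate login origin fails to match.
    firstAttemptAllowsLogin: originMatches(FIRST_ATTEMPT, LOGIN_ORIGIN),
    generatedAllowsLogin: originMatches(generated, LOGIN_ORIGIN),
    generatedRejectsLookalikes: LOOKALIKES.every((u) => !originMatches(generated, u)),
  };
}

console.log(checkAll());
```

Because `[^/]*` cannot cross the first slash, a ".cox.net" or ".cox.com" appearing in the path of some other host never matches; the same rule means a bare https://cox.net/ origin (no subdomain) is not covered and would need its own alternative if it ever appears as the origin.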