"Potential XSS" notification when searching using Ixquick
Hi, I lately use the search engine Ixquick.
When I use its main page (https://ixquick.com/), and make my search from there, it takes me to the results page (https://ixquick.com/do/metasearch.pl) and everything is fine.
But when I make a new search from the results page (from https://ixquick.com/do/metasearch.pl), NoScript tells me that there's a potential XSS attack.
This is not so serious, as I can always make my search from the Ixquick frontpage, but in the long run it is frustrating.
Since Ixquick seems to be a security-minded website, I was wondering if this could be a false XSS positive from NoScript.
If not, I am planning to contact Ixquick about this, because I intend to continue using their search engine.
Thanks!
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "Potential XSS" notification when searching using Ixquic
Can I see the [NoScript XSS] messages you get in Tools|Error Console?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Re: "Potential XSS" notification when searching using Ixquic
Hi sorry for taking long to reply.
There are no messages in the Error part of console.
There ARE some in "Warnings" and in "Messages".
How can I copy them to post them here?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: "Potential XSS" notification when searching using Ixquic
Copy only the ones that contain "NoScript XSS" by right-clicking each one and selecting Copy.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Re: "Potential XSS" notification when searching using Ixquic
I see no "XSS" messages.
In "Warnings", a bunch of the messages say
Warning: reference to undefined property window.event
Source File: https://eu.ixquick.com/js/wz_tooltip.js
Line: 878
some say
Warning: reference to undefined property window.onunload
Source File: https://eu.ixquick.com/js/swfobject.js
Line: 116
some say
Warning: reference to undefined property window.onload
Source File: https://eu.ixquick.com/js/ccspacer.js?w=m
Line: 1
some say
Warning: Error in parsing value for 'cursor'. Declaration dropped.
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 14
one says
Warning: Expected declaration but found '*'. Skipped to next declaration.
Source File: https://eu.ixquick.com/css/ixquick_result_page.css
Line: 49
one says
Warning: function cho does not always return a value
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 20, Column: 241
Source Code:
o_res_C.gif'); } function cho (c_ob, fg, ct) { if (fg == 1) { c_ob.style.color = '#140b73'; window.status=''; return true; } else { if (document.blah1.cat.value != ct) { c_ob.style.color = '#4585E7'; } else { c_ob.style.color = '#140b73'; } } } function u
some say
Warning: function newImage does not always return a value
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 20, Column: 177
Source Code:
= (str[2].length == 1) ? '0' + str[2] : str[2]; return ('#' + str.join("")); } function newImage(arg) { if (document.images) { rslt = new Image(); rslt.src = arg; return rslt; } } function openResult(imgurl, url, where) { var reg = /result?/; if (reg.tes
some say
Warning: assignment to undeclared variable rslt
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 20
some say
Warning: Unknown property 'text'. Declaration dropped.
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 0
some say
Warning: assignment to undeclared variable e_urls
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 88
some say
Warning: assignment to undeclared variable i
Source File: https://eu.ixquick.com/do/metasearch.pl?
Line: 540
some say
Warning: reference to undefined property window.opera
Source File: https://eu.ixquick.com/js/wz_tooltip.js
Line: 312
one says
Warning: reference to undefined property window.event
Source File: https://eu.ixquick.com/js/wz_tooltip.js
Line: 878
last says
Warning: function find_in_tree does not always return a value
Source File: http://forums.informaction.com/styles/p ... orum_fn.js
Line: 319, Column: 1
Source Code:
}
In regards to the "Messages" section, there are only 3:
Warning: Selector expected. Ruleset ignored due to bad selector.
Source File: http://forums.informaction.com/style.php?id=3&lang=en
Line: 3759
eu.ixquick.com : server does not support RFC 5746, see CVE-2009-3555
eu.ixquick.com : server does not support RFC 5746, see CVE-2009-3555
s9-eu.ixquick.com : server does not support RFC 5746, see CVE-2009-3555
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "Potential XSS" notification when searching using Ixquic
Really, if you get a yellow "XSS warning" bar from NoScript, at the same time you MUST get a blue [NoScript XSS] line in Tools|Error Console, Messages section.
Please clear the console, then reproduce the warning and check.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Re: "Potential XSS" notification when searching using Ixquic
Hi,
I raised this as an urgent issue with our technical director today, please see the response below:
This is a false alarm. NoScript is simply observing the text SCRIPT embedded in that URL and issuing the warning. You can tell that this Javascript is not actually being executed because if you go to
http://ixquick.com/do/metasearch.pl?query=cars&cat=%22%3E%3CSCRIPT%3Ealert(%22Paros%22);%3C/SCRIPT%3E
after receiving the NoScript (incorrect) warning, a Javascript popup with the text "Paros" would appear if there was actually a problem.
If you send the equivalent string to other search engines such as Bing, the same NoScript warning appears:
http://www.bing.com/search?q=cars&go=&form=QBLH&filt=all&qs=n&sk=%22%3E%3CSCRIPT%3Ealert(%22Paros%22);%3C/SCRIPT%3E
The only reason it doesn't appear with Google is that NoScript is hardcoded to not raise an alert with Google, in the NoScript->Options->Advanced->XSS section, with this 'Exception' regular expression:
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:searchcustom\1)\?
I have to say I am a little concerned that Google have exemptions hard coded into the plugin given Google's recent issues with "rogue code" and "rogue engineers" (see Google's WiFi scandal for an example) - seems a little dangerous to me for NoScript to add such an exemption in a security/privacy tool.
If there are any further questions please feel free to get in touch or post in this thread - we encourage feedback from our users, especially on potential security/privacy issues.
Regards,
IXQuick
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "Potential XSS" notification when searching using Ixquic
- The original poster didn't mention he was including a script in his query
- Is there any good reason why, after the first query, you send the request cross-domain, i.e. ixquick.com/do/metasearch.pl -> us2.ixquick.com/do/metasearch.pl? If the request was kept same-domain, NoScript wouldn't trigger.
- Notice that the exceptions for Yahoo and Google have been created to allow people linking Google queries from 3rd party sites, and nobody complained about Bing yet because Bing keeps searches same-domain.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
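To make the discussion above concrete, here is an added example (not NoScript's own code) that models the decision the thread describes: a request is flagged only when it crosses sites, either carries script-like input or is a POST from a page NoScript does not trust into one it does, and matches no exception regex; it is then sanitised into a download-only GET. TRUSTED, EXCEPTIONS and the sample requests are constructed for the example.

```javascript
// Added example, not NoScript's own code: a simplified model of the check this
// thread describes. TRUSTED stands in for the NoScript whitelist and EXCEPTIONS
// for the "Anti-XSS exceptions" regex list; both values are constructed here.
const SCRIPT_LIKE = /<\s*script|javascript:|\bon\w+\s*=|alert\s*\(/i;
const TRUSTED = new Set(['eu.ixquick.com']); // what the OP had allowed, per Giorgio's reply
const EXCEPTIONS = [/^https?:\/\/www\.search-example\.test\/search\?/]; // placeholder domain

const host = (url) => new URL(url).host;

// from:   page that issued the request (undefined when the URL was typed)
// dest:   request URL;  method: 'GET' or 'POST';  body: urlencoded POST body
function checkRequest({ from, dest, method = 'GET', body = '' }) {
  const dst = new URL(dest);
  const crossSite = !from || host(from) !== dst.host;
  const params = [...dst.searchParams, ...new URLSearchParams(body)];
  const scriptLike = params.some(([, v]) => SCRIPT_LIKE.test(v));
  // A POST that crosses from a page NoScript does not trust into one it does
  // trust is also treated as a suspicious "upload": that is the OP's situation
  // (ixquick.com not allowed, eu.ixquick.com allowed).
  const untrustedPost = method === 'POST' && Boolean(from) &&
    !TRUSTED.has(host(from)) && TRUSTED.has(dst.host);
  const exempt = EXCEPTIONS.some((re) => re.test(dest));
  if (!crossSite || exempt || !(scriptLike || untrustedPost)) {
    return { flagged: false, method, url: dest };
  }
  // Sanitise: drop script-like values, then send what is left as a
  // download-only GET, which is the transformation the console message reports.
  const clean = new URL(dst.origin + dst.pathname);
  for (const [k, v] of params) if (!SCRIPT_LIKE.test(v)) clean.searchParams.append(k, v);
  return {
    flagged: true, method: 'GET', url: clean.toString(),
    reason: scriptLike ? 'script-like input crossed sites' : 'cross-site POST from untrusted page',
  };
}
```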
Re: "Potential XSS" notification when searching using Ixquic
Hi
I tried again and this time there was an [NoScript XSS] message in the Messages in the Error Console (I'm sure I couldn't see such a message before, I don't know why):
I searched for some random word, but it happens with any word I search for.
[NoScript XSS] Sanitised suspicious upload to [https://eu.ixquick.com/do/metasearch.pl?] from [https://ixquick.com/do/metasearch.pl]: transformed into a download-only GET request.
BTW, I'm not sure what you guys are talking about here. What's the conclusion? Is it a false positive?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "Potential XSS" notification when searching using Ixquic
welly wrote: BTW, I'm not sure what you guys are talking about here. What's the conclusion? Is it a false positive?
Yes, it is a false positive.
However, it seems you've got eu.ixquick.com allowed but ixquick.com not.
Could you try either whitelisting ixquick.com, or forbidding both?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Re: "Potential XSS" notification when searching using Ixquic
Oh, OK
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Re: "Potential XSS" notification when searching using Ixquic
The server jump is by design and is for load balancing/routing purposes.
I note however that NoScript converted the query into a GET request - I would like to point out that IXQuick using POST instead of GET is by design to prevent search terms appearing in web logs - it is an additional privacy mechanism:
See: http://www.ixquick.com/uk/protect-privacy-qa.html for further details.
Q: What other measures has Ixquick taken to protect my Privacy? Contrary to other search engines Ixquick uses the so-called POST method (instead of the GET method) to keep your search terms out of the logs of webmasters of sites that you reach from our results. Search terms tell a lot about what you are thinking, which is why this is a privacy issue. With the POST method Ixquick uses, your search terms are stripped off.
I would like to personally thank you for reporting this behaviour - even though it was a false positive it is critical not just to our principles and model but also for our certification, that we address these issues to keep IXQuick the world's most private search engine.
Also my thanks to the board admin for accommodating our response on his forum.
Regards,
IXQuick.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
- Giorgio Maone
- Site Admin
- Posts: 9524
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: "Potential XSS" notification when searching using Ixquic
IXQuick wrote: The server jump is by design and is for load balancing/routing purposes.
You may want to either consider using a DNS-based mechanism, rotating IPs on the same domain, or balancing directly the home page rather than the second query, much like Google does with its regional domains (Google, actually, adopts both the strategies).
IXQuick wrote: I note however that NoScript converted the query into a GET request - I would like to point out that IXQuick using POST instead of GET is by design to prevent search terms appearing in web logs - it is an additional privacy mechanism
Please notice that using POST for requests which are not meant to modify the addressed resource is a violation of the HTTP semantics.
There are better ways to remove the referrer URL for privacy: GMail, for instance, uses a META refresh for any outbound link.
On any modern browser supporting data: URIs (i.e. every browser except IE), you can easily accomplish this even without scripting:
<a href="http://www.example.com">example</a>
<a href="data:text/html,<meta http-equiv=refresh content=0;URL=http://www.example.com>">example</a>
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
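As an added example (not Giorgio's, Ixquick's or GMail's code), here is the referrer-stripping data: URI link from the post built safely from an arbitrary target, plus the inverse that recovers the real destination from such a link when reading markup or logs; the function names and the sample URLs are constructed for the example.

```javascript
// Added example, not code from the post: build the referrer-stripping
// data: meta-refresh link described above, and parse it back.
function referrerStrippingHref(target) {
  const u = new URL(target); // throws on malformed input
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('refusing non-http(s) target: ' + u.protocol);
  }
  // u.href already has '"', '<' and '>' percent-encoded, so the target cannot
  // break out of the attribute; encoding the whole document keeps '#', '&'
  // and ';' from being interpreted by the outer data: URI or by HTML.
  const html = `<meta http-equiv="refresh" content="0;URL=${u.href}">`;
  return 'data:text/html,' + encodeURIComponent(html);
}

// Inverse: pull the destination back out of a data: meta-refresh link.
// Accepts both the encoded form above and the unquoted form from the post.
function targetOfRefreshLink(href) {
  const m = /^data:text\/html,(.*)$/i.exec(href);
  if (!m) return null;
  const meta = /content="?0;\s*URL=([^">\s]+)"?/i.exec(decodeURIComponent(m[1]));
  return meta ? meta[1] : null;
}
```

Note that current browsers (Firefox 59+, Chromium 60+) block page-initiated top-level navigation to data: URLs, so today the same effect is obtained with rel="noreferrer" on the link or a Referrer-Policy: no-referrer response header.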