XSS + live.com + visualstudiogallery.msdn.microsoft.com

DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Hi,
since V2.4.9 (or maybe an update to login.live.com) I cannot browse visualstudiogallery.msdn.microsoft.com anymore while logged in to live.com, due to a message stating (translated from German):
NoScript has filtered a possible XSS from [https://login.live.com]
Now I'm not able to work with my contributions.
How can I fix this (or may be you)?

Cheers,
Dany

Topic moved from NoScript General
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by Thrawn »

Hi, Dany. It's possible to exempt a site from XSS checks, but first you should ensure that it is actually immune to XSS attacks. I also recommend adding an ABE rule to protect the whitelisted site.
Can you post the full addresses from the error message? Or copy them from Tools > Error Console? German is OK, only the addresses matter.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (Linux; U; Android 2.2.1; en-gb; GT-S5570 Build/FROYO) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Hi Thrawn,

I'm a bit lost, because when I open the Console there are only info and warning entries and no errors. :?

There are some messages with a question mark:


[NoScript InjectionChecker] ...

[NoScript XSS] A suspicious upload to [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415?stoAI=10&wa=wsignin1.0###DATA###...
It affects all pages under https://visualstudiogallery.msdn.microsoft.com

Thanks,
Dany
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Hmm,
I just created a new Firefox profile and installed NoScript only. There, everything is fine with that site. But why now? Why after the NoScript update (nothing else has been updated, AFAIK)? :?

Edit:
Even with all other extensions disabled, it is not working with my old profile. :cry:

Cheers,
Dany
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Giorgio Maone
Site Admin
Posts: 9539
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by Giorgio Maone »

Could you show me the entire message?

Could you try using NoScript Options|Export for future reference, then NoScript Options|Reset?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Hi Giorgio,
thank you.

I just discovered that disabling scripts for microsoft.com prior to logging in and temporarily enabling them afterwards will "work around" the XSS message.

Another workaround is an exception in the XSS settings, which I'm not really comfortable with:


^https://visualstudiogallery\.msdn\.microsoft\.com/.*
This is what the "unsafe reload" (or so) dialog says:


UNSAFE reload of a suspicious

POST [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0]

from [https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft]

NoScript will not protect this request!
Are you sure?
This is what the console log says:


[NoScript InjectionChecker] JavaScript Injection in ##<wst:RequestSecurityTokenResponse xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"><wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-17148999-cee1-400d-bee7-c635229c82ff" IssueInstant="2012-07-27T18:26:29Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-07-27T18:26:29Z" NotOnOrAfter="2012-07-28T02:26:29Z"><saml:AudienceRestrictionCondition><saml:Audience>msdn.microsoft.com</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2012-07-27T17:58:00Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="http://schemas.xmlsoap.org/claims/UPN">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="Managed" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="Child" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="TOUAccepted" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="CID" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute><saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http://schemas.xmlsoap.org/claims"><saml:AttributeValue>info@myemailadr.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="PUID" AttributeNamespace="http://schemas.xmlsoap.org/claims"></saml:Attribute></saml:AttributeStatement><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod><SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod><Reference URI="#uuid-17148999-cee1-400d-bee7-c635229c82ff"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform></Transforms><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod></Reference></SignedInfo><SignatureValue>###deleted ;-)###</SignatureValue><KeyInfo><X509Data></X509Data><KeyName>Window Live ID</KeyName></KeyInfo></Signature></saml:Assertion></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"><wsa:Address>http://msdn.microsoft.com</wsa:Address></wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse>(function anonymous() {RequestSecurityTokenResponse > <wst:RequestedSecurityToken><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="uuid-17148999-cee1-400d-bee7-c635229c82ff" IssueInstant="2012-07-27T18:26:29Z" Issuer="uri:WindowsLiveID" MajorVersion="1" MinorVersion="1"><saml:Conditions NotBefore="2012-07-27T18:26:29Z" NotOnOrAfter="2012-07-28T02:26:29Z"><saml:AudienceRestrictionCondition><saml:Audience>msdn.microsoft.com</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement AuthenticationInstant="2012-07-27T17:58:00Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"><saml:Subject><saml:NameIdentifier Format="http:">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject></saml:AuthenticationStatement><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="http:">###deleted ;-)###@Live.com</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="Managed" 
AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="Child" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="TOUAccepted" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="CID" AttributeNamespace="http:"></saml:Attribute><saml:Attribute AttributeName="EmailAddress" AttributeNamespace="http:"><saml:AttributeValue>info@myemailadr.de</saml:AttributeValue></saml:Attribute><saml:Attribute AttributeName="PUID" AttributeNamespace="http:"></saml:Attribute></saml:AttributeStatement><Signature xmlns="http:"><SignedInfo><CanonicalizationMethod Algorithm="http:"></CanonicalizationMethod><SignatureMethod Algorithm="http:"></SignatureMethod><Reference URI="#uuid-17148999-cee1-400d-bee7-c635229c82ff"><Transforms><Transform Algorithm="http:"></Transform><Transform Algorithm="http:"></Transform></Transforms><DigestMethod Algorithm="http:"></DigestMethod></Reference></SignedInfo><SignatureValue>###deleted ;-)###</SignatureValue><KeyInfo><X509Data></X509Data><KeyName>Window Live ID</KeyName></KeyInfo></Signature></saml:Assertion></wst:RequestedSecurityToken>;DUMMY_EXPR;})
and


[NoScript XSS] A suspicious upload to [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0###DATA###%3Cwst%3ARequestSecurityTokenResponse+xmlns%3Awst%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2005%2F02%2Ftrust%22%3E%3Cwst%3ARequestedSecurityToken%3E%3Csaml%3AAssertion+xmlns%3Asaml%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aassertion%22+AssertionID%3D%22uuid-17148999-cee1-400d-bee7-c635229c82ff%22+IssueInstant%3D%222012-07-27T18%3A26%3A29Z%22+Issuer%3D%22uri%3AWindowsLiveID%22+MajorVersion%3D%221%22+MinorVersion%3D%221%22%3E%3Csaml%3AConditions+NotBefore%3D%222012-07-27T18%3A26%3A29Z%22+NotOnOrAfter%3D%222012-07-28T02%3A26%3A29Z%22%3E%3Csaml%3AAudienceRestrictionCondition%3E%3Csaml%3AAudience%3Emsdn.microsoft.com%3C%2Fsaml%3AAudience%3E%3C%2Fsaml%3AAudienceRestrictionCondition%3E%3C%2Fsaml%3AConditions%3E%3Csaml%3AAuthenticationStatement+AuthenticationInstant%3D%222012-07-27T17%3A58%3A00Z%22+AuthenticationMethod%3D%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.0%3Aam%3Apassword%22%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3E###deleted ;-)###%40Live.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml%3ASubject%3E%3C%2Fsaml%3AAuthenticationStatement%3E%3Csaml%3AAttributeStatement%3E%3Csaml%3ASubject%3E%3Csaml%3ANameIdentifier+Format%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%2FUPN%22%3E###deleted 
;-)###%40Live.com%3C%2Fsaml%3ANameIdentifier%3E%3C%2Fsaml%3ASubject%3E%3Csaml%3AAttribute+AttributeName%3D%22Managed%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3EFALSE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22Child%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3EFALSE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22TOUAccepted%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3ETRUE%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22CID%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Ec96c25bee652da2c%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22EmailAddress%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3Einfo%40myemailadr.de%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3Csaml%3AAttribute+AttributeName%3D%22PUID%22+AttributeNamespace%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fclaims%22%3E%3Csaml%3AAttributeValue%3E###deleted 
;-)###%3C%2Fsaml%3AAttributeValue%3E%3C%2Fsaml%3AAttribute%3E%3C%2Fsaml%3AAttributeStatement%3E%3CSignature+xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23%22%3E%3CSignedInfo%3E%3CCanonicalizationMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2FCanonicalizationMethod%3E%3CSignatureMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1%22%3E%3C%2FSignatureMethod%3E%3CReference+URI%3D%22%23uuid-17148999-cee1-400d-bee7-c635229c82ff%22%3E%3CTransforms%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23enveloped-signature%22%3E%3C%2FTransform%3E%3CTransform+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2F10%2Fxml-exc-c14n%23%22%3E%3C%2FTransform%3E%3C%2FTransforms%3E%3CDigestMethod+Algorithm%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23sha1%22%3E%3C%2FDigestMethod%3E%3CDigestValue%3ERc7O3s%2BT3FvtqBmI74KYs1aaNyE%3D%3C%2FDigestValue%3E%3C%2FReference%3E%3C%2FSignedInfo%3E%3CSignatureValue%3###deleted ;-)###%3D%3C%2FSignatureValue%3E%3CKeyInfo%3E%3CX509Data%3E%3CX509SKI%3EH1D81qx0njcaeJ3fI6gkm6N%2FjpA%3D%3C%2FX509SKI%3E%3C%2FX509Data%3E%3CKeyName%3EWindow+Live+ID%3C%2FKeyName%3E%3C%2FKeyInfo%3E%3C%2FSignature%3E%3C%2Fsaml%3AAssertion%3E%3C%2Fwst%3ARequestedSecurityToken%3E%3Cwsp%3AAppliesTo+xmlns%3Awsp%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F09%2Fpolicy%22%3E%3Cwsa%3AEndpointReference+xmlns%3Awsa%3D%22http%3A%2F%2Fschemas.xmlsoap.org%2Fws%2F2004%2F08%2Faddressing%22%3E%3Cwsa%3AAddress%3Ehttp%3A%2F%2Fmsdn.microsoft.com%3C%2Fwsa%3AAddress%3E%3C%2Fwsa%3AEndpointReference%3E%3C%2Fwsp%3AAppliesTo%3E%3C%2Fwst%3ARequestSecurityTokenResponse%3E] from [https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2F%2Fvisualstudiogallery.msdn.microsoft.com%2F74ecfb4f-6245-4942-a5b2-67aaacd49415%2Fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft] was sanitized and converted into a GET request (download only).
I have the same problem with codeplex.com, but there I couldn't find a RegEx.

Thanks,
Dany
Last edited by DanyR on Fri Jul 27, 2012 9:27 pm, edited 2 times in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Giorgio Maone
Site Admin
Posts: 9539
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by Giorgio Maone »

OK, I believe I know what the problem is.
In order to remove a potential E4X-based bypass, I tightened a bit the algorithm which simplifies and elides XML constructs before checking for JavaScript fragments.
Doing so, it seems I leave too much XML (especially arbitrary attributes) in place, which generates false positives, for instance here, where an XML payload is sent during the authentication process.

I've got to further fine-tune the XML reduction algorithm in order to fix this.

In the meanwhile, a safer exception regexp should be the following:


^@https://login\.live\.com/login\.srf\?wa=
Regarding codeplex, I'm afraid you'll have to post the whole messages for that as well.

Thank you!
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Thank you very much. We're one step further! ;) (just kidding, I think it is solved for me)

Now, after logging in with LiveID, there is only a brief display of an empty page with an XSS warning, and then it continues to the desired site without fault.

The warning (when loading is stopped with ESC) in the "unsafe reload" dialog is:


UNSAFE reload of a suspicious

POST [https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0]

from [https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com&wreply=https%3a%2f%2fvisualstudiogallery.msdn.microsoft.com%2f74ecfb4f-6245-4942-a5b2-67aaacd49415%2fstats%3fstoAI%3d10&wp=MBI_FED_SSL&wlcxt=microsoft%24microsoft%24microsoft&bk=1343423509]
The console log still displays the same entries, however, but since it works I take them as purely informational.

As for codeplex: you fixed this as well with that RegEx, due to the fact that login is also through LiveID. :D

P.S.: BTW, what exactly does that @ at the beginning of the RegEx do?

Thank you so much!
Cheers,
Dany
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Giorgio Maone
Site Admin
Posts: 9539
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by Giorgio Maone »

DanyR wrote: P.S.: BTW, what exactly does that @ at the beginning of the RegEx do?
It tells the InjectionChecker to match it against the origin, rather than against the destination as "normal" exceptions do.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
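The two exception styles discussed above (Dany's destination-matched `^https://visualstudiogallery\.msdn\.microsoft\.com/.*` and Giorgio's origin-matched `^@https://login\.live\.com/login\.srf\?wa=`) exempt very different sets of requests, which is why the second one is "safer". The following is an added example, not NoScript's own code: a small model of the exception semantics as Giorgio describes them (a leading `@` switches the match from destination URL to origin), run against the request shapes quoted in the log output in this thread plus one hypothetical attacker origin. The function and variable names are mine, the URLs are trimmed copies of the ones posted above, and `attacker.example` is made up.

```javascript
"use strict";

// Added example (not NoScript's own implementation): a minimal model of
// NoScript's anti-XSS exception list as described in this thread.
// Each entry is a regular expression. Per Giorgio's reply, a leading '@'
// (after the optional '^' anchor) means "match against the ORIGIN of the
// request"; otherwise the regexp is matched against the DESTINATION URL.

// Parse one exception line into { againstOrigin, re }.
function parseException(line) {
  const m = /^(\^?)@(.*)$/.exec(line);
  if (m) {
    // The '@' is a marker, not part of the pattern; keep the '^' anchor if present.
    return { againstOrigin: true, re: new RegExp(m[1] + m[2]) };
  }
  return { againstOrigin: false, re: new RegExp(line) };
}

// True if any exception exempts this (origin -> destination) request
// from the InjectionChecker.
function isExempt(exceptions, origin, destination) {
  return exceptions.some(({ againstOrigin, re }) =>
    re.test(againstOrigin ? origin : destination)
  );
}

// Request shapes constructed from the thread's log lines (query strings trimmed).
const GALLERY_STATS =
  "https://visualstudiogallery.msdn.microsoft.com/74ecfb4f-6245-4942-a5b2-67aaacd49415/stats?stoAI=10&wa=wsignin1.0";
const REQUESTS = {
  // The federated sign-in POST that triggered the false positive.
  loginSrf: {
    origin: "https://login.live.com/login.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com",
    destination: GALLERY_STATS,
  },
  // The second POST Dany saw after adding the origin rule (ppsecure/post.srf).
  ppsecure: {
    origin: "https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&wtrealm=visualstudiogallery.msdn.microsoft.com",
    destination: GALLERY_STATS,
  },
  // Hypothetical: an attacker-controlled page posting to the same endpoint.
  attacker: {
    origin: "https://attacker.example/",
    destination: GALLERY_STATS,
  },
};

// The two exception lines quoted in the thread, exactly as posted.
const DESTINATION_RULE = ["^https://visualstudiogallery\\.msdn\\.microsoft\\.com/.*"];
const ORIGIN_RULE = ["^@https://login\\.live\\.com/login\\.srf\\?wa="];

// Evaluate a list of exception lines against every request above;
// returns { loginSrf, ppsecure, attacker } booleans (true = exempted).
function evaluate(lines) {
  const exceptions = lines.map(parseException);
  const result = {};
  for (const [name, { origin, destination }] of Object.entries(REQUESTS)) {
    result[name] = isExempt(exceptions, origin, destination);
  }
  return result;
}

// The destination rule exempts everything posted to the gallery from ANY
// origin, attacker page included. The origin rule exempts only the IdP's
// login.srf POST; it does not cover ppsecure/post.srf, which is the brief
// warning Dany still saw after adding it.
console.log("destination rule:", evaluate(DESTINATION_RULE));
console.log("origin rule:     ", evaluate(ORIGIN_RULE));
```

The point of the model is the third row: with a destination-only exception, any page the user happens to visit could POST JavaScript-looking content to the gallery without the InjectionChecker looking at it, whereas the origin-keyed rule only trusts uploads that come from the identity provider's sign-in endpoint, so its blast radius is limited to what login.live.com itself sends.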
Giorgio Maone
Site Admin
Posts: 9539
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by Giorgio Maone »

Should be fixed in latest development build 2.5rc3, thank you.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
DanyR
Posts: 13
Joined: Fri Jul 27, 2012 5:08 am

Re: XSS + live.com + visualstudiogallery.msdn.microsoft.com

Post by DanyR »

Super, works like a charm! :D

Thank you again,
Dany
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1