XSS protection blocking Office365 federated login

Brons2
Posts: 5
Joined: Thu Jul 26, 2012 5:10 pm
Location: Austin, Texas, USA, Earth

XSS protection blocking Office365 federated login

Post by Brons2 »

Our organization runs Microsoft Office 365, and we have our onsite Active Directory federated to the Office365 cloud using ADFS on Windows Server 2008R2. Recently the XSS click-jack protection has activated when I try to click on the various modules with the Office365 administrative functions. For example, when I log into the administrative page portal.microsoftonline.com (which gives me access to my admin options) and then click on the subservices available under that portal, that is when the XSS protection activates. The login to the subservices contacts the onsite server to check on the SAML token and it is blocked.

I would like to create rules excepting microsoftonline.com and outlook.com (where the cloud email is) from XSS and additionally my ADFS servers (FQDN of my host). Creating those expressions doesn't seem very self-explanatory though. Where can I get some help with this?
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS protection blocking Office365 federated login

Post by Giorgio Maone »

I could help if you can post here some samples of the [NoScript XSS] messages you can find in your Error Console (ctrl+shift+J).
Brons2
Posts: 5
Joined: Thu Jul 26, 2012 5:10 pm
Location: Austin, Texas, USA, Earth

Re: XSS protection blocking Office365 federated login

Post by Brons2 »

I changed my username to firstname.lastname rather than the actual address @our domain. I guess since we're government anyways it doesn't matter if our domain is floating around out there.

[NoScript InjectionChecker] JavaScript Injection in ##<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/t ... su:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/ ... su:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/ ... :AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/p ... tReference xmlns:wsa="http://www.w3.org/2005/08/addressing">< ... :Assertion MajorVersion="1" MinorVersion="1" AssertionID="_67f2392f-cf21-4623-9504-664813925148" Issuer="http://sts.thecb.state.tx.us/adfs/services/trust" IssueInstant="2012-07-30T14:51:35.737Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"><saml:Conditions NotBefore="2012-07-30T14:51:35.737Z" NotOnOrAfter="2012-07-30T15:51:35.737Z"><saml:AudienceRestrictionCondition><saml:Audience>urn:federation:MicrosoftOnline</saml:Audience></saml:AudienceRestrictionCondition></saml:Conditions><saml:AttributeStatement><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">KLl9n4Rv50CNSzNDbWbADw==</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject><saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims"><sam ... :Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Fed ... nStatement AuthenticationMethod="urn:federation:authentication:windows" AuthenticationInstant="2012-07-30T14:51:35.674Z"><saml:Subject><saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">KLl9n4Rv50CNSzNDbWbADw==</saml:NameIdentifier><saml:SubjectConfirmation><saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod></saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds ... 
tionMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# ... tureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-s ... :Reference URI="#_67f2392f-cf21-4623-9504-664813925148"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#envel ... :Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# ... gestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" ... o><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X5 ... enResponse>


[NoScript XSS] Sanitized suspicious upload to [https://login.microsoftonline.com/login ... esponse%3E] from [https://sts.thecb.state.tx.us/adfs/ls/a ... 1343659030]: transformed into a download-only GET request.
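The sanitized upload quoted above is a SAML 1.1 bearer assertion that ADFS POSTs cross-site to login.microsoftonline.com. As an added illustration (not code from this thread, from NoScript or from Microsoft), here is the kind of check the relying party applies to such an assertion before accepting the login; the sample assertion, issuer host and name identifier are constructed, and verification of the ds:Signature element is left out.

```python
# Added example: relying-party checks on a SAML 1.1 bearer assertion of the
# shape ADFS sends to Microsoft Online. Signature verification is omitted;
# the assertion below is constructed, modelled on the one quoted in the thread.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"
ISSUER = "http://sts.example.invalid/adfs/services/trust"  # placeholder STS

SAMPLE_ASSERTION = f"""<saml:Assertion MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-id" Issuer="{ISSUER}"
    IssueInstant="2012-07-30T14:51:35.737Z" xmlns:saml="{SAML}">
  <saml:Conditions NotBefore="2012-07-30T14:51:35.737Z"
                   NotOnOrAfter="2012-07-30T15:51:35.737Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>urn:federation:MicrosoftOnline</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:federation:authentication:windows"
      AuthenticationInstant="2012-07-30T14:51:35.674Z">
    <saml:Subject>
      <saml:NameIdentifier>CONSTRUCTED-NAME-ID</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>{BEARER}</saml:ConfirmationMethod>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

def _ts(value):
    """Parse a SAML UTC timestamp such as 2012-07-30T14:51:35.737Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_audience, expected_issuer, now):
    """Return a list of problems; an empty list means the assertion is acceptable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Issuer") != expected_issuer:
        problems.append("issuer mismatch")
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None:
        return ["missing Conditions"]          # no validity window: reject outright
    if now < _ts(cond.get("NotBefore")):
        problems.append("not yet valid")
    if now >= _ts(cond.get("NotOnOrAfter")):     # NotOnOrAfter is exclusive
        problems.append("expired")
    if expected_audience not in [a.text for a in cond.iter(f"{{{SAML}}}Audience")]:
        problems.append("audience mismatch")
    methods = [m.text for m in root.iter(f"{{{SAML}}}ConfirmationMethod")]
    if not methods or any(m != BEARER for m in methods):
        problems.append("unexpected confirmation method")
    return problems
```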
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: XSS protection blocking Office365 federated login

Post by therube »

Try the latest development build & see if that fixes the problem for you.
Brons2
Posts: 5
Joined: Thu Jul 26, 2012 5:10 pm
Location: Austin, Texas, USA, Earth

Re: XSS protection blocking Office365 federated login

Post by Brons2 »

therube wrote: Try the latest development build & see if that fixes the problem for you.
Yeah, that worked. Thanks!!