XSS on YouTube

DH

XSS on YouTube

Post by DH » Wed Sep 18, 2013 1:53 am

Starting today whenever I try to watch a video on YouTube I get a warning about a potential XSS from http://youtube.com. When I go into the console to view the details there is nothing there.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

DH

Re: XSS on YouTube

Post by DH » Wed Sep 18, 2013 1:57 am

Minor update: blocking scripts from plus.googleapis.com stops the XSS warning from appearing.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

joe786
Posts: 5
Joined: Sun May 15, 2011 7:00 pm

Re: XSS on YouTube

Post by joe786 » Wed Sep 18, 2013 2:13 am

I'm getting the exact same thing. Started today. The warning appears when I begin to scroll down.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

John Doe

Re: XSS on YouTube

Post by John Doe » Wed Sep 18, 2013 2:18 am

Ya, noscript is FREAKING out with XSS warnings on YouTube. I highly suggest the developer check into this ASAP
Mozilla/5.0 (Windows; U; Windows NT 6.1; de-DE) AppleWebKit/533.21.1 (KHTML, like Gecko) Version/5.0.5 Safari/533.21.1

Skai
Posts: 3
Joined: Wed Sep 18, 2013 7:08 am

Re: XSS on YouTube

Post by Skai » Wed Sep 18, 2013 7:11 am

I just registered to confirm this. I cannot find anything questionable in sources or any information in console. Doesn't matter if I am logged in or running in private browsing mode either, any video triggers this as far as I know.

Edit: It doesn't trigger straight away if you open YouTube in a small window, only when you scroll down. How far down exactly stays unknown, but on the network panel I see lots of requests for images on ytimg.com or googleusercontent.com at the same time the XSS filtered notification comes. I hope some of this is useful.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

boviscopophobic
Posts: 1
Joined: Wed Sep 18, 2013 8:09 am

Re: XSS on YouTube

Post by boviscopophobic » Wed Sep 18, 2013 8:16 am

If I have the console open when I get the XSS notification in YouTube, a warning briefly shows up in the console and then disappears. I grabbed the following screenshot. Sorry about the width, but the lines got cut off otherwise. (Right-click and "View Image" to see the whole thing.)

[Image: console screenshot]
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Skai
Posts: 3
Joined: Wed Sep 18, 2013 7:08 am

Re: XSS on YouTube

Post by Skai » Wed Sep 18, 2013 8:51 am

Nice catch, there are three (well, four, but two are duplicates about a deprecated method) notifications when filtering with NoScript and all of them disappear almost instantly, leaving less than a second to copy them.

Timestamp: 18.9.2013 11:43:37
Warning: nsIJSON.decode is deprecated. Please use JSON.parse instead.
Source File: jar:file:///C:/Users/<snip>/AppData/Roaming/Mozilla/Firefox/Profiles/<snip>.default/extensions/<snip noscript addon id?>.xpi!/components/noscriptService.js
Line: 2999


[NoScript InjectionChecker] JavaScript Injection in ///u/0/_/widget/render/comments?<snip>hidefirsttimecommenterpromo=function (){var a=(0,m.L)("dftcp");a&&m.S.hide(a)}<snip>
(function anonymous() {
var a=(0,m.L)("dftcp");a&&m.S.hide(a) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})


[NoScript XSS] Sanitized suspicious request. Original URL [https://apis.google.com/u/0/_/widget/render/comments?<snip>] requested from [https://www.youtube.com/watch?v=<snip>]. Sanitized URL: [https://apis.google.com/u/0/_/widget/render/comments?<snip>].


I hope I didn't snip anything useful away while trying to remove personal data. Hopefully it's helpful.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Giorgio Maone
Site Admin
Posts: 8742
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS on YouTube

Post by Giorgio Maone » Wed Sep 18, 2013 10:41 am

The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Giorgio Maone
Site Admin
Posts: 8742
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS on YouTube

Post by Giorgio Maone » Wed Sep 18, 2013 10:51 am

And by the way, I couldn't reproduce it yet. Is there a specific URL I can test against?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Skai
Posts: 3
Joined: Wed Sep 18, 2013 7:08 am

Re: XSS on YouTube

Post by Skai » Wed Sep 18, 2013 11:05 am

https://www.youtube.com/watch?feature=player_embedded&v=Gzn6E2m3otg triggers it. So does every other video as far as I know. It triggers instantly when Firefox is in fullscreen, otherwise only when you scroll down far enough to see the comments, I believe. I do not see any lost functionality with a fast check.

In addition, anything shown on console related to NoScript gets deleted almost instantly as the page loads, showing only for like a second.

Edit: I do not have RequestPolicy addon. See below post.
Last edited by Skai on Wed Sep 18, 2013 12:42 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS on YouTube

Post by Thrawn » Wed Sep 18, 2013 12:28 pm

I can reproduce this on the link provided, if I first allow some sites in RequestPolicy.

  • (Temporarily) Allow requests from youtube.com to https://apis.google.com. Reload page.
  • (Temporarily) Allow requests from youtube.com to https://plus.googleapis.com. Reload page.
  • NoScript will now show a blocked object. Temporarily allowing it triggers the XSS warning.

The confirmation dialog for allowing the blocked object included the following:

Temporarily allow https://plus.googleapis.com/_/im/_/widget/render/comments?first_party_property=YOUTUBE&href=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Ffeature%3Dplayer_embedded%26v%3DGzn6E2m3otg&owner_id=ahtHbhYZsa2zKY2Mlmr9bA&query=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DGzn6E2m3otg&stream_id=UCahtHbhYZsa2zKY2Mlmr9bA&substream_id=Gzn6E2m3otg&view_type=FILTERED&width=590&dl=true&youtube_video_acl=PUBLIC&hidefirsttimecommenterpromo=function%20()%7Bvar%20a%3D(0%2Cm.L)(%22dftcp%22)%3Ba%26%26m.S.hide(a)%7D&hl=en_US&origin=https%3A%2F%2Fwww.youtube.com&gsrc=1p&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%2Fk%3Dgapi.gapi.en.bI438WBuHt0.O%2Fm%3D__features__%2Fam%3DIA%2Frt%3Dj%2Fd%3D1%2Frs%3DAItRSTNuPHIoFBjGmVBeSqIsgUIKEsrbzA#_methods=onPlusOne%2C_ready%2C_close%2C_open%2C_resizeMe%2C_renderstart%2Concircled%2Cdrefresh%2Cerefresh%2Conthumbsup%2Contimestampclicked%2Conupgradeaccount%2Confirsttimecommenter&id=I0_1379507102134&parent=https%3A%2F%2Fwww.youtube.com&pfname=&rpctoken=24347693
(application/x-unknown <IFRAME> / https://www.youtube.com)
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

crunchysuperman
Posts: 2
Joined: Wed Sep 18, 2013 1:51 pm

Re: XSS on YouTube

Post by crunchysuperman » Wed Sep 18, 2013 1:55 pm

I also registered to post here. Same thing, but it hosed YT functionality for me.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0

Giorgio Maone
Site Admin
Posts: 8742
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: XSS on YouTube

Post by Giorgio Maone » Wed Sep 18, 2013 3:54 pm

crunchysuperman wrote:I also registered to post here. Same thing, but it hosed YT functionality for me.

What's broken for you?
What have you got allowed and what not?

Anyway you can disable the XSS filter for this call by adding the following line to your NoScript Options|Advanced|XSS exceptions box:

^https://(?:plus\.googleapis|apis\.google)\.com/[\w/]+/widget/render/comments\?


[EDIT]
updated the regular expression to include the apis.google.com variant, thanks Mastacheata for reporting it.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0
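Giorgio's earlier point is that a function literal travelling inside a URL parameter is, to a syntax-based injection checker, indistinguishable from an injected payload, and the exception regex he posted is scoped tightly to the comments-widget endpoint rather than to a whole host. The block below is an added example, not code from NoScript or from anyone in this thread. It walks the query parameters of a URL constructed from Thrawn's paste (trimmed to a few parameters), flags any value that compiles as JavaScript (the Function constructor is used purely as a parser; nothing in the value is ever executed), and checks the URL against the posted regex, including two lookalike hosts that the anchored pattern rejects. The names parsesAsJs, suspiciousParams, isExempted, checkRequest and the sanitize stub are my own; NoScript's real InjectionChecker heuristics and its sanitisation are not on the page and are not reproduced here.

```javascript
// Added example, not NoScript's code: a toy injection check plus the exception
// regex from this thread, run over a constructed URL.

// Constructed from Thrawn's pasted URL, trimmed to a handful of parameters.
const SAMPLE_URL =
  "https://plus.googleapis.com/_/im/_/widget/render/comments?" +
  "first_party_property=YOUTUBE&width=590&dl=true" +
  "&hidefirsttimecommenterpromo=function%20()%7Bvar%20a%3D(0%2Cm.L)(%22dftcp%22)%3Ba%26%26m.S.hide(a)%7D" +
  "&hl=en_US&origin=https%3A%2F%2Fwww.youtube.com";

// The XSS exception Giorgio posted, as a JavaScript regex literal.
const XSS_EXCEPTION = /^https:\/\/(?:plus\.googleapis|apis\.google)\.com\/[\w/]+\/widget\/render\/comments\?/;

// Does this text compile as JavaScript? Function() only compiles the source;
// the resulting function is never called, so nothing in the value executes.
// Two attempts: as a statement list, then parenthesised so that an anonymous
// "function (){...}" (illegal as a bare statement) is still recognised. The
// appended comment terminator and sentinel identifier echo the wrapping seen in
// the console log: a value cut off inside "/* ... */" still parses.
function parsesAsJs(fragment) {
  for (const src of [fragment, "(" + fragment + "\n)"]) {
    try {
      new Function(src + "\n/* COMMENT_TERMINATOR */\nDUMMY_EXPR");
      return true;
    } catch (e) {
      if (!(e instanceof SyntaxError)) throw e;
    }
  }
  return false;
}

// Names of query parameters whose decoded value looks like executable JS.
// The cheap pre-filter skips plain tokens ("YOUTUBE", "590", "en_US"), which
// would otherwise parse as harmless identifiers or literals.
function suspiciousParams(url) {
  const hits = [];
  for (const [name, value] of new URL(url).searchParams) {
    if (/[(=]/.test(value) && parsesAsJs(value)) hits.push(name);
  }
  return hits;
}

// The exception is anchored at the scheme and requires "/" right after the
// host, so "apis.google.com.example.net" or a path that merely contains the
// host name does not match.
function isExempted(url) {
  return XSS_EXCEPTION.test(url);
}

// Toy sanitiser: drop the flagged parameters. NoScript's own sanitisation is
// different and not shown on the page; this just makes the effect visible.
function sanitize(url) {
  const u = new URL(url);
  for (const name of suspiciousParams(url)) u.searchParams.delete(name);
  return u.toString();
}

// What the filter would do with a request: pass it through when the exception
// matches, otherwise strip whatever looked like script.
function checkRequest(url) {
  if (isExempted(url)) return { exempted: true, suspicious: [], url };
  const suspicious = suspiciousParams(url);
  return { exempted: false, suspicious, url: suspicious.length ? sanitize(url) : url };
}

console.log("flagged without the exception:", suspiciousParams(SAMPLE_URL));
console.log("exempted by the posted regex:", isExempted(SAMPLE_URL));
console.log(checkRequest(SAMPLE_URL));
```

Run with node; the hidefirsttimecommenterpromo value is the only parameter that compiles, which is exactly the fragment the InjectionChecker quoted in Skai's console capture, and the exception regex lets the whole request through while still rejecting hosts that only contain "apis.google.com" as a substring.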

DH

Re: XSS on YouTube

Post by DH » Wed Sep 18, 2013 4:36 pm

Giorgio Maone wrote:The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?

I have personally not noticed any loss of functionality with the XSS filter. Nor have I noticed any when blocking scripts from plus.googleapis.com.
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0

crunchysuperman
Posts: 2
Joined: Wed Sep 18, 2013 1:51 pm

Re: XSS on YouTube

Post by crunchysuperman » Wed Sep 18, 2013 4:44 pm

DH wrote:
Giorgio Maone wrote:The tricky thing here is that the site is actually passing entire JavaScript functions around inside URLs, which is exactly what triggers NoScript's anti-XSS filter by design.
I wouldn't be surprised if making an exception for this specific Google API usage scenario would allow real XSS abuse.
I've got to check it thoroughly. BTW, beside the notification annoyance, does the filtering actually prevent the site from working properly?

I have personally not noticed any loss of functionality with the XSS filter. Nor have I noticed any when blocking scripts from plus.googleapis.com


There's something else going on here. I disabled everything and went into safe mode and still couldn't play YT videos. Upon restoring everything, the first video I tried played, but from then on they wouldn't. Clearly the XSS issue was a coincidence and there's something else other than NS to blame.
Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20100101 Firefox/24.0
