How can I bypass NoScript XSS in my Firefox Addon?

Post by erosman »

Hi

In an addon I am working on, I need to insert a form and send the POST data to another site.
When I try that from a local file (file:///C:/....) there are no issues.
When I try it from an internet site, I get:
[NoScript XSS] Sanitized suspicious upload to [http://.....] from [http://.....]: transformed into a download-only GET request.
The POST data is a long string such as: (plus headers)

iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==

Since it is for an addon, there is no point in changing any preferences.

How can the addon send POST data without running into above blockage?
If you need more info, you can find me at irc://moznet/#amo-editors

Thank you
:)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Re: Bypass NoScript XSS in Firefox Addon

Post by Giorgio Maone »

If you use the privileged version of XMLHttpRequest to send the data collected by the form, your HTTP request won't be checked.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Re: How can I bypass NoScript XSS in my Firefox Addon?

Post by erosman »

Thanks Giorgio

Sadly, I have not been able to do what I need using the privileged version of XHR; therefore, at the moment, I createElement('form'), insert it in the DOM and form.submit() (and remove the form).

As I said, when I run it on a local document, there is no error from NoScript.
If I run it on an internet web page, I get the NoScript warning.

The method is similar to the method used by Search By Image (by Google) which also has the same issue with NoScript when POSTing data from a web page to Google Search page.

I couldn't pass the FormData to postData in loadOneTab otherwise that would have been my favourite option :(

Any suggestions?
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Re: How can I bypass NoScript XSS in my Firefox Addon?

Post by barbaz »

What if you create a dummy document with

Components.Constructor("@mozilla.org/xml/xml-document;1")

exclusively for your addon's use? Does that work? (I haven't tried for something like this, but it works well for other purposes.)
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; OpenBSD amd64; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23

Re: How can I bypass NoScript XSS in my Firefox Addon?

Post by erosman »

Thanks barbaz

I am actually working on creating a stream to pass to postData in loadOneTab (many steps as there isn't a direct route).
I have just finished writing it... I have to do more testing.

:)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Re: How can I bypass NoScript XSS in my Firefox Addon?

Post by Giorgio Maone »

If you can't find another way, adding a line to the "noscript.filterXExceptions" preference and removing it just after the submit() call (the filter check is synchronous) should be quite simple and work.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0

Re: How can I bypass NoScript XSS in my Firefox Addon?

Post by erosman »

Thanks Giorgio

I will bear that in mind :)
I have managed (with some ideas from Nils Maier) to pass the data to the postData in loadOneTab (so little documentation on this subject).
That makes life easier and no problem with XSS.
Thanks for the help
:)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0