NoScript XSS warning on ISP login

[34661b2c@opayq.com]

Hello:
Using:
openSUSE-13.1-KDE-x86_64 | KDE 4.11.5 | sda=80GB Ext4 | sdb=500GB Ext4
AMD Athlon II X4 640 3.0GHz | Gigabyte GA-880GA-UD3H (rev. 3.1) | DDR3-1333 8GB
ATI Radeon HD 4250 graphics (DirectX10.1) | Firefox 31.1.0 | Thunderbird 31.1.0

I'm receiving a NoScript XSS warning on logging in to my ISP email (Gmail):

Since the recent update (a week or so ago) I'm getting a black bar across the top of the screen, and have to choose "Unsafe Reload" in order to get into my mail. This has never happened before this most recent NS update.
I use gmail, not by choice but because my ISP has contracted with gmail so there I am.
A normal gmail log-in is to invoke https://www.dslextreme.com/Login.aspx?R ... fault.aspx and supply a password. I am then connected through to gmail - and yes, not great.

So my question is - is this truly an XSS attack/attempt or is NS misinterpreting it as such?
And what do I do about it, if it IS an XSS attack? It's the way I get to my email.

Following is copied from the dialog that appears after O.K.-ing the "Unsafe Reload".

UNSAFELY reloading a suspicious

POST [https://www.google.com/a/dslextreme.com/acs]

FROM [http://www.dslextreme.com/webmail/defau ... %26emr%3D1]

NoScript will NOT protect this request!
Are you sure?

Thanks for what you do ... I'll check back in later. It's 4:20 A.M. and I'm crashing.

[Giorgio Maone]

Could you please also post any [InjectionChecker] or [XSS] or [NoScript] line you can find in your Browser Console (Ctrl+Shift+J) when this happens?
Thanks.

[34661b2c@opayq.com]

Could you please also post any [InjectionChecker] or [XSS] or [NoScript] line you can find in your Browser Console (Ctrl+Shift+J) when this happens?
Thanks.

Hi Giorgio:
Thanks! I found this:

Code: Select all

[NoScript InjectionChecker] HTML injection:
<script
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|['"\s\0\/](?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|i(?:s(?:c(?:o(?:verystatechanged|nnect(?:ing|ed))|hargingtimechange)|abled)|aling)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rol(?:lerchange|select)|extmenu)|nect(?:ing|ed)?)|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|l(?:i(?:rmodechange|ck)|ose)|(?:fstate|ell)change|u(?:echange|t))|r(?:e(?:s(?:ourcetimingbufferfull|u(?:m(?:ing|e)|lt)|ize|et)|ad(?:ystatechange|success|error)|mo(?:te(?:resume|hel)d|vetrack)|questmediaplaystatus|pea(?:tEven)?t|loadpage|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|(?:adiost)?atechange)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:(?:lec(?:tstar)?)?t|ek(?:ing|ed)|n(?:ding|t))|pe(?:akerforcedchange|ech(?:start|end))|c(?:ostatuschanged|roll)|u(?:ccess|spend|bmit)|ound(?:start|end)|how)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|(?:Press)?TapGesture|AfterPaint)|p(?:o(?:inter(?:(?:lea|mo)ve|o(?:ver|ut)|cancel|enter|down|up)|p(?:up(?:hid(?:den|ing)|show(?:ing|n))|state))|a(?:i(?:redstatuschanged|nt)|ge(?:hide|show)|(?:st|us)e)|ro(?:pertychange|gress)|endingchange|lay(?:ing)?)|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load|interruptbegin)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|a(?:n(?:imation(?:iteration|start|end)|tennaavailablechange)|fter(?:(?:scriptexecu|upda)te|print)|d(?:apter(?:remov|add)ed|dtrack)|(?:2dpstatus|ttribute)changed|udio(?:process|start|end)|ctivate|lerting|bort)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|e(?:ditfocus|victed)|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut))|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ypechange|ext)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|(?:otpointercaptur|roupchang)e|et)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|s(?:tpointer|e)capture)|(?:anguage|evel)change|y)|e(?:m(?:ergencycbmodechange|ptied)|n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|victed|xit)|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|requencychange|ailed|etch)|u(?:p(?:date(?:found|ready)|gradeneeded)|s(?:erproximity|sdreceived)|n(?:derflow|load))|i(?:cc(?:(?:info)?change|(?:un)?detected)|n(?:coming|stall|valid|put))|o(?:(?:tastatuschang|(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|h(?:e(?:adphoneschange|l[dp])|fpstatuschanged|ashchange|olding)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Zoom)|v(?:o(?:lum|ic)e|ersion)change|n(?:o(?:update|match)|eedkey)|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|Request|zoom))[\s\0]*=

[NoScript XSS] Sanitized suspicious upload to [https://www.google.com/a/dslextreme.com/acs###DATA###%2FwEPDwUJMjMzNzMwOTczD2QWAmYPZBYEAgEPZBYCAgcPFgIeBFRleHQFfzxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0IiBsYW5ndWFnZT0iamF2YXNjcmlwdCIgc3JjPSIvL2FqYXguZ29vZ2xlYXBpcy5jb20vYWpheC9saWJzL2pxdWVyeS8xLjcuMi9qcXVlcnkubWluLmpzIj48L3NjcmlwdD5kAgMPFgQeBXN0eWxlBQ1kaXNwbGF5Om5vbmU7HgZPbkxvYWQFcWphdmFzY3JpcHQ6IGRvY3VtZW50LmZvcm1zWzBdLmFjdGlvbiA9ICdodHRwczovL3d3dy5nb29nbGUuY29tL2EvZHNsZXh0cmVtZS5jb20vYWNzJzsgZG9jdW1lbnQuZm9ybXNbMF0uc3VibWl0KCk7FgICAQ8WAh4GYWN0aW9uBaYGL3dlYm1haWwvZGVmYXVsdC5hc3B4P3NhbWxyZXF1ZXN0PWZ2bGp0c213ZWwwajhxJTJicjc5a2tiMnExcWF2dnJzd3dpa3ljdWRub2poeHJqeGljZnY0ZW55Mmlob2Q2JTJmcHl3bXJuZmZpZ3o3bWNpbWRvamF6c3FhZHEzdGRidHJsYmxwbHdodCUyZm5seHJpemtoMmQ5ZzZ0eCUyYmM5YjNzYiUyZjZtcmRnOHo2YTJtaHFmYXFwa2NwaTd0NWV0eGd5NmloaGJ3b21vbmptZmlscGZnZHJ2dnNlenVuNXV3ZDN4bndiZGx0ZW1rdW1sZHZseGZreW40dHlseDcxaWpxNndmeWc4bGp5NXA1NmVrdnE3dGpseGt5aXNoeXlpbzBqY3NmY2VubzZncGRmNmx2cjFqc28lMmZsc2dpbDUydTVjb3hlZGZianN6cHNndG5raWxocmIlMmZ1Y2l5cWRoeHNtZXVnd3FxdHJmbWNwMGRncnNldXdvOGZoOWZrcWtidnpoZGk0M3UlMmYzMHk5bXpvaWFqeHc0YyUyYm9lY2N0NW1mMDZmbHJueSUyZjAlMmZwdnUyaiUyZm1wd3RnJTJiazhwcHd6dXV3Y3draXd4JTJmZGN6c212M3Vhbm8lMmJpYm85bHppM3ZqaDN0MXNhcHFtaTZyYXpxbHR4MmFleGpxYyUyZnBqZyUyZnV2NCUyYmQzODB4dyUzZCUzZCZyZWxheXN0YXRlPWh0dHBzJTNhJTJmJTJmd3d3Lmdvb2dsZS5jb20lMmZhJTJmZHNsZXh0cmVtZS5jb20lMmZzZXJ2aWNlbG9naW4lM2ZzZXJ2aWNlJTNkbWFpbCUyNnBhc3NpdmUlM2R0cnVlJTI2cm0lM2RmYWxzZSUyNmNvbnRpbnVlJTNkaHR0cHMlMjUzYSUyNTJmJTI1MmZtYWlsLmdvb2dsZS5jb20lMjUyZmElMjUyZmRzbGV4dHJlbWUuY29tJTI1MmYlMjZzcyUzZDElMjZsdG1wbCUzZGRlZmF1bHQlMjZsdG1wbGNhY2hlJTNkMiUyNmVtciUzZDEWFAIBDxYCHwAFIjxiPkxPR0dFRCBJTiBBUzo8L2I%2BIE9MRkFSQ05BUlQgLSBkAgIPDxYCHgdWaXNpYmxlZ2RkAgUPFgIeBWNsYXNzBQtjdXJyZW50SXRlbWQCCQ8PFgIfBGhkFgRmDw8WAh4HRW5hYmxlZGhkZAIEDw8WAh8EaGRkAgoPZBYEAgEPFgIfAAXEEjxzYW1scDpSZXNwb25zZSBJRD0iZGVsa2JhYmVtaG5uaWpkZmFnZmhmZ2dubG1vYWVrcG9jZ21kZmhsayIgSXNzdWVJbnN0YW50PSIyMDE0LTEwLTI5VDE3OjAyOjI4WiIgVmVyc2lvbj0iMi4wIiB4bWxucz0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpwcm90b2NvbCIgeG1sbnM6eGVuYz0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjIj48U2lnbmF0dXJlIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjIj48U2lnbmVkSW5mbz48Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnL1RSLzIwMDEvUkVDLXhtbC1jMTRuLTIwMDEwMzE1IiAvPjxTaWduYXR1cmVNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjcnNhLXNoYTEiIC8%2BPFJlZmVyZW5jZSBVUkk9IiI%2BPFRyYW5zZm9ybXM%2BPFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIiAvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3NoYTEiIC8%2BPERpZ2VzdFZhbHVlPmNNZUlrYzdtclN3N1A3U1E3cUZxdzFyTzZqTT08L0RpZ2VzdFZhbHVlPjwvUmVmZXJlbmNlPjwvU2lnbmVkSW5mbz48U2lnbmF0dXJlVmFsdWU%2BSUhaNDZ5ZmlZWUxaTGtkNk5HQ0hZZ1Z4ajVic1gxSDF6eS9ySjR0dmduek1oV1JCZnZWcE95a1d6NC9SWTQzejhUajhZQXNhVkk1YVdLaFRmUSsyTUxUeTUyRWdaTVhtT2pEUWQ5YUsrQzdqc3BkVlBhNHBTYlJRRC84b0NqRzRmcjZRaHFHaVdCSFdwMXpwd0lMYWlZWlRNUzdJcGdhRFJhTk5lK2FSQzg0PTwvU2lnbmF0dXJlVmFsdWU%2BPEtleUluZm8%2BPEtleVZhbHVlPjxSU0FLZXlWYWx1ZT48TW9kdWx1cz54ODFTQjk1SXV0VEg4R2E0TlhxellIOTdYbHJaelZZS2dSY3dEVllPSzZqZTY4UmNscUNrREo5TEJRbjJmb1puUGE4bG85cVBUaTdPOEYxVk5PdHNBZ1NiUGVPenkvZktFVVVTcjlmZ0FFd1JyVXhtazNUSkk5b2RiUGg1YmlqYk4zUDhQWkV0Z3ZlODNGUDV4K250c1BXRXVKM1BMaXp6Z3BvdGlST3VrQ3M9PC9Nb2R1bHVzPjxFeHBvbmVudD5BUUFCPC9FeHBvbmVudD48L1JTQUtleVZhbHVlPjwvS2V5VmFsdWU%2BPC9LZXlJbmZvPjwvU2lnbmF0dXJlPjxzYW1scDpTdGF0dXM%2BPHNhbWxwOlN0YXR1c0NvZGUgVmFsdWU9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpzdGF0dXM6U3VjY2VzcyIgLz48L3NhbWxwOlN0YXR1cz48QXNzZXJ0aW9uIElEPSJwbGhja25sbHBsbGFqaGljb2xlZmdmZW9manBoYW1uZmxua2Jrb2RsIiBJc3N1ZUluc3RhbnQ9IjIwMDMtMDQtMTdUMDA6NDY6MDJaIiBWZXJzaW9uPSIyLjAiIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj48SXNzdWVyPmh0dHBzOi8vd3d3Lm9wZW5zYW1sLm9yZy9JRFANCiAgICA8L0lzc3Vlcj48U3ViamVjdD48TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6ZW1haWxBZGRyZXNz] from [http://www.dslextreme.com/webmail/default.aspx?SAMLRequest=fVLJTsMwEL0j8Q%2BR79kKB2Q1QaVVRSWWiKYcuDnOJHXrJXicFv4eNy2iHOD6%2FPyWmRnffigZ7MCiMDojaZSQADQ3tdBtRlblPLwht%2FnlxRiZkh2d9G6tX%2BC9B3SB%2F6mRDg8Z6a2mhqFAqpkCpI7T5eTxgY6ihHbWOMONJMFilpFGdRvVsEZuN5uWd3XNWbdltemkUmLdVlXFKyN4TYLX71ijQ6wFYg8LjY5p56EkvQ7TJLxKyiShyYiO0jcSFCenO6GPDf6LVR1JSO%2FLsgiL52U5COxEDfbJszPSGtNKiLhRB%2FuCIYqdhxsmEUgwQQTrfMCp0dgrsEuwO8Fh9fKQkbVzHdI43u%2F30Y9MzOIaJXw4C%2BoEcCT5MF06FLRnY%2F0%2FPvu2J%2FmPwTg%2Bk8pPWzuUWcwKIwX%2FDCZSmv3UAnO%2BibO9LzI3VjH3t1sapQMi6rAZqLTX2AEXjQC%2Fpjg%2Fuv4%2BD380Xw%3D%3D&RelayState=https%3A%2F%2Fwww.google.com%2Fa%2Fdslextreme.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fa%252Fdslextreme.com%252F%26ss%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1]: transformed into a download-only GET request.

Further down was this:

reflow: 0.35ms
reflow: 0.24ms
reflow: 0.42ms function set_label, tabbrowser.xml line 4937
reflow: 0.19ms function _calcMouseTargetRect, tabbrowser.xml line 4992
reflow: 0.4ms
reflow: 0.21ms
reflow: 0.23ms function Hoverclue.isVisible, hoverclue.js line 299
GET https://accounts.google.com/MergeSession [HTTP/1.1 302 Moved Temporarily 6923ms]
POST http://clients1.google.com/ocsp [1692ms]
POST http://clients1.google.com/ocsp [1642ms]
reflow: 0.22ms function _calcMouseTargetRect, tabbrowser.xml line 4992
GET https://accounts.google.com/CheckCookie [HTTP/1.1 302 Moved Temporarily 8848ms]
GET https://mail.google.com/a/dslextreme.com/ [HTTP/1.1 302 Moved Temporarily 1750ms]
reflow: 0.52ms function _calcMouseTargetRect, tabbrowser.xml line 4992
GET https://mail.google.com/mail/u/0/ [HTTP/1.1 302 Moved Temporarily 1458ms]
GET https://mail.google.com/mail/u/0/ [HTTP/1.1 200 OK 3068ms]
reflow: 0.41ms
reflow: 0.32ms
reflow: 0.41ms function set_label, tabbrowser.xml line 4937
reflow: 0.19ms function _calcMouseTargetRect, tabbrowser.xml line 4992

Which I don't know is relevant or not....

Chuck

[barbaz]

Which I don't know is relevant or not....

Only the first set of console messages are relevant.

see the sticky for how to make xss exceptions, feel free to post back here if you need help

[34661b2c@opayq.com]

Which I don't know is relevant or not....

Only the first set of console messages are relevant.

see the sticky for how to make xss exceptions, feel free to post back here if you need help

Hi Barbaz....
Waitaminnit - is an XSS exception what I want?

This only started happening within a week ago, never happened before then.

How can I know if I'm making an exception to allow some kind of actual attack?

What was changed in NS to make it suddenly pick up a normal activity as an XSS attack?

OR is this a real XSS attack that I would be disabling NS for?

I hope you see my dilemma....

[barbaz]

Hi Barbaz....
Waitaminnit - is an XSS exception what I want?

This only started happening within a week ago, never happened before then.

How can I know if I'm making an exception to allow some kind of actual attack?

What was changed in NS to make it suddenly pick up a normal activity as an XSS attack?

OR is this a real XSS attack that I would be disabling NS for?

I hope you see my dilemma....

Yes, I see the problem, especially given what the related messages said. However, you say you've Unsafely Reloaded a few times...
When you do an Unsafe Reload, can you look at the payload of the POST request that is triggering the XSS filter (using something like HTTPFox maybe)? That should tell you whether it's legitimate.

[Guest]

Yes, I see the problem, especially given what the related messages said. However, you say you've Unsafely Reloaded a few times...

Yeh - it's the only way I can get my mail at all....

When you do an Unsafe Reload, can you look at the payload of the POST request that is triggering the XSS filter (using something like HTTPFox maybe)? That should tell you whether it's legitimate.

Just this moment downloaded HTTPFox - now to figure out how to use it. This is new to me.
Thank you! - be back when I know something more....