need help with XSS exception for internet bank login

ginahoy
Senior Member
Posts: 65
Joined: Tue Feb 07, 2012 6:32 pm

need help with XSS exception for internet bank login

Post by ginahoy »

I just signed up for a savings account with ufbdirect.com and when I attempt to log in, I get a cross-site warning:

"NoScript filtered a potential cross-site scripting (XSS) attempt from [https://ufbdirect.com]."

In order to avoid having to click the 'unsafe reload' every time, I'd like to create an exception. I looked at the FAQ (4.4) but it doesn't have enough information. I would appreciate an assist.
Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: need help with XSS exception for internet bank login

Post by Thrawn »

First, can you check the Browser Console (Ctrl+Shift+J) when this occurs? It should have more detail about what is being blocked.

Second, we need to determine whether the site is actually vulnerable to XSS, or just doing something odd that triggers a false positive. If there's scope for enhancing the filter, Giorgio will probably jump on it (again, the Browser Console messages are handy).

Third, when writing an XSS filter exception, you should probably also write an ABE rule such as:

Code:

Site .ufbdirect.com
Accept from SELF++
Deny INC
Anon GET
Deny
This will allow other sites (like search engines) to link to the bank, but block any attempt to send cross-site requests to it.

If you're willing to always access your bank through bookmarks, then you could simplify it to:

Code:

Site .ufbdirect.com
Accept from SELF++
Deny
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:35.0) Gecko/20100101 Firefox/35.0
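A small model of how the two ABE rule sets above sort requests, added here as an illustration and not NoScript's own code. It assumes SELF++ means any origin in the same base domain as the destination (a bookmark or typed URL, which has no origin, counting as the site itself), INC means a sub-resource load such as a script, frame or image, and Anon means the request goes through stripped of cookies and credentials; the base-domain helper simply takes the last two labels.

```python
from dataclasses import dataclass

SITE = "ufbdirect.com"  # "Site .ufbdirect.com": the domain itself plus every subdomain

# The two rule sets from the post, as (action, condition) pairs checked top to bottom.
FULL_RULES = [("Accept", "from SELF++"), ("Deny", "INC"), ("Anon", "GET"), ("Deny", None)]
BOOKMARK_RULES = [("Accept", "from SELF++"), ("Deny", None)]

@dataclass
class Request:
    origin: str      # host of the page that issued the request; "" for a bookmark or typed URL
    dest: str        # host the request is sent to
    method: str      # HTTP method
    inclusion: bool  # True for a sub-resource load (script, frame, image), False for navigation

def in_site(host: str) -> bool:
    return host == SITE or host.endswith("." + SITE)

def base_domain(host: str) -> str:
    # Assumption: base domain = last two labels; real code would consult the public-suffix list.
    return ".".join(host.split(".")[-2:])

def matches(req: Request, cond) -> bool:
    if cond is None:              # a bare action catches everything the earlier rules let through
        return True
    if cond == "from SELF++":     # assumed meaning: same base domain; no origin counts as self
        return req.origin == "" or base_domain(req.origin) == base_domain(req.dest)
    if cond == "INC":             # inclusion: loading a sub-resource rather than a page
        return req.inclusion
    return req.method.upper() == cond  # otherwise the condition is an HTTP method such as GET

def evaluate(req: Request, rules=FULL_RULES) -> str:
    """First matching rule wins: ACCEPT, DENY, or ANON (sent without cookies or credentials)."""
    if not in_site(req.dest):
        return "ACCEPT"           # the Site section governs only requests sent to ufbdirect.com
    for action, cond in rules:
        if matches(req, cond):
            return action.upper()
    return "ACCEPT"

if __name__ == "__main__":
    # Constructed samples: a search-engine link, a cross-site form post, a cross-site script include
    for r in (Request("www.google.com", "www.ufbdirect.com", "GET", False),
              Request("attacker.example", "www.ufbdirect.com", "POST", False),
              Request("attacker.example", "www.ufbdirect.com", "GET", True)):
        print(r.origin, "->", r.dest, r.method, "INC" if r.inclusion else "NAV", "=>", evaluate(r))
```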
ginahoy
Senior Member
Posts: 65
Joined: Tue Feb 07, 2012 6:32 pm

Re: need help with XSS exception for internet bank login

Post by ginahoy »

One step at a time ;)

Ok, the Console had tons of entries so after navigating to the login page, I cleared the console and attempted login. At that point there were 6 JS warnings, and a bunch of JS "info" entries. Here's the one I think you're looking for:

Code:

[NoScript XSS] Sanitized suspicious upload to [https://www.myufbdirect.com/tob/live/usp-core/app/initialLogin###DATA###%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3ENew+User%3F%3C%2Fa%3E%3Cspan+style%3D%22font-weight%3Anormal%3B%22%3E%26nbsp%3B%7C%26nbsp%3B%3C%2Fspan%3E%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Ftob%2Flive%2Fusp-core%2Fapp%2FauthUpdate%22%3EForgot+Your+Password%3F%3C%2Fa%3E] from [https://www.ufbdirect.com/]: transformed into a download-only GET request.
Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: need help with XSS exception for internet bank login

Post by barbaz »

:shock: :o :!:
This is on a BANK site?

Yes, that's the message. Looks like they're passing HTML fragments in the URL of a request! :o :o

Code:

[xx:xx:51.791] decodeURIComponent('%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3ENew+User%3F%3C%2Fa%3E%3Cspan+style%3D%22font-weight%3Anormal%3B%22%3E%26nbsp%3B%7C%26nbsp%3B%3C%2Fspan%3E%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Ftob%2Flive%2Fusp-core%2Fapp%2FauthUpdate%22%3EForgot+Your+Password%3F%3C%2Fa%3E')
[xx:xx:51.794] "<a+href=\"https://www.myufbdirect.com/onlineserv/HB/STDReg.cgi\">New+User?</a><span+style=\"font-weight:normal;\"> | </span><a+href=\"https://www.myufbdirect.com/tob/live/usp-core/app/authUpdate\">Forgot+Your+Password?</a>"
I wonder what happens if that HTML fragment contains a script tag?
Here's a harmless one, already percent-encoded, if you care to experiment:

Code:

%3Cscript%3Ealert(%22Hi+Im+an+XSS+vulnerability%22)%3C%2Fscript%3E
Just stick that on the end (or in the middle somewhere it won't mess up the HTML syntax) of the HTML fragment in the request URL, go to the resulting address, do an unsafe reload, and see what happens. ;)
Anyway,

Solution: PANIC!!!!!!!!!!!!!!, leave your NoScript configuration alone, and complain to the people running the site. (I'm dead serious.)
Point them to https://hackademix.net/2008/04/16/false ... t-typepad/, tell them that they should never pass any raw HTML fragments in GET or POST request parameters (especially GET) like that, because it makes them look vulnerable to XSS and the HTML fragment could be modified by an attacker to make an XSS attack on the site, which means people's login credentials could be stolen etc. Also be sure to let them know what, if anything, happens with that little experiment I suggested above, if you choose to try it.

Honestly I wouldn't be at all happy about trusting my money with anyone who runs a website like that...
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25
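To make barbaz's point concrete, here is an added example (not code from the thread, from NoScript or from the bank) that decodes the parameter NoScript flagged, labels it as markup, and shows the escaping a page must apply if it insists on echoing such a value, plus what the server actually needed to send (two link targets, not HTML). It uses Python's unquote_plus, which unlike the browser's decodeURIComponent shown above also turns '+' into spaces; TAG_RE and ACTIVE_RE are a deliberately simple stand-in for NoScript's real filter, and TEST_FRAGMENT is the fragment with the harmless test string from the post appended.

```python
import html
import re
from urllib.parse import unquote_plus

# The data NoScript's message shows after "###DATA###", copied from the log line in the thread;
# TEST_FRAGMENT is constructed by appending the harmless percent-encoded test string from the post.
BANK_FRAGMENT = (
    "%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3E"
    "New+User%3F%3C%2Fa%3E%3Cspan+style%3D%22font-weight%3Anormal%3B%22%3E%26nbsp%3B%7C%26nbsp%3B"
    "%3C%2Fspan%3E%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Ftob%2Flive%2Fusp-core%2Fapp"
    "%2FauthUpdate%22%3EForgot+Your+Password%3F%3C%2Fa%3E"
)
TEST_FRAGMENT = BANK_FRAGMENT + "%3Cscript%3Ealert(%22Hi+Im+an+XSS+vulnerability%22)%3C%2Fscript%3E"

TAG_RE = re.compile(r"<\s*/?[a-z][^>]*>", re.I)                      # any HTML tag at all
ACTIVE_RE = re.compile(r"<\s*(script|iframe|object|embed)\b|\son[a-z]+\s*=|javascript:", re.I)

def decode(param: str) -> str:
    """Form-decode the way a server does: %XX escapes, and '+' becomes a space."""
    return unquote_plus(param)

def classify(param: str) -> str:
    """Label a request parameter: 'plain', 'markup' (tags, no script) or 'active' (script-capable)."""
    text = decode(param)
    if ACTIVE_RE.search(text):
        return "active"
    if TAG_RE.search(text):
        return "markup"
    return "plain"

def render_as_text(param: str) -> str:
    """If the value must be echoed into a page, escape it so any tags stay inert text."""
    return html.escape(decode(param), quote=True)

def links_from_markup(param: str) -> list:
    """The only real data in the fragment: two URLs. A server should ship these, not HTML."""
    return re.findall(r'href="([^"]+)"', decode(param))

if __name__ == "__main__":
    for name, frag in (("bank", BANK_FRAGMENT), ("test", TEST_FRAGMENT)):
        print(name, classify(frag), render_as_text(frag)[:60])
```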
ginahoy
Senior Member
Posts: 65
Joined: Tue Feb 07, 2012 6:32 pm

Re: need help with XSS exception for internet bank login

Post by ginahoy »

I will attempt to raise this issue with the webmaster.

BTW, ufbdirect is part of BofI Federal Bank (BofI = Bank of the Internet) and like many other Internet banks, credit unions and community banks, their web interface is provided by digitalinsight.com. What's not clear is who is responsible for the code on the login page.

I'm interested in trying your experiment but your instructions are Greek to me. For example, I'm not sure what you mean by the request URL. Is this the page where I log in (https://usbdirect.com) or the URL of the landing page after I log in? BTW, when I mouse-hover over the login button, no URL is displayed.
Mozilla/5.0 (Windows NT 5.1; rv:28.0) Gecko/20100101 Firefox/28.0
Giorgio Maone
Site Admin
Posts: 9546
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: need help with XSS exception for internet bank login

Post by Giorgio Maone »

All barbaz says is correct: those cross-site requests are really scary and the site developers should carefully reconsider what they're doing.

That said, if you trust ufbdirect.com not to attack other sites, you can work around it permanently by adding the following line to your NoScript Options|Advanced|XSS exceptions box:

Code:

^@https://www\.ufbdirect\.com/
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
barbaz
Senior Member
Posts: 11143
Joined: Sat Aug 03, 2013 5:45 pm

Re: need help with XSS exception for internet bank login

Post by barbaz »

ginahoy wrote: I'm not sure what you mean by the request URL.
Whatever the URL is that this is fragments of.

Code:

https://www.myufbdirect.com/tob/live/usp-core/app/initialLogin###DATA###%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3ENew+User%3F%3C%2Fa%3E%3Cspan+style%3D%22font-weight%3Anormal%3B%22%3E%26nbsp%3B%7C%26nbsp%3B%3C%2Fspan%3E%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Ftob%2Flive%2Fusp-core%2Fapp%2FauthUpdate%22%3EForgot+Your+Password%3F%3C%2Fa%3E
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; NetBSD i386; rv:28.0) Gecko/20100101 Firefox/28.0 SeaMonkey/2.25