
NoScript crashing FireFox on banking site
Re: NoScript causing hang on lloydstsb UK Bank?
Having the same problem with anz.com.au (and anz.com) - their 'log on' button opens another page where you enter your user name and password. If you even just place the cursor anywhere over the new page, Firefox completely locks up. The only way I have found around the problem is to totally disable noscript! Not happy with that 

Mozilla/5.0 (Windows NT 6.2; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript causing hang on lloydstsb UK Bank?
I can't reproduce the hang here by allowing anz.com
How long does it lock up for?
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
NoScript crashing FireFox on banking site
In our house, I'm in charge of cooking and IT and my wife is the social and finance manager, among many other things. She has recently reported to me that she could not easily access our online banking at www.anz.com.au and I have confirmed that. Unfortunately, I have not been able to rectify the situation except by completely disabling NoScript. This is not desirable of course, so rather than get rid of NoScript, we are temporarily using Opera to access our banking, but I'm not confident that it is as secure as FireFox+NoScript+AdBlockerPro and want to return to normal asap.
There seem to be other reports of similar problems on other bank websites all over the world. I have seen various workarounds on your forums, but they have not worked for me and I could not figure out how to implement some of them anyway - too geeky for me. What I am quite concerned about is that the crash is covering up something more sinister, as hackers seem to use crashes and overloads to inject their evil code.
On Windows 7 SP1 and Windows 8.1, with the latest version of FireFox 41.0.1 and the latest version of NoScript our bank's website logon page now actually crashes FireFox as soon as the cursor touches it. Before, with recent versions there was a delay of maybe a minute before being able to logon. Note that you do not need an account to experience the problem, just go to www.anz.com.au and click the blue Log On button. You will then experience the crash when you move your cursor over the logon page.
There are no messages from NoScript when this happens, so I have no clue how to proceed past this point. I'm sure you will be able to dig down and find the problem.
Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript causing hang on lloydstsb UK Bank?
I've started a new topic so as not to hijack this one... viewtopic.php?f=10&t=21325
To answer your question: On the two PCs I've tried, it is a permanent crash of FireFox which can only be prevented by disabling NoScript. That's disabling it in tools/extensions, not just "Allow scripts globally". Only way out of the crash for me is to use Task Manager to shut down FireFox.
Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript causing hang on lloydstsb UK Bank?
jaydear wrote: I've started a new topic so as not to hijack this one...
Merged those posts to said new topic in order to keep discussion of your issue in one place.
So even disabling the entire XSS filter does not make it work for you?
Also, what's "AdBlockerPro"?
*Always* check the changelogs BEFORE updating that important software!
-
Re: NoScript crashing FireFox on banking site
Merge is good, thanks.
So to disable XSS do I just un-tick both "Sanitize cross-site..." and "Turn cross-site POST..."? If so, I haven't done that because I don't understand the implications for all the other sites we use. If not, where do I do that?
Oops! ABP is actually AdBlock Plus, my bad

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript crashing FireFox on banking site
jaydear wrote: So to disable XSS do I just un-tick both "Sanitize cross-site..." and "Turn cross-site POST..."?
Yes
jaydear wrote: If so, I haven't done that because I don't understand the implications for all the other sites we use.
It means NoScript does NOT protect against XSS so nothing will stop an XSS attack from using your browser as a vector for targeting a site you visit (and thus you to some extent, depending on the victim site). If you try disabling the XSS filter, you are best off visiting your bank site (or any other sensitive site, for that matter) in an isolated browser session - clear cookies & quit the browser before you access the site and after you're done; and don't visit any other sites in that browser session. Those are the implications, and this is not a solution; but it's very useful diagnostic information for this type of problem.
Re: NoScript crashing FireFox on banking site
I've disabled XSS and, yes it does stop the crash. I see that there is a list of Anti-XSS Protection Exceptions, but I am quite hopeless at writing RegExp's. Are there some instructions somewhere that decode the hieroglyphics? I've tried with Mailwasher's RegExp's and get some pretty weird results (I don't know if it's me or Mailwasher).

Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript crashing FireFox on banking site
the sticky in NS Support viewtopic.php?f=7&t=17774 and (if you don't know regular expressions) this tutorial
offtopic: ABP doesn't help you be more secure or better privacy https://issues.adblockplus.org/ticket/3046
that issue (& the one it links) is noticeable mostly on browser startup but it could happen anytime.
Re: NoScript crashing FireFox on banking site
jaydear wrote: our bank's website logon page now actually crashes FireFox
about:crashes, last few related crash report URLs ?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:41.0) Gecko/20100101 SeaMonkey/2.38
Re: NoScript crashing FireFox on banking site
I get a hang.
(A hang is not a crash.)
H A N G W A R N I N G
On this page, https: //www .anz.com/INETBANK/bankmain.asp
(I saw something about openid... ? And waf1x.anz.com.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:41.0) Gecko/20100101 SeaMonkey/2.38
Re: NoScript crashing FireFox on banking site
Allowing the full domain, +www.anz.com, but none of the others, allows the page to load successfully.
-waf1x.anz.com
-mstcl3.anz.com
-ctmdx.anz.com
-cdn.tt.omtrdc.net
-tt.omtrdc.net
-australianewzealandb.tt.omtrdc.net
-anz.demdex.net
+www.anz.com
Now I have no idea if you can then log in & do what you need to do, but at least you've gotten past one obstacle. You might be able to whittle down the list... Perhaps it is only the one domain waf1x.anz.com that causes the issue? (Or not?)
-waf1x.anz.com is definitely instrumental in the hang.
No hang with this:
-waf1x.anz.com
+mstcl3.anz.com
+ctmdx.anz.com
+anz.demdex.net
+www.anz.com
So maybe ? you'll be OK with blacklisting:
-waf1x.anz.com
?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 5.1; rv:41.0) Gecko/20100101 SeaMonkey/2.38
Re: NoScript crashing FireFox on banking site
If there is no XSS message in the console then it seems safe to do an origin XSS exception (prefixing "@" as shown in the above-linked sticky)
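Added example (not part of the original thread, and not NoScript's own code): a JavaScript check of how tightly a candidate Anti-XSS exception pattern is scoped before it goes into the exceptions list. It assumes each exception is an unanchored regular expression tested against a full URL; `auditException`, `isTightlyScoped` and every sample URL except the anz.com login page are constructed for illustration.

```javascript
// Added example: audit a candidate Anti-XSS exception regex for over-matching.
// Assumption: the pattern is applied as an unanchored JavaScript RegExp test
// against the full URL, so anything not pinned with ^, escaped dots and a
// trailing slash can match URLs the user never meant to exempt.

// The login page URL is taken from the thread; the look-alikes are constructed
// and are URLs that a well-scoped exception must NOT match.
const INTENDED = "https://www.anz.com/INETBANK/bankmain.asp";
const LOOKALIKES = [
  "https://www.anz.com.attacker.example/INETBANK/bankmain.asp",   // host suffix
  "https://wwwXanz.com/INETBANK/bankmain.asp",                    // unescaped dot
  "https://attacker.example/?next=https://www.anz.com/INETBANK/", // URL in query
  "http://www.anz.com/INETBANK/bankmain.asp",                     // plain http
];

function auditException(source) {
  let re;
  try {
    re = new RegExp(source);
  } catch (err) {
    // A pattern that does not compile protects nothing and exempts nothing.
    return { valid: false, error: err.message, coversIntended: false, overMatches: [] };
  }
  return {
    valid: true,
    error: null,
    coversIntended: re.test(INTENDED),
    overMatches: LOOKALIKES.filter((url) => re.test(url)),
  };
}

function isTightlyScoped(source) {
  const r = auditException(source);
  return r.valid && r.coversIntended && r.overMatches.length === 0;
}

const loose = "www.anz.com";                        // dots match any character
const tight = "^https://www\\.anz\\.com/INETBANK/"; // anchored, escaped, path-pinned
for (const p of [loose, tight]) {
  const r = auditException(p);
  console.log(p, "->", r.coversIntended ? "covers login page" : "misses login page",
              "| unintended matches:", r.overMatches.length);
}
```
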
Re: NoScript crashing FireFox on banking site
barbaz wrote: the sticky in NS Support viewtopic.php?f=7&t=17774 and (if you don't know regular expressions) this tutorial
Thanks for those links

Last edited by jaydear on Tue Oct 13, 2015 7:45 pm, edited 1 time in total.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0
Re: NoScript crashing FireFox on banking site
therube wrote: about:crashes, last few related crash report URLs ?
You're right, it was hanging, not crashing! Sorry for misleading everyone, didn't know crash reports are stored for later perusal.
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:41.0) Gecko/20100101 Firefox/41.0