XBox.com

Ask for help about NoScript, no registration needed to post
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

XBox.com

Post by jacdelad »

Hello,
I hope I am providing the correct information, and enough of it.
During my visits to xbox.com the webpage freezes every time after a few seconds, for about 10 seconds or a bit more. NoScript shows a message telling me about XSS attempts. When using "unsafe reloading" the page works until I click on a link, then everything repeats. Long story short: I assume that some XSS thing is making my browser freeze. I tried to update the XSS filter via two lines:

^http?://www\.microsoft\.com.*$
^http?://web\.vortex\.data\.microsoft\.com.*$

I am not used to regexes, so this may be wrong. In fact my browser still freezes. The console shows this entry:

Code: Select all

[NoScript XSS] A suspicious request has been sanitized. Original URL [https://web.vortex.data.microsoft.com/collect/v1/t.asm?ver=%272.1%27&name=%27Ms.Webi.ContentView%27&time=%272016-11-18T16%3A45%3A29.070Z%27&os=%27Windows%27&*baseType=%27Ms.Content.PageView%27&-pageName=%27XboxAddOn%20Details%27&-uri=%27https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fstore%2Fp%2Fbatman-the-telltale-series-season-pass-episodes-2-5%2Fbph40w8dbzz9%27&-referrerUri=%27https%3A%2F%2Fwww.microsoftstore.com%2Fstore%2Fmsde%2Fde_DE%2FDisplayWorldWidePage%2F%3FabsoluteReturnUrl%3Dhttps%3A%2F%2Fwww.microsoft.com%2Fde-de%2Fstore%2Fp%2Fbatman-the-telltale-series-season-pass-episodes-2-5%2Fbph40w8dbzz9%27&-pageTags=%27%7B%22timing%22%3A%22%7B%5C%22navigationStart%5C%22%3A1479487510119%2C%5C%22unloadEventStart%5C%22%3A0%2C%5C%22unloadEventEnd%5C%22%3A0%2C%5C%22redirectStart%5C%22%3A0%2C%5C%22redirectEnd%5C%22%3A0%2C%5C%22fetchStart%5C%22%3A1479487510120%2C%5C%22domainLookupStart%5C%22%3A1479487510120%2C%5C%22domainLookupEnd%5C%22%3A1479487510120%2C%5C%22connectStart%5C%22%3A1479487510120%2C%5C%22connectEnd%5C%22%3A1479487510120%2C%5C%22requestStart%5C%22%3A1479487510120%2C%5C%22responseStart%5C%22%3A1479487510134%2C%5C%22responseEnd%5C%22%3A1479487510724%2C%5C%22domLoading%5C%22%3A1479487510150%2C%5C%22domInteractive%5C%22%3A1479487527767%2C%5C%22domContentLoadedEventStart%5C%22%3A1479487527769%2C%5C%22domContentLoadedEventEnd%5C%22%3A1479487527969%2C%5C%22domComplete%5C%22%3A1479487529046%2C%5C%22loadEventStart%5C%22%3A1479487529046%2C%5C%22loadEventEnd%5C%22%3A0%7D%22%2C%22metaTags%22%3A%7B%22ms.v%22%3A%222016.11.16.9%22%2C%22ms.Cv%22%3A%22tDQjbKoqDkK4240O.30%22%2C%22ms.pagename%22%3A%22XboxAddOn%20Details%22%2C%22ms.pcn%22%3A%22Redstone%20PDP%201608%20pdpGameLayout1%22%2C%22ms.availableon%22%3A%22Xbox%20One%22%2C%22ms.dqid%22%3A%228b2d1f21-2a6a-4463-a56e-c66443f1e669%22%2C%22ms.auth%22%3A%221%22%2C%22ms.prod_type%22%3A%22AddOns%22%2C%22ms.prod_cat%22%3A%22%22%2C%22ms.prod_worksonxbox%22%3A%22true%2
2%2C%22ms.prod%22%3A%22Batman%20-%20The%20Telltale%20Series%20-%20Season%20Pass%20(Episodes%202-5)%22%2C%22ms.prod_id%22%3A%22BPH40W8DBZZ9%22%7D%7D%27&-customSessionGuid=%276ad9062d76d74838a3fa4c6e4f759de1%27&-impressionGuid=%27987d10e6-943f-4f63-898f-8de8597898b4%27&-contentJsonVer=2&-content=%27%5B%7B%22areaName%22%3A%22Details%22%2C%22slotNumber%22%3A%221%22%2C%22templateName%22%3A%22Desc-BuyOptions-RatingsReviews%22%2C%22contentId%22%3A%22BPH40W8DBZZ9%22%2C%22contentName%22%3A%22Batman%20-%20The%20Telltale%20Series%20-%20Season%20Pass%20(Episodes%202-5)%22%2C%22contentSource%22%3A%22DisplayCatalog%22%2C%22product%22%3A%22BPH40W8DBZZ9%22%7D%2C%7B%22areaName%22%3A%22addonparent%22%2C%22slotNumber%22%3A%220%22%2C%22templateName%22%3A%221rowMWFCarousel%22%2C%22contentId%22%3A%22C4VVPDBXSH5P%22%2C%22contentName%22%3A%22Batman%20-%20The%20Telltale%20Series%20-%20Episode%201%3A%20Realm%20of%20Shadows%22%2C%22contentSource%22%3A%22DisplayCatalog%22%2C%22contentType%22%3A%224%22%7D%2C%7B%22areaName%22%3A%22addonparent%22%2C%22slotNumber%22%3A%221%22%2C%22templateName%22%3A%221rowMWFCarousel%22%2C%22contentId%22%3A%22BQ2ZZ6WTZZJZ%22%2C%22contentName%22%3A%22Batman%3A%20The%20Telltale%20Series%20-%20The%20Complete%20Season%20(Episodes%201-5)%22%2C%22contentSource%22%3A%22DisplayCatalog%22%2C%22contentType%22%3A%224%22%7D%2C%7B%22areaName%22%3A%22addonparent%22%2C%22slotNumber%22%3A%222%22%2C%22templateName%22%3A%221rowMWFCarousel%22%2C%22contentId%22%3A%22CFQ7TTC0K5DJ%22%2C%22contentName%22%3A%22Xbox%20Live%20Gold%22%2C%22contentSource%22%3A%22DisplayCatalog%22%2C%22contentType%22%3A%224%22%7D%2C%7B%22areaName%22%3A%22pdpbundles%22%2C%22slotNumber%22%3A%220%22%2C%22templateName%22%3A%221rowMWFCarousel%22%2C%22contentId%22%3A%22BQ2ZZ6WTZZJZ%22%2C%22contentName%22%3A%22Batman%3A%20The%20Telltale%20Series%20-%20The%20Complete%20Season%20(Episodes%201-5)%22%2C%22contentSource%22%3A%22DisplayCatalog%22%2C%22contentType%22%3A%224%22%7D%5D%27&*flightId=%27addemail%3A1%2Caddlegacy
purchasetype%3A1%2Caddsdkbillable%3A1%2Caddsdklegacytype%3A1%2Caddxtokenformobi%3A1%2Cajaxtimeout%3A1%2Calipayba%3A1%2CBSP_PaidPurchase%3A1%2CBundle3P%3A1%2Ccartcsv%3A1%2Ccartstrings%3A1%2Cccfamily%3A1%2Cclicktale%3A1%2Ccnresell%3A1%2Cconvergence%3A1%2Ccreateprofile%3A1%2Ccup%3A1%2Cdisable404ForNoDetails%3A1%2CdisableExclusivityOnLegacy%3A1%2CdiscountDisclaimer%3A1%2Cdres%3A1%2Ceditcupcc%3A1%2Ceditcupcclink%3A1%2Cembercli%3A1%2CenableAccessibilityStatusPDP%3A1%2Censighten%3A1%2Centpcspdpmodules%3A1%2CentpRoute%3A1%2CentPRouteRedirect%3A1%2Cexclusivity%3A1%2CFeature_ClickTale%3A1%2CFeature_FamilySafety%3A1%2CFeature_TFA%3A1%2Cforcexboxeligibility%3A1%2CignoreRemediation%3A1%2Cinlinechangelink%3A1%2Ciosrerender%3A1%2Cmaskfields%3A1%2CMVR_ControlFlight%3A1%2Cmwfnext%3A1%2Cnewpaypalflow%3A1%2Cnonsimsvg%3A1%2Cnopdpcache%3A1%2Cnopost%3A1%2Comexerror%3A1%2Comexmanualretry%3A1%2Comniture%3A1%2Coneui3_0_0pdp%3A1%2Coneui3_0_0pdpent%3A1%2Corderpcsmodules%3A1%2Corderversion%3A1%2Cpaypalinpage%3A1%2Cpcslandingmodules%3A1%2Cpcsmodules%3A1%2Cpcssfv7Pdp%3A1%2Cpiinclusionjp%3A1%2Cpilang%3A1%2Cpreloadorder%3A1%2Cprofiletimeout%3A1%2CpRoute%3A1%2CratingsEdge%3A1%2CreportReview%3A1%2Crestrictpurchase%3A1%2Cretrycheckout%3A1%2Cretryget%3A1%2Cretryput%3A1%2Csapicart%3A1%2Csdkerror%3A1%2CshowFeedback%3A1%2CshowHolographic%3A1%2Cshowwarningforpurchase%3A1%2Csing%3A1%2Csoasta%3A1%2Ctiless%3A1%2Cusepartd%3A1%2Cxbfree%3A1%2Cxboxreseller%3A1%27&*cookieEnabled=true&*browserSize=%271897x4563%27&*cookies=%27MC1%3DGUID%3Dc989d23bfbdaad46a8d7a31d89b2e474%26HASH%3D3bd2%26LV%3D201602%26V%3D4%26LU%3D1455910076804%3BMSFPC%3DID%3Dc989d23bfbdaad46a8d7a31d89b2e474%26CS%3D3%26LV%3D201602%26V%3D1%3B%27&*pageLoadTime=18926&*screenRes=%271920x1080%27&*isJs=true&*title=%27Batman%20-%20The%20Telltale%20Series%20-%20Season%20Pass%20(Episodes%202-5)%20-%20Microsoft%20Store%27&*signInStatus=1&cV=%27c14Y27cltWAwJ7YI.0%27&ext-app-expId=%27none%27&appId=%27JS%3AUniStore%27&ext-javascript-libVer=%273.3.1%27&ext-user-l
ocalId=%27t%3A00FD07C111896A2D0D660F0115896940%27&sauth=1] requested from [https://www.microsoft.com/en-us/store/p/batman-the-telltale-series-season-pass-episodes-2-5/bph40w8dbzz9]. Sanitized URL: [https://web.vortex.data.microsoft.com/#05269524161266115967].


...along with some javascript injections.

Can anyone help me? I would like to allow XSS on xbox.com and needed subsites.

Thanks,
Jac
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XBox.com

Post by barbaz »

The answer to your question, of how to allow that site to be XSS'd, is

Code: Select all

^https://web\.vortex\.data\.microsoft\.com/
However, do keep in mind that XSS is an attack. And I can't tell whether an XSS exception for this one is actually safe.

This specific site has been brought up before -
viewtopic.php?f=7&t=21461
viewtopic.php?f=10&t=21657
*Always* check the changelogs BEFORE updating that important software!
-
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

Re: XBox.com

Post by jacdelad »

Ah, thanks for answering and sorry for reposting this topic.

I guess microsoft.com shouldn't be intentionally malicious. Maybe just a bit of data collecting.

Thanks,
Jac
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XBox.com

Post by barbaz »

jacdelad wrote: and sorry for reposting this topic.
That's OK. You might notice that while all 3 threads involve the same site, the question asked is quite different in each one. And as a result, each thread got a different answer. This is why I thought sharing both links would be useful.

How is your thread a repost? In my view, and I am a Moderator here, it's not. Enough said. ;)

Don't sweat it, you're fine.
jacdelad wrote:Thanks,
Jac
You're welcome.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XBox.com

Post by Thrawn »

jacdelad wrote: I guess microsoft.com shouldn't be intentionally malicious.
I think you misunderstand. XSS is about other, potentially malicious sites leveraging the trusted status of microsoft.com, to attack microsoft.com. So, if there is an XSS vulnerability, evil.com could insert its own scripts into the pages of microsoft.com, and take actions as if it were Microsoft.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
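Added example, not code from the thread, from NoScript or from Microsoft, to put Thrawn's point above into working code: what reflected XSS is, where the fix belongs, and what a browser-side filter such as NoScript's can and cannot see when it decides to sanitize a request. The host names trusted.example and evil.example, the page handlers, the heuristic and the sample URLs are all invented for this illustration.

```javascript
// Added example; not NoScript's, Microsoft's or any poster's code.
// Models reflected XSS (Thrawn's "evil.com inserts its own scripts into
// microsoft.com"), the server-side fix, and a crude request-side check.
// Hosts, handlers and sample URLs are invented.

// Vulnerable page on trusted.example: echoes the "q" parameter into its HTML
// without encoding. A link on evil.example pointing here with
// q=<script>...</script> makes that script run *as* trusted.example, with
// trusted.example's cookies and origin. That is the attack the filter targets.
function renderVulnerable(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<h1>Results for ${q}</h1>`;
}

// The real fix lives on the server: encode untrusted data at the point where it
// is inserted into an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(requestUrl) {
  const q = new URL(requestUrl).searchParams.get('q') ?? '';
  return `<h1>Results for ${escapeHtml(q)}</h1>`;
}

// A browser-side filter never sees the server's code, only the outgoing
// request, so it has to guess from the decoded query values whether they carry
// markup or script. This regex is a deliberately small stand-in for that guess,
// not NoScript's actual algorithm.
const SUSPICIOUS = /<\s*\/?[a-z]|javascript\s*:|\bon[a-z]+\s*=/i;

function queryLooksLikeXss(requestUrl) {
  for (const value of new URL(requestUrl).searchParams.values()) {
    if (SUSPICIOUS.test(value)) return true;
  }
  return false;
}

// Only cross-origin requests are "cross-site" scripting candidates: a page
// sending a payload to its own origin is not another site attacking it.
function shouldSanitize(originUrl, requestUrl) {
  const sameOrigin = new URL(originUrl).origin === new URL(requestUrl).origin;
  return !sameOrigin && queryLooksLikeXss(requestUrl);
}

// Constructed sample requests: one carrying a payload, one benign.
const PAYLOAD_URL = 'https://trusted.example/search?q=<script>alert(document.cookie)</script>';
const BENIGN_URL = 'https://trusted.example/search?q=batman';

function demo() {
  console.log(renderVulnerable(PAYLOAD_URL));                        // script tag survives
  console.log(renderSafe(PAYLOAD_URL));                              // script tag encoded
  console.log(shouldSanitize('https://evil.example/', PAYLOAD_URL)); // true
  console.log(shouldSanitize('https://evil.example/', BENIGN_URL));  // false
  console.log(shouldSanitize('https://trusted.example/', PAYLOAD_URL)); // false: same origin
}

demo();
```

The heuristic is crude on purpose, and that is the practical point: a filter that judges requests from the outside will sometimes flag legitimate traffic, because it has no way to know that the quoted JSON in a query string like the web.vortex.data.microsoft.com one in the first post is telemetry rather than an injection attempt. Whether to add an exception for such a destination is therefore a judgement about whether that endpoint itself can be trusted, which is exactly the caveat barbaz raised.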
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

Re: XBox.com

Post by jacdelad »

Thrawn wrote:
jacdelad wrote: I guess microsoft.com shouldn't be intentionally malicious.
I think you misunderstand. XSS is about other, potentially malicious sites leveraging the trusted status of microsoft.com, to attack microsoft.com. So, if there is an XSS vulnerability, evil.com could insert its own scripts into the pages of microsoft.com, and take actions as if it were Microsoft.
Ah I see, thanks for the info. So it's up to me to decide whether to allow microsoft.com or not. I allowed it; the store now works fine. I guess I'll have to take the risk. So, as I understand it, it's up to Microsoft to "fix" it? Or maybe reprogram it.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XBox.com

Post by Thrawn »

jacdelad wrote:I guess I'll have to take the risk
Actually, you have options.

- You can change your XSS exception to ignore microsoft.com as an origin instead of a destination, by prefixing it with @. You trust Microsoft not to XSS anyone else, right? So this should be safe.
- You can protect microsoft.com from all cross-site attacks using ABE (in the USER ruleset):

Code: Select all

Site .microsoft.com
Accept from .microsoft.com
Anon GET
Deny
This was actually the original idea of ABE, to protect vulnerable sites from things like XSS and CSRF.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

Re: XBox.com

Post by jacdelad »

So, this is what ABE looks like now for me:

Code: Select all

Site .microsoft.com
Accept from .microsoft.com
Anon GET
Deny
and

Code: Select all

@^http?://www\.microsoft\.com./
@^https://web\.vortex\.data\.microsoft\.com/
for XSS. Is that correct? Store still works fine.
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XBox.com

Post by barbaz »

Your ABE rule could be changed to this -

Code: Select all

Site web.vortex.data.microsoft.com
Accept from .microsoft.com
Deny
You only need one XSS exception, and neither of the ones you've got would match anything. If you want the exception to allow Microsoft to XSS any site,

Code: Select all

@^https://www\.microsoft\.com/
BTW, your use of the ? character shows that you've never worked with regex before. This tutorial will help you understand.
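Added example, not NoScript's own code, that turns the two mechanisms discussed in Thrawn's and barbaz's posts above into something you can run: an evaluator for ABE rules like "Site .microsoft.com / Accept from .microsoft.com / Anon GET / Deny" (and barbaz's narrower web.vortex.data.microsoft.com variant), and a matcher for XSS-filter exception lines where a leading "@" switches the regex from destination to origin. The rule semantics are modelled on how the thread describes them (first matching rule wins, a leading dot covers subdomains, no "from" means any origin, no method means any method); the SELF keyword and the sample requests are this example's additions.

```javascript
// Added example; not NoScript's code. Toy evaluator for ABE rules and for
// XSS-filter exception lines, with semantics as described in this thread.
// Sample hosts such as evil.example are constructed for the example.

// ".microsoft.com" matches microsoft.com and every subdomain; a bare host name
// matches only that host. "SELF" (an ABE keyword, modelled here as an
// assumption) means the request's own destination host.
function hostMatches(pattern, host, destHost) {
  host = host.toLowerCase();
  if (pattern.toUpperCase() === 'SELF') return host === destHost.toLowerCase();
  pattern = pattern.toLowerCase();
  if (pattern.startsWith('.')) return host === pattern.slice(1) || host.endsWith(pattern);
  return host === pattern;
}

// Parse a ruleset into [{ sites, rules: [{ action, methods, origins }] }].
// A rule without "from" applies to every origin ('*'); a rule without a method
// list applies to every method.
function parseAbe(text) {
  const blocks = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*$/, '').trim();
    if (!line) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb.toLowerCase() === 'site') {
      current = { sites: rest, rules: [] };
      blocks.push(current);
      continue;
    }
    if (!current) throw new Error(`rule before any Site line: ${line}`);
    const fromAt = rest.findIndex(t => t.toLowerCase() === 'from');
    const methods = (fromAt === -1 ? rest : rest.slice(0, fromAt)).map(m => m.toUpperCase());
    const origins = fromAt === -1 ? ['*'] : rest.slice(fromAt + 1);
    current.rules.push({ action: verb.toLowerCase(), methods, origins });
  }
  return blocks;
}

// First matching rule in the first matching Site block decides: 'accept'
// (let through), 'anon' (strip cookies/credentials) or 'deny'. A request to a
// host that no Site line covers is none of ABE's business and is accepted.
function evaluateAbe(blocks, { originHost, destHost, method }) {
  for (const block of blocks) {
    if (!block.sites.some(s => hostMatches(s, destHost, destHost))) continue;
    for (const rule of block.rules) {
      const methodOk = rule.methods.length === 0 || rule.methods.includes(method.toUpperCase());
      const originOk = rule.origins.some(o => o === '*' || hostMatches(o, originHost, destHost));
      if (methodOk && originOk) return rule.action;
    }
  }
  return 'accept';
}

// XSS exceptions: one regex per line. A leading "@" makes the regex apply to
// the origin (the page that sent the request); otherwise it applies to the
// destination URL. A match of either kind exempts the request from the filter.
// Note that the "@" must come first: "^@https://..." is a destination regex
// requiring a literal "@" at position 0 and can never match.
function parseXssExceptions(text) {
  return text.split('\n').map(l => l.trim()).filter(Boolean).map(l => {
    const byOrigin = l.startsWith('@');
    return { byOrigin, re: new RegExp(byOrigin ? l.slice(1) : l) };
  });
}

function xssExempt(exceptions, originUrl, destUrl) {
  return exceptions.some(e => e.re.test(e.byOrigin ? originUrl : destUrl));
}

// The rulesets from the thread.
const BROAD_ABE = `
Site .microsoft.com
Accept from .microsoft.com
Anon GET
Deny`;

const NARROW_ABE = `
Site web.vortex.data.microsoft.com
Accept from .microsoft.com
Deny`;

const EXCEPTIONS = String.raw`
^https://web\.vortex\.data\.microsoft\.com/
@^https://www\.microsoft\.com/`;

// "http?" is "htt" plus an optional "p", so this line can never match an
// https:// URL, which is why it silently did nothing for the store pages.
const BROKEN_EXCEPTION = String.raw`^http?://www\.microsoft\.com.*$`;

const req = (originHost, destHost, method) => ({ originHost, destHost, method });
console.log(evaluateAbe(parseAbe(BROAD_ABE), req('evil.example', 'www.microsoft.com', 'GET')));  // anon
console.log(evaluateAbe(parseAbe(BROAD_ABE), req('evil.example', 'www.microsoft.com', 'POST'))); // deny
console.log(xssExempt(parseXssExceptions(EXCEPTIONS), 'https://www.microsoft.com/', 'https://example.org/')); // true
```

The difference between the two rulesets shows up in the evaluator: with the broad one, a GET from an unrelated site to any microsoft.com host is anonymized and a POST is denied; with the narrow one, only requests to the vortex telemetry host are constrained and the rest of microsoft.com is left to its own defences. Likewise the origin-style exception exempts every request the Microsoft store page sends, not just the ones to the telemetry host, which is why barbaz says a single line is enough.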
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

Re: XBox.com

Post by jacdelad »

Thanks barbaz,

you won't believe it, but I actually do understand several programming languages and also wrote tools for a German school for the kids to learn coding, for Windows as well as for some embedded systems. But I never used, tried to understand or learn RegEx-things. Maybe it's really time to. :D
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
barbaz
Senior Member
Posts: 11141
Joined: Sat Aug 03, 2013 5:45 pm

Re: XBox.com

Post by barbaz »

jacdelad wrote:I never used, tried to understand or learn RegEx-things. Maybe it's really time to. :D
I agree. Regex is not JavaScript-specific and can probably be used in at least one of the programming languages you already know.
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XBox.com

Post by Thrawn »

I think every programmer, regardless of their chosen language, needs to understand regex and SQL...
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
jacdelad
Posts: 6
Joined: Fri Nov 18, 2016 7:03 pm

Re: XBox.com

Post by jacdelad »

Thrawn wrote:I think every programmer, regardless of their chosen language, needs to understand regex and SQL...
I didn't need it yet. But as you command sir, I will learn it. :)
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0