XSS issue

maurix
Posts: 19
Joined: Tue Jun 23, 2015 1:35 pm

XSS issue

Post by maurix »

Just wondering why a trusted site such as "teatro alla scala" activates an XSS alert.

The alert message is there even after trusting the whole site.

http://teatroallascala.ticketone.it/tic ... /eventlist


[NoScript XSS] Suspicious request filtered. Original URL [https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO%26map%255B%2527startpos%2527%255D%3D0%26map%255B%2527nogenre%2527%255D%3D%26map%255B%2527genre%2527%255D%3D49%26map%255B%2527production%2527%255D%3D0%26map%255B%2527eventTitle%2527%255D%3D%26map%255B%2527date_begin%2527%255D%3D27.01.2017%26map%255B%2527date_end%2527%255D%3D29.10.2017%26map%255B%2527extSearch%2527%255D%3D%2524status.value%26map%255B%2527performanceLocation%2527%255D%3D0%26map%255B%2527venue%2527%255D%3D0&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist&tiba=Fond.%20Teatro%20alla%20Scala%20-%20Ticketshop] requested by [http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist?CSRFTOKEN=XSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO&map%5B%27startpos%27%5D=0&map%5B%27nogenre%27%5D=&map%5B%27genre%27%5D=49&map%5B%27production%27%5D=0&map%5B%27eventTitle%27%5D=&map%5B%27date_begin%27%5D=27.01.2017&map%5B%27date_end%27%5D=29.10.2017&map%5B%27extSearch%27%5D=%24status.value&map%5B%27performanceLocation%27%5D=0&map%5B%27venue%27%5D=0]. 
Filtered URL: [https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO%26map%2520%2520startpos%2520%2520%3D0%26map%2520%2520nogenre%2520%2520%3D%26map%2520%2520genre%2520%2520%3D49%26map%2520%2520production%2520%2520%3D0%26map%2520%2520eventTitle%2520%2520%3D%26map%2520%2520date_begin%2520%2520%3D27.01.2017%26map%2520%2520date_end%2520%2520%3D29.10.2017%26map%2520%2520extSearch%2520%2520%3D%2524status.value%26map%2520%2520performanceLocation%2520%2520%3D0%26map%2520%2520venue%2520%2520%3D0%231916098442555102433&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist&tiba=Fond.%20Teatro%20alla%20Scala%20-%20Ticketshop#3757395624505079534].
An unbalanced tree was written using document.write(), which caused data from the network to be reparsed. For more information see https://developer.mozilla.org/Optimizing_Your_Pages_for_Speculative_Parsing eventlist:182:0
about:blank : Unable to run script because scripts are blocked internally. <unknown>
about:blank : Unable to run script because scripts are blocked internally. <unknown>
OpenGL compositor Initialized Succesfully.
Version: 1.4 APPLE-1.6.36
Vendor: Intel Inc.
Renderer: Intel GMA 950 OpenGL Engine
FBO Texture Target: TEXTURE_2D
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
barbaz
Senior Member
Posts: 11093
Joined: Sat Aug 03, 2013 5:45 pm

Re: XSS issue

Post by barbaz »

It decodes to this -


https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist?CSRFTOKEN=XSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO&map['startpos']=0&map['nogenre']=&map['genre']=49&map['production']=0&map['eventTitle']=&map['date_begin']=27.01.2017&map['date_end']=29.10.2017&map['extSearch']=$status.value&map['performanceLocation']=0&map['venue']=0&ref=http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist&tiba=Fond. Teatro alla Scala - Ticketshop
Not sure if that's a false positive or not. Does the XSS filtering break the site?
*Always* check the changelogs BEFORE updating that important software!
-
maurix
Posts: 19
Joined: Tue Jun 23, 2015 1:35 pm

Re: XSS issue

Post by maurix »

Nope.
I can easily navigate through the whole site even with the "alert" on.
BTW, the alert is still there even after clicking the option "reload without protection" in the top bar menu. The same question applies to the apparent inefficacy of the "trust the whole site" option.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:45.0) Gecko/20100101 Firefox/45.0
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: XSS issue

Post by Thrawn »

The cross-site scripting filter is separate from the regular whitelist, because the point of XSS is that when two sites are whitelisted, and one of them is malicious, it can use vulnerabilities to force the other site to execute scripts in its own security context. So random.com can cause bank.com to perform transactions, for example.

In this case, the teatroallascala site is doing something with analytics that might, or might not, represent a vulnerability that another site could exploit.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
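To make barbaz's hand decoding and Thrawn's point concrete, here is an added example (not code from the thread, and not NoScript's own filter): it decodes the nested `url=` parameter of the doubleclick request, which carries the ticketone.it page URL percent-encoded a second time, and diffs the original request against the filtered one. The two URLs are constructed by trimming the log from the first post (most tracking parameters dropped); the parameter names, the CSRFTOKEN value and the fragment numbers are the ones that appear on the page. It only shows what the log records; it does not reimplement NoScript's detection logic.

```javascript
// Added example, not part of the forum thread and not NoScript's code.
// Inputs are trimmed from the log in the first post (constructed sample).

const ORIGINAL =
  "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/" +
  "?random=1485556875735&fmt=1" +
  "&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist" +
  "%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO" +
  "%26map%255B%2527startpos%2527%255D%3D0" +
  "%26map%255B%2527genre%2527%255D%3D49" +
  "%26map%255B%2527extSearch%2527%255D%3D%2524status.value" +
  "&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist";

const FILTERED =
  "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/" +
  "?random=1485556875735&fmt=1" +
  "&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist" +
  "%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO" +
  "%26map%2520%2520startpos%2520%2520%3D0" +
  "%26map%2520%2520genre%2520%2520%3D49" +
  "%26map%2520%2520extSearch%2520%2520%3D%2524status.value" +
  "%231916098442555102433" +
  "&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist" +
  "#3757395624505079534";

// The "url=" parameter of the doubleclick request carries the referring page
// URL, percent-encoded once more. URLSearchParams undoes the outer layer;
// parsing the result as a URL lets us undo the inner one.
function innerUrl(logUrl) {
  const nested = new URL(logUrl).searchParams.get("url");
  if (nested === null) throw new Error("no url= parameter in " + logUrl);
  return new URL(nested);
}

// Fully decoded query of the nested URL as [key, value] pairs, in order.
function innerParams(logUrl) {
  return Array.from(innerUrl(logUrl).searchParams.entries());
}

// Pair up the nested query parameters of the original and filtered requests
// and keep only the ones the filter rewrote.
function filterDiff(origUrl, filtUrl) {
  const a = innerParams(origUrl);
  const b = innerParams(filtUrl);
  const out = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const [ok, ov] = a[i] || ["", ""];
    const [fk, fv] = b[i] || ["", ""];
    if (ok !== fk || ov !== fv) {
      out.push({ original: ok + "=" + ov, filtered: fk + "=" + fv });
    }
  }
  return out;
}

// Characters that occur in the original decoded keys/values but nowhere in
// the filtered ones: what the filter neutralized in this request.
function neutralizedChars(origUrl, filtUrl) {
  const before = innerParams(origUrl).flat().join("");
  const after = new Set(innerParams(filtUrl).flat().join(""));
  return [...new Set(before)].filter((c) => !after.has(c)).sort().join("");
}

// Fragments the filter appended: both the nested URL and the outer one gain one.
function addedFragments(filtUrl) {
  return { outer: new URL(filtUrl).hash, inner: innerUrl(filtUrl).hash };
}

console.log(filterDiff(ORIGINAL, FILTERED));
console.log("neutralized:", JSON.stringify(neutralizedChars(ORIGINAL, FILTERED)));
console.log(addedFragments(FILTERED));
```

Running it shows that the `CSRFTOKEN` parameter survives untouched, that each `map['…']` key was rewritten to `map  …  ` (the `[`, `'` and `]` characters replaced by spaces), and that a numeric fragment was appended to both the nested and the outer URL. That is the whole difference between the two log entries: the request still reaches doubleclick, which is why the site keeps working with the alert on, and the characters NoScript removed are exactly the ones a PHP-style `map['key']` query uses, which is why the alert persists regardless of whitelisting.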