Citibank page doesn't work
When logging in to the Citibank online banking website (http://www.citibank.com), after entering credentials and while waiting for the account information to show up, the Firefox browser hangs for about 5 minutes (!). Eventually it asks twice whether to open or save a file (Open/Save dialog window), in both cases trying to save what looks like a JavaScript file from http://steps.citi.com, although it has a size of 0 bytes. In both cases, the suggested file name when saving the file is a string that looks like a piece of JavaScript code (which I, unfortunately, can't paste here as it triggers this forum's anti-spam filter ("Ooops, something in your posting triggered my antispam filter...")).
Disabling NoScript cures the issue completely (Tools -> Add-ons -> Extensions -> Disable; then restart a browser), and re-enabling it brings the issue back. So it clearly looks like a NoScript-induced problem.
The issue appears even if within NoScript its functionality is effectively turned off (Options -> Whitelist -> Scripts Globally Allowed (dangerous)).
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:51.0) Gecko/20100101 Firefox/51.0
Re: Citibank page doesn't work
We've had many threads on this before, about many different bank sites - viewtopic.php?f=7&t=21178
tl;dr The bank site is XSSing itself by design, and NoScript's XSS filter is blocking that very unsafe practice.
*Always* check the changelogs BEFORE updating that important software!
Re: Citibank page doesn't work
It looks like it's indeed XSS that's causing the problem.
After following the thread you linked, it looks like the only secure solution proposed there is to create a separate profile to access bank sites - which looks like a pain for practical purposes. So what's wrong with creating XSS exception of the "^@..." form? The thread seemed to suggest that as a relatively safe practice, but then it was contradicted by someone else as being unsafe. Can you elaborate why it's unsafe?
Re: Citibank page doesn't work
The apparent contradiction stems from different situations being handled in the same thread.
Some people reported that the XSS filter was causing hangs, but otherwise not affecting anything. And their Browser Console messages confirmed this. For those people, the ^@ type of XSS exception is safe.
For others, like you, where the XSS filter actually needs to do something, it is not safe to make the XSS exception. Thus the recommendations of using a separate profile, etc.
Re: Citibank page doesn't work
As an alternative to a new profile, you can lock it down with ABE. Just make sure you use the right rules.
Although actually - I would utterly refuse to use the site anyway, since you're entering banking credentials into an unencrypted page! And it's including unencrypted script resources! Personally, the only way I'd touch it with a 10-foot pole is: forcefully and repeatedly.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Re: Citibank page doesn't work
Thrawn >> Although actually - I would utterly refuse to use the site anyway
This usually is not an option: most of us are not on a crusade to fix the world, so we need to be practical.
Thrawn >> As an alternative to a new profile, you can lock it down with ABE. Just make sure you use the right rules.
Could you please elaborate on what "the right rules" would be? I'm still confused as to the nuances of what will/won't work and why.
barbaz >> ... the XSS filter actually needs to do something. It is not safe to make the XSS exception.
Why is it not safe? In the discussion in the other thread it was mentioned that, if I remember correctly, the difference between using "^" and "^@" is the same as between TO and FROM in the direction of cross-site injection. So if I use "^@" (which I think defines a "FROM" site) then provided I trust the bank website not to do anything malicious and not to go anywhere random, it should be safe to use. What am I missing?
Re: Citibank page doesn't work
jsbbakn wrote: Why is it not safe? In the discussion in the other thread it was mentioned that, if I remember correctly, the difference between using "^" and "^@" is the same as between TO and FROM in the direction of cross-site injection. So if I use "^@" (which I think defines a "FROM" site) then provided I trust the bank website not to do anything malicious and not to go anywhere random, it should be safe to use. What am I missing?

Given the nature of the site, if it's potentially vulnerable to XSS I'm not taking any chances. This would be quite bad if the "from" page were compromised.
Now, in a dedicated banking-only profile, it's a different story. Since you won't ever go to other sites there, if you want NoScript in your banking-only profile, you could put in the ^@ XSS exception there.
Re: Citibank page doesn't work
I will start with stating I don't understand most of what I've seen on this subject. I'm simply an old man trying to get onto my banking site. I have searched this site and tried what I could but still can only access my citi bank account by disabling noscript entirely, which I don't like doing.
I have Firefox 52.0.1 32bit running on XP (yes there are still some of us that can't handle the change to the next level).
I have ^@https://online\.citi/.com/* under XSS
and ABE (not that I understand what that is either).
Site .citi.com
Accept from .citi.com
deny
as well as whitelisted: citi.com citibank.com citicard.com citicards.com
To the point: for us less-than-technical people who are afraid to get involved with another profile, what can we do and how do we do it, so we can simply get on our banking site without totally disabling NoScript? I understand it may not be as secure as a second profile, but unless someone is willing to walk me through all the steps necessary, I simply want to use NoScript and do my banking on Citi. I haven't run into this issue with other banks.
Thanks for listening to my rant and I appreciate any feedback.
Re: Citibank page doesn't work
TryingToLearn wrote: I have ^@https://online\.citi/.com/* under XSS
and ABE (not that I understand what that is either).
Site .citi.com
Accept from .citi.com
deny
as well as whitelisted: citi.com citibank.com citicard.com citicards.com
[...] I understand it may not be as secure as a second profile,

Err, the ABE rules actually make your setup more secure than a second profile. Nicely done figuring that out.

(BTW, "Deny" is case-sensitive, with a capital D.)
Re: Citibank page doesn't work
barbaz wrote: Err, the ABE rules actually make your setup more secure than a second profile. Nicely done figuring that out.
(BTW, "Deny" is case-sensitive, with a capital D.)

Thanks, but I can't take credit for figuring anything out, just plugging in what I see without understanding. I changed to upper case "Deny" but still cannot access the site.
It times out with a window "You have chosen to open:" ... that displays Java coding from https://steps.citi.com, but I can't save it or cancel it; I still have to kill Firefox.
Based on what I read here, the ABE rule should allow steps.citi.com so that means I need to look elsewhere to resolve this. Recommendations appreciated.
Re: Citibank page doesn't work
TryingToLearn wrote: I have ^@https://online\.citi/.com/* under XSS

You have two typos in your XSS exception. Try this -
^@https://online\.citi\.com/.*
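An added illustration (not NoScript's own code, and not posted by anyone in this thread) of the two points made above: why the first pattern never matched, and why barbaz is wary of "^@" exceptions in a general-purpose profile. It assumes what the thread says: an exception is a regular expression, a plain "^..." pattern is tested against the TO (destination) URL and a "^@..." pattern against the FROM (origin) URL. The URLs are constructed samples.

```python
import re

# Toy model of how a NoScript XSS exception is applied, written for this
# thread; it is not NoScript's implementation.  Assumption from the thread:
# "^@" marks a FROM (origin) pattern, a bare "^" pattern is a TO pattern.

def parse_exception(pattern):
    """Split one exception line into ('from' | 'to', compiled regex)."""
    if pattern.startswith("^@"):
        return "from", re.compile("^" + pattern[2:])
    return "to", re.compile(pattern)

def exception_applies(pattern, origin_url, destination_url):
    """True when the exception would switch the XSS filter off for this request."""
    side, rx = parse_exception(pattern)
    url = origin_url if side == "from" else destination_url
    return rx.search(url) is not None

# Constructed sample request shaped like the one in the thread: the login
# page on online.citi.com pulling a script from steps.citi.com.
ORIGIN = "https://online.citi.com/login"
DESTINATION = "https://steps.citi.com/example.js"

TYPO_PATTERN = r"^@https://online\.citi/.com/*"    # as first posted
FIXED_PATTERN = r"^@https://online\.citi\.com/.*"  # barbaz's correction

def typo_explained():
    """The posted pattern demands a literal '/' right after 'online.citi',
    so it can never match the real host 'online.citi.com'.  Returns
    (typo pattern applies?, fixed pattern applies?)."""
    return (exception_applies(TYPO_PATTERN, ORIGIN, DESTINATION),
            exception_applies(FIXED_PATTERN, ORIGIN, DESTINATION))

def from_exception_is_not_scoped_to_destination():
    """barbaz's caution: a FROM exception lifts the filter for every request
    leaving the matched origin, whatever the destination is."""
    return exception_applies(FIXED_PATTERN, ORIGIN, "https://unrelated.example/")

if __name__ == "__main__":
    print("typo applies, fixed applies:", typo_explained())
    print("fixed pattern also covers an unrelated destination:",
          from_exception_is_not_scoped_to_destination())
```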
Re: Citibank page doesn't work
barbaz wrote: You have two typos in your XSS exception. Try this

Thank you from this happy poster for finding the typos.

Re: Citibank page doesn't work
You're welcome! 

Re: Citibank page doesn't work
barbaz wrote:
TryingToLearn wrote: I have ^@https://online\.citi/.com/* under XSS
You have two typos in your XSS exception. Try this -
^@https://online\.citi\.com/.*

I'm in exactly the same position as 'TryingToLearn', except not trying hard enuf to learn.
I signed up here to find out how to fix Citibank. The above works perfectly, thank you so much.
Now I have to figure out how to modify that to work with bankofamerica.com
Thank you 'TryingToLearn', for exactly expressing my own feelings on this stuff.
jon
Re: Citibank page doesn't work
@jonh try this XSS exception
^@https://roll\.bankofamerica\.com/
... and this ABE rule
Site roll.bankofamerica.com
Accept from .bankofamerica.com
Deny
(Based mainly on posts by lakrsrool from a year ago. If it doesn't work, the site has probably changed since then.)
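An added illustration (not NoScript's ABE implementation, and not code from this thread) of what the three-line ABE rules quoted above do: requests whose destination matches the Site line are accepted only from the listed origins and otherwise hit the fallback line. Assumptions: a host written with a leading dot (".citi.com") covers that domain and all its subdomains, a bare host matches exactly, and keywords are case-sensitive, so an unrecognized line such as lower-case "deny" is rejected rather than silently ignored. Hostnames in the checks are constructed samples.

```python
# Toy evaluator for one ABE rule block as quoted in this thread; written
# here for illustration, not NoScript's ABE code.  Assumptions: ".host"
# means host plus subdomains, a bare host matches exactly, "Site" decides
# which destinations the block covers, keywords are case-sensitive.

ABE_RULE = """\
Site .citi.com
Accept from .citi.com
Deny
"""

def host_matches(spec, host):
    """Does the ABE host spec cover this hostname?"""
    if spec.startswith("."):
        base = spec[1:]
        return host == base or host.endswith("." + base)
    return host == spec

def parse_abe(text):
    """Return (site_spec, accept_from_specs, fallback_action) for one block."""
    site, accept_from, fallback = None, [], "Accept"
    for line in text.strip().splitlines():
        words = line.split()
        if words[0] == "Site" and len(words) == 2:
            site = words[1]
        elif words[:2] == ["Accept", "from"] and len(words) > 2:
            accept_from = words[2:]
        elif words in (["Deny"], ["Accept"]):
            fallback = words[0]
        else:
            # e.g. lower-case "deny": barbaz's point that the keyword is case-sensitive
            raise ValueError(f"unrecognized ABE line: {line!r}")
    return site, accept_from, fallback

def abe_decision(rule_text, origin_host, dest_host):
    """'Accept' or 'Deny' for a request, or None when the block doesn't cover dest."""
    site, accept_from, fallback = parse_abe(rule_text)
    if not host_matches(site, dest_host):
        return None
    if any(host_matches(spec, origin_host) for spec in accept_from):
        return "Accept"
    return fallback

if __name__ == "__main__":
    print(abe_decision(ABE_RULE, "online.citi.com", "steps.citi.com"))     # Accept
    print(abe_decision(ABE_RULE, "unrelated.example", "online.citi.com"))  # Deny
    print(abe_decision(ABE_RULE, "online.citi.com", "unrelated.example"))  # None
```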