False positive XSS on meinestadt.de

Atalanttore
Posts: 2
Joined: Wed Nov 01, 2017 7:38 pm
Location: Europe

False positive XSS on meinestadt.de

Post by Atalanttore »

Hi,

there always appears an XSS warning from NoScript when loading a URL of a local job search site.

Example URL:

http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001
Regards,
Ettore
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: False positive XSS on meinestadt.de

Post by barbaz »

Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)
*Always* check the changelogs BEFORE updating that important software!
Atalanttore
Posts: 2
Joined: Wed Nov 01, 2017 7:38 pm
Location: Europe

Re: False positive XSS on meinestadt.de

Post by Atalanttore »

I got these messages related to NoScript:

[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [[System Principal]]. Bereinigte URL: [http://jobs.meinestadt.de/#3726889947896497443].

[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [chrome://browser/content/browser.xul]. Bereinigte URL: [http://jobs.meinestadt.de/#18995520824198986703].

[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIHttpChannel.getResponseHeader]"  nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)"  location: "JS frame :: chrome://noscript/content/Main.js?1bts38pn49vbsofniibg :: mustBlockJS :: line 3808"  data: no]mustBlockJS@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:3808:35
_onWindowCreatedReal@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:3825:23
observe@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:132:9
Regards,
Ettore
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
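The two sanitization messages quoted above can be triaged mechanically. The following is an added example, not NoScript's own code and not from this thread: it parses Browser Console lines in exactly the German format shown, reports which URL components the sanitized URL lost and whether the requester was the browser itself, and lists the bracket/at characters found in the query and fragment (that these are the characters an XSS heuristic would weigh is an assumption, not NoScript's stated rule).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: the two sanitization messages quoted in the thread above.
SAMPLE_LOG = """\
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [[System Principal]]. Bereinigte URL: [http://jobs.meinestadt.de/#3726889947896497443].
[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [chrome://browser/content/browser.xul]. Bereinigte URL: [http://jobs.meinestadt.de/#18995520824198986703].
"""

# Anchor on the fixed German phrases rather than on brackets alone: the original URL
# itself contains nested "[...]" (e.g. "[Mailalert]"), which would break a naive \[(.*?)\].
LINE_RE = re.compile(
    r"\[NoScript XSS\] .*?Original-URL \[(?P<orig>.*)\] angefordert von "
    r"\[(?P<src>.*)\]\. Bereinigte URL: \[(?P<clean>.*)\]\.$"
)

# Characters often weighed by URL-based XSS heuristics (assumption, not NoScript's rule).
HEURISTIC_CHARS = "[]@<>\"'"


def parse_noscript_xss_line(line):
    """Return a dict describing one sanitization event, or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    orig, clean = urlsplit(m["orig"]), urlsplit(m["clean"])
    src = m["src"]
    return {
        "requester": src,
        # chrome:// URLs and [System Principal] denote the browser itself, not a web page.
        "requester_is_browser": src.startswith("chrome://") or "System Principal" in src,
        "host": orig.netloc,
        "host_changed": orig.netloc != clean.netloc,
        "path_dropped": orig.path != clean.path,
        "query_dropped": bool(orig.query) and not clean.query,
        "fragment_dropped": orig.fragment != clean.fragment,
        # Parameter names lost when the whole query string was stripped.
        "dropped_params": [k for k, _ in parse_qsl(orig.query)] if not clean.query else [],
        "heuristic_chars": sorted({c for c in orig.query + orig.fragment if c in HEURISTIC_CHARS}),
    }


def parse_noscript_log(text):
    """Parse every NoScript XSS sanitization line in a pasted Browser Console dump."""
    events = [parse_noscript_xss_line(line) for line in text.splitlines()]
    return [e for e in events if e]
```

Running it over the two lines above shows both requests came from the browser itself and that the host survived while path, query and fragment were all replaced.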
barbaz
Senior Member
Posts: 11108
Joined: Sat Aug 03, 2013 5:45 pm

Re: False positive XSS on meinestadt.de

Post by barbaz »

I see that only if the site is script-blocked.

With these sites Allowed, I do not get the XSS warning -

+ioam.de
+google.com
+ajax.googleapis.com
+meinestadt.de
I have no idea why whitelisting the target site would cause NoScript to no longer consider the request to be XSS? If it were actual XSS, whitelisting the target site would make it MORE dangerous.

I would think this difference should apply instead to the site *making* the request, no?
*Always* check the changelogs BEFORE updating that important software!