Page 3 of 3

Re: Ebay us uk au Paypal checkout xss warning

Posted: Tue Jul 25, 2023 8:41 pm
by barbaz
Castle Freak wrote: Tue Jul 25, 2023 7:58 pm
Hey again! :-)

I just provoked the NoScript Warning again. This is what I got:


[...]


Any idea?

Yep, it's another instance of the same false positive this thread is about.

Since you didn't censor any of the parameters at all, and I believe some of them may be sensitive personal information, I've hidden your post. And with the information in the now-hidden post, I'm now pretty sure the "paymentInstrumentId" parameter I couldn't evaluate earlier is not XSS.

In case the suggested workaround got buried, quoting it again -
barbaz wrote: Thu Jun 29, 2023 12:04 pm Normally we would recommend using "Allow this request" while waiting for Giorgio to get to this, but in this specific case I think it is safe to "Always allow document requests".

Re: Ebay us uk au Paypal checkout xss warning

Posted: Tue Jul 25, 2023 10:48 pm
by Rom623
barbaz,

Thank you for further evaluating the extent of this xss warning; good news, it validates your original false positive assessment. Your technical expertise and time, once again, are highly appreciated.

Giorgio,
Given this issue is affecting countless numbers of NoScript users who use eBay/PayPal, is there any chance of a more permanent fix? As most users will never find their way to this forum.

Appreciated on behalf of all users who have provided input into this post and the wider community.

Kind Regards.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Wed Jul 26, 2023 8:47 am
by Castle Freak
Thank you so much for your assistance, barbaz, I really appreciate it! :) Thank you Dee3 and Rom623 too! ;)

To be honest, I already had the suspicion that this is a false positive when NoScript's warning popped up for the first time, but I was still cautious as eBay and PayPal seemingly have already been targets of XSS-Attacks multiple times over the past few years, as my personal Google research has shown. Like I said: You're better safe than sorry!

Nevertheless, I'd highly appreciate having this issue resolved as it might cause confusion, frustration or even unnecessary paranoia or distress, especially among users who are less knowledgeable than our IT-Professionals over here ;)

@barbaz: I wrote an e-mail to the administrators concerning the link I posted yesterday with a request to remove my posts or at least delete the respective link. Before I went to bed, I saw that you already hid the post and the said link. Thank you very much!

Wish you all a great day!

Richard

Re: Ebay us uk au Paypal checkout xss warning

Posted: Thu Aug 03, 2023 2:06 am
by Rom623
Giorgio, barbaz,

This issue is / will be causing many NoScript users concern / frustration due to the nature of the xss issue presented at the time of checkout.
Any chance in the near future this issue can be resolved?

Greatly appreciate your time and technical expertise.

Thank you in advance.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Thu Aug 10, 2023 10:56 am
by Rom623
Appreciate any traction / appreciated action to resolve this ongoing NoScript xss warning.

Regards & Thanks.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Sat Aug 19, 2023 10:20 pm
by Rom623
Greetings.
Any opportunity to fix this false positive reported by NoScript would be greatly appreciated on behalf of all users of eBay / PayPal.

Regards.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Sun Aug 27, 2023 10:28 pm
by Rom623
Giorgio, barbaz,

Patiently, keeping this post active, awaiting a permanent fix.

Thank you for your valued time and assistance.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Sun Aug 27, 2023 11:52 pm
by barbaz
I did try to bring this thread to Giorgio's attention; he is aware of it but AFAIK has not yet had time to look into it.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Tue Aug 29, 2023 9:47 am
by Rom623
barbaz,

Greatly appreciate you taking the time to bring this issue to Giorgio's attention. Now we wait, knowing it's on his radar....

Take care & travel safe.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Fri Sep 01, 2023 4:44 pm
by Giorgio Maone
Could you please try the latest development build? Thanks!

v 11.4.27rc2
============================================================
x [XSS] Better specificity of potential fragmented injection
through framework syntax detection (thanks Rom623, barbaz
et al)

x [nscl] RegExp.combo(): RegExp creation by combination for
better readability and comments

Re: Ebay us uk au Paypal checkout xss warning

Posted: Fri Sep 01, 2023 5:12 pm
by barbaz
This is not a full confirmation, but FWIW with 11.4.27rc2 I am no longer able to reproduce the XSS warning using 127.0.0.1/localhost-based test cases: neither those I posted above, nor with 127.0.0.1/localhost with the full query string from Castle Freak's hidden post.

EDIT
For affected users who have been using XSS exception as a workaround: to remove the XSS exception after updating to 11.4.27rc2, go to NoScript Options > Advanced, under "Sanitize cross-site suspicious requests" select only the specific XSS choices related to this, then click "Clear XSS choices".

Re: Ebay us uk au Paypal checkout xss warning

Posted: Sat Sep 02, 2023 5:01 pm
by barbaz
Giorgio Maone wrote: Fri Sep 01, 2023 4:44 pm v 11.4.27rc2
(The commits and tag for NoScript 11.4.27rc2 are not on GitHub.)

Re: Ebay us uk au Paypal checkout xss warning

Posted: Sat Sep 02, 2023 8:44 pm
by Giorgio Maone
barbaz wrote: Sat Sep 02, 2023 5:01 pm
Giorgio Maone wrote: Fri Sep 01, 2023 4:44 pm v 11.4.27rc2
(The commits and tag for NoScript 11.4.27rc2 are not on GitHub.)
Fixed, thanks.

Re: Ebay us uk au Paypal checkout xss warning

Posted: Wed Sep 06, 2023 10:27 pm
by Rom623
barbaz, Giorgio,

Solution works!!!

A BIG thank you for your technical expertise and your personal time to help resolve this issue for all affected users of this XSS issue.

Greatly appreciated.

Re: [FIXED] Ebay us uk au Paypal checkout xss warning

Posted: Fri Sep 08, 2023 1:18 pm
by Dee3
I just installed the new fix and made a purchase on eBay UK, and it worked for me too - no error messages either from eBay to PayPal or from PayPal to eBay. Thank you!