Anti-XSS false positive
Posted: Sat Sep 22, 2012 11:43 pm
by iDrugoy
Hi.
I've noticed a strange behavior of NoScript's Anti-XSS subsystem.
I have a locally saved html file with the following code:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<!-- the declared charset decides how the browser percent-encodes the submitted query -->
<meta content="text/html; charset=windows-1251" http-equiv="content-type">
<title>Title</title>
</head>
<body>
<form action="http://yandex.ru/yandsearch">
<input name=text size=55>
<input type=submit value="Search">
</form>
</body>
</html>
And it generally works fine (it submits a search query to the yandex.ru search engine), except in some cases:
I've noticed that whenever my search query contains "урав", the Anti-XSS system alerts me that it has triggered and blocked the query, removing "урав" (or %F3%F0%E0%E2) from the URL.
Why is that happening? Other search queries do not trigger such behavior.
Re: Anti-XSS false positive
Posted: Mon Sep 24, 2012 2:58 pm
by therube
I'm not getting an XSS warning?
Ah, you get it once you have allowed file://.
[NoScript XSS] Sanitized suspicious request. Original URL [http://yandex.ru/yandsearch?text=%F3%F0%E0%E2+gena01] requested from [file:///C:/TMP/SEA/yandex.html]. Sanitized URL: [http://yandex.ru/yandsearch?text=%20+gena01#9875335212563178277].
Search term: урав gena01
And there's more to it than that.
If (local file, in my case) "yandex.html" (Character Encoding) is set to Cyrillic (Windows-1251), & I have allowed yandex.ru, then I get the XSS warning & I am also returned results.
http://yandex.ru/yandsearch?text=%20+gena01&lr=21003#7446668028331651496
If yandex.html is set to Unicode (UTF-8) & yandex.ru is allowed, then there is no XSS warning & the page states (& shows, effectively) "nothing found".
http://yandex.ru/yandsearch?text=%D1%83%D1%80%D0%B0%D0%B2+gena01&lr=21003
If yandex.ru is not allowed, then I get no XSS nor any results.
Re: Anti-XSS false positive
Posted: Fri Nov 02, 2012 8:58 pm
by iDrugoy
bump
Re: Anti-XSS false positive
Posted: Sat Nov 03, 2012 7:27 am
by Giorgio Maone
Is there any reason why you have to use the legacy charset on your local page, when even yandex.ru uses UTF-8 (which is the current standard for internationalized pages)?
The problem is due to the charset of the page causing the query string to be encoded in an obsolete way, which in your case (with the combination of characters used in your query) may be used in an attack against a buggy behavior of the PHP utf8_decode() function.
Notice that sending query strings which are not UTF-8 encoded across different domains (which is the thing which may trigger this false positive) is extremely rare nowadays, and doesn't justify a work-around which may be used to circumvent the filter protection against the utf8_decode() bug.
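The encoding mismatch described above, as an added example (not code from the thread or from NoScript): the same Cyrillic query percent-encoded from a windows-1251 page and from a UTF-8 page, plus a check in the spirit of the filter's heuristic that flags query values whose percent-decoded bytes are not valid UTF-8. The function names and the sample URLs are this example's own.

```python
# Added example, not part of the thread or of NoScript.  Shows why the same
# Cyrillic query is percent-encoded differently depending on the page's
# charset, and a defender-side check that flags legacy-charset query values.
from urllib.parse import quote, unquote_to_bytes, urlsplit


def encode_query(text: str, charset: str) -> str:
    """Percent-encode text as a browser does for a form on a page served
    with `charset`: windows-1251 yields one byte per Cyrillic letter,
    UTF-8 yields two."""
    return quote(text, safe="", encoding=charset)


def non_utf8_params(url: str) -> dict:
    """Map parameter name -> percent-decoded bytes for every query value
    that contains high bytes (>= 0x80) but is not valid UTF-8.  Such values
    are what a legacy-charset form submits, and what a lenient multibyte
    decoder on the server may regroup; a cross-origin filter like the one in
    the thread treats them as suspicious because it cannot tell the two apart."""
    flagged = {}
    for part in urlsplit(url).query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        raw = unquote_to_bytes(value.replace("+", " "))
        if not any(b >= 0x80 for b in raw):
            continue  # pure ASCII cannot be a charset mismatch
        try:
            raw.decode("utf-8")
        except UnicodeDecodeError:
            flagged[name] = raw
    return flagged


# Constructed sample: the search form from the first post, submitted once
# from a windows-1251 page and once from a UTF-8 page.
LEGACY_URL = "http://yandex.ru/yandsearch?text=" + encode_query("урав", "cp1251")
UTF8_URL = "http://yandex.ru/yandsearch?text=" + encode_query("урав", "utf-8")

if __name__ == "__main__":
    print(LEGACY_URL)  # ...text=%F3%F0%E0%E2 (the bytes seen in the log above)
    print(UTF8_URL)    # ...text=%D1%83%D1%80%D0%B0%D0%B2
    for name, raw in non_utf8_params(LEGACY_URL).items():
        # Only the page's own charset recovers the text; a UTF-8 consumer cannot.
        print(f"flagged {name}={raw.hex()} -> {raw.decode('cp1251')!r}")
    print(non_utf8_params(UTF8_URL))  # {} : nothing to flag
```

Declaring UTF-8 on the page (or `accept-charset="UTF-8"` on the form) makes the browser submit the second form of the URL, which the check leaves alone.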
Re: Anti-XSS false positive
Posted: Sat Dec 15, 2012 12:36 pm
by iDrugoy
The problem is not just with my homepage.
Visiting this link will also cause an Anti-XSS false positive:
Re: Anti-XSS false positive
Posted: Mon Dec 17, 2012 8:20 pm
by therube
[NoScript XSS] Sanitized suspicious request. Original URL [http://translate.google.ru/?sl=ru&tl=zh-CN&text=%F1%E5%F0%E0%FF%20%EB%E8%F1%E0%20%E2%EE%E7%E2%F0%E0%F9%E0%E5%F2%F1%FF] requested from [http://forums.informaction.com/viewtopic.php?f=7&t=10101]. Sanitized URL: [http://translate.google.ru/?sl=ru&tl=zh-CN&text=%F1%E5%F0%E0%FF%20%EB%E8%20%EE%E7%E2%F0%E0%F9%E0%E5%F2%F1%FF#7599522311630901242].
Re: Anti-XSS false positive
Posted: Mon Dec 17, 2012 8:44 pm
by Giorgio Maone
iDrugoy wrote: The problem is not just with my homepage. Visiting this link will also cause an Anti-XSS false positive:
... and how did you create that link, exactly?
Re: Anti-XSS false positive
Posted: Mon Dec 17, 2012 9:15 pm
by therube
OP's link, which I suppose could be dangerous?:
http://translate.google.ru/?sl=ru&tl=zh-CN&text=%F1%E5%F0%E0%FF%20%EB%E8%F1%E0%20%E2%EE%E7%E2%F0%E0%F9%E0%E5%F2%F1%FF
Is page (character) encoding (Windows-1252) also playing part?
When you copy the "link" from the URL bar, it encodes it, though this particular link does not generate an XSS warning.
http://translate.google.com/#auto/zh-CN/%D1%81%D0%B5%D1%80%D0%B0%D1%8F%20%D0%BB%D0%B8%D1%81%D0%B0%20%D0%B2%D0%BE%D0%B7%D0%B2%D1%80%D0%B0%D1%89%D0%B0%D0%B5%D1%82%D1%81%D1%8F
I used this (might be slightly different from posted from OP's link):
серая лиса возвращается
translated from RU to zh-CN.
http://translate.google.com/
If you "break" the link (on the URL bar), you can copy it (to paste it here).
http://translate.google.com/#auto/zh-CN/серая лиса возвращается
(But even with that, you still can't "tag" it.)
Re: Anti-XSS false positive
Posted: Sun Dec 23, 2012 9:49 pm
by iDrugoy
Giorgio Maone wrote:
    iDrugoy wrote: The problem is not just with my homepage. Visiting this link will also cause an Anti-XSS false positive:
    ... and how did you create that link, exactly?
It doesn't matter how I got this URL. The fact is that it is a valid URL and that it causes false positive anti-xss warning by your extension.
Re: Anti-XSS false positive
Posted: Sun Dec 23, 2012 10:41 pm
by Giorgio Maone
iDrugoy wrote:
    Giorgio Maone wrote:
        iDrugoy wrote: The problem is not just with my homepage. Visiting this link will also cause an Anti-XSS false positive:
        ... and how did you create that link, exactly?
    It doesn't matter how I got this URL. The fact is that it is a valid URL and that it causes a false positive Anti-XSS warning by your extension.
It does matter, because it happens to be indistinguishable from an attack against a known PHP multibyte decoding weakness which can be exploited to bypass XSS filters.
Therefore, knowing whether this legitimate false positive is a common occurrence (which I believe is not, because it appears to be caused by an artificial character encoding mismatch) is important to make a cost-benefit assessment for a (not necessarily possible) work-around.