XSS Alert for AT&T Wireless, False Positive?
Posted: Sun May 24, 2009 4:19 am
by GµårÐïåñ
I have been using their website for a very long time (it was Cingular at the time), and their code has changed very little over the last few years. Anyway, I have NEVER gotten an XSS warning until earlier today (around 2:30 AM), and now no matter which page of the site I am on, it gives me an XSS warning. What's up?
Here is the screenshot of the message as well as the console report. I didn't want to put every single error here; it would be VERY long. I'd appreciate knowing whether the site is really messed up, the developer pulled some kind of bonehead move, or it is just a false positive that can be corrected, please. TIA

Re: XSS Alert for AT&T Wireless, False Positive?
Posted: Sun May 24, 2009 4:49 am
by Tom T.
GµårÐïåñ wrote: I have been using their website for a very long time, it was Cingular at the time, and their code has changed very little over the last few years. Anyway, I have NEVER gotten an XSS warning ...
I too have used Cing / ATT, never had a problem, went there now, logged in, checked account, logged out.
Unable to reproduce.
F2.0.0.20 reminder.
Original/exact URL of the example? (minus personal ID info, of course.)
Re: XSS Alert for AT&T Wireless, False Positive?
Posted: Sun May 24, 2009 5:04 am
by GµårÐïåñ
After I posted this, I updated to 1.9.3.3 and now the damn thing won't reproduce, but as you can see in the picture, it was doing it, and it was doing it consistently. Both my account AND my wife's. I don't know if updating to 1.9.3.3 fixed it or what.
I guess the only thing I can do is wait and see if it happens again. The link on which it was happening in the example posted is right there in the screenshot: it is the page you land on after you log in and the dancing AT&T Flash validation is done (before, it used to be the Cingular jumping orange man). Then it gave the XSS warning, and from that point on each and every link would do the same thing.
Re: XSS Alert for AT&T Wireless, False Positive?
Posted: Sun May 24, 2009 10:30 am
by Tom T.
GµårÐïåñ wrote: ...the dancing AT&T Flash validation is done (before, it used to be the Cingular jumping orange man)
I have Flash blocked at that entire domain. Also have scripting blocked from liveperson.net. Could these be possible causes?
Re: XSS Alert for AT&T Wireless, False Positive?
Posted: Sun May 24, 2009 8:51 pm
by GµårÐïåñ
I suppose it's possible, but I have always had liveperson blocked on all domains, and although Flash is allowed on that domain, it has never been an issue before and doesn't seem to be now either, which bothers me. I don't like not knowing why a problem came and went; it leaves me feeling like I missed something.