
[RESOLVED] XSS false positive: access.qgcidm.citec.com.au

Posted: Mon May 20, 2013 4:15 am
by Thrawn
The SAML-based Single Sign-On service at access.qgcidm.citec.com.au triggers the XSS filter after logging in, when it attempts to send you back to the site that was using the service.

Code:

[NoScript XSS] Sanitized suspicious upload to [https://xxx:yyy/zzz] from [https://access.qgcidm.citec.com.au/openam/UI/Login]: transformed into a download-only GET request.
Will send POST data via PM.
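The log line above is the symptom; the mechanism behind it is the SAML HTTP-POST binding. After login the IdP serves a self-submitting HTML form that POSTs a SAMLResponse to the service provider on another site. If a cross-site POST from an origin that is not whitelisted is treated as a suspicious upload and downgraded to a body-less GET, the SAMLResponse never arrives and the sign-on fails. The following is an added example that models that decision; it is not NoScript's source code and not anything from the CITEC service. The service-provider hostname, the whitelist contents, the sample assertion value and the form page are all constructed for the example.

```javascript
// Added example (not NoScript's or CITEC's code): a simplified model of a
// SAML HTTP-POST binding response being checked by a cross-site POST filter.
// Assumptions: sp.example.test is a made-up service provider, the whitelist
// arrays are made up, and the SAMLResponse value is a placeholder, not a
// real base64-encoded assertion.

const idpOrigin = 'https://access.qgcidm.citec.com.au';

// Constructed stand-in for the page an IdP serves after a successful login.
const autoPostPage = `
<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://sp.example.test/saml/acs">
  <input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlLi4u" />
  <input type="hidden" name="RelayState" value="/dashboard" />
</form>
</body></html>`;

// Pull the form's method, action and hidden fields out of the page.
// Regexes are enough for the fixed form above; real code would use the DOM.
function parseAutoPostForm(html) {
  const form = html.match(/<form\s+method="([^"]+)"\s+action="([^"]+)"/i);
  if (!form) throw new Error('no form found in page');
  const fields = {};
  const re = /<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) fields[m[1]] = m[2];
  return { method: form[1].toUpperCase(), action: form[2], fields };
}

// A host is trusted if it, or one of its parent domains, is whitelisted.
function isWhitelisted(hostname, whitelist) {
  return whitelist.some(d => hostname === d || hostname.endsWith('.' + d));
}

// The filter decision: a POST whose origin is a different host from the
// target and whose origin is not whitelisted is "sanitized" into a GET with
// no body. Everything else passes through unchanged.
function filterRequest(originUrl, form, whitelist) {
  const origin = new URL(originUrl);
  const target = new URL(form.action);
  const crossSite = origin.hostname !== target.hostname;
  if (form.method === 'POST' && crossSite && !isWhitelisted(origin.hostname, whitelist)) {
    return { method: 'GET', url: target.href, body: null, sanitized: true };
  }
  return { method: form.method, url: target.href, body: form.fields, sanitized: false };
}

// Run the IdP's auto-post form through the filter with a given whitelist.
function demo(whitelist) {
  return filterRequest(idpOrigin, parseAutoPostForm(autoPostPage), whitelist);
}

// With only the SP trusted, the IdP's POST is downgraded and the
// SAMLResponse is dropped; with citec.com.au also trusted, it goes through.
console.log(demo(['sp.example.test']));
console.log(demo(['sp.example.test', 'citec.com.au']));
```

Running the block shows the two outcomes side by side: with only the service provider whitelisted the result is a GET with `body: null`, which is the "download-only GET request" from the log line; adding `citec.com.au` to the whitelist lets the POST and its SAMLResponse through.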

Re: XSS false positive: access.qgcidm.citec.com.au

Posted: Mon May 20, 2013 7:56 am
by Giorgio Maone
  1. Is citec.com.au whitelisted at the moment of submission?
  2. Is there also a message from the InjectionChecker in your error console (you may want to PM it as well)?

Re: XSS false positive: access.qgcidm.citec.com.au

Posted: Tue May 21, 2013 3:40 am
by Thrawn
Ah. We had left it untrusted so that we could test the non-JavaScript version. That would explain it.

Whitelisting it, but switching off JavaScript, fixes the problem. Thanks :).