XSS exclusion for msdn.microsoft.com to plusone.google.com

Posted: Wed Aug 21, 2013 5:04 pm
by m60freeman
What exclusion string do I need to make this not be flagged as an XSS issue:

[NoScript XSS] Sanitized suspicious request referer. URL [https://plusone.google.com/_/+1/fastbut ... 6rd%3Dtrue (REF: http://msdn.microsoft.com/query/dev10.q ... .PORTAL.F1);k(SQL11.PORTAL.DEVREF.F1);k(SQL11.PORTAL.INSTALLATION.F1)&rd=true)] requested from [http://msdn.microsoft.com/query/dev10.q ... 1)&rd=true]. Sanitized Referrer: [http://msdn.microsoft.com/query/dev10.q ... 20&rd=true].

Thanks!

- Mark

Re: XSS exclusion for msdn.microsoft.com to plusone.google.c

Posted: Thu Aug 29, 2013 4:48 am
by Thrawn
That's a nasty query string you have there :D

If you're confident that Google +1 is not actually vulnerable to an XSS attack, then you could try something like:

^https://plusone\.google\.com/.*
I'm not sure of the details of the XSS filter, but it's possible that Giorgio will find a way to improve it so that the exception is not needed.
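
An added example, not part of the original posts and not NoScript's own code: a quick way to check how widely an exception pattern like the one above matches before adding it. The function name `auditException` and the sample URLs are constructed for illustration, and it assumes the pattern is tested as a JavaScript regular expression against the destination URL of the request.

```javascript
// Added example: audit a candidate XSS-filter exception regex against
// constructed destination URLs to see whether it exempts more than intended.
// Assumption: the exception is a JavaScript regex tested against the
// destination URL. auditException is a hypothetical helper name.
function auditException(pattern, intendedHost) {
  const re = new RegExp(pattern);
  // Constructed samples: only the first one should be exempted.
  const samples = [
    { url: `https://${intendedHost}/_/+1/fastbutton?url=x`, expected: true },
    // Same host over plain HTTP
    { url: `http://${intendedHost}/_/+1/fastbutton?url=x`, expected: false },
    // Intended host name used as a prefix of a different host
    { url: `https://${intendedHost}.example.net/`, expected: false },
    // Dots replaced by another character (catches unescaped "." in the regex)
    { url: `https://${intendedHost.replace(/\./g, "x")}/`, expected: false },
    // Intended URL embedded in another site's query string (catches missing "^")
    { url: `https://other.example/?next=https://${intendedHost}/`, expected: false },
  ];
  const overMatches = [];
  const misses = [];
  for (const { url, expected } of samples) {
    const matched = re.test(url);
    if (matched && !expected) overMatches.push(url);
    if (!matched && expected) misses.push(url);
  }
  return { overMatches, misses, ok: overMatches.length === 0 && misses.length === 0 };
}

// The pattern suggested in the reply above: anchored, dots escaped,
// and a "/" required directly after the host name.
const suggested = String.raw`^https://plusone\.google\.com/.*`;
// A looser variant for comparison: no anchor, dots not escaped.
const loose = "https://plusone.google.com";

console.log(auditException(suggested, "plusone.google.com"));
console.log(auditException(loose, "plusone.google.com"));
```

The suggested pattern exempts only the HTTPS destination on that exact host, while the looser variant also exempts three of the constructed URLs that belong to other hosts.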