InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

[Resolved] cross-site-scripting at wellsfargo.com

https://forums.informaction.com/viewtopic.php?t=18908

Page 1 of 1

[Resolved] cross-site-scripting at wellsfargo.com

Posted: Sun Jan 05, 2014 8:57 pm
by larryhg
While attempting to log in to wellsfargo at https://www.wellsfargo.com/, a NoScript rule seems to be triggered:

Code: Select all

[NoScript InjectionChecker] HTML injection:
<A HREF=
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\0\/]|['"])(?:formaction|style|background|src|lowsrc|ping|href|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\0]*=

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://online.wellsfargo.com/signon###DATA###...
Steps to reproduce:
1) Visit https://www.wellsfargo.com/
2) In the login pane on the left, attempt to log in with any credentials -- for example, username: a, password: b.
3) My browser is redirected to https://online.wellsfargo.com/signon with a NoScript warning message.
4) Note that if you attempt to log in from this page (https://online.wellsfargo.com/signon) with invalid credentials, NoScript is not triggered and you see an error message "You have entered an invalid username. Please re-enter your username.".

Is the problem caused by NoScript's InjectionChecker regex or something else local to my machine?

Thank you.

Re: cross-site-scripting at wellsfargo.com

Posted: Mon Jan 06, 2014 4:12 am
by Thrawn
Well, I'm not an expert on the ins and outs, but from what I can see:
  • Wells Fargo is attempting to spy on your browser details, available plugins, etc.
  • Some of the details that it is trying to grab include snippets of HTML.
  • NoScript doesn't like the inclusion of this HTML in requests, since it tends to be associated with Cross-Site Scripting attacks.
I suggest bookmarking the second page and exclusively using that.

Re: cross-site-scripting at wellsfargo.com

Posted: Mon Jan 06, 2014 8:25 am
by Giorgio Maone
And anyway latest development builds are fine-tuned to allow "innocuous" anchors to be included in the request, thus removing this false positive.

Re: cross-site-scripting at wellsfargo.com

Posted: Fri Jan 10, 2014 11:11 am
by redwolfe_98
i use "wellfargo.com" and, the last time that i tried to log in to the website, i had problems, too, but i didn't know what the problem was.. i had never had problems with logging into the website, before..

when i first noticed the problem, where my login failed, i figured that i must have accidentally entered the wrong credentials..

i kept trying to log in to the website and eventually i was able to log in..

p.s. i logged in to "wellsfargo.com" just now and didn't have any problems with it..

i am using "noscript build 2.6.8.11"..
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited