Hello all,
I am using Firefox 27.0 and NoScript 2.6.8.13. I have discovered a way to evade the XSS sanitization of NoScript.
NoScript options allows Anti-XSS Protection Exceptions to be set, with one of the defaults being:
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?
Any URL whose beginning matches that regex will be exempt from XSS sanitization. This allows for an exploitation using the @ in a URL. I will use the deliberately insecure website google-gruyere as an example.
http://www.google.com%2Fsearch%3F@google-gruyere.appspot.com/402153350769/<script>alert(1)</script>
This URL will take you to a website whose URL has not been sanitized, because it matches the regex on the Anti-XSS Protection Exceptions list. Because the website I chose is insecure, going to that URL will cause JavaScript to be inserted into the page. There are a few things that make an attack based on this difficult, but still plausible. First, a user going to this URL will receive a warning from Firefox saying they might not be going where they intend to. They will be asked if they want to continue. Second, this same attack must be used on a trusted website, so the injected JavaScript is allowed to execute.
Although Firefox does warn users that they may be going somewhere they do not intend, naive users will continue to the website, which may execute some malicious JavaScript, even with NoScript installed.
[BUG] Exploiting Anti-XSS Protection Exceptions
Re: [BUG] Exploiting Anti-XSS Protection Exceptions
Good spot.
Giorgio, would it be reasonable to change that exception to this?
^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?[^@]*$
ie don't match anything containing an @ symbol after the question mark.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.
True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
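As an added example (my own code, not NoScript's and not anything posted in this thread), the following script checks the exception regex quoted in the first post and Thrawn's tightened `[^@]*$` variant against the report's URL and a few constructed ones. It assumes, as the report's observation implies, that the exception is tested against the percent-decoded URL; it also shows the check a defender actually wants, which is parsing the URL and looking at the host that the browser will really connect to rather than pattern-matching the raw string.

```python
import re
from urllib.parse import unquote, urlsplit

# Exception regex as shipped in NoScript 2.6.8.13 (quoted from the first post).
ORIGINAL_EXCEPTION = (
    r"^https?://([a-z]+)\.google\.(?:[a-z]{1,3}\.)?[a-z]+/(?:search|custom|\1)\?"
)

# Thrawn's proposal: additionally refuse any '@' anywhere after the '?'.
PROPOSED_EXCEPTION = ORIGINAL_EXCEPTION + r"[^@]*$"

# Hostname shape the exception is meant to cover (derived from the regex above).
GOOGLE_HOST = re.compile(r"^[a-z]+\.google\.(?:[a-z]{1,3}\.)?[a-z]+$")

# Constructed sample URLs; the bypass URL is the one from the report.
SAMPLES = {
    "legit_search": "https://www.google.com/search?q=noscript",
    "legit_custom": "https://www.google.co.uk/custom?q=x",
    "legit_with_at": "https://www.google.com/search?q=user@example.com",
    "userinfo_bypass": (
        "http://www.google.com%2Fsearch%3F@google-gruyere.appspot.com"
        "/402153350769/<script>alert(1)</script>"
    ),
}


def is_exempt(url: str, pattern: str) -> bool:
    """True if the exception regex would skip XSS sanitization for this URL.

    Assumption: the extension matches the percent-decoded form of the URL;
    this is what makes '%2Fsearch%3F' inside the userinfo look like
    '/search?' to the pattern.
    """
    return re.match(pattern, unquote(url)) is not None


def effective_host(url: str) -> str:
    """Host the browser will actually connect to (the part after any '@')."""
    return urlsplit(url).hostname or ""


def host_is_google(url: str) -> bool:
    """Allowlist decision made on the parsed host instead of the raw string."""
    return GOOGLE_HOST.match(effective_host(url)) is not None


def report() -> dict:
    """Summarise every sample under both regexes and the host-based check."""
    return {
        name: {
            "original_exempt": is_exempt(url, ORIGINAL_EXCEPTION),
            "proposed_exempt": is_exempt(url, PROPOSED_EXCEPTION),
            "host": effective_host(url),
            "host_is_google": host_is_google(url),
        }
        for name, url in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:16} {row}")
```

The bypass URL is exempted by the original pattern yet resolves to `google-gruyere.appspot.com`, which is exactly the gap the report describes. Thrawn's `[^@]*$` closes it, at the cost of no longer exempting genuine Google searches whose query contains an `@` (a safe failure: such pages simply get sanitized). Matching on the parsed host avoids both problems, since userinfo can never change what `urlsplit` reports as the hostname.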