
NoScript warns if using OpenID Authentication

Posted: Fri Apr 11, 2014 6:33 pm
by GunnarScherf
Thank you very much for the sophisticated and helpful NoScript add-on, which a lot of friends are using.

I have a concern with the XSS feature. When I use the OpenID Connect specification for authentication http://openid.net/specs/openid-connect- ... uthRequest
with a scope parameter with multiple scopes separated by spaces, including openid, I get an XSS warning.

For example, on the page https://oauth-python-sample.g10f.de/oauth2/login/ there is a link to log in with Google:

https://accounts.google.com/o/oauth2/au ... ontent.com

The console log contains something like this:

Code:

[NoScript InjectionChecker] JavaScript Injection in ///o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https://oauth-python-sample.g10f.de/oauth2/login/&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com
(function anonymous() {
scope=openid+profile+email /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://accounts.google.com/o/oauth2/auth?scope=openid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com] requested from [https://oauth-python-sample.g10f.de/oauth2/login/]. Sanitized URL: [https://accounts.google.com/o/oauth2/auth?scope=OPENid+profile+email&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ&redirect_uri=https%3A%2F%2Foauth-python-sample.g10f.de%2Foauth2%2Flogin%2F&response_type=code&client_id=1054794484004-cijvmo33q0ucevim6ip722smkjruf4rh.apps.googleusercontent.com#7047993740878138766].
The openid value is changed to OPENid??
Perhaps because "open" in the context of the browser opens a window?
I think it would be nice if NoScript did not warn if a request is completely aligned with the OpenID Connect specification, which is the most important authentication specification for the web.

With best regards
Gunnar

Re: NoScript warns if using OpenID Authentication

Posted: Sat Apr 12, 2014 11:09 pm
by Giorgio Maone
Please check latest development build 2.6.8.20rc1, thank you.

Re: NoScript warns if using OpenID Authentication

Posted: Thu May 29, 2014 9:45 am
by GunnarScherf
Giorgio, thank you very much for responding so quickly.
Unfortunately I still get the XSS warning and an error when I use the OpenID Connect login with NoScript.
To log in with OpenID Connect there is a scope parameter in the query string (scope=openid+profile+email+offline_access) with openid.
The openid part is then changed by NoScript to OPENid with an XSS warning.
It would be very nice if this could be changed in NoScript, because the parameter is specified like this in the OpenID Connect specification (OpenID Connect requests MUST contain the openid scope value: http://openid.net/specs/openid-connect- ... uthRequest).

With best regards
Gunnar

Code:

[NoScript InjectionChecker] JavaScript Injection in ///accounts/login/?next=/oauth2/authorize/?scope=openid+profile+email+offline_access&state=eyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ&redirect_uri=https://oauth-python-sample.g10f.de/oauth2/login/&response_type=code&client_id=ec1e39cbe3e746c787b770ace4165d13
(function anonymous() {
scope=openid+profile+email+offline_access /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://sso.g10f.de/accounts/login/?next=/oauth2/authorize/%3Fscope%3Dopenid%2Bprofile%2Bemail%2Boffline_access%26state%3DeyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ%26redirect_uri%3Dhttps%253A%252F%252Foauth-python-sample.g10f.de%252Foauth2%252Flogin%252F%26response_type%3Dcode%26client_id%3Dec1e39cbe3e746c787b770ace4165d13] requested from [https://oauth-python-sample.g10f.de/oauth2/login/]. Sanitized URL: [https://sso.g10f.de/accounts/login/?next=%2Foauth2%2Fauthorize%2F%3Fscope%3DOPENid%2Bprofile%2Bemail%2Boffline_access%26state%3DeyJub25jZSI6ImxFTnJFaGh2eDZaNCIsImNsaWVudCI6MSwibmV4dCI6Ii8ifQ%26redirect_uri%3Dhttps%253A%252F%252Foauth-python-sample.g10f.de%252Foauth2%252Flogin%252F%26response_type%3Dcode%26client_id%3Dec1e39cbe3e746c787b770ace4165d13#5957817879784126750].
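
The two console logs in this thread show the mechanism behind the warning: NoScript's InjectionChecker wraps the suspect part of the query string in a function body (the `(function anonymous() { ... })` wrapper in the log) and treats it as an injection if it compiles as JavaScript. `scope=openid+profile+email` does compile, because the `+` that form-encodes the spaces reads as addition, and the sanitizer then rewrites the `open` prefix so that `openid` becomes `OPENid`. The following is an added example, not NoScript's own code, that models that heuristic and shows one way an OpenID Connect scope value can be allowed through by validating it against the scope grammar instead. The function names, the list of sensitive words, and the sample query (copied from the first log) are this example's own assumptions.

```javascript
// Added example, not NoScript's code: a small model of the behaviour visible in the
// console logs above, plus an OpenID Connect scope allow-list. Function names, the
// sensitive-word list and the sample query below are this example's own assumptions.

// The wrapper NoScript prints in its log; the text under test is placed in front of it.
const COMMENT_TERMINATOR = "/* COMMENT_TERMINATOR */";
const DUMMY_EXPR = "DUMMY_EXPR";

// Words we treat as dangerous when they occur inside JavaScript-parsable text.
// Assumed list for this example; NoScript's own list is different and longer.
const SENSITIVE_WORDS = ["open", "eval", "location", "document", "cookie"];

// Function() compiles its body without running it, so success means the text is
// syntactically valid JavaScript. The newline before DUMMY_EXPR stops a "//" inside
// the text from commenting out the terminator.
function parsesAsJavaScript(text) {
  try {
    new Function(`${text} ${COMMENT_TERMINATOR}\n${DUMMY_EXPR}`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Change the case of sensitive words so they no longer name the DOM member; this is
// the kind of rewrite that turns "openid" into "OPENid" in the sanitized URL.
function neutralise(text) {
  return SENSITIVE_WORDS.reduce(
    (t, w) => t.replace(new RegExp(w, "gi"), w.toUpperCase()), text);
}

// RFC 6749 scope-token: printable ASCII except space, double quote and backslash.
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

// A still-form-encoded scope value is a legitimate OpenID Connect scope list when,
// after decoding, it is a single-space-separated list of scope-tokens that contains
// "openid" (the scope value OpenID Connect Core requires).
function isOidcScopeValue(rawValue) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawValue.replace(/\+/g, " "));
  } catch (e) {
    return false; // malformed percent-encoding is never a valid scope list
  }
  const tokens = decoded.split(" ");
  return tokens.every((t) => SCOPE_TOKEN.test(t)) && tokens.includes("openid");
}

// Check each raw name=value pair as the checker sees it (NoScript also tries decoded
// variants; this model looks only at the raw form). With oidcAware set, a well-formed
// "scope" value is accepted before the JavaScript heuristic runs.
function checkQuery(query, oidcAware) {
  return query.split("&").map((pair) => {
    const eq = pair.indexOf("=");
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const rawValue = eq < 0 ? "" : pair.slice(eq + 1);
    if (oidcAware && name === "scope" && isOidcScopeValue(rawValue)) {
      return { name, flagged: false, sanitized: pair };
    }
    const flagged = parsesAsJavaScript(pair) &&
      SENSITIVE_WORDS.some((w) => pair.toLowerCase().includes(w));
    return { name, flagged, sanitized: flagged ? neutralise(pair) : pair };
  });
}

// Constructed sample: the query string from the first console log in this thread.
const SAMPLE_QUERY =
  "scope=openid+profile+email" +
  "&state=eyJub25jZSI6ImNFemlmM2F0YWdDYyIsImNsaWVudCI6NywibmV4dCI6Ii8ifQ" +
  "&response_type=code";

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkQuery(SAMPLE_QUERY, false)); // scope flagged and rewritten to OPENid
  console.log(checkQuery(SAMPLE_QUERY, true));  // scope accepted as a valid OIDC value
}
```

Running it shows why the decoded form never trips the check: `scope=openid profile email` is not valid JavaScript, only the `+`-encoded form is. The allow-list deliberately validates the whole value against the scope-token grammar rather than just looking for the word `openid`, so a value such as `openid+profile+location.href=name` would not pass simply because it starts with a legitimate scope; an injection in another parameter, e.g. `q=location.href=name`, is still flagged and case-mangled.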

Re: NoScript warns if using OpenID Authentication

Posted: Thu May 29, 2014 10:22 pm
by Giorgio Maone
Please check latest development build 2.6.8.27rc1, thanks.

Re: NoScript warns if using OpenID Authentication

Posted: Sun Jun 08, 2014 10:24 pm
by GunnarScherf
Thank you very much. Now it is working fine.

With best regards
Gunnar Scherf