
XSS false +ve - special chars

Posted: Fri Apr 25, 2014 1:21 pm
by access2godzilla
NS's XSS filter is incorrectly triggered when data with special characters is transmitted and the document initiating the POST request contains a query.

http://example.com/login.php -> username: admin, password: t[0.5]=log(e,R[0]/R)/k -> successful
http://example.com/login.php?id=(long_hex_string) -> username: admin, password: t[0.5]=log(e,R[0]/R)/k -> blocked

error console:

Code:

[NoScript InjectionChecker] JavaScript Injection in ##t[0.5]=log(e,R[0]/R)/k
(function anonymous() {
t[0.5]=log(e,R[0]/R)/k /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

Re: XSS false +ve - special chars

Posted: Mon Apr 28, 2014 2:00 am
by Thrawn
Why do you consider this to be incorrect? It looks to me like a potential attack vector, if the landing page displays what you send.

Re: XSS false +ve - special chars

Posted: Mon Apr 28, 2014 10:11 am
by Giorgio Maone
@Thrawn:
I suppose the bug is about the filter being triggered only if there's a querystring.
Is this a cross-site request or not?
May I see the other [NoScript XSS] messages in the console?

Re: XSS false +ve - special chars

Posted: Mon Apr 28, 2014 2:09 pm
by access2godzilla
Giorgio Maone wrote: Is this a cross-site request or not?
This isn't a cross-site request.
Giorgio Maone wrote: May I see the other [NoScript XSS] messages in the console?
Yes, I have this in my console:

Code:

[NoScript XSS] Sanitized suspicious upload to [https://example.com/login.php?mode=login###DATA###(urlencoded_password)] from [http://example.com/]: transformed into a download-only GET request.

Seems unrelated to the query strings, though.

Source of relevant part of the page (the page is served through HTTP):

Code:

<form method="post" action="https://example.com/login.php?mode=login" class="headerspace">
<fieldset class="login-form">
	<label for="username">Username:</label> <input type="text" name="username" id="username" size="10" class="inputbox" title="Username" />
	<label for="password">Password:</label> <input type="password" name="password" id="password" size="10" class="inputbox" title="Password" />
	| <label for="autologin">Log me on automatically each visit <input type="checkbox" name="autologin" id="autologin" /></label>
	<input type="submit" name="login" value="Login" class="button2" />
	<input type="hidden" name="redirect" value="./index.php?" />
</fieldset>
</form>

If I use an HTTPS form for the login this does not occur.

Maybe it's related to the recent change to the XSS filter in 2.6.8.20rc1?

Re: XSS false +ve - special chars

Posted: Mon Apr 28, 2014 8:21 pm
by Giorgio Maone
access2godzilla wrote: If I use an HTTPS form for the login this does not occur.

Maybe it's related to the recent change to the XSS filter in 2.6.8.20rc1?
Yes, it is:
NoScript 2.6.8.20rc1 changelog wrote: x [XSS] Stricter checks for HTTPS requests from a same domain origin with different scheme (thanks LouiseRBaldwin for reporting)
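As an added illustration (not NoScript's own code), the following reproduces the two conditions this thread turns on: the password parses as JavaScript when wrapped the way the console output shows, and the form is posted from an http: page to an https: URL on the same domain. The `SUSPICIOUS` pre-filter and the `classifyUpload` decision are simplifying assumptions of this example; the real InjectionChecker applies more checks than shown here.

```javascript
// Wrapper copied from the [NoScript InjectionChecker] console line in this thread.
// The trailing comment and dummy expression let a payload that ends in "//", an
// unclosed "/*" or a dangling operator still form a complete function body.
const COMMENT_TERMINATOR = "/* COMMENT_TERMINATOR */";
const DUMMY_EXPR = "DUMMY_EXPR";

// Does the field value parse as a JavaScript function body?
function parsesAsJs(payload) {
  try {
    new Function(`${payload} ${COMMENT_TERMINATOR}\n${DUMMY_EXPR}`);
    return true;
  } catch (e) {
    return false;
  }
}

// Assumption for this example: only values containing assignment, call or index
// syntax are worth a parse attempt (a bare word such as "hunter2" would parse too,
// so a parse check on its own is not a useful signal).
const SUSPICIOUS = /[=(\[]/;
function looksLikeJs(payload) {
  return SUSPICIOUS.test(payload) && parsesAsJs(payload);
}

// The condition named in the 2.6.8.20rc1 changelog: same host, different scheme.
function isSameDomainCrossScheme(originUrl, targetUrl) {
  const origin = new URL(originUrl);
  const target = new URL(targetUrl);
  return origin.hostname === target.hostname && origin.protocol !== target.protocol;
}

// Simplified decision (assumption): sanitize only when both conditions hold.
// Serving the login page over HTTPS removes the cross-scheme condition, which is
// why the reporter no longer sees the message with an HTTPS form.
function classifyUpload(originUrl, targetUrl, fieldValue) {
  if (isSameDomainCrossScheme(originUrl, targetUrl) && looksLikeJs(fieldValue)) {
    return "sanitize"; // NoScript's log calls this "transformed into a download-only GET request"
  }
  return "allow";
}

// The password from the original report (a legitimate value that happens to be valid JS).
const REPORTED_PASSWORD = "t[0.5]=log(e,R[0]/R)/k";
```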