XSS and JSFIDDL
Posted: Thu May 01, 2014 5:19 am
by erosman
Hi
There is an issue with XSS and
http://jsfiddle.net/
NoScript comes with a warning (converts POST to GET)
Disabling the XSS POST-to-GET conversion will get the site working, but the warning still comes up.
Also in JSFIDDLE panel : {"error": "Please use POST request"}
Adding the ^http://jsfiddle\.net/.*$ did not have any effect.
Form is sent to
http://fiddle.jshell.net/_display/
Regards

Re: XSS and JSFIDDL
Posted: Thu May 01, 2014 1:57 pm
by barbaz
Could you please post here the NoScript XSS message from the Browser Console? (Ctrl-Shift-J)
Re: XSS and JSFIDDL
Posted: Fri May 02, 2014 6:30 am
by erosman
barbaz wrote: Could you please post here the NoScript XSS message from the Browser Console? (Ctrl-Shift-J)
[NoScript ClearClick] Swallowed event mousedown on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript ClearClick] Swallowed event mouseup on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript ClearClick] Swallowed event click on http://jsfiddle.net/ (rapid fire from http://fiddle.jshell.net in 400ms)
[NoScript InjectionChecker] HTML injection:
<img
matches <[^\w<>]*(?:[^<>"'\s]*:)?[^\w<>]*(?:\W*s\W*c\W*r\W*i\W*p\W*t|\W*f\W*o\W*r\W*m|\W*s\W*t\W*y\W*l\W*e|\W*s\W*v\W*g|\W*m\W*a\W*r\W*q\W*u\W*e\W*e|(?:\W*l\W*i\W*n\W*k|\W*o\W*b\W*j\W*e\W*c\W*t|\W*e\W*m\W*b\W*e\W*d|\W*a\W*p\W*p\W*l\W*e\W*t|\W*p\W*a\W*r\W*a\W*m|\W*i?\W*f\W*r\W*a\W*m\W*e|\W*b\W*a\W*s\W*e|\W*b\W*o\W*d\W*y|\W*m\W*e\W*t\W*a|\W*i\W*m\W*a?\W*g\W*e?|\W*v\W*i\W*d\W*e\W*o|\W*a\W*u\W*d\W*i\W*o|\W*b\W*i\W*n\W*d\W*i\W*n\W*g\W*s|\W*s\W*e\W*t|\W*i\W*s\W*i\W*n\W*d\W*e\W*x|\W*a\W*n\W*i\W*m\W*a\W*t\W*e)[^>\w])|(?:<\w[\s\S]*[\s\0\/]|['"])(?:formaction|style|background|src|lowsrc|ping|on(?:d(?:e(?:vice(?:(?:orienta|mo)tion|proximity|found|light)|livery(?:success|error)|activate)|r(?:ag(?:e(?:n(?:ter|d)|xit)|(?:gestur|leav)e|start|drop|over)?|op)|i(?:s(?:c(?:hargingtimechange|onnect(?:ing|ed))|abled)|aling)|ata(?:setc(?:omplete|hanged)|(?:availabl|chang)e|error)|urationchange|ownloading|blclick)|Moz(?:M(?:agnifyGesture(?:Update|Start)?|ouse(?:PixelScroll|Hittest))|S(?:wipeGesture(?:Update|Start|End)?|crolledAreaChanged)|(?:(?:Press)?TapGestur|BeforeResiz)e|EdgeUI(?:C(?:omplet|ancel)|Start)ed|RotateGesture(?:Update|Start)?|A(?:udioAvailable|fterPaint))|c(?:o(?:m(?:p(?:osition(?:update|start|end)|lete)|mand(?:update)?)|n(?:t(?:rolselect|extmenu)|nect(?:ing|ed))|py)|a(?:(?:llschang|ch)ed|nplay(?:through)?|rdstatechange)|h(?:(?:arging(?:time)?ch)?ange|ecking)|(?:fstate|ell)change|u(?:echange|t)|l(?:ick|ose))|m(?:o(?:z(?:pointerlock(?:change|error)|(?:orientation|time)change|fullscreen(?:change|error)|network(?:down|up)load)|use(?:(?:lea|mo)ve|o(?:ver|ut)|enter|wheel|down|up)|ve(?:start|end)?)|essage|ark)|s(?:t(?:a(?:t(?:uschanged|echange)|lled|rt)|k(?:sessione|comma)nd|op)|e(?:ek(?:complete|ing|ed)|(?:lec(?:tstar)?)?t|n(?:ding|t))|u(?:ccess|spend|bmit)|peech(?:start|end)|ound(?:start|end)|croll|how)|b(?:e(?:for(?:e(?:(?:scriptexecu|activa)te|u(?:nload|pdate)|p(?:aste|rint)|c(?:opy|ut)|editfocus)|deactivate)|gin(?:Event)?)|oun(?:dary|ce)|l(?:ocked|ur)|roadcast|usy)|a(?:n(?:imation(?:iteration|start|end)|tennastatechange)|fter(?:(?:scriptexecu|upda)te|print)|udio(?:process|start|end)|d(?:apteradded|dtrack)|ctivate|lerting|bort)|DOM(?:Node(?:Inserted(?:IntoDocument)?|Removed(?:FromDocument)?)|(?:CharacterData|Subtree)Modified|A(?:ttrModified|ctivate)|Focus(?:Out|In)|MouseScroll)|r(?:e(?:s(?:u(?:m(?:ing|e)|lt)|ize|et)|adystatechange|pea(?:tEven)?t|movetrack|trieving|ceived)|ow(?:s(?:inserted|delete)|e(?:nter|xit))|atechange)|p(?:op(?:up(?:hid(?:den|ing)|show(?:ing|n))|state)|a(?:ge(?:hide|show)|(?:st|us)e|int)|ro(?:pertychange|gress)|lay(?:ing)?)|t(?:ouch(?:(?:lea|mo)ve|en(?:ter|d)|cancel|start)|ime(?:update|out)|ransitionend|ext)|u(?:s(?:erproximity|sdreceived)|p(?:gradeneeded|dateready)|n(?:derflow|load))|f(?:o(?:rm(?:change|input)|cus(?:out|in)?)|i(?:lterchange|nish)|ailed)|l(?:o(?:ad(?:e(?:d(?:meta)?data|nd)|start)?|secapture)|evelchange|y)|g(?:amepad(?:(?:dis)?connected|button(?:down|up)|axismove)|et)|e(?:n(?:d(?:Event|ed)?|abled|ter)|rror(?:update)?|mptied|xit)|i(?:cc(?:cardlockerror|infochange)|n(?:coming|valid|put))|o(?:(?:(?:ff|n)lin|bsolet)e|verflow(?:changed)?|pen)|SVG(?:(?:Unl|L)oad|Resize|Scroll|Abort|Error|Zoom)|h(?:e(?:adphoneschange|l[dp])|ashchange|olding)|v(?:o(?:lum|ic)e|ersion)change|w(?:a(?:it|rn)ing|heel)|key(?:press|down|up)|(?:AppComman|Loa)d|no(?:update|match)|Request|zoom))[\s\0]*=
[NoScript XSS] Sanitized suspicious upload to [http://fiddle.jshell.net/_display/###DATA###[...]%2BCgo8aW1nIHNyYz0iaHR0cDovL2wueWltZy5jb20vdXMueWltZy5jb20vaS9tZXNnL2Vtb3RpY29uczcvNi5naWYiIGFsdD0iYmlnIGh1ZyI%2B] from [http://jsfiddle.net/]: transformed into a download-only GET request.
The character encoding of the plain text document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the file needs to be declared in the transfer protocol or file needs to use a byte order mark as an encoding signature. _display
Re: XSS and JSFIDDL
Posted: Fri May 02, 2014 1:35 pm
by barbaz
You need to match "@" + the start of the URL if you want to trust the origin.
Adding either of these to XSS exceptions will work (but don't use both):
if you trust jsfiddle not to originate malicious requests, use this
if you trust fiddle.jshell to protect itself, use instead this
^https?://fiddle\.jshell\.net/_display/
(I'm assuming that anti-XSS is the only thing getting in your way, i.e. ClearClick triggering does not affect your usage of the site.)
Re: XSS and JSFIDDL
Posted: Sat May 03, 2014 11:07 am
by erosman
Thank you... yes, anti-XSS is the issue.
The point is NOT to add exceptions. The point is why it is blocking it in the first place.
I (and many) use JSFIDDLE for JavaScript code snippet displays.
The issue has only come when I entered image tags in the HTML pane and not on other occasions.
Has any of the developers tested the issue on JSFIDDLE?
Re: XSS and JSFIDDL
Posted: Sat May 03, 2014 4:25 pm
by barbaz
erosman wrote: The point is NOT to add exceptions. The point is why it is blocking it in the first place.
Because passing HTML fragments as part of cross-site requests is screaming potential XSS vulnerability.
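As an added example (not NoScript's code, and not written by either poster), the following JavaScript models the decision visible in the console log earlier in the thread and in barbaz's explanation: a cross-site POST whose body decodes to HTML-looking content is downgraded to a body-less GET ("download-only") unless an exception pattern matches, and exception patterns follow the convention from barbaz's first reply, where a leading "@" makes the regex apply to the origin URL and otherwise it applies to the destination URL. The two detector regexes, the hostname-only same-site rule, the constructed sample request, and the origin pattern `@^https?://jsfiddle\.net/` are all simplifications or assumptions made here; the real NoScript InjectionChecker (whose much larger regex is quoted in the log) is far more thorough.

```javascript
// Added example, not NoScript's code: a reduced anti-XSS request filter.
// Assumed simplifications: two small detector regexes instead of the full
// InjectionChecker, hostname equality as the same-site rule, and a "@" prefix
// on an exception pattern meaning "match the ORIGIN URL" (else the DESTINATION).

// Reduced stand-ins for the detector: a tag opener for a risky element, or an
// event-handler / src-like attribute assignment (the sample log matched "<img").
const RISKY_TAG = /<\s*\/?\s*(?:script|form|style|svg|i?frame|img|object|embed|base|meta|link|body)\b/i;
const RISKY_ATTR = /[\s"']\s*(?:on\w+|src|lowsrc|style|formaction|background)\s*=/i;

function looksLikeHtmlInjection(text) {
  return RISKY_TAG.test(text) || RISKY_ATTR.test(text);
}

// The logged upload was base64 inside a form field, so look at the body as
// sent, URL-decoded, and with every long base64-looking run decoded.
function decodedViews(body) {
  const views = [body];
  try { views.push(decodeURIComponent(body)); } catch (e) { /* not %-encoded */ }
  for (const v of views.slice()) {
    for (const run of v.match(/[A-Za-z0-9+/]{16,}={0,2}/g) || []) {
      views.push(Buffer.from(run, 'base64').toString('latin1'));
    }
  }
  return views;
}

// Simplification: jsfiddle.net and fiddle.jshell.net are different hostnames,
// so the POST between them counts as cross-site.
function sameSite(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// "@pattern" is tested against the origin, "pattern" against the destination.
function isExcepted(origin, destination, exceptions) {
  return exceptions.some(p => p.startsWith('@')
    ? new RegExp(p.slice(1)).test(origin)
    : new RegExp(p).test(destination));
}

// Returns the request as it would be forwarded, plus a verdict:
// 'pass' (not a cross-site POST), 'excepted', 'clean', or 'sanitized'.
function filterRequest(req, exceptions = []) {
  const { origin, url, method, body } = req;
  if (method !== 'POST' || sameSite(origin, url)) return { ...req, verdict: 'pass' };
  if (isExcepted(origin, url, exceptions)) return { ...req, verdict: 'excepted' };
  if (!decodedViews(body).some(looksLikeHtmlInjection)) return { ...req, verdict: 'clean' };
  // Mirrors the log line: the upload is dropped and the request becomes a GET.
  return { origin, url, method: 'GET', body: null, verdict: 'sanitized' };
}

// Constructed sample modelled on the thread: the HTML pane content is base64
// encoded and posted from jsfiddle.net to fiddle.jshell.net/_display/.
const HTML_PANE = '\n\n<img src="http://example.invalid/hug.gif" alt="big hug">';
const SAMPLE = {
  origin: 'http://jsfiddle.net/',
  url: 'http://fiddle.jshell.net/_display/',
  method: 'POST',
  body: '###DATA###' + encodeURIComponent(Buffer.from(HTML_PANE).toString('base64')),
};
// Same shape, but the pane holds plain text (the case erosman says never triggered).
const PLAIN_BODY = '###DATA###' +
  encodeURIComponent(Buffer.from('hello world, plain text').toString('base64'));

// erosman's pattern is tested against the DESTINATION, which it never matches ...
const EROSMAN_PATTERN = '^http://jsfiddle\\.net/.*$';
// ... barbaz's pattern matches the destination ...
const BARBAZ_PATTERN = '^https?://fiddle\\.jshell\\.net/_display/';
// ... and an "@" pattern (assumed here, built the way barbaz describes) trusts the origin.
const ORIGIN_PATTERN = '@^https?://jsfiddle\\.net/';

console.log('no exceptions      :', filterRequest(SAMPLE).verdict);
console.log('erosman pattern    :', filterRequest(SAMPLE, [EROSMAN_PATTERN]).verdict);
console.log('barbaz pattern     :', filterRequest(SAMPLE, [BARBAZ_PATTERN]).verdict);
console.log('@origin pattern    :', filterRequest(SAMPLE, [ORIGIN_PATTERN]).verdict);
console.log('plain-text pane    :', filterRequest({ ...SAMPLE, body: PLAIN_BODY }).verdict);
```

Run with Node: the first two calls report `sanitized`, which is why adding `^http://jsfiddle\.net/.*$` changed nothing (it describes the origin but is matched against the destination); the two patterns barbaz describes report `excepted`; and a plain-text pane reports `clean`, matching erosman's observation that only the image tag triggered the filter.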