[RESOLVED] Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 2:29 am
by barbaz
Using the DuckDuckGo browser searchplugin (the xml file only, not the XPI they offer), searching for

Code:

ksh add username to prompt
sets off the XSS filter. I haven't previously had XSS filter trouble with this searchplugin, and I don't think it auto-updates.
Why this particular search?
Console messages: (had to capture with a video capture program to view, so there may be typos, especially in that last set of numbers)

Code:

[NoScript InjectionChecker]JavaScript Injection in ///?q=ksh+add+username+to+prompt
(function anonymous() {
q=ksh+add+username+to+prompt /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

[NoScript XSS] Sanitized suspicious request.  Original URL [https://duckduckgo.com/?q=ksh+add+username+to+prompt] requested from [chrome://navigator/content/navigator.xul].  Sanitized URL: [https://duckduckgo.com/?q=ksh+add+userNAME+to+PROMPT#40824949409240163382].

Re: Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 4:45 am
by Thrawn
Have you whitelisted DuckDuckGo?

If not, then the XSS filter is very aggressive.

Re: Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 4:47 am
by barbaz
Yes, DDG is in my whitelist...

Re: Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 4:50 am
by Thrawn
Well, judging by what the filter did, it doesn't like 'name', which is frequently a JavaScript attribute, or 'prompt', which pops up an input box.

Does it still happen if you have another keyword after 'prompt'?
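
The inference in the post above (reading the sanitized URL to see which words the filter rewrote) can be automated when triaging a suspected false positive. This is an added example, not part of the original thread and not NoScript code; the function names are hypothetical, and the sample line is the console message from the first post joined onto one line.

```javascript
// Constructed sample: the "[NoScript XSS]" console message quoted in the first post.
const sampleLog =
  "[NoScript XSS] Sanitized suspicious request.  Original URL " +
  "[https://duckduckgo.com/?q=ksh+add+username+to+prompt] requested from " +
  "[chrome://navigator/content/navigator.xul].  Sanitized URL: " +
  "[https://duckduckgo.com/?q=ksh+add+userNAME+to+PROMPT#40824949409240163382].";

// Pull the original URL, the requesting origin and the sanitized URL out of one message.
function parseSanitizeLog(line) {
  const m = /Original URL\s*\[([^\]]+)\]\s*requested from\s*\[([^\]]+)\]\.\s*Sanitized URL:\s*\[([^\]]+)\]/.exec(line);
  if (!m) return null;
  return { original: m[1], requester: m[2], sanitized: m[3] };
}

// Compare two same-length strings and return the runs of characters that differ.
function changedRuns(before, after) {
  const runs = [];
  let start = -1;
  for (let i = 0; i <= before.length; i++) {
    const differs = i < before.length && before[i] !== after[i];
    if (differs && start < 0) start = i;
    if (!differs && start >= 0) {
      runs.push({ offset: start, before: before.slice(start, i), after: after.slice(start, i) });
      start = -1;
    }
  }
  return runs;
}

// Report which substrings were rewritten and whether a fragment was appended.
function explainSanitization(line) {
  const rec = parseSanitizeLog(line);
  if (!rec) return null;
  const [origBase] = rec.original.split("#");
  const [saniBase, addedFragment = null] = rec.sanitized.split("#");
  // Only a character-for-character rewrite can be diffed positionally.
  const rewritten = origBase.length === saniBase.length ? changedRuns(origBase, saniBase) : null;
  return { requester: rec.requester, rewritten, addedFragment };
}

console.log(JSON.stringify(explainSanitization(sampleLog), null, 2));
```

The rewritten runs show which tokens the filter neutralized, which is the detail worth including in a false-positive report.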

Re: Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 5:00 am
by barbaz
Thrawn wrote: Well, judging by what the filter did, it doesn't like 'name', which is frequently a JavaScript attribute, or 'prompt', which pops up an input box.
That kinda makes sense, but I didn't make "name" a completely separate word...
Thrawn wrote: Does it still happen if you have another keyword after 'prompt'?
Testing with the keyword "terminal", yes...

Re: Why does this search trigger XSS filter?

Posted: Thu Oct 02, 2014 9:59 am
by Giorgio Maone
It's a false negative from the new rules against exfiltration, which surely needs to be tweaked.
Checking it...

Re: Why does this search trigger XSS filter?

Posted: Fri Oct 03, 2014 4:49 am
by barbaz
Fixed in 2.6.9rc2, thanks.