This is on a BANK site?
Yes, that's the message. Looks like they're passing HTML fragments in the URL of a request!
Code:
[xx:xx:51.791] decodeURIComponent('%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3ENew+User%3F%3C%2Fa%3E%3Cspan+style%3D%22font-weight%3Anormal%3B%22%3E%26nbsp%3B%7C%26nbsp%3B%3C%2Fspan%3E%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Ftob%2Flive%2Fusp-core%2Fapp%2FauthUpdate%22%3EForgot+Your+Password%3F%3C%2Fa%3E')
[xx:xx:51.794] "<a+href=\"https://www.myufbdirect.com/onlineserv/HB/STDReg.cgi\">New+User?</a><span+style=\"font-weight:normal;\"> | </span><a+href=\"https://www.myufbdirect.com/tob/live/usp-core/app/authUpdate\">Forgot+Your+Password?</a>"
I wonder what happens if that HTML fragment contains a script tag?
Here's a harmless one, already percent-encoded, if you care to experiment:
Code:
%3Cscript%3Ealert(%22Hi+Im+an+XSS+vulnerability%22)%3C%2Fscript%3E
Just stick that on the end of the HTML fragment in the request URL (or in the middle, somewhere it won't mess up the HTML syntax), go to the resulting address, do an unsafe reload, and see what happens.
Anyway,
Solution: PANIC!!!!!!!!!!!!!!, leave your NoScript configuration alone, and complain to the people running the site. (I'm dead serious.)
Point them to https://hackademix.net/2008/04/16/false ... t-typepad/ and tell them that they should never pass raw HTML fragments in GET or POST request parameters (especially GET) like that, because it makes them look vulnerable to XSS, and the HTML fragment could be modified by an attacker to mount an XSS attack on the site, which means people's login credentials could be stolen, etc. Also be sure to let them know what, if anything, happens with the little experiment I suggested above, if you choose to try it.
Honestly I wouldn't be at all happy about trusting my money with anyone who runs a website like that...
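As an added illustration (not part of the post above, and not code from the bank's site), here is a small Node.js model of what the post describes: a page that takes an HTML fragment as a GET parameter and reflects it, the decoded result when the post's test payload is appended, and two ways the site could be fixed. The endpoint `page.cgi` and the parameter name `links` are assumptions; the fragment and payload are the percent-encoded strings quoted in the post. It also shows why the console output in the post still contains `+` signs: `decodeURIComponent` does not turn `+` into a space, whereas form-encoded query parsing (here `URLSearchParams`) does.

```javascript
// Added example (not from the post or the bank's site): what reflecting a raw
// HTML fragment from a request parameter does, and two ways to stop it.
// Runs under Node.js; the endpoint and the parameter name "links" are assumptions.

// Constructed sample input: the first link of the fragment quoted in the post,
// exactly as it appears percent-encoded in the request URL.
const LEGIT_FRAGMENT =
  '%3Ca+href%3D%22https%3A%2F%2Fwww.myufbdirect.com%2Fonlineserv%2FHB%2FSTDReg.cgi%22%3ENew+User%3F%3C%2Fa%3E';

// The harmless test payload from the post, also percent-encoded.
const XSS_PAYLOAD =
  '%3Cscript%3Ealert(%22Hi+Im+an+XSS+vulnerability%22)%3C%2Fscript%3E';

// Hypothetical page that takes the fragment as a GET parameter.
function buildUrl(fragment) {
  return 'https://example.invalid/page.cgi?links=' + fragment;
}

// Server-side decoding of a form-encoded query parameter. "+" becomes a space
// here; decodeURIComponent alone leaves it, which is why the console output
// quoted in the post still shows the "+" signs.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// VULNERABLE: the decoded parameter is concatenated straight into the markup,
// so whatever tags the request carried become part of the page.
function renderUnsafe(url) {
  return '<div class="login-links">' + getParam(url, 'links') + '</div>';
}

// Minimal HTML escaping for text placed in an element body or a quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// FIX 1: escape on output. The parameter can then only render as text, which
// also means it can no longer carry the links, so the design has to change anyway.
function renderEscaped(url) {
  return '<div class="login-links">' + escapeHtml(getParam(url, 'links')) + '</div>';
}

// FIX 2: never accept markup from the client. The parameter is only a key into
// a server-side table of link sets; unknown keys render nothing.
const LINK_SETS = new Map([
  ['login', [
    { href: 'https://www.myufbdirect.com/onlineserv/HB/STDReg.cgi', text: 'New User?' },
    { href: 'https://www.myufbdirect.com/tob/live/usp-core/app/authUpdate', text: 'Forgot Your Password?' },
  ]],
]);

function renderFromAllowlist(url) {
  const links = LINK_SETS.get(getParam(url, 'links')) ?? [];
  const html = links
    .map((l) => '<a href="' + escapeHtml(l.href) + '">' + escapeHtml(l.text) + '</a>')
    .join('<span style="font-weight:normal;">&nbsp;|&nbsp;</span>');
  return '<div class="login-links">' + html + '</div>';
}

// Quick check: does the rendered markup contain a script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run the post's experiment against all three renderers and report the outcome.
function demo() {
  const attackUrl = buildUrl(LEGIT_FRAGMENT + XSS_PAYLOAD);
  return {
    decodedParam: getParam(attackUrl, 'links'),
    unsafeHasScript: containsScriptTag(renderUnsafe(attackUrl)),
    escapedHasScript: containsScriptTag(renderEscaped(attackUrl)),
    allowlistHasScript: containsScriptTag(renderFromAllowlist(attackUrl)),
    allowlistLegit: renderFromAllowlist(buildUrl('login')),
  };
}
```

Calling `demo()` shows the unsafe renderer emitting the `<script>` element intact while both fixes do not. The allowlist version is the one to argue for: once the page stops accepting markup in the request at all, there is nothing for an attacker to modify, which is the point the post makes about not passing raw HTML fragments in GET or POST parameters.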