Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 12:59 pm
by Security Dude
Hi,

Several HP.COM web pages trigger the XSS warning. For instance, <http://www8.hp.com/us/en/software-solut ... r-catalog/>. I do not understand XSS well enough to know if HP needs to fix its pages, or if NoScript is flagging them inaccurately. Can someone help me understand if this is a false positive or a real issue? I'll be happy to take the results to HP to get them to fix the page once I know if it's their pages or NoScript.

Browser is Firefox 36.0.1 (and many earlier versions), and the latest version of NoScript 2.6.9.17 (and many earlier versions). The error in the console log is:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4234ret=html&phint=v31=Service Broker, Service Catalog, Propel | HP® Official Site, __bk_l=http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/, __bk_pr=, bkrid=v1|2A7CD44285010DE7-4000011240000EB9, v30=cs:software:us:en-us:3.0:propel, v24=Commercial.Large, v01=TSG, v08=Discover HP Propel, a complete cloud service broker solution for IT that provides a single user experience and unified hub for multi-supplier integrations., v11=presales.awareness, v28=Commercial.Business Manager,Commercial.IT Professional, v29=any, v56=R11374, v26=us, v16=Products&limit=15&r=84837134
(function anonymous() {
presales.awareness, v28=Commercial.Business /* COMMENT_TERMINATOR */
DUMMY_EXPR
})

[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4234?ret=html&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F&phint=__bk_pr%3D&phint=bkrid%3Dv1%7C2A7CD44285010DE7-4000011240000EB9&phint=v30%3Dcs%3Asoftware%3Aus%3Aen-us%3A3.0%3Apropel&phint=v24%3DCommercial.Large&phint=v01%3DTSG&phint=v08%3DDiscover%20HP%20Propel%2C%20a%20complete%20cloud%20service%20broker%20solution%20for%20IT%20that%20provides%20a%20single%20user%20experience%20and%20unified%20hub%20for%20multi-supplier%20integrations.&phint=v11%3Dpresales.awareness&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional&phint=v29%3Dany&phint=v56%3DR11374&phint=v26%3Dus&phint=v16%3DProducts&limit=15&r=84837134] requested from [http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/]. Sanitized URL: [http://tags.bluekai.com/#1733805685822937833].

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://stg.www8.hp.com/ww/en/system/inc ... 6510361184. This can be fixed by moving the resource to the same domain or enabling CORS.

Thank you for the help.
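
Why the checker fires on this request, as an added example that is not code from NoScript or from this thread: the script below takes a shortened copy of the Original URL from the console log above, rebuilds the "coalesced" form NoScript prints, and uses the JS engine's own parser (new Function) in place of NoScript's syntax check to find the parameter windows that happen to be valid JavaScript. The slicing is coarser than NoScript's (whole ", "-separated fields and adjacent pairs), so the window it reports is not the one in the log, but the cause is the same: tracker values such as presales.awareness and Commercial.Business read as member accesses, and key=value pairs read as assignments, so a URL that only carries data parses as code. Nothing here blocks the request; it only shows how ordinary tracker data can trip the check even when no script is being injected.

```javascript
// Added example, not NoScript's own code: a simplified model of why the
// InjectionChecker flags the BlueKai tracker request quoted in the thread.
// NoScript URL-decodes the request, folds repeated parameters into one
// "coalesced" string and tests whether slices of it parse as JavaScript.
// Here the JS engine's own parser (new Function) stands in for that check.

// Shortened copy of the Original URL from the console log (constructed subset).
const TRACKER_URL =
  "http://tags.bluekai.com/site/4234?ret=html" +
  "&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site" +
  "&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F" +
  "&phint=v11%3Dpresales.awareness" +
  "&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional" +
  "&phint=v29%3Dany&limit=15";

// Decode every query value; repeated keys (the phint= parameters) are joined
// with ", ", which reproduces the "coalesced:" line shown in the log.
function coalesce(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const byKey = new Map(); // Map keeps insertion order, like the log
  for (const pair of query.split("&")) {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const raw = eq < 0 ? "" : pair.slice(eq + 1);
    const value = decodeURIComponent(raw.replace(/\+/g, " "));
    byKey.set(key, byKey.has(key) ? `${byKey.get(key)}, ${value}` : value);
  }
  return [...byKey].map(([k, v]) => `${k}=${v}`).join("&");
}

// Wrap a slice the way the log shows and ask the parser whether it is valid
// JavaScript. Bare words are skipped; only slices containing something that
// could be an assignment, call or member access are worth a parse.
function looksLikeJs(slice) {
  if (!/[=(.]/.test(slice)) return false;
  try {
    new Function(`${slice}\n/* COMMENT_TERMINATOR */\nDUMMY_EXPR`);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Scan the coalesced string: test each ", "-separated field and each pair of
// neighbouring fields (NoScript slices far more finely; this is enough to show
// the effect). Returns every window that parses as JavaScript.
function findJsLikeWindows(coalesced) {
  const fields = coalesced.split(", ");
  const hits = [];
  for (let i = 0; i < fields.length; i++) {
    const windows = [fields[i]];
    if (i + 1 < fields.length) windows.push(`${fields[i]}, ${fields[i + 1]}`);
    for (const w of windows) if (looksLikeJs(w)) hits.push(w);
  }
  return hits;
}

// The exact slice NoScript reported is valid JS: a comma expression whose
// right-hand side assigns a member access to v28.
console.log(looksLikeJs("presales.awareness, v28=Commercial.Business")); // true
// Coarser scan of the same URL: v11=presales.awareness reads as an assignment.
console.log(findJsLikeWindows(coalesce(TRACKER_URL))); // [ 'v11=presales.awareness' ]
```

Run it with node. Each value the tracker sends is a dotted word or a key=value pair, and every such fragment is a legal JavaScript expression; that, not anything HP wrote, is what the filter reacts to.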

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 3:18 pm
by barbaz
It's a tracker, you can either ignore it or outright block it with ABE:

Site .bluekai.com
Deny

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 3:33 pm
by Guest
I added those two lines to the NoScript Options Advanced ABE tab "USER" rules. But I still get the XSS warning when I browse to that HP.COM page.

Should I have put them someplace else, or am I missing something? By the way, if I disable ABE completely by unchecking the Enable box on the ABE tab, I still get the XSS warning.

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 4:30 pm
by barbaz
Sounds like you're doing it right... check the Browser Console (Ctrl-Shift-J) for ABE related messages?
(Maybe in your case the XSS filter acts before ABE)

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 4:39 pm
by Guest
It appears that XSS is triggering before ABE. Here is the console log now:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/4234ret=html&phint=v31=Service Broker, Service Catalog, Propel | HP® Official Site, __bk_l=http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/, __bk_pr=, bkrid=v1|2A7CD44285010DE7-4000011240000EB9, v30=cs:software:us:en-us:3.0:propel, v24=Commercial.Large, v01=TSG, v08=Discover HP Propel, a complete cloud service broker solution for IT that provides a single user experience and unified hub for multi-supplier integrations., v11=presales.awareness, v28=Commercial.Business Manager,Commercial.IT Professional, v29=any, v56=R11374, v26=us, v16=Products&limit=15&r=960414
(function anonymous() {
presales.awareness, v28=Commercial.Business /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [http://tags.bluekai.com/site/4234?ret=html&phint=v31%3DService%20Broker%2C%20Service%20Catalog%2C%20Propel%20%7C%20HP%C2%AE%20Official%20Site&phint=__bk_l%3Dhttp%3A%2F%2Fwww8.hp.com%2Fus%2Fen%2Fsoftware-solutions%2Fpropel-service-broker-catalog%2F&phint=__bk_pr%3D&phint=bkrid%3Dv1%7C2A7CD44285010DE7-4000011240000EB9&phint=v30%3Dcs%3Asoftware%3Aus%3Aen-us%3A3.0%3Apropel&phint=v24%3DCommercial.Large&phint=v01%3DTSG&phint=v08%3DDiscover%20HP%20Propel%2C%20a%20complete%20cloud%20service%20broker%20solution%20for%20IT%20that%20provides%20a%20single%20user%20experience%20and%20unified%20hub%20for%20multi-supplier%20integrations.&phint=v11%3Dpresales.awareness&phint=v28%3DCommercial.Business%20Manager%2CCommercial.IT%20Professional&phint=v29%3Dany&phint=v56%3DR11374&phint=v26%3Dus&phint=v16%3DProducts&limit=15&r=960414] requested from [http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/]. Sanitized URL: [http://tags.bluekai.com/#11177404790095902500].
[ABE] <tags.bluekai.com> Deny on {GET http://tags.bluekai.com/site/4234?ret=j ... 5&r=960414 <<< http://www8.hp.com/us/en/software-solut ... r-catalog/ - 2}
USER rule:
Site tags.bluekai.com
Deny
Using //@ to indicate sourceURL pragmas is deprecated. Use //# instead can.jquery-1.1.6.js:2:0
[ABE] <tags.bluekai.com> Deny on {GET http://tags.bluekai.com/#11177404790095902500 <<< http://www8.hp.com/us/en/software-solutions/propel-service-broker-catalog/ - 7}
USER rule:
Site tags.bluekai.com
Deny
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://stg.www8.hp.com/ww/en/system/include/intranetCheck.jsp?_=1426523669807. This can be fixed by moving the resource to the same domain or enabling CORS.

So now what should I try?

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 4:46 pm
by barbaz
You've definitely stopped any risk at all there because you are outright blocking that item. I'm not sure what you would like to have done at this point :?:

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 5:19 pm
by Guest
I'm trying to get the XSS warning message to stop appearing. Until it does, I'm not sure if I have successfully blocked the risk or have a typo someplace and the risk is still present.

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 5:38 pm
by barbaz
The fact you get a console message from ABE blocking the request indicates that you have definitely blocked the risk (if there is any after the XSS filter).

If that isn't enough, you're probably looking at asking HP to use a different tracker on their site...

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 16, 2015 11:24 pm
by Thrawn
You might be able to kill off the XSS warning with a surrogate script.

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:12 pm
by gvp
I had the same problem at ebay.co.uk .... so I added

^http?://tags\.bluekai\.com/

to XSS exceptions and problem solved ...
I'm not familiar with regex so if I'm wrong please anyone feel free to correct the regex I used ...

ps
If you use it you must trust bluekai ..

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:27 pm
by barbaz
An XSS exception is definitely not the best choice here.
gvp wrote: I'm not familiar with regex so if I'm wrong please anyone feel free to correct the regex I used ...
You have a typo, you mean

^https?://tags\.bluekai\.com/
gvp wrote: ps
If you use it you must trust bluekai ..
Why would anyone trust a tracking company not on their own website? :?:
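
What the corrected character changes, as an added example that is not part of the thread or of NoScript: both patterns are run against a few constructed request URLs. It assumes, as the thread does, that an XSS exception regex is tested against the request URL. In the original pattern the ? makes the final p optional, so it matches http:// and the nonsense scheme htt:// but never https://; in the corrected pattern the optional character is the s. The last two sample URLs show why the leading ^ and the trailing / matter: the exception should cover only requests to that host, not any URL that merely contains the tracker address.

```javascript
// Added example, not NoScript's code: the effect of the one-character typo in
// the XSS-exception regex quoted in the thread. Both patterns are applied to
// constructed request URLs the way an exception would be applied to a request.
const TYPO_PATTERN = /^http?:\/\/tags\.bluekai\.com\//;   // "p" optional
const FIXED_PATTERN = /^https?:\/\/tags\.bluekai\.com\//;  // "s" optional

// Constructed sample requests. Only the first two are requests to the tracker
// host itself; the other two merely contain its name.
const SAMPLE_URLS = [
  "http://tags.bluekai.com/site/4234?ret=html",
  "https://tags.bluekai.com/site/4234?ret=html",
  "http://tags.bluekai.com.example/site/4234",          // different host: no "/" after ".com"
  "http://www.example/?next=http://tags.bluekai.com/",  // tracker address only inside a parameter
];

// Return the URLs an exception pattern would exempt from the XSS filter.
function coveredBy(pattern, urls) {
  return urls.filter((u) => pattern.test(u));
}

console.log(coveredBy(TYPO_PATTERN, SAMPLE_URLS));   // only the http:// request
console.log(coveredBy(FIXED_PATTERN, SAMPLE_URLS));  // the http:// and https:// requests
console.log(TYPO_PATTERN.test("htt://tags.bluekai.com/"));   // true: what "http?" really allows
console.log(FIXED_PATTERN.test("htt://tags.bluekai.com/"));  // false
```

With the typo, a tracker request made over https would still be run through the filter and still produce the warning, so the exception would only appear to work on pages that load the tracker over plain http.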

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:30 pm
by gvp
barbaz wrote:An XSS exception is definitely not the best choice here.
why ??

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:32 pm
by barbaz
gvp wrote:
barbaz wrote:An XSS exception is definitely not the best choice here.
why ??
Because why the heck would you want to allow a potentially dangerous request that's just for data mining? Who actually wants to be tracked? :shock:

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:34 pm
by gvp
maybe this
[XSS exception for origin of request deleted by moderator]

Re: Several HP.COM web pages trigger XSS warning

Posted: Mon Mar 23, 2015 4:37 pm
by barbaz
That's even worse because you're allowing ebay to XSS anything, just for a tracker. If ebay gets compromised or itself XSS'ed then an attacker could then use ebay as a middleman to exploit you in all kinds of ways...