NoScript InjectionChecker

Posted: Tue Sep 08, 2015 3:20 pm
by DienerG
Hey there,
My Situation:
I started (on openSUSE 13.2) Tor via the terminal (normal Firefox was already running).
I later noticed that the terminal name was renamed to "Browser.bak (deleted)" where it should actually just be "Browser".
So I typed "Browser.bak (deleted)" in duckduckgo.com (not in Tor but in my normal browser) and I got the
"NoScript filtered a potential cross-site scripting (XSS) attempt from [chrome:]..."
message.
So I checked the log and it said:

Code:

[NoScript InjectionChecker] JavaScript Injection in ///?q=browser.bak (deleted)&t=opensuse
(function anonymous() {
q=browser.bak (deleted) /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://duckduckgo.com/?q=browser.bak+%28deleted%29&t=opensuse] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [https://duckduckgo.com/?q=browser.bak+%20deleted%20&t=OPENsuse#602271173348...].
And there was this log too:

Code:

 Unknown RPC service: widget-csi-tick-I0... 
I also noticed that there are many logs from [NoScript - ClearClick] Swallowed event click on ....


Does anyone have an idea about that "browser.bak (deleted)" and why I get the JavaScript Injection msg (and if it's serious or not!)?

/E the injection message only appears when I use the search bar, not if I type the "browser.bak (deleted)" directly in the duckduckgo search bar

Re: NoScript InjectionChecker

Posted: Tue Sep 08, 2015 3:43 pm
by barbaz
No idea about the browser.bak terminal title, but the XSS warning is because your search query is syntactically valid JavaScript.
You can add

Code:

^@chrome://
to your XSS exceptions if you want to not have that warning?

Re: NoScript InjectionChecker

Posted: Tue Sep 08, 2015 4:43 pm
by DienerG
Thanks for the answer!

But why is
[https://duckduckgo.com/?q=browser.ba ... t=opensuse]
valid JS syntax while
[https://duckduckgo.com/?q=browser.ba ... 2271173348...].
is not?

It's just the switch from "(deleted)" to " deleted "

Re: NoScript InjectionChecker

Posted: Tue Sep 08, 2015 6:00 pm
by barbaz
The only way I can answer that is to point you to a JavaScript tutorial, so here: https://developer.mozilla.org/Learn/JavaScript
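
Added example, not part of the original thread and not NoScript's own code: a simplified model of the check seen in the log, which wraps the decoded query in a function body and tests whether it parses. `q=browser.bak (deleted)` parses as an assignment of the call `browser.bak(deleted)`, while `q=browser.bak  deleted ` is two expressions with no operator between them; `neutralizeParens` is a hypothetical stand-in for the sanitizing step, assumed only from the `%28`/`%29` to `%20` change shown in the log.

```javascript
// Added illustration; not NoScript's code. It only models the idea visible in
// the log: put the decoded text in a function body and see whether it parses.

// Returns true when `text` parses as a JavaScript function body.
// new Function() compiles the body but never calls it, so nothing executes.
function parsesAsJavaScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Decode a query string the way form submissions encode it ('+' is a space).
function decodeQueryValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, ' '));
}

// Hypothetical stand-in for the sanitizer: the log shows "(" and ")"
// (%28, %29) being replaced by spaces (%20).
function neutralizeParens(text) {
  return text.replace(/[()]/g, ' ');
}

// Compare the request as sent with the request after sanitizing.
function report(rawQuery) {
  const decoded = decodeQueryValue(rawQuery);
  const sanitized = neutralizeParens(decoded);
  return {
    decoded,
    decodedParses: parsesAsJavaScript(decoded),
    sanitized,
    sanitizedParses: parsesAsJavaScript(sanitized),
  };
}

// Query fragment taken from the log in the first post.
console.log(report('q=browser.bak+%28deleted%29'));
```

Whitespace between a name and its opening parenthesis is allowed in JavaScript, which is why the original query reads as a function call to the parser.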