
XSS attempt on account.microsoft.com

Posted: Sat Dec 05, 2015 4:31 pm
by UniSan
Hello, I hope I am posting this in the correct manner and location.

I am receiving the following message when accessing my Microsoft Account (via account.microsoft.com) and am unsure why it is happening and if I should be concerned.

"NoScript filtered a potential cross-site scripting (XSS) attempt from [https://account.microsoft.com]. Technical details have been logged to the console."

The console reports the following:

Code:

[NoScript XSS] Sanitized suspicious request. Original URL [https://web.vortex.data.microsoft.com/collect/v1/t.asm?ver=%202.1%20&NAME=%20Ms.Webi.ContentView%20&time=%202015-12-05T16%3A12%3A10.454Z%20&os=%20Windows%20&*baseType=%20Ms.Content.PageView%20&-pageName=%20home-index%20&-uri=%20https%3A%2F%2Faccount.microsoft.com%2F%20&-referrerUri=%20https%3A%2F%2Faccount.microsoft.com%2F%20&-pageTags=%20%7B%20timing%20%3A%20%7B%20navigationStart%20%3A1449331923619%2C%20unloadEventStart%20%3A1449331924720%2C%20unloadEventEnd%20%3A1449331924732%2C%20redirectStart%20%3A0%2C%20redirectEnd%20%3A0%2C%20fetchStart%20%3A1449331923626%2C%20domainLookupStart%20%3A1449331923626%2C%20domainLookupEnd%20%3A1449331923626%2C%20connectStart%20%3A1449331923626%2C%20connectEnd%20%3A1449331923626%2C%20requestStart%20%3A1449331923647%2C%20responseStart%20%3A1449331924703%2C%20responseEnd%20%3A1449331924707%2C%20domLoading%20%3A1449331924720%2C%20domInteractive%20%3A1449331926491%2C%20domContentLoadedEventStart%20
[NoScript InjectionChecker] JavaScript Injection in ///collect/v1/t.asm?ver= 2.1 &NAME= Ms.Webi.ContentView &time= 2015-12-05T16:12:10.454Z &os= Windows &*baseType= Ms.Content.PageView &-pageName= home-index &-uri= https://account.microsoft.com/ &-referrerUri= https://account.microsoft.com/ &-pageTags= { timing : { navigationStart :1449331923619, unloadEventStart :1449331924720, unloadEventEnd :1449331924732, redirectStart :0, redirectEnd :0, fetchStart :1449331923626, domainLookupStart :1449331923626, domainLookupEnd :1449331923626, connectStart :1449331923626, connectEnd :1449331923626, requestStart :1449331923647, responseStart :1449331924703, responseEnd :1449331924707, domLoading :1449331924720, domInteractive :1449331926491, domContentLoadedEventStart :1449331926737, domContentLoadedEventEnd :1449331926810, domComplete :1449331930268, loadEventStart :1449331930268, loadEventEnd :0} , metaTags :{ ms.msa_mem_au : home , ms.msa_mem_flt : AreaBilling;AreaBillingOrders;AreaBillingPayments;AreaBillingRedeem;AreaDevicesFindMyDevice;AreaDevicesFindMyPhoneSms;AreaDevicesResetProtectionPopover;AreaDevicesWarranty;AreaFamilyAddMoney;AreaFamilyFindYourChild;AreaHomeCsvAnimation;AreaHomeShowPI;AreaHomeWelcomeMessage;AreaServices;AreaServicesCancelSurvey;Dvc1510CSRef;FamPrivacy;GJsllScnCompat;GlobalFeedback;GlobalHelpLinks;GlobalSignedOut;GlobalSmokeTests;GlobalSurvey;GlobalUhf;GUHF3;PrivPersnlzn;SvcCancelRiskChk;SvcSurveyOnCfm , ms.loc : nz , ms.lang : en , ms.env : Prod , ms.Cv : tixG6cegwUaZtsYF.41.11.4 }} &-customSessionGuid= 8efd86d60d4142ea824ec067d4e43a9c &-impressionGuid= 9b17fe4c-0b80-4416-9c0f-738272817ffc &-contentJsonVer=2&-content= { areaName : L1 , slotNumber : 1 , templateName : Hovermenus , contentName : Store },{ areaName : L1 , slotNumber : 2 , templateName : Hovermenus , contentName : Products },{ areaName : L1 , slotNumber : 3 , templateName : Hovermenus , contentName : Support },{ areaName : CategoryHeader-AccountAMC , slotNumber : 1 , templateName : 
C1 , contentId : sharedshell-profile-mobile , contentName : sharedshell-yourinfo },{ areaName : CategoryHeader-AccountAMC , slotNumber : 2 , templateName : C1 , contentId : sharedshell-services-mobile , contentName : services },{ areaName : CategoryHeader-AccountAMC , slotNumber : 3 , templateName : C1 , contentId : pb-main-mobile , contentName : billing },{ areaName : CategoryHeader-AccountAMC , slotNumber : 4 , templateName : C1 , contentId : sharedshell-devices-mobile , contentName : devices },{ areaName : CategoryHeader-AccountAMC , slotNumber : 5 , templateName : C1 , contentId : sharedshell-family-mobile , contentName : family },{ areaName : CategoryHeader-AccountAMC , slotNumber : 6 , templateName : C1 , contentId : sharedshell-privacy-mobile , contentName : privacy },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 1 , templateName : C1 , contentId : sharedshell-profile , contentName : sharedshell-yourinfo },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 2 , templateName : C1 , contentId : sharedshell-services , contentName : services },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 3 , templateName : C1 , contentId : pb-main , contentName : billing },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 4 , templateName : C1 , contentId : sharedshell-devices , contentName : devices },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 5 , templateName : C1 , contentId : sharedshell-family , contentName : family },{ areaName : CategoryMenuItems-AccountAMC , slotNumber : 6 , templateName : C1 , contentId : sharedshell-privacy , contentName : privacy } &*flightId= 
AreaServices,GlobalFeedback,GlobalSmokeTests,GlobalUhf,AreaBilling,AreaBillingOrders,AreaBillingPayments,AreaBillingRedeem,AreaDevicesFindMyDevice,AreaDevicesFindMyPhoneSms,AreaDevicesResetProtectionPopover,AreaDevicesWarranty,AreaFamilyAddMoney,AreaFamilyFindYourChild,AreaHomeCsvAnimation,AreaHomeShowPI,AreaHomeWelcomeMessage,AreaServicesCancelSurvey,Dvc1510CSRef,FamPrivacy,GJsllScnCompat,GlobalHelpLinks,GlobalSignedOut,GlobalSurvey,GUHF3,PrivPersnlzn,SvcCancelRiskChk,SvcSurveyOnCfm &*COOKIEEnabled=true&*browserSize= 1349x631 &*COOKIEs= MC1 GUID 148ccc8dd68a4df48b9ef35c09dc7fda&HASH 148c&LV 201509&V 4&LU 1443508720;MSFPC ID fcdd2547dbc40d458dbe4ad34a90fd61&CS 3&LV 201411&V 1; &*pageLoadTime=6642&*screenRes= 1366x768 &*isJs=true&*title= Microsoft account | Home &*signInStatus=1&cV= tixG6cegwUaZtsYF.41.11.4 &appId= JS:account.microsoft.com &ext-javascript-libVer= 3.3.0-beta-1 &ext-user-localId= t:06F8E694FF9B69211C88E2AAFB9B694D &sauth=1#9288810423697781437
How do I identify if this message is a "false positive" or a legitimate security threat?

Re: XSS attempt on account.microsoft.com

Posted: Sat Dec 05, 2015 5:00 pm
by barbaz
UniSan wrote: Hello, I hope I am posting this in the correct manner and location.
Seems fine to me.
UniSan wrote: I am receiving the following message when accessing my Microsoft Account (via account.microsoft.com) and am unsure why it is happening and if I should be concerned.
[...]
How do I identify if this message is a "false positive" or a legitimate security threat?
Well, I see JSON in the URL, but I don't know if that'd be a valid reason to trigger or not:
https://hackademix.net/2008/04/16/false-false-positives-cnn-cebit-typepad/ wrote: On the other hand, the engine became smart enough to recognize syntactically valid JSON as innocuous and let it pass through, while any Web IDS out there would just scream fire.

Re: XSS attempt on account.microsoft.com

Posted: Sun Dec 06, 2015 10:08 pm
by Thrawn
If it were nothing but a JSON object, maybe, but mixing it up with the other ampersands etc. around it... I'm not surprised that NoScript is flagging this.
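One way to triage a warning like this one yourself, as an added example that is not from the thread or from NoScript's own code: decode the flagged URL's query and check which parameters actually carry syntactically valid JSON, the property barbaz's hackademix quote says the filter treats as innocuous. The URL below is a constructed, shortened copy of the one in the first post (same parameter names, same unquoted-key style), and the check is a plain json.loads, not NoScript's real heuristic.

```python
"""Decode a flagged telemetry URL and classify each query parameter as
plain, valid JSON, or JSON-like but invalid (added example; the check is a
standard JSON parse, not NoScript's InjectionChecker)."""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: shortened copy of the URL in the thread, plus one
# extra parameter (-quotedTags) with properly quoted keys for comparison.
SAMPLE_URL = (
    "https://web.vortex.data.microsoft.com/collect/v1/t.asm?ver=%202.1%20"
    "&NAME=%20Ms.Webi.ContentView%20"
    "&-pageTags=%20%7B%20timing%20%3A%20%7B%20navigationStart%20%3A1449331923619%7D%7D%20"
    "&-quotedTags=%7B%22timing%22%3A1%7D"
    "&-contentJsonVer=2"
    "&*COOKIEEnabled=true"
)


def looks_like_json(value: str) -> bool:
    """Heuristic: the decoded value begins with an object or array opener."""
    return value.strip()[:1] in ("{", "[")


def is_valid_json(value: str) -> bool:
    """True only if the standard JSON parser accepts the value as-is."""
    try:
        json.loads(value.strip())
        return True
    except ValueError:
        return False


def triage(url: str) -> dict:
    """Map each query parameter to 'plain', 'valid-json' or 'json-like-but-invalid'."""
    verdicts = {}
    # parse_qsl percent-decodes values, so %7B becomes '{' and %3A becomes ':'.
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if not looks_like_json(value):
            verdicts[name] = "plain"
        elif is_valid_json(value):
            verdicts[name] = "valid-json"
        else:
            # Unquoted keys such as { timing : ... } are JavaScript object
            # literal syntax, not JSON, so the "innocuous JSON" exemption
            # cannot apply and the filter falls back to treating it as code.
            verdicts[name] = "json-like-but-invalid"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_URL).items():
        print(f"{name!r}: {verdict}")
```

Run against the full URL from the first post, the same classification shows that the -pageTags and -content values use unquoted keys, which is why a JSON-only exemption cannot clear them.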