XSS protection - max nr of characters or html tags?

Posted: Mon May 23, 2016 12:43 pm
by matthias-g
Hello forum,

in the FAQ for the Anti-XSS feature, it says:
Cross-site requests from a trusted site to a different trusted site are checked through the InjectionChecker engine, which is more accurate and sanitizes only requests which contain conspicuous fragments of HTML or syntactically valid JavaScript.
https://noscript.net/faq#qa4_2

What exactly determines if a string is conspicuous or not? Is there a certain threshold for number of characters and/or number of html tags? Any chance that spaces play a role?
Because I have a string consisting of alphanumeric characters, spaces and html elements (<br />, <b>, and <i>) and when I do a POST request from Site A to Site B where this string is sent, NoScript's XSS protection steps in:
[NoScript InjectionChecker] JavaScript Injection in ##[[My string...]]

[NoScript XSS] Ein verdächtiger Upload zu [[Site B...]] von [[Site A...]] wurde bereinigt und in eine GET-Anfrage (nur Download) umgewandelt.
I would like to know how I should tweak the string so that it passes. I tried using fewer characters and fewer html elements, but without luck.

I use NoScript 2.9.0.11.

Any help would be appreciated, thanks.

Re: XSS protection - max nr of characters or html tags?

Posted: Mon May 23, 2016 1:09 pm
by matthias-g
To elaborate:

Here's the original part of the string that caused the problem:
"<br /><br />
Some words with spaces between them."
I changed this part of the string, with varying results.
"abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"
--> works, so it can't be just the number of characters which causes the problem
"<br /><br />
abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz"
--> works, so it's not just the two <br />-Tags
"<br /><br />
abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz."
--> works, so it's not just the dot at the end.
"<br /><br />
abc defghijklmnopqrstuvwxyz."
--> doesn't work. It's far fewer characters than the above example, so it can't be the number of characters. However, there is now a space. Is this causing the problem?

Re: XSS protection - max nr of characters or html tags?

Posted: Mon May 23, 2016 4:01 pm
by barbaz
It is unwise to pass HTML fragments around through the user's browser, that's just an invitation to be XSSed. Can you change your site to use something safer for formatting, e.g. BBCode?
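
An added example, not part of the original thread and not NoScript or forum code: one way to follow the BBCode suggestion above for the three tags the poster mentions (<br />, <b>, <i>). The function names htmlToBBCode and renderBBCode and the sample string are constructed for illustration; the sending site converts before the POST, and the receiving site escapes everything and emits only the allowlisted tags.

```javascript
// Added example; htmlToBBCode and renderBBCode are hypothetical names.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (text) => text.replace(/[&<>"']/g, (ch) => ESCAPES[ch]);

// Sending site: rewrite the only three tags in use as BBCode, so the
// cross-site POST body carries no HTML for those cases.
function htmlToBBCode(html) {
  return html
    .replace(/<br\s*\/?>\r?\n?/gi, '\n')
    .replace(/<(\/?)(b|i)>/gi, (_, slash, tag) => `[${slash}${tag.toLowerCase()}]`);
}

// Receiving site: escape all text, then emit only <b>, <i> and <br />.
function renderBBCode(bb) {
  const open = []; // stack of currently open tags, to keep output well-formed
  let out = '';
  for (const tok of bb.split(/(\[\/?(?:b|i)\]|\r?\n)/i)) {
    const m = /^\[(\/?)(b|i)\]$/i.exec(tok);
    if (/^\r?\n$/.test(tok)) {
      out += '<br />';
    } else if (!m) {
      out += escapeHtml(tok); // plain text, including any leftover HTML
    } else if (!m[1]) {
      open.push(m[2].toLowerCase());
      out += `<${m[2].toLowerCase()}>`;
    } else if (open[open.length - 1] === m[2].toLowerCase()) {
      out += `</${open.pop()}>`;
    } else {
      out += escapeHtml(tok); // stray closing tag stays literal text
    }
  }
  while (open.length) out += `</${open.pop()}>`; // close anything left open
  return out;
}

// Constructed sample input, modelled on the string in this thread.
const sample = '<br /><br />\nSome <b>words</b> with spaces between them.';
console.log(renderBBCode(htmlToBBCode(sample)));
```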

Re: XSS protection - max nr of characters or html tags?

Posted: Tue May 24, 2016 3:59 am
by matthias-g
Thanks for your reply.

Currently, I don't have the option of using something other than HTML for this string, but I may be able to do so in the future, so thanks for the suggestion.

You say that passing HTML is unwise - true enough, but evidently NoScript's XSS protection lets through at least some amount of HTML elements without blocking the request. Can somebody explain why the different strings I tried (see above posts) work or don't work, respectively?

Re: XSS protection - max nr of characters or html tags?

Posted: Tue May 24, 2016 2:13 pm
by barbaz
(just guessing...)
Well, you might look at about:config > noscript.filterXGetRx and see if that's anything to do with it?

IIRC NoScript is designed to let some "known innocuous" HTML through the XSS filter, but no idea what exactly.

As a test, can you submit the form using GET and check the Browser Console (Ctrl-Shift-J) see how NoScript sanitises the URL?