XSS issue

Posted: Fri Jan 27, 2017 10:46 pm
by maurix
Just wondering why a trusted site such as "teatro alla scala" activates an XSS alert

The alert message is there even after trusting the whole site

http://teatroallascala.ticketone.it/tic ... /eventlist

Code:

[NoScript XSS] Richiesta sospetta filtrata. URL originale [https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO%26map%255B%2527startpos%2527%255D%3D0%26map%255B%2527nogenre%2527%255D%3D%26map%255B%2527genre%2527%255D%3D49%26map%255B%2527production%2527%255D%3D0%26map%255B%2527eventTitle%2527%255D%3D%26map%255B%2527date_begin%2527%255D%3D27.01.2017%26map%255B%2527date_end%2527%255D%3D29.10.2017%26map%255B%2527extSearch%2527%255D%3D%2524status.value%26map%255B%2527performanceLocation%2527%255D%3D0%26map%255B%2527venue%2527%255D%3D0&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist&tiba=Fond.%20Teatro%20alla%20Scala%20-%20Ticketshop] richiesto da [http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist?CSRFTOKEN=XSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO&map%5B%27startpos%27%5D=0&map%5B%27nogenre%27%5D=&map%5B%27genre%27%5D=49&map%5B%27production%27%5D=0&map%5B%27eventTitle%27%5D=&map%5B%27date_begin%27%5D=27.01.2017&map%5B%27date_end%27%5D=29.10.2017&map%5B%27extSearch%27%5D=%24status.value&map%5B%27performanceLocation%27%5D=0&map%5B%27venue%27%5D=0]. 
URL filtrato: [https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DXSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO%26map%2520%2520startpos%2520%2520%3D0%26map%2520%2520nogenre%2520%2520%3D%26map%2520%2520genre%2520%2520%3D49%26map%2520%2520production%2520%2520%3D0%26map%2520%2520eventTitle%2520%2520%3D%26map%2520%2520date_begin%2520%2520%3D27.01.2017%26map%2520%2520date_end%2520%2520%3D29.10.2017%26map%2520%2520extSearch%2520%2520%3D%2524status.value%26map%2520%2520performanceLocation%2520%2520%3D0%26map%2520%2520venue%2520%2520%3D0%231916098442555102433&ref=http%3A%2F%2Fteatroallascala.ticketone.it%2Fticketshop%2Fwebticket%2Feventlist&tiba=Fond.%20Teatro%20alla%20Scala%20-%20Ticketshop#3757395624505079534].
La scrittura di un albero non bilanciato tramite document.write() ha richiesto un ulteriore parsing dei dati dalla rete. Per ulteriori informazioni consultare https://developer.mozilla.org/Optimizing_Your_Pages_for_Speculative_Parsing eventlist:182:0
about:blank : Unable to run script because scripts are blocked internally. <sconosciuto>
about:blank : Unable to run script because scripts are blocked internally. <sconosciuto>
OpenGL compositor Initialized Succesfully.
Version: 1.4 APPLE-1.6.36
Vendor: Intel Inc.
Renderer: Intel GMA 950 OpenGL Engine
FBO Texture Target: TEXTURE_2D

Re: XSS issue

Posted: Fri Jan 27, 2017 11:06 pm
by barbaz
It decodes to this -

Code:

https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/?random=1485556875735&cv=8&fst=1485556875735&num=1&fmt=1&guid=ON&u_h=768&u_w=1024&u_ah=715&u_aw=1024&u_cd=24&u_his=6&u_tz=60&u_java=true&u_nplug=8&u_nmime=26&frm=0&url=http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist?CSRFTOKEN=XSBD-ZRH5-96D0-5A30-3TP5-EOLH-UFW0-ILUO&map['startpos']=0&map['nogenre']=&map['genre']=49&map['production']=0&map['eventTitle']=&map['date_begin']=27.01.2017&map['date_end']=29.10.2017&map['extSearch']=$status.value&map['performanceLocation']=0&map['venue']=0&ref=http://teatroallascala.ticketone.it/ticketshop/webticket/eventlist&tiba=Fond. Teatro alla Scala - Ticketshop
Not sure if that's a false positive or not. Does the XSS filtering break the site?
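An added example (not from this thread and not NoScript's own code) that decodes the two URLs from the log the same way barbaz did, one level at a time, and then diffs the original against the "URL filtrato" form to show exactly which characters the filter neutralized. The two URL strings are constructed, shortened excerpts of the log entry above, with a placeholder in place of the CSRF token.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed, shortened excerpts of the two URLs in the NoScript log above (the
# CSRF token is a placeholder). ORIGINAL is the request as sent; FILTERED is the
# rewritten form NoScript reported under "URL filtrato".
ORIGINAL = (
    "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/"
    "?random=1485556875735&url=http%3A%2F%2Fteatroallascala.ticketone.it"
    "%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DTOKEN-PLACEHOLDER"
    "%26map%255B%2527startpos%2527%255D%3D0"
    "%26map%255B%2527extSearch%2527%255D%3D%2524status.value"
)
FILTERED = (
    "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/868651562/"
    "?random=1485556875735&url=http%3A%2F%2Fteatroallascala.ticketone.it"
    "%2Fticketshop%2Fwebticket%2Feventlist%3FCSRFTOKEN%3DTOKEN-PLACEHOLDER"
    "%26map%2520%2520startpos%2520%2520%3D0"
    "%26map%2520%2520extSearch%2520%2520%3D%2524status.value"
    "%231916098442555102433"
)


def inner_url(outer: str) -> str:
    """First decoding level: the value of the tracker's `url=` parameter."""
    return parse_qs(urlsplit(outer).query)["url"][0]


def inner_params(outer: str) -> dict:
    """Second decoding level: the query string of the page URL carried inside `url=`.

    parse_qs percent-decodes once more, so map%5B%27startpos%27%5D becomes
    map['startpos']. A trailing #fragment (NoScript's marker) is dropped by urlsplit.
    """
    query = urlsplit(inner_url(outer)).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def neutralized(original: str, filtered: str) -> list:
    """Characters of the inner query that the filter replaced (here, with spaces)."""
    before = unquote(urlsplit(inner_url(original)).query)
    after = unquote(urlsplit(inner_url(filtered)).query)
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    print(inner_params(ORIGINAL))
    print(inner_params(FILTERED))
    print("neutralized:", neutralized(ORIGINAL, FILTERED))
```

Running it shows the quote and bracket characters of `map['startpos']` turned into spaces while the rest of the nested URL, including the `$status.value` value, passed through unchanged.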

Re: XSS issue

Posted: Sat Jan 28, 2017 5:31 pm
by maurix
nope.
I can easily navigate through the whole site even with the "alert" on.
BTW, the alert is still there even after clicking the option "reload without protection" in the top bar menu. The same question applies to the apparent inefficacy of "trust the whole site" option.

Re: XSS issue

Posted: Sun Jan 29, 2017 11:32 pm
by Thrawn
The cross-site scripting filter is separate from the regular whitelist, because the point of XSS is that when two sites are whitelisted, and one of them is malicious, it can use vulnerabilities to force the other site to execute scripts in its own security context. So random.com can cause bank.com to perform transactions, for example.

In this case, the teatroallascala site is doing something with analytics that might, or might not, represent a vulnerability that another site could exploit.