Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 7:54 pm
by dortmunder
Hi. Can anyone tell me how to configure NoScript so that I don't get popups on trusted sites? In the example attached, I'm still getting the popup despite having added to the exception list. Thank you!

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 8:07 pm
by barbaz
XSS exception might not be the right way to go. Without seeing the details of what was blocked, there's no telling whether it's safe to allow it.

Please remove the XSS exceptions you added, reproduce the warning again, then check the Browser Console (Ctrl-Shift-J) and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 8:35 pm
by dortmunder
Hi barbaz. Wow, never seen that before. I think this is all the NoScript/ABE stuff, thanks for having a look:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///site/36828ret=html&phint=lbg.url=online.bankofscotland.co.uk/personal/logon/login.jsp, lbg.brand=BOS, lbg.division=Retail, lbg.journeyname=Log On, lbg.cookie=28147121db107629a701443668646375, lbg.amount=0, lbg.eventid=3CAFC3359FD5E55B82C1C0D5, lbg.productgroup=Authentication, lbg.productsubgroup=Password, __bk_t=Bank of Scotland - Welcome to internet banking, __bk_k=, __bk_pr=https://www.bankofscotland.co.uk/, __bk_l=https://online.bankofscotland.co.uk/personal/logon/login.jsp&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492547387649,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=66795979
(function anonymous() {
coalesced: lbg.brand=BOS, /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://stags.bluekai.com/site/36828?ret=html&phint=lbg.url%3Donline.bankofscotland.co.uk%2Fpersonal%2Flogon%2Flogin.jsp&phint=lbg.brand%3DBOS&phint=lbg.division%3DRetail&phint=lbg.journeyname%3DLog%20On&phint=lbg.cookie%3D28147121db107629a701443668646375&phint=lbg.amount%3D0&phint=lbg.eventid%3D3CAFC3359FD5E55B82C1C0D5&phint=lbg.productgroup%3DAuthentication&phint=lbg.productsubgroup%3DPassword&phint=__bk_t%3DBank%20of%20Scotland%20-%20Welcome%20to%20internet%20banking&phint=__bk_k%3D&phint=__bk_pr%3Dhttps%3A%2F%2Fwww.bankofscotland.co.uk%2F&phint=__bk_l%3Dhttps%3A%2F%2Fonline.bankofscotland.co.uk%2Fpersonal%2Flogon%2Flogin.jsp&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492547387649,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=66795979] requested from [https://online.bankofscotland.co.uk/personal/logon/login.jsp]. Sanitized URL: [https://stags.bluekai.com/#8293643630628996434].

[ABE] < LOCAL> Deny on {GET https://127.0.0.1:63333/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:63333/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5900/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5900/.  check.js:26:156
XML Parsing Error: syntax error
Location: https://online.bankofscotland.co.uk/personal/marketing
Line Number 1, Column 1:  marketing:1:1
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5901/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5901/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5902/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5902/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5903/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5903/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:3389/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:3389/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5279/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5279/.  check.js:26:156
[ABE] < LOCAL> Deny on {GET https://127.0.0.1:5939/ <<< https://online.bankofscotland.co.uk/modules/iframe_security.jspf - 1}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny
Firefox can’t establish a connection to the server at wss://127.0.0.1:5939/.

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 8:53 pm
by barbaz
There are two NoScript related things going on there. One is the XSS warning, which looks to me like a false positive, i.e. not actually dangerous. So this exception should do -

^https?://(?:[^/:]+\.)?bluekai\.com/
However, do note that bluekai is a tracker, nothing useful. So, to be safe, let's block those requests outright. Go to NoScript Options > Advanced > ABE > USER, and add this -

Site .bluekai.com
# Deny INC is to work around https://forums.informaction.com/viewtopic.php?f=23&t=18996
Deny INC
Deny

The second NoScript thing is that ABE is preventing the site from accessing 127.0.0.1, which is your own computer. Some bank sites require such connections, so I'm not sure whether you "should" be seeing that or not. Does your bank site work fine despite those warnings?
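
Two things worth checking before applying the advice above: what the exception regex actually covers, and what the blocked bluekai request carried. The script below is an added example written for this thread, not code from NoScript or from either poster. It evaluates barbaz's regex with Python's `re` (NoScript's own matcher is assumed to behave the same for these cases) against the tracker URL and against look-alike hosts, and it decodes the repeated `phint` query parameters so you can see the key=value analytics fields that tripped the injection checker. `SAMPLE_URL` is a shortened, constructed version of the URL in the console message; `exempt_from_xss_check` and `tracker_params` are names chosen here.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The exception pattern barbaz suggested, verbatim from the thread.
# It is anchored at the start of the URL and requires a "/" right after
# the host, so only bluekai.com itself or a subdomain of it qualifies;
# a host that merely contains "bluekai.com", or a non-standard port,
# does not.
XSS_EXCEPTION = re.compile(r"^https?://(?:[^/:]+\.)?bluekai\.com/")


def exempt_from_xss_check(url: str) -> bool:
    """True if the XSS filter would skip this URL under the exception."""
    return XSS_EXCEPTION.search(url) is not None


def tracker_params(url: str) -> dict:
    """Decode the query string and collect the repeated 'phint' entries.

    Each phint value is itself 'key=value'; returning them as a dict shows
    what the request carried (page URL, brand, journey name and so on),
    which is the detail barbaz asked to see before allowing anything.
    """
    params = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key == "phint" and "=" in value:
            k, v = value.split("=", 1)
            params[k] = v
    return params


# Constructed, shortened version of the URL from the console message above;
# the real request carries many more phint and bknms fields.
SAMPLE_URL = (
    "https://stags.bluekai.com/site/36828?ret=html"
    "&phint=lbg.url%3Donline.bankofscotland.co.uk%2Fpersonal%2Flogon%2Flogin.jsp"
    "&phint=lbg.brand%3DBOS"
    "&phint=lbg.journeyname%3DLog%20On"
    "&phint=__bk_pr%3Dhttps%3A%2F%2Fwww.bankofscotland.co.uk%2F"
    "&limit=4&r=66795979"
)

if __name__ == "__main__":
    # Hosts ending in ".example" are constructed look-alikes for the check.
    for u in (
        SAMPLE_URL,
        "https://bluekai.com/",
        "https://bluekai.com.example/",
        "https://example.org/bluekai.com/",
        "https://stags.bluekai.com:8443/",
    ):
        print(exempt_from_xss_check(u), u)
    print(tracker_params(SAMPLE_URL))
```

The point of the look-alike cases is that the exception stays narrow: the regex is anchored and consumes the whole host, so it cannot be satisfied by a path or by a different domain that embeds the string.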

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 8:59 pm
by dortmunder
barbaz, thank you so much, you clearly know your stuff. Yes, the bank site works fine bar one thing - when I log off, I don't see the usual 'you have safely logged off' page. It's just a white screen but in the URL bar I can see the word logoff which I'm taking as a good sign. I haven't carried out your suggestions yet, I'll report back when I have. Thanks again.

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 9:08 pm
by dortmunder
Hi again. The warning popup has gone (nice!) and I still get the white screen on logoff along with this URL:
secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp?AWX [loads of letters and numbers...]

If we could fix the logoff issue you may have a virtual pint on me...

Re: Help req'd with XSS configuration

Posted: Tue Apr 18, 2017 9:16 pm
by barbaz
Well, we can try an exception in ABE and see if anything different happens.

First log out of your bank.

Then, add the exception - NoScript Options > Advanced > ABE > SYSTEM, add *at the very top*

Site https://127.0.0.1:*
Accept from 127.0.0.1 https://online.bankofscotland.co.uk/*

If no joy, when the logout issue happens please post the messages from the Browser Console (Ctrl-Shift-J) as before.
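
To see why the SYSTEM rule produced the "Deny on {GET https://127.0.0.1:...}" lines and why the exception has to go at the very top, here is a small model of ABE rule evaluation, written as an added example for this thread (not NoScript's own ABE code). It assumes first-match semantics: rules are walked top-down, the first `Site` that covers the destination is consulted, and inside it the first action whose `from` condition holds decides. `LOCAL` is simplified to loopback addresses only, SYSTEM and USER lists are modelled as one ordered list, and the request URLs are constructed from the hosts that appear in the console output. Note the third case: the exception as written names only online.bankofscotland.co.uk, so a loopback request made from the secure.bankofscotland.co.uk logoff page still falls through to the LOCAL rule.

```python
import fnmatch
from urllib.parse import urlsplit

# Simplified stand-in for ABE's LOCAL placeholder (loopback only here).
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _site_matches(pattern, dest):
    """Does a 'Site' pattern cover the destination URL?"""
    if pattern == "LOCAL":
        return _host(dest) in LOCAL_HOSTS
    if "*" in pattern:                        # URL glob such as https://127.0.0.1:*
        return fnmatch.fnmatchcase(dest, pattern)
    if pattern.startswith("."):               # a domain plus every subdomain
        return _host(dest) == pattern[1:] or _host(dest).endswith(pattern)
    return _host(dest) == pattern


def _origin_matches(pattern, origin):
    """Does a 'from' entry cover the page that made the request?"""
    if pattern == "LOCAL":
        return _host(origin) in LOCAL_HOSTS
    if "*" in pattern or "://" in pattern:
        return fnmatch.fnmatchcase(origin, pattern)
    return _host(origin) == pattern


def parse_rules(text):
    """Parse ABE rule text into [(site_patterns, [action lines]), ...]."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        if line.lower().startswith("site "):
            rules.append((line.split()[1:], []))
        elif rules:
            rules[-1][1].append(line)
    return rules


def evaluate(rules, dest, origin, inclusion=True):
    """Return 'ACCEPT' or 'DENY' for a request from origin to dest.

    'Deny INC' / 'Deny INCLUSION' applies only to sub-resource loads
    (inclusion=True); plain 'Accept'/'Deny' apply to every request kind.
    With no matching rule the request is allowed.
    """
    for site_patterns, actions in rules:
        if not any(_site_matches(p, dest) for p in site_patterns):
            continue
        for action in actions:
            verb, *args = action.split()
            verb = verb.upper()
            if verb == "DENY" and args and args[0].upper() in ("INC", "INCLUSION"):
                if inclusion:
                    return "DENY"
                continue
            if verb not in ("ACCEPT", "DENY"):
                raise ValueError("unknown ABE action: " + action)
            origins = args[1:] if args and args[0].lower() == "from" else []
            if not origins or any(_origin_matches(o, origin) for o in origins):
                return verb
    return "ACCEPT"


# Rule sets quoted in the thread.
SYSTEM_DEFAULT = "Site LOCAL\nAccept from LOCAL\nDeny\n"
SYSTEM_WITH_EXCEPTION = (
    "Site https://127.0.0.1:*\n"
    "Accept from 127.0.0.1 https://online.bankofscotland.co.uk/*\n"
) + SYSTEM_DEFAULT
USER_BLUEKAI = "Site .bluekai.com\nDeny INC\nDeny\n"

# Constructed requests using the hosts seen in the console output.
BANK_LOGIN = "https://online.bankofscotland.co.uk/modules/iframe_security.jspf"
BANK_LOGOFF = "https://secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp"
LOOPBACK = "https://127.0.0.1:63333/"
TRACKER = "https://stags.bluekai.com/site/36828?ret=html"


def decisions():
    return {
        "default, online.bank -> loopback": evaluate(parse_rules(SYSTEM_DEFAULT), LOOPBACK, BANK_LOGIN),
        "exception, online.bank -> loopback": evaluate(parse_rules(SYSTEM_WITH_EXCEPTION), LOOPBACK, BANK_LOGIN),
        "exception, secure.bank -> loopback": evaluate(parse_rules(SYSTEM_WITH_EXCEPTION), LOOPBACK, BANK_LOGOFF),
        "default, local page -> loopback": evaluate(parse_rules(SYSTEM_DEFAULT), LOOPBACK, "http://127.0.0.1:8080/"),
        "user, bank -> tracker (inclusion)": evaluate(parse_rules(USER_BLUEKAI), TRACKER, BANK_LOGOFF),
        "user, tracker as top-level": evaluate(parse_rules(USER_BLUEKAI), TRACKER, BANK_LOGOFF, inclusion=False),
    }


if __name__ == "__main__":
    for name, result in decisions().items():
        print(f"{result:6}  {name}")
```

Because the first covering `Site` decides, an exception placed below `Site LOCAL` would never be reached for a loopback destination; that is the reason for the "at the very top" instruction.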

Re: Help req'd with XSS configuration

Posted: Wed Apr 19, 2017 5:00 am
by dortmunder
Good morning. The addition to NoScript Options > Advanced > ABE > SYSTEM, add *at the very top* had no effect on the logout situation.

The ABE/SYSTEM tab looks like this (not of my doing):
Site LOCAL
Accept from LOCAL
Deny

I'm no expert but the 'Deny' command seemed to be a contradiction to the previous commands so I deleted it – didn't have any effect though so I reinstated it. Here's the data you requested and thanks for your continued efforts:

[ABE] < .bluekai.com> Deny INCLUSION on {GET https://stags.bluekai.com/site/42842?ret=html&phint=lbg_url%3Dsecure.bankofscotland.co.uk%2Fpersonal%2Funauth%2Fpages%2Floggedoff.jsp&phint=lbg_brand%3DBOS&phint=lbg_division%3DRetail&phint=lbg_journeyaction%3DService%20Action%20Complete&phint=lbg_journeyname%3DLog%20Off&phint=lbg_cookie%3D28147121db107629a701443668646375&phint=lbg_eventid%3D3AAA70429A1E9D5B84887690&phint=lbg_platform%3Dauth&phint=lbg_environment%3Dsecure&phint=__bk_t%3DBank%20of%20Scotland%20-%20Logged%20Off&phint=__bk_k%3D&phint=__bk_pr%3Dhttps%3A%2F%2Fsecure.bankofscotland.co.uk%2Fpersonal%2Fa%2Faccount_details_ress%2FOWEGXWFPRK2YWZQLZMYOEV4742IGFNJR4B72U4RJ5A57PS25X3NA%2FWCCLTC6CDXY6UTQDQSBIAVWTD3VNBKWFCYB3YVA%2F62LCDBKEY6GJW%2F%2FHGNFXXQ4GBZOWSBZEAX3IVU4U3SPN4GAENHZNVTNV44MYLJLX75Q%2F&phint=__bk_l%3Dhttps%3A%2F%2Fsecure.bankofscotland.co.uk%2Fpersonal%2Funauth%2Fpages%2Floggedoff.jsp%3FAWXZA2H2XRJDHRVEMPXHEN75IF4DKVIUID3ZYXGOPTF4TNKIZ3CGORPDLCUX7JDPOBXPCIUTX7JTMRB4D7WG6GAAYKBLMNC4ND7ZSPVTODUVHIUPA2IQ&limit=4&bknms=ver=2.0,ua=324b663159a00d40c2dd66973f24b963,t=1492577187646,m=f457e02aad67bb5b16ef6aeb6fef05cf,k=1,lang=07ef608d8a7e9677f0b83775f0b83775,sr=1536x864x24,tzo=-60,hss=true,hls=true,idb=true,addb=undefined,odb=undefined,cpu=4b4e4ecaab1f1c93ab1f1c93ab1f1c93,platform=41fee34aea2844ea24e3d19524e3d195,notrack=,plugins=eec3778d1202308918f372b176f1eda2,cn=496f155ba12f1a8c66f8c6059bbd6d8b&r=23537098 <<< https://secure.bankofscotland.co.uk/personal/unauth/pages/loggedoff.jsp?AWXZA2H2XRJDHRVEMPXHEN75IF4DKVIUID3ZYXGOPTF4TNKIZ3CGORPDLCUX7JDPOBXPCIUTX7JTMRB4D7WG6GAAYKBLMNC4ND7ZSPVTODUVHIUPA2IQ - 7}
USER rule:
Site .bluekai.com
Deny INCLUSION
Deny

Re: Help req'd with XSS configuration

Posted: Wed Apr 19, 2017 6:35 am
by barbaz
Hmm. I think I would need to have that problem in front of me in order to help, and I don't even have an account there, sorry.

EDIT
I suppose you could test it in a new, clean profile with all defaults. If you don't see the problem there, install only NoScript latest development build, and import your NS settings into the clean profile (using the Import and Export buttons *on the very bottom* of NS Options). Do you see the problem now? If not, NoScript is not causing that issue, use Standard Diagnostic on your main profile to isolate the cause.

If you do try this, please let us know the results, thanks.

Re: Help req'd with XSS configuration

Posted: Wed Apr 19, 2017 9:11 am
by dortmunder
Hi barbaz. Ultimately, it's not that big an issue. I've just moved to Windows 10 and have been trying the Edge browser which has had a lot of good reviews. It's a fine browser but my main one will remain Firefox. However, I'm happy to use Edge for my banking.

Thanks very much for the time and trouble you've taken on my behalf, I really appreciate it.

Re: Help req'd with XSS configuration

Posted: Wed Apr 19, 2017 2:52 pm
by barbaz
You're welcome.