[RESOLVED] XSS false positive when input data is sent

Posted: Tue Jun 06, 2017 11:19 am
by gruberroland_nc
Hi,

I get an XSS alert on this page for doing a search for "123678":

https://www.conrad.de/de/Search.html?se ... pe=REGULAR

The reason is that the page is sending the search terms as a parameter to an external service via JS. But there is no XSS at all here. The parameters do not even include any special characters.
These kinds of requests are quite common for tracking services. So probably other sites will have the same issues.

Can you check this and adjust the XSS detection?


Best regards
Roland

Re: XSS detection reports false positive when input data is

Posted: Tue Jun 06, 2017 2:40 pm
by barbaz
We need more information to help you.

I cannot reproduce any XSS warning on that site with NoScript latest development build 5.0.6rc4. Do you get this XSS warning with NoScript latest development build?

If so, please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: XSS detection reports false positive when input data is

Posted: Wed Jun 07, 2017 5:37 am
by gruberroland_nc
True, the development version fixes the issue. Sorry for the noise. :oops:

Re: XSS detection reports false positive when input data is

Posted: Wed Jun 07, 2017 1:44 pm
by barbaz
No problem, thanks for reporting back. :)