Page 1 of 1
Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 2:08 pm
by NotHavingToRegisterIsAwesome
My company uses Basecamp, a social project management platform. Basecamp.com will get you there. I've been using Basecamp for ~10 months now, and only started having trouble at the beginning of August. When I try to donload a file from Basecamp, I am greeted with XSS and other errors from Noscript and Firefox.
This is from earlier in the month, and the Firefox console:
Code: Select all
[NoScript InjectionChecker] JavaScript Injection in ///o/oauth2/postmessageRelay?parent=https://basecamp.com&jsh=m;/_/scs/apps-static/_/js/k=oz.gapi.en_US.íGJrzvn5U.O/m=__features__/am=AQ/rt=j/d=1/rs=AGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#rpctoken=399310344&forcesecure=1
(function anonymous(
) {
_/scs/apps-static/_/js/k==oz.gapi.en_US.íGJrzvn5U.O/m==__features__
})
[NoScript XSS] Sanitized suspicious request. Original URL [https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fbasecamp.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%3Doz.gapi.en_US.QeDGJrzvn5U.O%2Fm%3D__features__%2Fam%3DAQ%2Frt%3Dj%2Fd%3D1%2Frs%3DAGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#rpctoken=399310344&forcesecure=1] requested from [https://basecamp.com/2185750/projects/13130887]. Sanitized URL: [https://accounts.google.com/o/oauth2/postmessageRelay?parent=https%3A%2F%2Fbasecamp.com&jsh=m%3B%2F_%2Fscs%2Fapps-static%2F_%2Fjs%2Fk%20oz.gapi.en_US.Q20GJrzvn5U.O%2Fm%20__features__%2Fam%20AQ%2Frt%20j%2Fd%201%2Frs%20AGLTcCNDMcYVtrNM4guCjDss7jZkH0jDDg#1376205676711909799].
This is another error that I got shortly later. I am now getting this error (or one very similar to it) most of the time I try to download a file.
Code: Select all
This XML file does not appear to have any style information associated with it. The document tree is shown below.
SignatureDoesNotMatchThe request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.GET
1501722695
/bcx_production_attachments/c7b7aa69874749ddedec22200329aa950010
This is the response I got from Basecamp:
This error you're seeing is because Basecamp's files are hosted by Google Cloud Services (GCS) and happens if the link you get to download a file from GCS expires.
Let's say you want to download a file from Basecamp. You'd normally go to an URL like this, clicking on the Download link:
https://basecamp.com/1679267/projects/2 ... 8/download
This is a Basecamp URL, so when you access that, we check that you are signed in and have permission to see that file. Clicking on it, you are taken to this other URL, referencing the original file:
https://asset1.basecamp.com/1679267/pro ... attachment
Again, another Basecamp URL that only works only if you are signed in and have permission to download the file. However, since we are hosting our files in GCS, this is where Basecamp territory ends. The response from requesting that URL is not the file, but a 302 redirection to a signed GCS URL that only works for a limited amount of time. That URL looks like this:
https://storage.googleapis.com/bcx_prod ... MGE8TUgTaJ...
That URL is from Google, and anybody can access the file if they have this specific URL. Over at googleapis they have no way of checking Basecamp credentials, permissions, etc. We then issue a signed URL that only works for a little while. If you wait some time, that will stop working, and the signature is different every time you try to download the same file.
I think what is happening to you with this error message is simply that you've got a googleapis URL for a file, that has since expired. This is redirection to GCS is also likely what is causing NoScript to throw warning messages.
I suspect that the XSS error comes about when the Basecamp page tries to rename the GUID/gibberish file hosted on Google. I am able to have DownThemAll download the files without error, and they use the intended filenames, not the gibberish ones.
Aside from visiting this website in IE and stripping away the protections I have put into my browser, what can I do to address this issue?
On a side note, I'm starting to come across XSS warnings from NoScript much more frequently. Will there ever be a GUI listing mechanism for XSS like there is with allowing or forbidding scripts from domains?
Re: Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 2:12 pm
by barbaz
That is a NoScript bug that was fixed in NoScript 5.0.9. Please upgrade NoScript to the latest version and try again.
Let us know, thanks.
Re: Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 2:49 pm
by NotHavingToRegisterIsAwesome
Thanks for the fast reply! I updated NoScript and Firefox, I get the same error(s).
After updating NoScript, I would get an XSS alert, but was still able to download a file. It had the GUID name. After updating Firefox, Firefox gets redirected to another page complaining about XML. This is the latest error:
Code: Select all
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>GET
1503931627
/bcx_production_attachments/3c18b022-89cf-11e7-96b8-089e019fd4bb</StringToSign></Error>
Re: Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 4:02 pm
by barbaz
NotHavingToRegisterIsAwesome wrote:After updating NoScript, I would get an XSS alert, but was still able to download a file. It had the GUID name. After updating Firefox, Firefox gets redirected to another page complaining about XML.
As a test, does disabling NoScript (Tools > Add-ons Manager > NoScript > Disable > Yes, remove ALL protections) get it working?
Re: Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 6:32 pm
by NotHavingToRegisterIsAwesome
The actual error condition seems to change based on which of the 2 download links I click on. One link, placed over a thumbnail of the PDF, opens a new tab, then starts to download the file, then closes the new tab. That gives the XSS bar and xml error. The download link on the right side of the javascript(?) popup/popover does not open a new tab and just attempts to download the file. This one triggers the XSS bar from NoScript, but I still get the file, albeit with the GUID name.
Turning off NoScript makes things work properly for both links, and I get the intended filename from both links.
Disabling script protection leaves XSS protection enabled, so I get the same problems.
Re: Noscript, googleapis, Basecamp
Posted: Mon Aug 28, 2017 6:49 pm
by barbaz
Thanks for confirming. Can you please post the new console message(s) from NoScript 5.0.9 when this issue occurs?
Re: Noscript, googleapis, Basecamp
Posted: Thu Aug 31, 2017 12:35 pm
by NotHavingToRegisterIsAwesome
Sorry for the delay, been busy with other stuff. When I get the redirect and XML error, I am directed to a page:
Code: Select all
https://storage.googleapis.com/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb?GoogleAccessId=bcx-production%40bcx-production.iam.gserviceaccount.com&Expires=1504182714&Signature=fXHLSqGBQ0SMd6dL5KoY8obdEJTud2%2F3t7Stk9pAzffYzaETAjC9ordvdrnyvHp%2Bu26aALbCjvAbOwu5DLlL%2BhaglYZPZ5vCCWpRPgvNJt8ChUr60Yno1%2Fn13Tw4BWAFQLi9PSC8g5KGltkMHq9mwc3TjR930EJuXrw4OAL6%2BmdzEtu0mbrIkdyNZSzkemuOyqVu4tIoD77%2F2dqBt2fkZ67eTTtxFEQKZh8bo%2BP%2FR6RiNxG46IduY0iDzYj6j2eyflklblSCRQ20tFxpDsKne5mZaKUxtNVTulN3vBDE523Vy%2FP7B1rOMmbkhI5bQXIuaystNxvxqtlRo4QRTXXfhQ &response-content-type=application%2Fpdf&response-content-disposition=attachment%3B+filename <sanitized>.pdf %3B+filename* UTF-8 <sanitized>.pdf#4293811821493213475
(I removed the actual filename) and I currently have NoScript blocking scripts from storage.googleapis.com.
This is the console error:
Code: Select all
[NoScript XSS] Sanitized suspicious request. Original URL [https://storage.googleapis.com/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb?GoogleAccessId=bcx-production%40bcx-production.iam.gserviceaccount.com&Expires=1504182714&Signature=fXHLSqGBQ0SMd6dL5KoY8obdEJTud2%2F3t7Stk9pAzffYzaETAjC9ordvdrnyvHp%2Bu26aALbCjvAbOwu5DLlL%2BhaglYZPZ5vCCWpRPgvNJt8ChUr60Yno1%2Fn13Tw4BWAFQLi9PSC8g5KGltkMHq9mwc3TjR930EJuXrw4OAL6%2BmdzEtu0mbrIkdyNZSzkemuOyqVu4tIoD77%2F2dqBt2fkZ67eTTtxFEQKZh8bo%2BP%2FR6RiNxG46IduY0iDzYj6j2eyflklblSCRQ69tFxpDsKne5mZaKUxtNVTulN3vBDE523Vy%2FP7B1rOMmbkhI5bQXIuaystNxvxqtlRo4QRTXXfhQ%3D%3D&response-content-type=application%2Fpdf&response-content-disposition=attachment%3B+filename%3D%22EMO8960_BD.pdf%22%3B+filename%2A%3DUTF-8%27%27EMO8960_BD.pdf] requested from [https://basecamp.com/2185750/projects/14240936]. Sanitized URL: [https://storage.googleapis.com/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb?GoogleAccessId=bcx-production%40bcx-production.iam.gserviceaccount.com&Expires=1504182714&Signature=fXHLSqGBQ0SMd6dL5KoY8obdEJTud2%2F3t7Stk9pAzffYzaETAjC9ordvdrnyvHp%2Bu26aALbCjvAbOwu5DLlL%2BhaglYZPZ5vCCWpRPgvNJt8ChUr60Yno1%2Fn13Tw4BWAFQLi9PSC8g5KGltkMHq9mwc3TjR930EJuXrw4OAL6%2BmdzEtu0mbrIkdyNZSzkemuOyqVu4tIoD77%2F2dqBt2fkZ67eTTtxFEQKZh8bo%2BP%2FR6RiNxG46IduY0iDzYj6j2eyflklblSCRQ20tFxpDsKne5mZaKUxtNVTulN3vBDE523Vy%2FP7B1rOMmbkhI5bQXIuaystNxvxqtlRo4QRTXXfhQ%20%20&response-content-type=application%2Fpdf&response-content-disposition=attachment%3B+filename%20%20EMO8960_BD.pdf%20%3B+filename*%20UTF-8%20%20EMO8960_BD.pdf#809340863164074533].
[NoScript XSS] Sanitized suspicious request. Original URL [https://storage.googleapis.com/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb?GoogleAccessId=bcx-production%40bcx-production.iam.gserviceaccount.com&Expires=1504182714&Signature=fXHLSqGBQ0SMd6dL5KoY8obdEJTud2%2F3t7Stk9pAzffYzaETAjC9ordvdrnyvHp%2Bu26aALbCjvAbOwu5DLlL%2BhaglYZPZ5vCCWpRPgvNJt8ChUr60Yno1%2Fn13Tw4BWAFQLi9PSC8g5KGltkMHq9mwc3TjR930EJuXrw4OAL6%2BmdzEtu0mbrIkdyNZSzkemuOyqVu4tIoD77%2F2dqBt2fkZ67eTTtxFEQKZh8bo%2BP%2FR6RiNxG46IduY0iDzYj6j2eyflklblSCRQ69tFxpDsKne5mZaKUxtNVTulN3vBDE523Vy%2FP7B1rOMmbkhI5bQXIuaystNxvxqtlRo4QRTXXfhQ%3D%3D&response-content-type=application%2Fpdf&response-content-disposition=attachment%3B+filename%3D%22EMO8960_BD.pdf%22%3B+filename%2A%3DUTF-8%27%27EMO8960_BD.pdf] requested from [https://basecamp.com/2185750/projects/14240936]. Sanitized URL: [https://storage.googleapis.com/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb?GoogleAccessId=bcx-production%40bcx-production.iam.gserviceaccount.com&Expires=1504182714&Signature=fXHLSqGBQ0SMd6dL5KoY8obdEJTud2%2F3t7Stk9pAzffYzaETAjC9ordvdrnyvHp%2Bu26aALbCjvAbOwu5DLlL%2BhaglYZPZ5vCCWpRPgvNJt8ChUr60Yno1%2Fn13Tw4BWAFQLi9PSC8g5KGltkMHq9mwc3TjR930EJuXrw4OAL6%2BmdzEtu0mbrIkdyNZSzkemuOyqVu4tIoD77%2F2dqBt2fkZ67eTTtxFEQKZh8bo%2BP%2FR6RiNxG46IduY0iDzYj6j2eyflklblSCRQ20tFxpDsKne5mZaKUxtNVTulN3vBDE523Vy%2FP7B1rOMmbkhI5bQXIuaystNxvxqtlRo4QRTXXfhQ%20%20&response-content-type=application%2Fpdf&response-content-disposition=attachment%3B+filename%20%20EMO8960_BD.pdf%20%3B+filename*%20UTF-8%20%20EMO8960_BD.pdf#4293811821493213475].
This is the error I get on the webpage:
Code: Select all
This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Message><StringToSign>GET
1504182714
/bcx_production_attachments/b6ca2826-8d87-11e7-828e-089e019fd4bb</StringToSign></Error>
Like I said previously, there are 2 different download links. I'm not getting consistent results clicking on either of them, because sometimes one will work. Which one changes. It seems if I click on the links a few times, eventually one will work. I usually alternate between the thumbnail and the download link to the right.
Re: Noscript, googleapis, Basecamp
Posted: Thu Aug 31, 2017 2:57 pm
by barbaz
That's a different false positive. Assuming you trust basecamp not to XSS other sites, try this exception in NoScript Options > Advanced > XSS -
Does it work consistently now?
Re: Noscript, googleapis, Basecamp
Posted: Fri Sep 01, 2017 11:35 am
by NotHavingToRegisterIsAwesome
I am now able to download the file with both links. One gives me the correct filename, and the other gives me a GUID. I can work with this.
This basically disables the xss protections for basecamp, am I reading that right?
Thanks for the help!
Re: Noscript, googleapis, Basecamp
Posted: Fri Sep 01, 2017 3:29 pm
by barbaz
NotHavingToRegisterIsAwesome wrote:This basically disables the xss protections for basecamp, am I reading that right?
Nope, it allows basecamp to XSS any site. See
the sticky for more info on XSS exceptions.
NotHavingToRegisterIsAwesome wrote:Thanks for the help!
You're welcome!
