InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

False positive XSS on meinestadt.de

https://forums.informaction.com/viewtopic.php?t=23504

Page 1 of 1

False positive XSS on meinestadt.de

Posted: Wed Nov 01, 2017 7:50 pm
by Atalanttore
Hi,

there always appears a XSS warning from NoScript when loading a URL of a local job search site.

Example URL:

Code: Select all

http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001
Regards,
Ettore

Re: False positive XSS on meinestadt.de

Posted: Wed Nov 01, 2017 8:03 pm
by barbaz
Please check the Browser Console (Ctrl-Shift-J) when this issue happens and post here any messages related to NoScript.
(related messages usually start with either "[NoScript" or "[ABE]"; if you don't know what's related, turn off CSS warnings and post everything else you see)

Re: False positive XSS on meinestadt.de

Posted: Wed Nov 01, 2017 10:52 pm
by Atalanttore
I got these messages related to NoScript:

Code: Select all

[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [[System Principal]]. Bereinigte URL: [http://jobs.meinestadt.de/#3726889947896497443].

[NoScript XSS] Eine verdächtige Anfrage wurde bereinigt. Original-URL [http://jobs.meinestadt.de/nuernberg/suche?sort=modified_date+desc,premium_sort+desc,distance+asc,job_id+desc&divider=false&src=mailalert#ms-jobs-result-list&xtor=EPR-9-[Mailalert]-19000101-[Neue_Stellenangebote]-0@0-19000101000001] angefordert von [chrome://browser/content/browser.xul]. Bereinigte URL: [http://jobs.meinestadt.de/#18995520824198986703].

[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIHttpChannel.getResponseHeader]"  nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)"  location: "JS frame :: chrome://noscript/content/Main.js?1bts38pn49vbsofniibg :: mustBlockJS :: line 3808"  data: no]mustBlockJS@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:3808:35
_onWindowCreatedReal@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:3825:23
observe@chrome://noscript/content/Main.js?1bts38pn49vbsofniibg:132:9
Regards,
Ettore

Re: False positive XSS on meinestadt.de

Posted: Wed Nov 01, 2017 11:59 pm
by barbaz
I see that only if the site is script-blocked.

With these sites Allowed, I do not get the XSS warning -

Code: Select all

+ioam.de
+google.com
+ajax.googleapis.com
+meinestadt.de
I have no idea why whitelisting the target site would cause NoScript to no longer consider the request to be XSS? If it were actual XSS, whitelisting the target site would make it MORE dangerous. Image

I would think this difference should apply instead to the site *making* the request, no?
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited