NoScript XSS warning

[Hannah_Payne]

Hi all,

I came across a NoScript XSS warning this morning while trying to access my College's email account. I have read some background information on cross-site scripting attack after seeing this warning. If I block this potential attack with NoScript, how will I be able to access the College's account?

Thank you for your suggestions.

[barbaz]

I can't see the screenshot, your link says "image not found".

Could you please copy&paste the full XSS warning text here?

[Hannah_Payne]

Hi barbaz,

Thank you for your reply. The warning is:

Code: Select all

NoScript detected a potential Cross-Site Scripting attack

from [...] to https://login.microsoftonline.com.

Suspicious data:

(URL) https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office365.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=57288d7f-668c-41a8-a86e-fa2245b8142e&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&domain_hint=ic.ac.uk&nonce=637300239390009999.8bd5c4a8-c2c0-4910-af7c-cfcdde768ba9&state=DYtBDoAgDMBAzz5lMBkCe84YkhgPnozfd03aW71zbjUX06PF1UKVEBMxMSKyEVofh2ZpoEkRMu8IMquCTh3jrKV1YW_vFp9P4qVBNLz3Dw

[barbaz]

I don't see anything that looks like XSS in there. False positive?

I notice this "XSS attempt" comes from "[...]". If you block it, does it actually break the site?

[Hannah_Payne]

Hi barbaz,

Thank you for your insight. I am not the admin of this site. Therefore, I will not be able to inspect what is [...] or the embedded codes. Will I be able to block the [...] only without the admin access while being able to access my email account?

Thanks

[barbaz]

Will I be able to block the [...] only without the admin access while being able to access my email account?

That is the exact question I am asking Can you select "Block this request" on the XSS dialog, to only block it the one time as a test, and let us know if it causes the site to not work?

[Hannah_Payne]

Thanks barbaz,

When I block this request using NoScript, I am not able to access the site at all. I haven't been able to check emails since getting this warning.

[barbaz]

Since it looks like a false positive, can you allow that request for now until Giorgio gets to this thread?

[Hannah_Payne]

Yes, will do, thank you for looking into this question!

[GrK]

Are there any updates about this?

I'm getting a similar XSS pop-up when accessing Outlook on the web (or other Office365 services like Teams).

When I open https://outlook.office.com, it redirects (302) to https://outlook.office.com/owa. And https://outlook.office.com/owa redirects (302) to the https://login.microsoftonline.com page with the XSS warning.

When I enter https://outlook.office.com directly in the address bar, I get the warning with "from [...] to https ://login.microsoftonline.com.".
If I click on a link to open https://outlook.office.com, I get the warning with "from <URL of the page containing the link> to https ://login.microsoftonline.com.".
If I allow this page with the link to https ://outlook.office.com in NoScript, I get the same XSS warning.

If I allow the request I get the expected login page. (But sometimes I have to allow the request multiple times.)

It looks like the XSS warning is triggered by the claims parameter in the URL. (If I remove the claims parameter, I don't get the XSS warning.)
Is this a false positive or should I add an Anti-XSS Protection Exception (noscript.net/faq#qa4_4) to remove the XSS warning?

[Giorgio Maone]

Are there any updates about this?
[....]
It looks like the XSS warning is triggered by the claims parameter in the URL.

Could you check whether this still happens in latest development build 11.2.12rc5, which fixes a bunch of XSS-related issues?

If it does, could you please share this claim parameter for me to check?

Either way, it does sound like a false positive that you can work-around by using the permanent allow choice in the XSS warning dialog.

[GrK]

Thank you for your reaction.

Unfortunately I still get the XSS warning with the development builds (I tried 11.2.12rc5 and 11.2.16rc2).

The claims parameter is "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d".

What happens is: I try to open https://outlook.office.com, it redirects to https://outlook.office.com/owa/. And https://outlook.office.com/owa/ redirects to https://login.microsoftonline.com/commo ... uiv1d6v55- . This triggers the XSS warning.

Also when I open this URL directly, I get the XSS warning. But when I open https://login.microsoftonline.com/commo ... uiv1d6v55- (Same URL, but with the claims parameter removed) I get the expected login page. This is tested with NoScript version 11.2.15,

PS. I allow javascript from microsoftonline.com, msauth.net and msftauth.net.

[Giorgio Maone]

Thanks for your report.
It should be fixed in latest development build, please check:
v 11.2.16rc3
============================================================
x [XSS] Fix false positive on Microsoft authentication
(thanks GrK and Hanna_Payne for reporting)

[GrK]

Thank you!

The XSS warning on https://outlook.office.com is gone when I use the development build.