NoScript XSS warning
Posted: Fri Jul 10, 2020 10:47 am
by Hannah_Payne
Hi all,
I came across a NoScript XSS warning this morning while trying to access my College's email account. I have read some background information on cross-site scripting attack after seeing this warning. If I block this potential attack with NoScript, how will I be able to access the College's account?
Thank you for your suggestions.

Re: NoScript XSS warning
Posted: Fri Jul 10, 2020 8:07 pm
by barbaz
I can't see the screenshot, your link says "image not found".
Could you please copy&paste the full XSS warning text here?
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 12:27 am
by Hannah_Payne
Hi barbaz,
Thank you for your reply. The warning is:
NoScript detected a potential Cross-Site Scripting attack
from [...] to https://login.microsoftonline.com.
Suspicious data:
(URL) https://login.microsoftonline.com/common/oauth2/authorize?client_id=00000002-0000-0ff1-ce00-000000000000&redirect_uri=https://outlook.office365.com/owa/&resource=00000002-0000-0ff1-ce00-000000000000&response_mode=form_post&response_type=code+id_token&scope=openid&msafed=0&client-request-id=57288d7f-668c-41a8-a86e-fa2245b8142e&protectedtoken=true&claims={"id_token":{"xms_cc":{"values":["CP1"]}}}&domain_hint=ic.ac.uk&nonce=637300239390009999.8bd5c4a8-c2c0-4910-af7c-cfcdde768ba9&state=DYtBDoAgDMBAzz5lMBkCe84YkhgPnozfd03aW71zbjUX06PF1UKVEBMxMSKyEVofh2ZpoEkRMu8IMquCTh3jrKV1YW_vFp9P4qVBNLz3Dw
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 1:30 am
by barbaz
I don't see anything that looks like XSS in there. False positive?
I notice this "XSS attempt" comes from "[...]". If you block it, does it actually break the site?
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 1:57 pm
by Hannah_Payne
Hi barbaz,
Thank you for your insight. I am not the admin of this site. Therefore, I will not be able to inspect what is [...] or the embedded code. Will I be able to block the [...] only, without admin access, while still being able to access my email account?
Thanks

Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 2:29 pm
by barbaz
Hannah_Payne wrote: ↑Sat Jul 11, 2020 1:57 pm
Will I be able to block the [...] only without the admin access while being able to access my email account?
That is the exact question I am asking

Can you select "Block this request" on the XSS dialog, to only block it the one time as a test, and let us know if it causes the site to not work?
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 6:19 pm
by Hannah_Payne
Thanks barbaz,
When I block this request using NoScript, I am not able to access the site at all. I haven't been able to check emails since getting this warning.
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 6:34 pm
by barbaz
Since it looks like a false positive, can you allow that request for now until Giorgio gets to this thread?
Re: NoScript XSS warning
Posted: Sat Jul 11, 2020 8:22 pm
by Hannah_Payne
Yes, will do, thank you for looking into this question!
Re: NoScript XSS warning
Posted: Sun Dec 26, 2021 9:39 am
by GrK
Are there any updates about this?
I'm getting a similar XSS pop-up when accessing Outlook on the web (or other Office365 services like Teams).
When I open https://outlook.office.com, it redirects (302) to https://outlook.office.com/owa. And https://outlook.office.com/owa redirects (302) to the https://login.microsoftonline.com page with the XSS warning.
When I enter https://outlook.office.com directly in the address bar, I get the warning with "from [...] to https://login.microsoftonline.com.".
If I click on a link to open https://outlook.office.com, I get the warning with "from <URL of the page containing the link> to https://login.microsoftonline.com.".
If I allow this page with the link to https://outlook.office.com in NoScript, I get the same XSS warning.
If I allow the request I get the expected login page. (But sometimes I have to allow the request multiple times.)
It looks like the XSS warning is triggered by the claims parameter in the URL. (If I remove the claims parameter, I don't get the XSS warning.)
Is this a false positive or should I add an Anti-XSS Protection Exception (noscript.net/faq#qa4_4) to remove the XSS warning?
Re: NoScript XSS warning
Posted: Sun Dec 26, 2021 10:46 am
by Giorgio Maone
GrK wrote: ↑Sun Dec 26, 2021 9:39 am
Are there any updates about this?
[....]
It looks like the XSS warning is triggered by the claims parameter in the URL.
Could you check whether this still happens in the latest development build, 11.2.12rc5, which fixes a bunch of XSS-related issues?
If it does, could you please share this claims parameter for me to check?
Either way, it does sound like a false positive that you can work around by using the permanent allow choice in the XSS warning dialog.
Re: NoScript XSS warning
Posted: Sat Jan 29, 2022 3:51 pm
by GrK
Thank you for your reaction.
Unfortunately I still get the XSS warning with the development builds (I tried 11.2.12rc5 and 11.2.16rc2).
The claims parameter is "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d".
What happens is: I try to open https://outlook.office.com, it redirects to https://outlook.office.com/owa/. And https://outlook.office.com/owa/ redirects to https://login.microsoftonline.com/commo ... uiv1d6v55- . This triggers the XSS warning.
Also when I open this URL directly, I get the XSS warning. But when I open https://login.microsoftonline.com/commo ... uiv1d6v55- (same URL, but with the claims parameter removed) I get the expected login page. This is tested with NoScript version 11.2.15.
PS. I allow javascript from microsoftonline.com, msauth.net and msftauth.net.
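A small triage helper, added here as an example and not part of NoScript or of any post in this thread, that does mechanically what the reports above did by hand: it URL-decodes each query parameter of the login URL and records whether the decoded value is structured JSON, contains HTML/script-like markup, or is plain text. The sample URL is constructed from the encoded claims value quoted above; the other parameters are placeholders, and the markup regex is an illustrative heuristic of the kind a URL-based XSS filter applies, not NoScript's actual rule set.

```python
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the encoded claims value from the report, placed in a
# Microsoft login URL whose other parameters are reduced to placeholders.
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/authorize"
    "?client_id=PLACEHOLDER&response_mode=form_post"
    "&claims=%7b%22id_token%22%3a%7b%22xms_cc%22%3a%7b%22values%22%3a%5b%22CP1%22%5d%7d%7d%7d"
    "&domain_hint=example.invalid"
)

# Illustrative markers a heuristic XSS filter looks for in a decoded value:
# angle brackets, a javascript: scheme, or an on*= event-handler attribute.
MARKUP_HINT = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_params(url):
    """Return {name: decoded value} for every parameter in the URL's query string."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def classify_param(value):
    """Classify one decoded query value as 'markup', 'json', or 'plain'.

    Markup is checked first, because a JSON document can embed a string that
    itself carries markup, and that case should still be surfaced to a reviewer.
    """
    if MARKUP_HINT.search(value):
        return "markup"
    try:
        parsed = json.loads(value)
    except ValueError:
        return "plain"
    # Only treat objects/arrays as JSON; bare numbers or strings are plain text.
    return "json" if isinstance(parsed, (dict, list)) else "plain"


def triage(url):
    """Map each query parameter to its classification.

    A 'json' result explains why braces, quotes and colons tripped a heuristic
    filter while no script or HTML is actually present.
    """
    return {name: classify_param(value) for name, value in decode_params(url).items()}


if __name__ == "__main__":
    for name, kind in triage(SAMPLE_URL).items():
        print(f"{name}: {kind}")
```

Running it on the sample URL reports the claims parameter as json and the rest as plain, which is the false-positive picture the thread arrives at: a structured OAuth claims request that merely resembles injected content.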
Re: NoScript XSS warning
Posted: Sat Jan 29, 2022 11:48 pm
by Giorgio Maone
Thanks for your report.
It should be fixed in the latest development build, please check:
v 11.2.16rc3
============================================================
x [XSS] Fix false positive on Microsoft authentication
(thanks GrK and Hanna_Payne for reporting)
Re: NoScript XSS warning
Posted: Mon Jan 31, 2022 6:57 pm
by GrK
Thank you!
The XSS warning on https://outlook.office.com is gone when I use the development build.